From d7400d582921123b1205566b03b1e42160fecb45 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 18 Jun 2026 22:58:22 +0000 Subject: [PATCH] test: update smoke golden files --- .../testdata/golden/diff-go-audit.golden.json | 693 +- .../golden/explain-go-enrich.golden.json | 100 +- .../testdata/golden/lite-diff-go.golden.json | 693 +- .../golden/lite-explain-go.golden.json | 100 +- .../testdata/golden/lite-scan-go.golden.json | 215 +- .../golden/scan-github-actions.golden.json | 12 + .../golden/scan-go-audit-high.golden.json | 215 +- .../testdata/golden/scan-go-audit.golden.json | 215 +- .../golden/scan-go-enrich.golden.json | 215 +- .../golden/scan-go-reachability.golden.json | 606 +- .../scan-java-maven-reachability.golden.json | 15716 +--- .../golden/scan-npm-audit.golden.json | 4422 +- .../golden/scan-npm-reachability.golden.json | 63298 ++-------------- .../golden/scan-npm-scope-runtime.golden.json | 1425 +- .../scan-python-pip-reachability.golden.json | 3920 +- .../golden/scan-python-pip.golden.json | 1822 +- .../golden/scan-python-poetry.golden.json | 336 +- 17 files changed, 15925 insertions(+), 78078 deletions(-) diff --git a/test/smoke/testdata/golden/diff-go-audit.golden.json b/test/smoke/testdata/golden/diff-go-audit.golden.json index 339c381a..a9bd54f4 100644 --- a/test/smoke/testdata/golden/diff-go-audit.golden.json +++ b/test/smoke/testdata/golden/diff-go-audit.golden.json @@ -11,8 +11,8 @@ }, "command": "diff", "comparison": { - "base": "v1.5.0", - "head": "v1.6.0" + "base": "v0.9.0", + "head": "v1.0.0" }, "metadata": { "duration_ms": 0 
@@ -25,31 +25,670 @@ "target_type": "dependency diff" }, "results": { - "dependencies": {}, + "dependencies": { + "added": [ + { + "package": { + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "licenses": [], + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "scope": "development", + "version": "v0.5.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/google/uuid@v1.6.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "scope": "runtime", + "version": "v1.6.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scope": "development", + "version": "v0.0.0-20191204190536-9bdfabe68543", + "vulnerabilities": [] + } + } + ], + "changed": [ + { + "after": { + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "scope": "runtime", + "version": "v1.1.0", + "vulnerabilities": [] + }, + "before": { + "id": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "scope": "runtime", + "version": "v1.0.0", + "vulnerabilities": [] + } + } + ], + "removed": [ + { + 
"package": { + "id": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "licenses": [], + "name": "github.com/bitly/go-simplejson", + "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "scope": "runtime", + "version": "v0.5.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/bmizerany/assert", + "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "scope": "development", + "version": "v0.0.0-20160611221934-b7ed37b82869", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "licenses": [], + "name": "github.com/davecgh/go-spew", + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "scope": "development", + "version": "v1.1.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/fatih/color@v1.7.0", + "licenses": [], + "name": "github.com/fatih/color", + "purl": "pkg:golang/github.com/fatih/color@v1.7.0", + "scope": "runtime", + "version": "v1.7.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/pretty@v0.3.1", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/kr/pretty", + "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", + "scope": "development", + "version": "v0.3.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/text@v0.2.0", + "licenses": [], + "name": "github.com/kr/text", + "purl": "pkg:golang/github.com/kr/text@v0.2.0", + "scope": "development", + "version": "v0.2.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": 
"pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "licenses": [], + "name": "github.com/mattn/go-colorable", + "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "scope": "runtime", + "version": "v0.0.9", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-isatty", + "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-runewidth", + "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "licenses": [], + "name": "github.com/nsf/termbox-go", + "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "scope": "runtime", + "version": "v0.0.0-20181027232701-60ab7e3d12ed", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "licenses": [], + "name": "github.com/nwidger/jsoncolor", + "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "scope": "runtime", + "version": "v0.0.0-20170215171346-75a6de4340e5", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pkg/errors@v0.8.0", + "licenses": [], + "name": "github.com/pkg/errors", + "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", + "scope": "runtime", + "version": "v0.8.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "licenses": [], + "name": "github.com/pmezard/go-difflib", + "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "scope": "development", + "version": 
"v1.0.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "licenses": [], + "name": "github.com/rogpeppe/go-internal", + "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "scope": "development", + "version": "v1.9.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/simeji/jid@v0.7.6", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/simeji/jid", + "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", + "scope": "runtime", + "version": "v0.7.6", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/stretchr/testify", + "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "scope": "development", + "version": "v1.8.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "licenses": [], + "name": "gopkg.in/check.v1", + "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "scope": "development", + "version": "v0.0.0-20161208181325-20d25e280405", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "licenses": [], + "name": "gopkg.in/yaml.v3", + "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "scope": "development", + "version": "v3.0.1", + "vulnerabilities": [] + } + } + ] + }, "licenses": {}, "manifests": [ { - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "status": "unchanged", - "subproject": "." 
- }, - { - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "status": "unchanged", - "subproject": "." - }, - { + "added": [ + { + "package": { + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "licenses": [], + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "scope": "development", + "version": "v0.5.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/google/uuid@v1.6.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "scope": "runtime", + "version": "v1.6.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scope": "development", + "version": "v0.0.0-20191204190536-9bdfabe68543", + "vulnerabilities": [] + } + } + ], + "changed": [ + { + "after": { + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "scope": "runtime", + "version": "v1.1.0", + "vulnerabilities": [] + }, + "before": { + "id": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", + 
"scope": "runtime", + "version": "v1.0.0", + "vulnerabilities": [] + } + } + ], "ecosystem": "go", "kind": "go.mod", "package_manager": "gomod", "path": "go.mod", - "status": "unchanged", + "removed": [ + { + "package": { + "id": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "licenses": [], + "name": "github.com/bitly/go-simplejson", + "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "scope": "runtime", + "version": "v0.5.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/bmizerany/assert", + "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "scope": "development", + "version": "v0.0.0-20160611221934-b7ed37b82869", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "licenses": [], + "name": "github.com/davecgh/go-spew", + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "scope": "development", + "version": "v1.1.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/fatih/color@v1.7.0", + "licenses": [], + "name": "github.com/fatih/color", + "purl": "pkg:golang/github.com/fatih/color@v1.7.0", + "scope": "runtime", + "version": "v1.7.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/pretty@v0.3.1", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/kr/pretty", + "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", + "scope": "development", + "version": "v0.3.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/text@v0.2.0", + "licenses": [], + "name": 
"github.com/kr/text", + "purl": "pkg:golang/github.com/kr/text@v0.2.0", + "scope": "development", + "version": "v0.2.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "licenses": [], + "name": "github.com/mattn/go-colorable", + "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "scope": "runtime", + "version": "v0.0.9", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-isatty", + "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-runewidth", + "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "licenses": [], + "name": "github.com/nsf/termbox-go", + "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "scope": "runtime", + "version": "v0.0.0-20181027232701-60ab7e3d12ed", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "licenses": [], + "name": "github.com/nwidger/jsoncolor", + "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "scope": "runtime", + "version": "v0.0.0-20170215171346-75a6de4340e5", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pkg/errors@v0.8.0", + "licenses": [], + "name": "github.com/pkg/errors", + "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", + "scope": "runtime", + "version": "v0.8.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": 
"pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "licenses": [], + "name": "github.com/pmezard/go-difflib", + "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "scope": "development", + "version": "v1.0.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "licenses": [], + "name": "github.com/rogpeppe/go-internal", + "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "scope": "development", + "version": "v1.9.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/simeji/jid@v0.7.6", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/simeji/jid", + "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", + "scope": "runtime", + "version": "v0.7.6", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/stretchr/testify", + "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "scope": "development", + "version": "v1.8.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "licenses": [], + "name": "gopkg.in/check.v1", + "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "scope": "development", + "version": "v0.0.0-20161208181325-20d25e280405", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "licenses": [], + "name": "gopkg.in/yaml.v3", + "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "scope": "development", + "version": "v3.0.1", + "vulnerabilities": [] + } + } + ], + "status": "changed", "subproject": "." } ], 
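Review bot: Every package record this hunk adds under `results.dependencies` and under the `go.mod` manifest entry carries `"vulnerabilities": []` and `"licenses": []`, so this audit golden would match whether the advisory lookup ran or was silently skipped. The same holds for the explain-go-enrich hunks (`@@ -9,10 +9,22 @@`, `@@ -20,13 +32,32 @@`, `@@ -56,23 +87,54 @@`), which pin `golang.org/x/text@v0.3.5` with an empty list. As far as I recall that release predates later security fixes to the module, so it is worth confirming against the advisory source that empty is the expected result and not a lookup that returned nothing. If the smoke suite is meant to cover advisory matching, I would point at least one fixture at a target with a known finding so that some golden holds a non-empty `vulnerabilities` array. The file is regenerated output, so that change belongs in the fixture selection or the harness, not in a hand edit here.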
@@ -58,14 +697,14 @@ "schema_version": "1.0", "summary": { "added_manifest_count": 0, - "added_package_count": 0, - "changed_manifest_count": 0, - "changed_package_count": 0, - "exact_match_count": 0, + "added_package_count": 3, + "changed_manifest_count": 1, + "changed_package_count": 1, + "exact_match_count": 1, "fuzzy_match_count": 0, "removed_manifest_count": 0, - "removed_package_count": 0, - "unchanged_manifest_count": 3, - "unmatched_package_count": 0 + "removed_package_count": 18, + "unchanged_manifest_count": 0, + "unmatched_package_count": 21 } } diff --git a/test/smoke/testdata/golden/explain-go-enrich.golden.json b/test/smoke/testdata/golden/explain-go-enrich.golden.json index 0c8df375..e07d98c1 100644 --- a/test/smoke/testdata/golden/explain-go-enrich.golden.json +++ b/test/smoke/testdata/golden/explain-go-enrich.golden.json @@ -9,10 +9,22 @@ }, "command": "explain", "dependency": { - "id": "github.com/google/uuid", + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] }, "metadata": { 
@@ -20,13 +32,32 @@ }, "paths": [ { - "introduced_via": "pkg:golang/github.com/google/uuid", + "introduced_via": "pkg:golang/github.com/bomly/example-go-modules", "packages": [ { - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", + "vulnerabilities": [] + }, + { + "id": "golang.org/x/text@v0.3.5", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] } ], @@ -34,15 +65,15 @@ } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "query": { - "name": "github.com/google/uuid" + "name": "golang.org/x/text" }, "schema_version": "1.0", "targets": [ 
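Review bot: The `packages` array in the `@@ -20,13 +32,32 @@` hunk mixes two id schemes: the root entry uses its purl as `id` (`pkg:golang/github.com/bomly/example-go-modules`), while the next entry has `"id": "golang.org/x/text@v0.3.5"` beside `"purl": "pkg:golang/golang.org/x/text@v0.3.5"`. The diff-go-audit golden in this same commit uses the purl form for every package id, so anything that joins explain output to diff or scan output by `id` would presumably fail to match this package. The same unprefixed id is recorded in the `dependency` objects at `@@ -9,10 +9,22 @@` and `@@ -56,23 +87,54 @@`. I would have the producer emit `"id": "pkg:golang/golang.org/x/text@v0.3.5"` and regenerate, so the mixed form is not frozen into the golden.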
@@ -56,23 +87,54 @@ "unknown": 0 }, "dependency": { - "id": "github.com/google/uuid", + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] }, "detector": "go-detector", "package_manager": "gomod", "paths": [ { - "introduced_via": "pkg:golang/github.com/google/uuid", + "introduced_via": "pkg:golang/github.com/bomly/example-go-modules", "packages": [ { - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/github.com/bomly/example-go-modules", + "licenses": [], + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", + "vulnerabilities": [] + }, + { + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] } ], @@ -84,7 +146,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "filesystem" } } diff --git a/test/smoke/testdata/golden/lite-diff-go.golden.json b/test/smoke/testdata/golden/lite-diff-go.golden.json index 9727fcf4..c40e4c73 100644 --- a/test/smoke/testdata/golden/lite-diff-go.golden.json +++ b/test/smoke/testdata/golden/lite-diff-go.golden.json 
@@ -1,8 +1,8 @@ { "command": "diff", "comparison": { - "base": "v1.5.0", - "head": "v1.6.0" + "base": "v0.9.0", + "head": "v1.0.0" }, "metadata": { "duration_ms": 0 
@@ -15,31 +15,670 @@ "target_type": "dependency diff" }, "results": { - "dependencies": {}, + "dependencies": { + "added": [ + { + "package": { + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "licenses": [], + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "scope": "development", + "version": "v0.5.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/google/uuid@v1.6.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "scope": "runtime", + "version": "v1.6.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scope": "development", + "version": "v0.0.0-20191204190536-9bdfabe68543", + "vulnerabilities": [] + } + } + ], + "changed": [ + { + "after": { + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "scope": "runtime", + "version": "v1.1.0", + "vulnerabilities": [] + }, + "before": { + "id": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "scope": "runtime", + "version": "v1.0.0", + "vulnerabilities": [] + } + } + ], + "removed": [ + { + 
"package": { + "id": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "licenses": [], + "name": "github.com/bitly/go-simplejson", + "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "scope": "runtime", + "version": "v0.5.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/bmizerany/assert", + "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "scope": "development", + "version": "v0.0.0-20160611221934-b7ed37b82869", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "licenses": [], + "name": "github.com/davecgh/go-spew", + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "scope": "development", + "version": "v1.1.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/fatih/color@v1.7.0", + "licenses": [], + "name": "github.com/fatih/color", + "purl": "pkg:golang/github.com/fatih/color@v1.7.0", + "scope": "runtime", + "version": "v1.7.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/pretty@v0.3.1", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/kr/pretty", + "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", + "scope": "development", + "version": "v0.3.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/text@v0.2.0", + "licenses": [], + "name": "github.com/kr/text", + "purl": "pkg:golang/github.com/kr/text@v0.2.0", + "scope": "development", + "version": "v0.2.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": 
"pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "licenses": [], + "name": "github.com/mattn/go-colorable", + "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "scope": "runtime", + "version": "v0.0.9", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-isatty", + "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-runewidth", + "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "licenses": [], + "name": "github.com/nsf/termbox-go", + "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "scope": "runtime", + "version": "v0.0.0-20181027232701-60ab7e3d12ed", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "licenses": [], + "name": "github.com/nwidger/jsoncolor", + "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "scope": "runtime", + "version": "v0.0.0-20170215171346-75a6de4340e5", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pkg/errors@v0.8.0", + "licenses": [], + "name": "github.com/pkg/errors", + "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", + "scope": "runtime", + "version": "v0.8.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "licenses": [], + "name": "github.com/pmezard/go-difflib", + "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "scope": "development", + "version": 
"v1.0.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "licenses": [], + "name": "github.com/rogpeppe/go-internal", + "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "scope": "development", + "version": "v1.9.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/simeji/jid@v0.7.6", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/simeji/jid", + "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", + "scope": "runtime", + "version": "v0.7.6", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/stretchr/testify", + "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "scope": "development", + "version": "v1.8.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "licenses": [], + "name": "gopkg.in/check.v1", + "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "scope": "development", + "version": "v0.0.0-20161208181325-20d25e280405", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "licenses": [], + "name": "gopkg.in/yaml.v3", + "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "scope": "development", + "version": "v3.0.1", + "vulnerabilities": [] + } + } + ] + }, "licenses": {}, "manifests": [ { - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "status": "unchanged", - "subproject": "." 
- }, - { - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "status": "unchanged", - "subproject": "." - }, - { + "added": [ + { + "package": { + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "licenses": [], + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "scope": "development", + "version": "v0.5.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/google/uuid@v1.6.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "scope": "runtime", + "version": "v1.6.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scope": "development", + "version": "v0.0.0-20191204190536-9bdfabe68543", + "vulnerabilities": [] + } + } + ], + "changed": [ + { + "after": { + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "scope": "runtime", + "version": "v1.1.0", + "vulnerabilities": [] + }, + "before": { + "id": "pkg:golang/github.com/google/go-querystring@v1.0.0", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", + 
"scope": "runtime", + "version": "v1.0.0", + "vulnerabilities": [] + } + } + ], "ecosystem": "go", "kind": "go.mod", "package_manager": "gomod", "path": "go.mod", - "status": "unchanged", + "removed": [ + { + "package": { + "id": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "licenses": [], + "name": "github.com/bitly/go-simplejson", + "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "scope": "runtime", + "version": "v0.5.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/bmizerany/assert", + "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", + "scope": "development", + "version": "v0.0.0-20160611221934-b7ed37b82869", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "licenses": [], + "name": "github.com/davecgh/go-spew", + "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "scope": "development", + "version": "v1.1.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/fatih/color@v1.7.0", + "licenses": [], + "name": "github.com/fatih/color", + "purl": "pkg:golang/github.com/fatih/color@v1.7.0", + "scope": "runtime", + "version": "v1.7.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/pretty@v0.3.1", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/kr/pretty", + "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", + "scope": "development", + "version": "v0.3.1", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/kr/text@v0.2.0", + "licenses": [], + "name": 
"github.com/kr/text", + "purl": "pkg:golang/github.com/kr/text@v0.2.0", + "scope": "development", + "version": "v0.2.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "licenses": [], + "name": "github.com/mattn/go-colorable", + "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", + "scope": "runtime", + "version": "v0.0.9", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-isatty", + "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "licenses": [], + "name": "github.com/mattn/go-runewidth", + "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", + "scope": "runtime", + "version": "v0.0.4", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "licenses": [], + "name": "github.com/nsf/termbox-go", + "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", + "scope": "runtime", + "version": "v0.0.0-20181027232701-60ab7e3d12ed", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "licenses": [], + "name": "github.com/nwidger/jsoncolor", + "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", + "scope": "runtime", + "version": "v0.0.0-20170215171346-75a6de4340e5", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/pkg/errors@v0.8.0", + "licenses": [], + "name": "github.com/pkg/errors", + "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", + "scope": "runtime", + "version": "v0.8.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": 
"pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "licenses": [], + "name": "github.com/pmezard/go-difflib", + "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", + "scope": "development", + "version": "v1.0.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "licenses": [], + "name": "github.com/rogpeppe/go-internal", + "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", + "scope": "development", + "version": "v1.9.0", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/simeji/jid@v0.7.6", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/simeji/jid", + "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", + "scope": "runtime", + "version": "v0.7.6", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/stretchr/testify", + "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", + "scope": "development", + "version": "v1.8.2", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "licenses": [], + "name": "gopkg.in/check.v1", + "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "scope": "development", + "version": "v0.0.0-20161208181325-20d25e280405", + "vulnerabilities": [] + } + }, + { + "package": { + "id": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "licenses": [], + "name": "gopkg.in/yaml.v3", + "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", + "scope": "development", + "version": "v3.0.1", + "vulnerabilities": [] + } + } + ], + "status": "changed", "subproject": "." } ], 
@@ -48,14 +687,14 @@ "schema_version": "1.0", "summary": { "added_manifest_count": 0, - "added_package_count": 0, - "changed_manifest_count": 0, - "changed_package_count": 0, - "exact_match_count": 0, + "added_package_count": 3, + "changed_manifest_count": 1, + "changed_package_count": 1, + "exact_match_count": 1, "fuzzy_match_count": 0, "removed_manifest_count": 0, - "removed_package_count": 0, - "unchanged_manifest_count": 3, - "unmatched_package_count": 0 + "removed_package_count": 18, + "unchanged_manifest_count": 0, + "unmatched_package_count": 21 } } diff --git a/test/smoke/testdata/golden/lite-explain-go.golden.json b/test/smoke/testdata/golden/lite-explain-go.golden.json index 0c8df375..e07d98c1 100644 --- a/test/smoke/testdata/golden/lite-explain-go.golden.json +++ b/test/smoke/testdata/golden/lite-explain-go.golden.json @@ -9,10 +9,22 @@ }, "command": "explain", "dependency": { - "id": "github.com/google/uuid", + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] }, "metadata": { 
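Review bot: The new `dependency.id` in the first lite-explain-go hunk is `golang.org/x/text@v0.3.5`, without the `pkg:golang/` prefix that its own `purl` carries. The scan goldens in this patch use the purl form as `id` for the same package. In the `@@ -20,13 +32,32 @@` and `@@ -56,23 +87,54 @@` hunks, one `paths[].packages` list then mixes both forms: `pkg:golang/github.com/bomly/example-go-modules` next to `golang.org/x/text@v0.3.5`. A consumer that joins explain output to scan output on `id` would miss this package, so the golden should not bless the mixed form. Since the file is generated, the fix presumably belongs in the explain emitter, so that it writes `"id": "pkg:golang/golang.org/x/text@v0.3.5"`.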
@@ -20,13 +32,32 @@ }, "paths": [ { - "introduced_via": "pkg:golang/github.com/google/uuid", + "introduced_via": "pkg:golang/github.com/bomly/example-go-modules", "packages": [ { - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", + "vulnerabilities": [] + }, + { + "id": "golang.org/x/text@v0.3.5", + "licenses": [], + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] } ], @@ -34,15 +65,15 @@ } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "query": { - "name": "github.com/google/uuid" + "name": "golang.org/x/text" }, "schema_version": "1.0", "targets": [ 
@@ -56,23 +87,54 @@ "unknown": 0 }, "dependency": { - "id": "github.com/google/uuid", + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] }, "detector": "go-detector", "package_manager": "gomod", "paths": [ { - "introduced_via": "pkg:golang/github.com/google/uuid", + "introduced_via": "pkg:golang/github.com/bomly/example-go-modules", "packages": [ { - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/github.com/bomly/example-go-modules", + "licenses": [], + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", + "vulnerabilities": [] + }, + { + "id": "golang.org/x/text@v0.3.5", "licenses": [], - "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "scope": "runtime", + "version": "v0.3.5", "vulnerabilities": [] } ], @@ -84,7 +146,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "filesystem" } } diff --git a/test/smoke/testdata/golden/lite-scan-go.golden.json b/test/smoke/testdata/golden/lite-scan-go.golden.json index 985515b8..dbb56c00 100644 --- a/test/smoke/testdata/golden/lite-scan-go.golden.json +++ b/test/smoke/testdata/golden/lite-scan-go.golden.json 
@@ -5,109 +5,136 @@ "dependencies": [ { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "pkg:golang/github.com/google/go-querystring@v1.1.0", + "pkg:golang/github.com/google/uuid@v1.6.0", + "pkg:golang/golang.org/x/text@v0.3.5" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "scopes": [ - "runtime" - ], - "version": "local" + "name": "github.com/bomly/example-go-modules", + "package_ref": "pkg:golang/github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "depends_on": [ + "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543" + ], + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "name": "github.com/google/go-cmp", + "package_ref": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", "scopes": [ - "runtime" + "development" ], - "version": "v3" + "version": "v0.5.2" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "depends_on": [ + "pkg:golang/github.com/google/go-querystring@v1.1.0" + ], + "id": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", 
+ "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-github", + "package_ref": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v17.0.0+incompatible" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-cmp@v0.5.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", "licenses": [], - "name": ".github/workflows/tests.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "package_ref": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", "scopes": [ "runtime" ], - "version": "local" + "version": "v1.1.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:golang/github.com/google/uuid@v1.6.0", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "package_ref": "pkg:golang/github.com/google/uuid@v1.6.0", + "purl": 
"pkg:golang/github.com/google/uuid@v1.6.0", "scopes": [ "runtime" ], - "version": "v3" + "version": "v1.6.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "id": "pkg:golang/golang.org/x/text@v0.3.5", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "package_ref": "pkg:golang/golang.org/x/text@v0.3.5", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v0.3.5" + }, { "depends_on": [], - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "licenses": [], - "name": "github.com/google/uuid", - "package_ref": "pkg:golang/github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid" + "name": "golang.org/x/xerrors", + "package_ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scopes": [ + "development" + ], + "version": "v0.0.0-20191204190536-9bdfabe68543" } ], "detector": "go-detector", 
@@ -123,51 +150,67 @@ }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "version": "local", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/tests.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "version": "local", + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "version": "v0.5.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": "github.com/google/go-github", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "version": "v17.0.0+incompatible", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "setup-go", - "purl": "pkg:githubactions/actions/setup-go@v4", - "version": "v4", + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "version": "v1.1.0", "vulnerabilities": [] }, { "ecosystem": "go", "licenses": [], "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "version": "v1.6.0", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "version": "v0.3.5", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "version": 
"v0.0.0-20191204190536-9bdfabe68543", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-github-actions.golden.json b/test/smoke/testdata/golden/scan-github-actions.golden.json index 343fd260..eaa5d4cc 100644 --- a/test/smoke/testdata/golden/scan-github-actions.golden.json +++ b/test/smoke/testdata/golden/scan-github-actions.golden.json @@ -56,6 +56,18 @@ "depends_on": [], "id": "pkg:githubactions/actions/checkout@v1", "licenses": [], + "locations": [ + { + "access_path": ".github/workflows/main.yml", + "position": { + "column": 0, + "end_line": 9, + "file": ".github/workflows/main.yml", + "line": 0 + }, + "real_path": ".github/workflows/main.yml" + } + ], "name": "actions:checkout", "package_ref": "pkg:githubactions/actions/checkout@v1", "purl": "pkg:githubactions/actions/checkout@v1", diff --git a/test/smoke/testdata/golden/scan-go-audit-high.golden.json b/test/smoke/testdata/golden/scan-go-audit-high.golden.json index 985515b8..dbb56c00 100644 --- a/test/smoke/testdata/golden/scan-go-audit-high.golden.json +++ b/test/smoke/testdata/golden/scan-go-audit-high.golden.json 
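Review bot: In the `locations` entry added for `actions/checkout@v1` in scan-github-actions.golden.json, `position` records `"line": 0` and `"column": 0` together with `"end_line": 9`. The span therefore starts at an unset or normalized line but ends at a real one. If the smoke normalizer zeroes line numbers, it should zero `end_line` as well, otherwise the golden will churn whenever the workflow fixture is edited. If it does not, the detector is probably emitting a wrong start line, and the golden now pins it. The go.mod locations elsewhere in this patch carry only `"line": 0`, so it is worth confirming which case applies before accepting the regenerated file.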
@@ -5,109 +5,136 @@ "dependencies": [ { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "pkg:golang/github.com/google/go-querystring@v1.1.0", + "pkg:golang/github.com/google/uuid@v1.6.0", + "pkg:golang/golang.org/x/text@v0.3.5" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "scopes": [ - "runtime" - ], - "version": "local" + "name": "github.com/bomly/example-go-modules", + "package_ref": "pkg:golang/github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "depends_on": [ + "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543" + ], + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "name": "github.com/google/go-cmp", + "package_ref": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", "scopes": [ - "runtime" + "development" ], - "version": "v3" + "version": "v0.5.2" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "depends_on": [ + "pkg:golang/github.com/google/go-querystring@v1.1.0" + ], + "id": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", 
+ "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-github", + "package_ref": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v17.0.0+incompatible" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-cmp@v0.5.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", "licenses": [], - "name": ".github/workflows/tests.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "package_ref": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", "scopes": [ "runtime" ], - "version": "local" + "version": "v1.1.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:golang/github.com/google/uuid@v1.6.0", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "package_ref": "pkg:golang/github.com/google/uuid@v1.6.0", + "purl": 
"pkg:golang/github.com/google/uuid@v1.6.0", "scopes": [ "runtime" ], - "version": "v3" + "version": "v1.6.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "id": "pkg:golang/golang.org/x/text@v0.3.5", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "package_ref": "pkg:golang/golang.org/x/text@v0.3.5", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v0.3.5" + }, { "depends_on": [], - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "licenses": [], - "name": "github.com/google/uuid", - "package_ref": "pkg:golang/github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid" + "name": "golang.org/x/xerrors", + "package_ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scopes": [ + "development" + ], + "version": "v0.0.0-20191204190536-9bdfabe68543" } ], "detector": "go-detector", 
@@ -123,51 +150,67 @@ }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "version": "local", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/tests.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "version": "local", + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "version": "v0.5.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": "github.com/google/go-github", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "version": "v17.0.0+incompatible", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "setup-go", - "purl": "pkg:githubactions/actions/setup-go@v4", - "version": "v4", + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "version": "v1.1.0", "vulnerabilities": [] }, { "ecosystem": "go", "licenses": [], "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "version": "v1.6.0", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "version": "v0.3.5", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "version": 
"v0.0.0-20191204190536-9bdfabe68543", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-go-audit.golden.json b/test/smoke/testdata/golden/scan-go-audit.golden.json index 985515b8..dbb56c00 100644 --- a/test/smoke/testdata/golden/scan-go-audit.golden.json +++ b/test/smoke/testdata/golden/scan-go-audit.golden.json 
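Review bot: Every package in the regenerated `packages` list of scan-go-audit-high.golden.json has `"vulnerabilities": []`. The file's `index 985515b8..dbb56c00` line is identical to the one for lite-scan-go, scan-go-audit and scan-go-enrich, so the audit and enrich goldens are byte-for-byte the lite scan output. As written, these smoke tests cannot tell a working audit step from one that silently returns nothing. The new fixture pins `golang.org/x/text@v0.3.5`, an old release, so an empty list may also mean the advisory lookup is not running or is normalized away; that needs confirming. Consider having the audit test assert at least one entry under `vulnerabilities` for a fixture package with a known advisory. If the lookup is deliberately stubbed in smoke runs, document that next to the goldens.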
@@ -5,109 +5,136 @@ "dependencies": [ { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "pkg:golang/github.com/google/go-querystring@v1.1.0", + "pkg:golang/github.com/google/uuid@v1.6.0", + "pkg:golang/golang.org/x/text@v0.3.5" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "scopes": [ - "runtime" - ], - "version": "local" + "name": "github.com/bomly/example-go-modules", + "package_ref": "pkg:golang/github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "depends_on": [ + "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543" + ], + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "name": "github.com/google/go-cmp", + "package_ref": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", "scopes": [ - "runtime" + "development" ], - "version": "v3" + "version": "v0.5.2" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "depends_on": [ + "pkg:golang/github.com/google/go-querystring@v1.1.0" + ], + "id": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", 
+ "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-github", + "package_ref": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v17.0.0+incompatible" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-cmp@v0.5.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", "licenses": [], - "name": ".github/workflows/tests.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "package_ref": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", "scopes": [ "runtime" ], - "version": "local" + "version": "v1.1.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:golang/github.com/google/uuid@v1.6.0", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "package_ref": "pkg:golang/github.com/google/uuid@v1.6.0", + "purl": 
"pkg:golang/github.com/google/uuid@v1.6.0", "scopes": [ "runtime" ], - "version": "v3" + "version": "v1.6.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "id": "pkg:golang/golang.org/x/text@v0.3.5", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "package_ref": "pkg:golang/golang.org/x/text@v0.3.5", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v0.3.5" + }, { "depends_on": [], - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "licenses": [], - "name": "github.com/google/uuid", - "package_ref": "pkg:golang/github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid" + "name": "golang.org/x/xerrors", + "package_ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scopes": [ + "development" + ], + "version": "v0.0.0-20191204190536-9bdfabe68543" } ], "detector": "go-detector", 
@@ -123,51 +150,67 @@ }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "version": "local", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/tests.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "version": "local", + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "version": "v0.5.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": "github.com/google/go-github", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "version": "v17.0.0+incompatible", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "setup-go", - "purl": "pkg:githubactions/actions/setup-go@v4", - "version": "v4", + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "version": "v1.1.0", "vulnerabilities": [] }, { "ecosystem": "go", "licenses": [], "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "version": "v1.6.0", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "version": "v0.3.5", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "version": 
"v0.0.0-20191204190536-9bdfabe68543", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-go-enrich.golden.json b/test/smoke/testdata/golden/scan-go-enrich.golden.json index 985515b8..dbb56c00 100644 --- a/test/smoke/testdata/golden/scan-go-enrich.golden.json +++ b/test/smoke/testdata/golden/scan-go-enrich.golden.json 
@@ -5,109 +5,136 @@ "dependencies": [ { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "pkg:golang/github.com/google/go-querystring@v1.1.0", + "pkg:golang/github.com/google/uuid@v1.6.0", + "pkg:golang/golang.org/x/text@v0.3.5" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "scopes": [ - "runtime" - ], - "version": "local" + "name": "github.com/bomly/example-go-modules", + "package_ref": "pkg:golang/github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "depends_on": [ + "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543" + ], + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "name": "github.com/google/go-cmp", + "package_ref": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", "scopes": [ - "runtime" + "development" ], - "version": "v3" + "version": "v0.5.2" }, { - "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "depends_on": [ + "pkg:golang/github.com/google/go-querystring@v1.1.0" + ], + "id": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", 
+ "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-github", + "package_ref": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/apidiff.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v17.0.0+incompatible" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/actions/setup-go@v4" + "pkg:golang/github.com/google/go-cmp@v0.5.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", "licenses": [], - "name": ".github/workflows/tests.yaml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/go-querystring", + "package_ref": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", "scopes": [ "runtime" ], - "version": "local" + "version": "v1.1.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:golang/github.com/google/uuid@v1.6.0", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "github.com/google/uuid", + "package_ref": "pkg:golang/github.com/google/uuid@v1.6.0", + "purl": 
"pkg:golang/github.com/google/uuid@v1.6.0", "scopes": [ "runtime" ], - "version": "v3" + "version": "v1.6.0" }, { "depends_on": [], - "id": "pkg:githubactions/actions/setup-go@v4", + "id": "pkg:golang/golang.org/x/text@v0.3.5", "licenses": [], - "name": "actions:setup-go", - "package_ref": "pkg:githubactions/actions/setup-go@v4", - "purl": "pkg:githubactions/actions/setup-go@v4", + "locations": [ + { + "access_path": "go.mod", + "position": { + "file": "go.mod", + "line": 0 + }, + "real_path": "go.mod" + } + ], + "name": "golang.org/x/text", + "package_ref": "pkg:golang/golang.org/x/text@v0.3.5", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", "scopes": [ + "development", "runtime" ], - "version": "v4" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/tests.yaml", - "subproject": "." - }, - { - "dependencies": [ + "version": "v0.3.5" + }, { "depends_on": [], - "id": "pkg:golang/github.com/google/uuid", + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "licenses": [], - "name": "github.com/google/uuid", - "package_ref": "pkg:golang/github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid" + "name": "golang.org/x/xerrors", + "package_ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "scopes": [ + "development" + ], + "version": "v0.0.0-20191204190536-9bdfabe68543" } ], "detector": "go-detector", 
@@ -123,51 +150,67 @@ }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/apidiff.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fapidiff.yaml@local", - "version": "local", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": ".github/workflows/tests.yaml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Ftests.yaml@local", - "version": "local", + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "version": "v0.5.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": "github.com/google/go-github", + "purl": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "version": "v17.0.0+incompatible", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "go", "licenses": [], - "name": "setup-go", - "purl": "pkg:githubactions/actions/setup-go@v4", - "version": "v4", + "name": "github.com/google/go-querystring", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "version": "v1.1.0", "vulnerabilities": [] }, { "ecosystem": "go", "licenses": [], "name": "github.com/google/uuid", - "purl": "pkg:golang/github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "version": "v1.6.0", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/text", + "purl": "pkg:golang/golang.org/x/text@v0.3.5", + "version": "v0.3.5", + "vulnerabilities": [] + }, + { + "ecosystem": "go", + "licenses": [], + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "version": 
"v0.0.0-20191204190536-9bdfabe68543", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "go", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "v1.6.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-go-reachability.golden.json b/test/smoke/testdata/golden/scan-go-reachability.golden.json index b83cff73..3cf28b05 100644 --- a/test/smoke/testdata/golden/scan-go-reachability.golden.json +++ b/test/smoke/testdata/golden/scan-go-reachability.golden.json 
@@ -5,76 +5,35 @@ "dependencies": [ { "depends_on": [ - "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869" + "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", + "pkg:golang/github.com/google/go-querystring@v1.1.0", + "pkg:golang/github.com/google/uuid@v1.6.0", + "pkg:golang/golang.org/x/text@v0.3.5" ], - "id": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", + "id": "pkg:golang/github.com/bomly/example-go-modules", "licenses": [], - "matched": true, - "name": "github.com/bitly/go-simplejson", - "package_ref": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", - "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", - "scopes": [ - "development", - "runtime" - ], - "version": "v0.5.0" + "name": "github.com/bomly/example-go-modules", + "package_ref": "pkg:golang/github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules" }, { "depends_on": [ - "pkg:golang/github.com/kr/pretty@v0.3.1" + "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543" ], - "id": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", - "licenses": [], - "locations": [ - { - "access_path": "go.mod", - "position": { - "file": "go.mod", - "line": 0 - }, - "real_path": "go.mod" - } - ], - "name": "github.com/bmizerany/assert", - "package_ref": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", - "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", - "scopes": [ - "development" - ], - "version": "v0.0.0-20160611221934-b7ed37b82869" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "id": "pkg:golang/github.com/google/go-cmp@v0.5.2", "licenses": [], "matched": true, - "name": "github.com/davecgh/go-spew", - "package_ref": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", - "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", + "name": "github.com/google/go-cmp", + "package_ref": 
"pkg:golang/github.com/google/go-cmp@v0.5.2", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", "scopes": [ "development" ], - "version": "v1.1.1" - }, - { - "depends_on": [ - "pkg:golang/github.com/mattn/go-colorable@v0.0.9", - "pkg:golang/github.com/mattn/go-isatty@v0.0.4" - ], - "id": "pkg:golang/github.com/fatih/color@v1.7.0", - "licenses": [], - "matched": true, - "name": "github.com/fatih/color", - "package_ref": "pkg:golang/github.com/fatih/color@v1.7.0", - "purl": "pkg:golang/github.com/fatih/color@v1.7.0", - "scopes": [ - "runtime" - ], - "version": "v1.7.0" + "version": "v0.5.2" }, { "depends_on": [ - "pkg:golang/github.com/google/go-querystring@v1.0.0" + "pkg:golang/github.com/google/go-querystring@v1.1.0" ], "id": "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", "licenses": [], @@ -97,35 +56,11 @@ ], "version": "v17.0.0+incompatible" }, - { - "depends_on": [], - "id": "pkg:golang/github.com/google/go-querystring@v1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "go.mod", - "position": { - "file": "go.mod", - "line": 0 - }, - "real_path": "go.mod" - } - ], - "matched": true, - "name": "github.com/google/go-querystring", - "package_ref": "pkg:golang/github.com/google/go-querystring@v1.0.0", - "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", - "scopes": [ - "runtime" - ], - "version": "v1.0.0" - }, { "depends_on": [ - "pkg:golang/github.com/kr/text@v0.2.0", - "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0" + "pkg:golang/github.com/google/go-cmp@v0.5.2" ], - "id": "pkg:golang/github.com/kr/pretty@v0.3.1", + "id": "pkg:golang/github.com/google/go-querystring@v1.1.0", "licenses": [], "locations": [ { 
@@ -138,150 +73,17 @@ } ], "matched": true, - "name": "github.com/kr/pretty", - "package_ref": "pkg:golang/github.com/kr/pretty@v0.3.1", - "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", - "scopes": [ - "development" - ], - "version": "v0.3.1" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/kr/text@v0.2.0", - "licenses": [], - "matched": true, - "name": "github.com/kr/text", - "package_ref": "pkg:golang/github.com/kr/text@v0.2.0", - "purl": "pkg:golang/github.com/kr/text@v0.2.0", - "scopes": [ - "development" - ], - "version": "v0.2.0" - }, - { - "depends_on": [ - "pkg:golang/github.com/mattn/go-isatty@v0.0.4" - ], - "id": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", - "licenses": [], - "matched": true, - "name": "github.com/mattn/go-colorable", - "package_ref": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", - "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", - "scopes": [ - "development", - "runtime" - ], - "version": "v0.0.9" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", - "licenses": [], - "matched": true, - "name": "github.com/mattn/go-isatty", - "package_ref": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", - "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", - "scopes": [ - "development", - "runtime" - ], - "version": "v0.0.4" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", - "licenses": [], - "matched": true, - "name": "github.com/mattn/go-runewidth", - "package_ref": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", - "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", - "scopes": [ - "runtime" - ], - "version": "v0.0.4" - }, - { - "depends_on": [ - "pkg:golang/github.com/mattn/go-runewidth@v0.0.4" - ], - "id": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", - "licenses": [], - "matched": true, - "name": "github.com/nsf/termbox-go", - "package_ref": 
"pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", - "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", - "scopes": [ - "runtime" - ], - "version": "v0.0.0-20181027232701-60ab7e3d12ed" - }, - { - "depends_on": [ - "pkg:golang/github.com/fatih/color@v1.7.0" - ], - "id": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", - "licenses": [], - "matched": true, - "name": "github.com/nwidger/jsoncolor", - "package_ref": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", - "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", - "scopes": [ - "runtime" - ], - "version": "v0.0.0-20170215171346-75a6de4340e5" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/pkg/errors@v0.8.0", - "licenses": [], - "matched": true, - "name": "github.com/pkg/errors", - "package_ref": "pkg:golang/github.com/pkg/errors@v0.8.0", - "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", + "name": "github.com/google/go-querystring", + "package_ref": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", "scopes": [ - "development", "runtime" ], - "version": "v0.8.0" - }, - { - "depends_on": [], - "id": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", - "licenses": [], - "matched": true, - "name": "github.com/pmezard/go-difflib", - "package_ref": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", - "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", - "scopes": [ - "development" - ], - "version": "v1.0.0" + "version": "v1.1.0" }, { "depends_on": [], - "id": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", - "licenses": [], - "matched": true, - "name": "github.com/rogpeppe/go-internal", - "package_ref": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", - "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", - "scopes": [ - "development" - ], - "version": "v1.9.0" - }, - { - 
"depends_on": [ - "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", - "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", - "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", - "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", - "pkg:golang/github.com/pkg/errors@v0.8.0", - "pkg:golang/github.com/stretchr/testify@v1.8.2" - ], - "id": "pkg:golang/github.com/simeji/jid@v0.7.6", + "id": "pkg:golang/github.com/google/uuid@v1.6.0", "licenses": [], "locations": [ { 
@@ -294,53 +96,13 @@ } ], "matched": true, - "name": "github.com/simeji/jid", - "package_ref": "pkg:golang/github.com/simeji/jid@v0.7.6", - "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", + "name": "github.com/google/uuid", + "package_ref": "pkg:golang/github.com/google/uuid@v1.6.0", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", "scopes": [ "runtime" ], - "version": "v0.7.6" - }, - { - "depends_on": [ - "pkg:golang/github.com/google/go-github@v17.0.0%2Bincompatible", - "pkg:golang/github.com/google/go-querystring@v1.0.0", - "pkg:golang/github.com/simeji/jid@v0.7.6", - "pkg:golang/golang.org/x/text@v0.3.5" - ], - "id": "pkg:golang/github.com/srcclr/example-go-modules", - "licenses": [], - "name": "github.com/srcclr/example-go-modules", - "package_ref": "pkg:golang/github.com/srcclr/example-go-modules", - "purl": "pkg:golang/github.com/srcclr/example-go-modules" - }, - { - "depends_on": [ - "pkg:golang/github.com/davecgh/go-spew@v1.1.1", - "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", - "pkg:golang/gopkg.in/yaml.v3@v3.0.1" - ], - "id": "pkg:golang/github.com/stretchr/testify@v1.8.2", - "licenses": [], - "locations": [ - { - "access_path": "go.mod", - "position": { - "file": "go.mod", - "line": 0 - }, - "real_path": "go.mod" - } - ], - "matched": true, - "name": "github.com/stretchr/testify", - "package_ref": "pkg:golang/github.com/stretchr/testify@v1.8.2", - "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", - "scopes": [ - "development" - ], - "version": "v1.8.2" + "version": "v1.6.0" }, { "depends_on": [], 
@@ -368,31 +130,16 @@ }, { "depends_on": [], - "id": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "id": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "licenses": [], "matched": true, - "name": "gopkg.in/check.v1", - "package_ref": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", - "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", + "name": "golang.org/x/xerrors", + "package_ref": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", "scopes": [ "development" ], - "version": "v0.0.0-20161208181325-20d25e280405" - }, - { - "depends_on": [ - "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405" - ], - "id": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", - "licenses": [], - "matched": true, - "name": "gopkg.in/yaml.v3", - "package_ref": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", - "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", - "scopes": [ - "development" - ], - "version": "v3.0.1" + "version": "v0.0.0-20191204190536-9bdfabe68543" } ], "detector": "go-detector", 
@@ -416,57 +163,26 @@ "reachability_enabled": true }, "packages": [ - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/bitly/go-simplejson", - "purl": "pkg:golang/github.com/bitly/go-simplejson@v0.5.0", - "version": "v0.5.0", - "vulnerabilities": [] - }, { "ecosystem": "go", "licenses": [], - "name": "github.com/bmizerany/assert", - "purl": "pkg:golang/github.com/bmizerany/assert@v0.0.0-20160611221934-b7ed37b82869", - "version": "v0.0.0-20160611221934-b7ed37b82869", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "github.com/davecgh/go-spew", - "purl": "pkg:golang/github.com/davecgh/go-spew@v1.1.1", - "version": "v1.1.1", + "name": "github.com/bomly/example-go-modules", + "purl": "pkg:golang/github.com/bomly/example-go-modules", "vulnerabilities": [] }, { "ecosystem": "go", "licenses": [ { - "spdxExpression": "MIT", + "spdxExpression": "BSD-3-Clause", "type": "external-depsdev", - "value": "MIT" + "value": "BSD-3-Clause" } ], "matched": true, - "name": "github.com/fatih/color", - "purl": "pkg:golang/github.com/fatih/color@v1.7.0", - "version": "v1.7.0", + "name": "github.com/google/go-cmp", + "purl": "pkg:golang/github.com/google/go-cmp@v0.5.2", + "version": "v0.5.2", "vulnerabilities": [] }, { 
@@ -488,143 +204,8 @@ ], "matched": true, "name": "github.com/google/go-querystring", - "purl": "pkg:golang/github.com/google/go-querystring@v1.0.0", - "version": "v1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/kr/pretty", - "purl": "pkg:golang/github.com/kr/pretty@v0.3.1", - "version": "v0.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/kr/text", - "purl": "pkg:golang/github.com/kr/text@v0.2.0", - "version": "v0.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/mattn/go-colorable", - "purl": "pkg:golang/github.com/mattn/go-colorable@v0.0.9", - "version": "v0.0.9", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/mattn/go-isatty", - "purl": "pkg:golang/github.com/mattn/go-isatty@v0.0.4", - "version": "v0.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/mattn/go-runewidth", - "purl": "pkg:golang/github.com/mattn/go-runewidth@v0.0.4", - "version": "v0.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/nsf/termbox-go", - "purl": "pkg:golang/github.com/nsf/termbox-go@v0.0.0-20181027232701-60ab7e3d12ed", - "version": "v0.0.0-20181027232701-60ab7e3d12ed", - 
"vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/nwidger/jsoncolor", - "purl": "pkg:golang/github.com/nwidger/jsoncolor@v0.0.0-20170215171346-75a6de4340e5", - "version": "v0.0.0-20170215171346-75a6de4340e5", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "BSD-2-Clause", - "type": "external-depsdev", - "value": "BSD-2-Clause" - } - ], - "matched": true, - "name": "github.com/pkg/errors", - "purl": "pkg:golang/github.com/pkg/errors@v0.8.0", - "version": "v0.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "github.com/pmezard/go-difflib", - "purl": "pkg:golang/github.com/pmezard/go-difflib@v1.0.0", - "version": "v1.0.0", + "purl": "pkg:golang/github.com/google/go-querystring@v1.1.0", + "version": "v1.1.0", "vulnerabilities": [] }, { 
@@ -637,46 +218,9 @@ } ], "matched": true, - "name": "github.com/rogpeppe/go-internal", - "purl": "pkg:golang/github.com/rogpeppe/go-internal@v1.9.0", - "version": "v1.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/simeji/jid", - "purl": "pkg:golang/github.com/simeji/jid@v0.7.6", - "version": "v0.7.6", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [], - "name": "github.com/srcclr/example-go-modules", - "purl": "pkg:golang/github.com/srcclr/example-go-modules", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "github.com/stretchr/testify", - "purl": "pkg:golang/github.com/stretchr/testify@v1.8.2", - "version": "v1.8.2", + "name": "github.com/google/uuid", + "purl": "pkg:golang/github.com/google/uuid@v1.6.0", + "version": "v1.6.0", "vulnerabilities": [] }, { @@ -718,9 +262,9 @@ "epss": [ { "cve": "CVE-2022-32149", - "date": "2026-06-14", - "epss": 0.00054, - "percentile": 0.17429 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -795,7 +339,7 @@ "url": "https://security.netapp.com/advisory/ntap-20230203-0006" } ], - "risk_score": 0.040499999999999994, + "risk_score": 1.071, "severity": "high", "severity_source": "github:language:go", "source": "grype", @@ -832,9 +376,9 @@ "epss": [ { "cve": "CVE-2021-38561", - "date": "2026-06-14", - "epss": 0.00053, - "percentile": 0.17071 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -904,7 +448,7 @@ "url": "https://pkg.go.dev/vuln/GO-2021-0113" } ], - "risk_score": 0.039749999999999994, + "risk_score": 1.017, "severity": "high", "severity_source": "github:language:go", "source": "grype", 
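Review bot: `risk_score` is still stored as a concrete value (`1.071` in the `@@ -795,7 +339,7 @@` hunk, `1.017` in `@@ -904,7 +448,7 @@`) in scan-go-reachability.golden.json, while the EPSS fields next to it are now normalised to `"\u003cnormalized\u003e"` and `0`. The removed pairs (epss 0.00054 with score 0.0405, epss 0.00053 with score 0.03975) suggest the score is derived from the live EPSS value, so the golden would presumably drift with each feed update. Each drift forces another bulk regeneration, and a real change in reported findings is easy to miss inside one. Normalise it in the smoke harness the same way as the inputs, e.g. `"risk_score": 0`, or compute it from the normalised EPSS values. The same applies to the `@@ -985,7 +529,7 @@` and `@@ -1065,7 +609,7 @@` hunks.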
@@ -943,9 +487,9 @@ "epss": [ { "cve": "CVE-2021-38561", - "date": "2026-06-14", - "epss": 0.00053, - "percentile": 0.17071 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -985,7 +529,7 @@ "url": "https://go.googlesource.com/text/+/383b2e75a7a4198c42f8f87833eefb772868a56f" } ], - "risk_score": 0.039749999999999994, + "risk_score": 1.017, "severity": "high", "severity_source": "govulndb:language:go", "source": "grype", @@ -1018,9 +562,9 @@ "epss": [ { "cve": "CVE-2022-32149", - "date": "2026-06-14", - "epss": 0.00054, - "percentile": 0.17429 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -1065,7 +609,7 @@ "url": "https://groups.google.com/g/golang-announce/c/-hjNw559_tE/m/KlGTfid5CAAJ" } ], - "risk_score": 0.040499999999999994, + "risk_score": 1.071, "severity": "high", "severity_source": "govulndb:language:go", "source": "grype", @@ -1077,35 +621,15 @@ "ecosystem": "go", "licenses": [ { - "spdxExpression": "BSD-2-Clause", - "type": "external-depsdev", - "value": "BSD-2-Clause" - } - ], - "matched": true, - "name": "gopkg.in/check.v1", - "purl": "pkg:golang/gopkg.in/check.v1@v0.0.0-20161208181325-20d25e280405", - "version": "v0.0.0-20161208181325-20d25e280405", - "vulnerabilities": [] - }, - { - "ecosystem": "go", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - }, - { - "spdxExpression": "Apache-2.0", + "spdxExpression": "BSD-3-Clause", "type": "external-depsdev", - "value": "Apache-2.0" + "value": "BSD-3-Clause" } ], "matched": true, - "name": "gopkg.in/yaml.v3", - "purl": "pkg:golang/gopkg.in/yaml.v3@v3.0.1", - "version": "v3.0.1", + "name": "golang.org/x/xerrors", + "purl": "pkg:golang/golang.org/x/xerrors@v0.0.0-20191204190536-9bdfabe68543", + "version": "v0.0.0-20191204190536-9bdfabe68543", "vulnerabilities": [] } ], 
@@ -1114,7 +638,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "gomod", "path": "\u003cnormalized\u003e", - "target_ref": "555ebe70813318ce80f46e3c4fc6623012e0317d", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-java-maven-reachability.golden.json b/test/smoke/testdata/golden/scan-java-maven-reachability.golden.json index 15d0ad32..735efa52 100644 --- a/test/smoke/testdata/golden/scan-java-maven-reachability.golden.json +++ b/test/smoke/testdata/golden/scan-java-maven-reachability.golden.json 
@@ -3,47 +3,32 @@ "manifests": [ { "dependencies": [ - { - "depends_on": [], - "id": "pkg:maven/aopalliance/aopalliance@1.0", - "licenses": [], - "matched": true, - "name": "aopalliance:aopalliance", - "package_ref": "pkg:maven/aopalliance/aopalliance@1.0", - "purl": "pkg:maven/aopalliance/aopalliance@1.0", - "scopes": [ - "runtime" - ], - "version": "1.0" - }, { "depends_on": [ - "pkg:maven/log4j/log4j@1.2.15", - "pkg:maven/org.slf4j/slf4j-api@1.6.1" - ], - "id": "pkg:maven/com.101tec/zkclient@0.7", - "licenses": [], - "matched": true, - "name": "com.101tec:zkclient", - "package_ref": "pkg:maven/com.101tec/zkclient@0.7", - "purl": "pkg:maven/com.101tec/zkclient@0.7", - "scopes": [ - "runtime" + "pkg:maven/com.h2database/h2@1.3.176", + "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", + "pkg:maven/junit/junit@4.12", + "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", + "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", + "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", + "pkg:maven/org.apache.struts/struts2-core@2.5.13", + "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final", + "pkg:maven/org.mindrot/jbcrypt@0.4", + "pkg:maven/org.neo4j/neo4j-jmx@1.3", + "pkg:maven/org.springframework/spring-web@3.1.1.RELEASE" ], - "version": "0.7" - }, - { - "depends_on": [], - "id": "pkg:maven/com.googlecode.concurrentlinkedhashmap/concurrentlinkedhashmap-lru@1.4.1", + "id": "pkg:maven/com.bomly/example-java-maven@1.0-SNAPSHOT", "licenses": [], - "matched": true, - "name": "com.googlecode.concurrentlinkedhashmap:concurrentlinkedhashmap-lru", - "package_ref": "pkg:maven/com.googlecode.concurrentlinkedhashmap/concurrentlinkedhashmap-lru@1.4.1", - "purl": "pkg:maven/com.googlecode.concurrentlinkedhashmap/concurrentlinkedhashmap-lru@1.4.1", - "scopes": [ - "runtime" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "version": "1.4.1" + "name": "com.bomly:example-java-maven", + "package_ref": 
"pkg:maven/com.bomly/example-java-maven@1.0-SNAPSHOT", + "purl": "pkg:maven/com.bomly/example-java-maven@1.0-SNAPSHOT", + "version": "1.0-snapshot" }, { "depends_on": [], 
@@ -51,983 +36,180 @@ "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "com.h2database:h2", "package_ref": "pkg:maven/com.h2database/h2@1.3.176", "purl": "pkg:maven/com.h2database/h2@1.3.176", - "scopes": [ - "runtime" - ], "version": "1.3.176" }, { - "depends_on": [ - "pkg:maven/com.orientechnologies/orientdb-enterprise@2.1.9" - ], - "id": "pkg:maven/com.orientechnologies/orientdb-client@2.1.9", - "licenses": [], - "matched": true, - "name": "com.orientechnologies:orientdb-client", - "package_ref": "pkg:maven/com.orientechnologies/orientdb-client@2.1.9", - "purl": "pkg:maven/com.orientechnologies/orientdb-client@2.1.9", - "scopes": [ - "runtime" - ], - "version": "2.1.9" - }, - { - "depends_on": [ - "pkg:maven/com.googlecode.concurrentlinkedhashmap/concurrentlinkedhashmap-lru@1.4.1", - "pkg:maven/net.java.dev.jna/jna-platform@4.0.0", - "pkg:maven/net.java.dev.jna/jna@4.0.0" - ], - "id": "pkg:maven/com.orientechnologies/orientdb-core@2.1.9", - "licenses": [], - "matched": true, - "name": "com.orientechnologies:orientdb-core", - "package_ref": "pkg:maven/com.orientechnologies/orientdb-core@2.1.9", - "purl": "pkg:maven/com.orientechnologies/orientdb-core@2.1.9", - "scopes": [ - "runtime" - ], - "version": "2.1.9" - }, - { - "depends_on": [ - "pkg:maven/com.orientechnologies/orientdb-core@2.1.9" - ], - "id": "pkg:maven/com.orientechnologies/orientdb-enterprise@2.1.9", - "licenses": [], - "matched": true, - "name": "com.orientechnologies:orientdb-enterprise", - "package_ref": "pkg:maven/com.orientechnologies/orientdb-enterprise@2.1.9", - "purl": "pkg:maven/com.orientechnologies/orientdb-enterprise@2.1.9", - "scopes": [ - "runtime" - ], - "version": "2.1.9" - }, - { - "depends_on": [ - "pkg:maven/com.orientechnologies/orientdb-client@2.1.9", - "pkg:maven/javax.mail/mail@1.4" - ], + "depends_on": 
[], "id": "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "com.orientechnologies:orientdb-server", "package_ref": "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", "purl": "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", - "scopes": [ - "runtime" - ], "version": "2.1.9" }, - { - "depends_on": [ - "pkg:maven/com.h2database/h2@1.3.176", - "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", - "pkg:maven/junit/junit@4.12", - "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", - "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", - "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", - "pkg:maven/org.apache.struts/struts2-core@2.5.12", - "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.final", - "pkg:maven/org.mindrot/jbcrypt@0.3m", - "pkg:maven/org.neo4j/neo4j-jmx@1.3", - "pkg:maven/org.springframework/spring-web@3.1.1.release" - ], - "id": "pkg:maven/com.srcclr/example-java-maven@1.0-snapshot", - "licenses": [], - "name": "com.srcclr:example-java-maven", - "package_ref": "pkg:maven/com.srcclr/example-java-maven@1.0-snapshot", - "purl": "pkg:maven/com.srcclr/example-java-maven@1.0-snapshot", - "version": "1.0-snapshot" - }, - { - "depends_on": [], - "id": "pkg:maven/com.yammer.metrics/metrics-core@2.2.0", - "licenses": [], - "matched": true, - "name": "com.yammer.metrics:metrics-core", - "package_ref": "pkg:maven/com.yammer.metrics/metrics-core@2.2.0", - "purl": "pkg:maven/com.yammer.metrics/metrics-core@2.2.0", - "scopes": [ - "runtime" - ], - "version": "2.2.0" - }, - { - "depends_on": [], - "id": "pkg:maven/commons-collections/commons-collections@3.2.1", - "licenses": [], - "matched": true, - "name": "commons-collections:commons-collections", - "package_ref": 
"pkg:maven/commons-collections/commons-collections@3.2.1", - "purl": "pkg:maven/commons-collections/commons-collections@3.2.1", - "scopes": [ - "runtime" - ], - "version": "3.2.1" - }, - { - "depends_on": [], - "id": "pkg:maven/commons-fileupload/commons-fileupload@1.3.3", - "licenses": [], - "matched": true, - "name": "commons-fileupload:commons-fileupload", - "package_ref": "pkg:maven/commons-fileupload/commons-fileupload@1.3.3", - "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3.3", - "scopes": [ - "runtime" - ], - "version": "1.3.3" - }, - { - "depends_on": [], - "id": "pkg:maven/commons-io/commons-io@2.4", - "licenses": [], - "matched": true, - "name": "commons-io:commons-io", - "package_ref": "pkg:maven/commons-io/commons-io@2.4", - "purl": "pkg:maven/commons-io/commons-io@2.4", - "scopes": [ - "runtime" - ], - "version": "2.4" - }, - { - "depends_on": [], - "id": "pkg:maven/commons-logging/commons-logging@1.1.1", - "licenses": [], - "matched": true, - "name": "commons-logging:commons-logging", - "package_ref": "pkg:maven/commons-logging/commons-logging@1.1.1", - "purl": "pkg:maven/commons-logging/commons-logging@1.1.1", - "scopes": [ - "runtime" - ], - "version": "1.1.1" - }, { "depends_on": [], - "id": "pkg:maven/io.netty/netty@3.7.0.final", - "licenses": [], - "matched": true, - "name": "io.netty:netty", - "package_ref": "pkg:maven/io.netty/netty@3.7.0.final", - "purl": "pkg:maven/io.netty/netty@3.7.0.final", - "scopes": [ - "runtime" - ], - "version": "3.7.0.final" - }, - { - "depends_on": [], - "id": "pkg:maven/javax.activation/activation@1.1", - "licenses": [], - "matched": true, - "name": "javax.activation:activation", - "package_ref": "pkg:maven/javax.activation/activation@1.1", - "purl": "pkg:maven/javax.activation/activation@1.1", - "scopes": [ - "runtime" - ], - "version": "1.1" - }, - { - "depends_on": [], - "id": "pkg:maven/javax.jcr/jcr@1.0", - "licenses": [], - "matched": true, - "name": "javax.jcr:jcr", - "package_ref": 
"pkg:maven/javax.jcr/jcr@1.0", - "purl": "pkg:maven/javax.jcr/jcr@1.0", - "scopes": [ - "runtime" - ], - "version": "1.0" - }, - { - "depends_on": [ - "pkg:maven/javax.activation/activation@1.1" - ], - "id": "pkg:maven/javax.mail/mail@1.4", - "licenses": [], - "matched": true, - "name": "javax.mail:mail", - "package_ref": "pkg:maven/javax.mail/mail@1.4", - "purl": "pkg:maven/javax.mail/mail@1.4", - "scopes": [ - "runtime" - ], - "version": "1.4" - }, - { - "depends_on": [], - "id": "pkg:maven/jline/jline@0.9.94", - "licenses": [], - "matched": true, - "name": "jline:jline", - "package_ref": "pkg:maven/jline/jline@0.9.94", - "purl": "pkg:maven/jline/jline@0.9.94", - "scopes": [ - "runtime" - ], - "version": "0.9.94" - }, - { - "depends_on": [ - "pkg:maven/org.hamcrest/hamcrest-core@1.3" - ], "id": "pkg:maven/junit/junit@4.12", "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "junit:junit", "package_ref": "pkg:maven/junit/junit@4.12", "purl": "pkg:maven/junit/junit@4.12", - "scopes": [ - "development" - ], "version": "4.12" }, { "depends_on": [], - "id": "pkg:maven/log4j/log4j@1.2.15", - "licenses": [], - "matched": true, - "name": "log4j:log4j", - "package_ref": "pkg:maven/log4j/log4j@1.2.15", - "purl": "pkg:maven/log4j/log4j@1.2.15", - "scopes": [ - "runtime" - ], - "version": "1.2.15" - }, - { - "depends_on": [ - "pkg:maven/org.jrobin/jrobin@1.5.9" - ], "id": "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "net.bull.javamelody:javamelody-core", "package_ref": "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", "purl": 
"pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", - "scopes": [ - "runtime" - ], "version": "1.59.0" }, { "depends_on": [], - "id": "pkg:maven/net.java.dev.jna/jna-platform@4.0.0", - "licenses": [], - "matched": true, - "name": "net.java.dev.jna:jna-platform", - "package_ref": "pkg:maven/net.java.dev.jna/jna-platform@4.0.0", - "purl": "pkg:maven/net.java.dev.jna/jna-platform@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:maven/net.java.dev.jna/jna@4.0.0", - "licenses": [], - "matched": true, - "name": "net.java.dev.jna:jna", - "package_ref": "pkg:maven/net.java.dev.jna/jna@4.0.0", - "purl": "pkg:maven/net.java.dev.jna/jna@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:maven/net.jpountz.lz4/lz4@1.2.0", - "licenses": [], - "matched": true, - "name": "net.jpountz.lz4:lz4", - "package_ref": "pkg:maven/net.jpountz.lz4/lz4@1.2.0", - "purl": "pkg:maven/net.jpountz.lz4/lz4@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:maven/net.sf.jopt-simple/jopt-simple@3.2", - "licenses": [], - "matched": true, - "name": "net.sf.jopt-simple:jopt-simple", - "package_ref": "pkg:maven/net.sf.jopt-simple/jopt-simple@3.2", - "purl": "pkg:maven/net.sf.jopt-simple/jopt-simple@3.2", - "scopes": [ - "runtime" - ], - "version": "3.2" - }, - { - "depends_on": [ - "pkg:maven/org.javassist/javassist@3.20.0-ga" - ], - "id": "pkg:maven/ognl/ognl@3.1.12", - "licenses": [], - "matched": true, - "name": "ognl:ognl", - "package_ref": "pkg:maven/ognl/ognl@3.1.12", - "purl": "pkg:maven/ognl/ognl@3.1.12", - "scopes": [ - "runtime" - ], - "version": "3.1.12" - }, - { - "depends_on": [], - "id": "pkg:maven/org.apache.commons/commons-lang3@3.6", - "licenses": [], - "matched": true, - "name": "org.apache.commons:commons-lang3", - "package_ref": "pkg:maven/org.apache.commons/commons-lang3@3.6", - "purl": 
"pkg:maven/org.apache.commons/commons-lang3@3.6", - "scopes": [ - "runtime" - ], - "version": "3.6" - }, - { - "depends_on": [], - "id": "pkg:maven/org.apache.jackrabbit/jackrabbit-api@1.4", - "licenses": [], - "matched": true, - "name": "org.apache.jackrabbit:jackrabbit-api", - "package_ref": "pkg:maven/org.apache.jackrabbit/jackrabbit-api@1.4", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-api@1.4", - "scopes": [ - "runtime" - ], - "version": "1.4" - }, - { - "depends_on": [ - "pkg:maven/org.apache.jackrabbit/jackrabbit-api@1.4", - "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@1.4" - ], - "id": "pkg:maven/org.apache.jackrabbit/jackrabbit-classloader@1.4", - "licenses": [], - "matched": true, - "name": "org.apache.jackrabbit:jackrabbit-classloader", - "package_ref": "pkg:maven/org.apache.jackrabbit/jackrabbit-classloader@1.4", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-classloader@1.4", - "scopes": [ - "runtime" - ], - "version": "1.4" - }, - { - "depends_on": [], - "id": "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@1.4", - "licenses": [], - "matched": true, - "name": "org.apache.jackrabbit:jackrabbit-jcr-commons", - "package_ref": "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@1.4", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@1.4", - "scopes": [ - "runtime" - ], - "version": "1.4" - }, - { - "depends_on": [ - "pkg:maven/net.jpountz.lz4/lz4@1.2.0", - "pkg:maven/org.xerial.snappy/snappy-java@1.1.1.7" - ], - "id": "pkg:maven/org.apache.kafka/kafka-clients@0.9.0.1", - "licenses": [], - "matched": true, - "name": "org.apache.kafka:kafka-clients", - "package_ref": "pkg:maven/org.apache.kafka/kafka-clients@0.9.0.1", - "purl": "pkg:maven/org.apache.kafka/kafka-clients@0.9.0.1", - "scopes": [ - "runtime" - ], - "version": "0.9.0.1" - }, - { - "depends_on": [ - "pkg:maven/com.101tec/zkclient@0.7", - "pkg:maven/com.yammer.metrics/metrics-core@2.2.0", - "pkg:maven/net.sf.jopt-simple/jopt-simple@3.2", - 
"pkg:maven/org.apache.kafka/kafka-clients@0.9.0.1", - "pkg:maven/org.apache.zookeeper/zookeeper@3.4.6", - "pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4", - "pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.4", - "pkg:maven/org.scala-lang/scala-library@2.11.7", - "pkg:maven/org.slf4j/slf4j-log4j12@1.7.6" - ], "id": "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "org.apache.kafka:kafka_2.11", "package_ref": "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", "purl": "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", - "scopes": [ - "runtime" - ], "version": "0.9.0.1" }, { "depends_on": [], - "id": "pkg:maven/org.apache.logging.log4j/log4j-api@2.8.2", + "id": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", "licenses": [], - "matched": true, - "name": "org.apache.logging.log4j:log4j-api", - "package_ref": "pkg:maven/org.apache.logging.log4j/log4j-api@2.8.2", - "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.8.2", - "scopes": [ - "runtime" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "version": "2.8.2" + "matched": true, + "name": "org.apache.sling:org.apache.sling.engine", + "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", + "purl": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", + "version": "2.0.4-incubator" }, { "depends_on": [], - "id": "pkg:maven/org.apache.santuario/xmlsec@1.5.1", + "id": "pkg:maven/org.apache.struts/struts2-core@2.5.13", "licenses": [], - "matched": true, - "name": "org.apache.santuario:xmlsec", - "package_ref": "pkg:maven/org.apache.santuario/xmlsec@1.5.1", - "purl": "pkg:maven/org.apache.santuario/xmlsec@1.5.1", - "scopes": [ - "runtime" - ], - "version": "1.5.1" - }, - { - 
"depends_on": [ - "pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.0.2-incubator" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "id": "pkg:maven/org.apache.sling/org.apache.sling.adapter@2.0.2-incubator", - "licenses": [], "matched": true, - "name": "org.apache.sling:org.apache.sling.adapter", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.adapter@2.0.2-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.adapter@2.0.2-incubator", - "scopes": [ - "runtime" - ], - "version": "2.0.2-incubator" + "name": "org.apache.struts:struts2-core", + "package_ref": "pkg:maven/org.apache.struts/struts2-core@2.5.13", + "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.13", + "version": "2.5.13" }, { "depends_on": [], - "id": "pkg:maven/org.apache.sling/org.apache.sling.api@2.0.4-incubator", + "id": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final", "licenses": [], - "matched": true, - "name": "org.apache.sling:org.apache.sling.api", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.api@2.0.4-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.api@2.0.4-incubator", - "scopes": [ - "runtime" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "version": "2.0.4-incubator" + "matched": true, + "name": "org.keycloak:keycloak-saml-core", + "package_ref": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final", + "purl": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final", + "version": "1.8.1.final" }, { "depends_on": [], - "id": "pkg:maven/org.apache.sling/org.apache.sling.commons.mime@2.0.2-incubator", + "id": "pkg:maven/org.mindrot/jbcrypt@0.4", "licenses": [], - "matched": true, - "name": "org.apache.sling:org.apache.sling.commons.mime", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.commons.mime@2.0.2-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.commons.mime@2.0.2-incubator", - "scopes": [ - 
"runtime" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "version": "2.0.2-incubator" + "matched": true, + "name": "org.mindrot:jbcrypt", + "package_ref": "pkg:maven/org.mindrot/jbcrypt@0.4", + "purl": "pkg:maven/org.mindrot/jbcrypt@0.4", + "version": "0.4" }, { "depends_on": [], - "id": "pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.0.2-incubator", + "id": "pkg:maven/org.neo4j/neo4j-jmx@1.3", "licenses": [], - "matched": true, - "name": "org.apache.sling:org.apache.sling.commons.osgi", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.0.2-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.0.2-incubator", - "scopes": [ - "runtime" + "locations": [ + { + "access_path": "/pom.xml", + "real_path": "/pom.xml" + } ], - "version": "2.0.2-incubator" + "matched": true, + "name": "org.neo4j:neo4j-jmx", + "package_ref": "pkg:maven/org.neo4j/neo4j-jmx@1.3", + "purl": "pkg:maven/org.neo4j/neo4j-jmx@1.3", + "version": "1.3" }, { - "depends_on": [ - "pkg:maven/commons-collections/commons-collections@3.2.1", - "pkg:maven/org.apache.sling/org.apache.sling.api@2.0.4-incubator", - "pkg:maven/org.apache.sling/org.apache.sling.commons.mime@2.0.2-incubator", - "pkg:maven/org.apache.sling/org.apache.sling.jcr.api@2.0.2-incubator", - "pkg:maven/org.apache.sling/org.apache.sling.jcr.resource@2.0.2-incubator" - ], - "id": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", + "depends_on": [], + "id": "pkg:maven/org.springframework/spring-web@3.1.1.RELEASE", "licenses": [], "locations": [ { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" - } - ], - "matched": true, - "name": "org.apache.sling:org.apache.sling.engine", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", - "scopes": [ - "runtime" 
- ], - "version": "2.0.4-incubator" - }, - { - "depends_on": [ - "pkg:maven/javax.jcr/jcr@1.0" - ], - "id": "pkg:maven/org.apache.sling/org.apache.sling.jcr.api@2.0.2-incubator", - "licenses": [], - "matched": true, - "name": "org.apache.sling:org.apache.sling.jcr.api", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.jcr.api@2.0.2-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.jcr.api@2.0.2-incubator", - "scopes": [ - "runtime" - ], - "version": "2.0.2-incubator" - }, - { - "depends_on": [ - "pkg:maven/org.apache.jackrabbit/jackrabbit-classloader@1.4", - "pkg:maven/org.apache.sling/org.apache.sling.adapter@2.0.2-incubator" - ], - "id": "pkg:maven/org.apache.sling/org.apache.sling.jcr.resource@2.0.2-incubator", - "licenses": [], - "matched": true, - "name": "org.apache.sling:org.apache.sling.jcr.resource", - "package_ref": "pkg:maven/org.apache.sling/org.apache.sling.jcr.resource@2.0.2-incubator", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.jcr.resource@2.0.2-incubator", - "scopes": [ - "runtime" - ], - "version": "2.0.2-incubator" - }, - { - "depends_on": [ - "pkg:maven/commons-fileupload/commons-fileupload@1.3.3", - "pkg:maven/commons-io/commons-io@2.4", - "pkg:maven/ognl/ognl@3.1.12", - "pkg:maven/org.apache.commons/commons-lang3@3.6", - "pkg:maven/org.apache.logging.log4j/log4j-api@2.8.2", - "pkg:maven/org.freemarker/freemarker@2.3.23" - ], - "id": "pkg:maven/org.apache.struts/struts2-core@2.5.12", - "licenses": [], - "locations": [ - { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" - } - ], - "matched": true, - "name": "org.apache.struts:struts2-core", - "package_ref": "pkg:maven/org.apache.struts/struts2-core@2.5.12", - "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.12", - "scopes": [ - "runtime" - ], - "version": "2.5.12" - }, - { - "depends_on": [ - "pkg:maven/io.netty/netty@3.7.0.final", - "pkg:maven/jline/jline@0.9.94" - ], - "id": 
"pkg:maven/org.apache.zookeeper/zookeeper@3.4.6", - "licenses": [], - "matched": true, - "name": "org.apache.zookeeper:zookeeper", - "package_ref": "pkg:maven/org.apache.zookeeper/zookeeper@3.4.6", - "purl": "pkg:maven/org.apache.zookeeper/zookeeper@3.4.6", - "scopes": [ - "runtime" - ], - "version": "3.4.6" - }, - { - "depends_on": [], - "id": "pkg:maven/org.freemarker/freemarker@2.3.23", - "licenses": [], - "matched": true, - "name": "org.freemarker:freemarker", - "package_ref": "pkg:maven/org.freemarker/freemarker@2.3.23", - "purl": "pkg:maven/org.freemarker/freemarker@2.3.23", - "scopes": [ - "runtime" - ], - "version": "2.3.23" - }, - { - "depends_on": [], - "id": "pkg:maven/org.hamcrest/hamcrest-core@1.3", - "licenses": [], - "matched": true, - "name": "org.hamcrest:hamcrest-core", - "package_ref": "pkg:maven/org.hamcrest/hamcrest-core@1.3", - "purl": "pkg:maven/org.hamcrest/hamcrest-core@1.3", - "scopes": [ - "development" - ], - "version": "1.3" - }, - { - "depends_on": [], - "id": "pkg:maven/org.javassist/javassist@3.20.0-ga", - "licenses": [], - "name": "org.javassist:javassist", - "package_ref": "pkg:maven/org.javassist/javassist@3.20.0-ga", - "purl": "pkg:maven/org.javassist/javassist@3.20.0-ga", - "scopes": [ - "runtime" - ], - "version": "3.20.0-ga" - }, - { - "depends_on": [], - "id": "pkg:maven/org.jrobin/jrobin@1.5.9", - "licenses": [], - "matched": true, - "name": "org.jrobin:jrobin", - "package_ref": "pkg:maven/org.jrobin/jrobin@1.5.9", - "purl": "pkg:maven/org.jrobin/jrobin@1.5.9", - "scopes": [ - "runtime" - ], - "version": "1.5.9" - }, - { - "depends_on": [ - "pkg:maven/org.apache.santuario/xmlsec@1.5.1" - ], - "id": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.final", - "licenses": [], - "locations": [ - { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" - } - ], - "matched": true, - "name": "org.keycloak:keycloak-saml-core", - "package_ref": 
"pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.final", - "purl": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.final", - "scopes": [ - "runtime" - ], - "version": "1.8.1.final" - }, - { - "depends_on": [], - "id": "pkg:maven/org.mindrot/jbcrypt@0.3m", - "licenses": [], - "locations": [ - { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" - } - ], - "matched": true, - "name": "org.mindrot:jbcrypt", - "package_ref": "pkg:maven/org.mindrot/jbcrypt@0.3m", - "purl": "pkg:maven/org.mindrot/jbcrypt@0.3m", - "scopes": [ - "runtime" - ], - "version": "0.3m" - }, - { - "depends_on": [], - "id": "pkg:maven/org.neo4j/neo4j-jmx@1.3", - "licenses": [], - "locations": [ - { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" - } - ], - "matched": true, - "name": "org.neo4j:neo4j-jmx", - "package_ref": "pkg:maven/org.neo4j/neo4j-jmx@1.3", - "purl": "pkg:maven/org.neo4j/neo4j-jmx@1.3", - "scopes": [ - "runtime" - ], - "version": "1.3" - }, - { - "depends_on": [], - "id": "pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4", - "licenses": [], - "matched": true, - "name": "org.scala-lang.modules:scala-parser-combinators_2.11", - "package_ref": "pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4", - "purl": "pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4", - "scopes": [ - "runtime" - ], - "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.4", - "licenses": [], - "matched": true, - "name": "org.scala-lang.modules:scala-xml_2.11", - "package_ref": "pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.4", - "purl": "pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.4", - "scopes": [ - "runtime" - ], - "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:maven/org.scala-lang/scala-library@2.11.7", - "licenses": [], - "matched": true, - "name": 
"org.scala-lang:scala-library", - "package_ref": "pkg:maven/org.scala-lang/scala-library@2.11.7", - "purl": "pkg:maven/org.scala-lang/scala-library@2.11.7", - "scopes": [ - "runtime" - ], - "version": "2.11.7" - }, - { - "depends_on": [], - "id": "pkg:maven/org.slf4j/slf4j-api@1.6.1", - "licenses": [], - "matched": true, - "name": "org.slf4j:slf4j-api", - "package_ref": "pkg:maven/org.slf4j/slf4j-api@1.6.1", - "purl": "pkg:maven/org.slf4j/slf4j-api@1.6.1", - "scopes": [ - "runtime" - ], - "version": "1.6.1" - }, - { - "depends_on": [], - "id": "pkg:maven/org.slf4j/slf4j-log4j12@1.7.6", - "licenses": [], - "matched": true, - "name": "org.slf4j:slf4j-log4j12", - "package_ref": "pkg:maven/org.slf4j/slf4j-log4j12@1.7.6", - "purl": "pkg:maven/org.slf4j/slf4j-log4j12@1.7.6", - "scopes": [ - "runtime" - ], - "version": "1.7.6" - }, - { - "depends_on": [], - "id": "pkg:maven/org.springframework/spring-aop@3.1.1.release", - "licenses": [], - "name": "org.springframework:spring-aop", - "package_ref": "pkg:maven/org.springframework/spring-aop@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-aop@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [], - "id": "pkg:maven/org.springframework/spring-asm@3.1.1.release", - "licenses": [], - "name": "org.springframework:spring-asm", - "package_ref": "pkg:maven/org.springframework/spring-asm@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-asm@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [], - "id": "pkg:maven/org.springframework/spring-beans@3.1.1.release", - "licenses": [], - "matched": true, - "name": "org.springframework:spring-beans", - "package_ref": "pkg:maven/org.springframework/spring-beans@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-beans@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [ - 
"pkg:maven/org.springframework/spring-aop@3.1.1.release", - "pkg:maven/org.springframework/spring-asm@3.1.1.release", - "pkg:maven/org.springframework/spring-expression@3.1.1.release" - ], - "id": "pkg:maven/org.springframework/spring-context@3.1.1.release", - "licenses": [], - "matched": true, - "name": "org.springframework:spring-context", - "package_ref": "pkg:maven/org.springframework/spring-context@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-context@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [ - "pkg:maven/commons-logging/commons-logging@1.1.1" - ], - "id": "pkg:maven/org.springframework/spring-core@3.1.1.release", - "licenses": [], - "matched": true, - "name": "org.springframework:spring-core", - "package_ref": "pkg:maven/org.springframework/spring-core@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-core@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [], - "id": "pkg:maven/org.springframework/spring-expression@3.1.1.release", - "licenses": [], - "matched": true, - "name": "org.springframework:spring-expression", - "package_ref": "pkg:maven/org.springframework/spring-expression@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-expression@3.1.1.release", - "scopes": [ - "runtime" - ], - "version": "3.1.1.release" - }, - { - "depends_on": [ - "pkg:maven/aopalliance/aopalliance@1.0", - "pkg:maven/org.springframework/spring-beans@3.1.1.release", - "pkg:maven/org.springframework/spring-context@3.1.1.release", - "pkg:maven/org.springframework/spring-core@3.1.1.release" - ], - "id": "pkg:maven/org.springframework/spring-web@3.1.1.release", - "licenses": [], - "locations": [ - { - "access_path": "pom.xml", - "position": { - "file": "pom.xml", - "line": 0 - }, - "real_path": "pom.xml" + "access_path": "/pom.xml", + "real_path": "/pom.xml" } ], "matched": true, "name": "org.springframework:spring-web", - 
"package_ref": "pkg:maven/org.springframework/spring-web@3.1.1.release", - "purl": "pkg:maven/org.springframework/spring-web@3.1.1.release", - "scopes": [ - "runtime" - ], + "package_ref": "pkg:maven/org.springframework/spring-web@3.1.1.RELEASE", + "purl": "pkg:maven/org.springframework/spring-web@3.1.1.RELEASE", "version": "3.1.1.release" - }, - { - "depends_on": [], - "id": "pkg:maven/org.xerial.snappy/snappy-java@1.1.1.7", - "licenses": [], - "matched": true, - "name": "org.xerial.snappy:snappy-java", - "package_ref": "pkg:maven/org.xerial.snappy/snappy-java@1.1.1.7", - "purl": "pkg:maven/org.xerial.snappy/snappy-java@1.1.1.7", - "scopes": [ - "runtime" - ], - "version": "1.1.1.7" } ], - "detector": "maven-detector", + "detector": "syft-detector", "ecosystem": "maven", - "kind": "pom.xml", + "kind": "maven", "package_manager": "maven", "path": "pom.xml", "subproject": "." @@ -1039,8 +221,8 @@ ], "analyzer_stats": { "jvmreach": { - "reachable": 33, - "unreachable": 65 + "reachable": 10, + "unreachable": 26 } }, "duration_ms": 0, 
@@ -1049,47 +231,10 @@ "packages": [ { "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "aopalliance", - "purl": "pkg:maven/aopalliance/aopalliance@1.0", - "version": "1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "zkclient", - "purl": "pkg:maven/com.101tec/zkclient@0.7", - "version": "0.7", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "concurrentlinkedhashmap-lru", - "purl": "pkg:maven/com.googlecode.concurrentlinkedhashmap/concurrentlinkedhashmap-lru@1.4.1", - "version": "1.4.1", + "licenses": [], + "name": "example-java-maven", + "purl": "pkg:maven/com.bomly/example-java-maven@1.0-SNAPSHOT", + "version": "1.0-snapshot", "vulnerabilities": [] }, { @@ -1137,9 +282,9 @@ "epss": [ { "cve": "CVE-2022-23221", - "date": "2026-06-14", - "epss": 0.26568, - "percentile": 0.96468 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -1230,7 +375,7 @@ "url": "https://security.netapp.com/advisory/ntap-20230818-0011/" } ], - "risk_score": 24.973920000000007, + "risk_score": 60.88004, "severity": "critical", "severity_source": "github:language:java", "source": "grype", @@ -1267,9 +412,9 @@ "epss": [ { "cve": "CVE-2021-42392", - "date": "2026-06-14", - "epss": 0.89418, - "percentile": 0.99568 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ 
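Review bot: The `example-java-maven` entry added in the first hunk on this line has `"version": "1.0-snapshot"` while its `purl` ends in `@1.0-SNAPSHOT`, so two fields of the same record disagree on case. The manifest hunk above shows the same split for `1.8.1.Final` / `1.8.1.final` and `3.1.1.RELEASE` / `3.1.1.release`. A consumer that joins findings on `version`, or rebuilds a purl from `name` and `version`, would presumably get a different identifier than the one in `purl`. I would keep the original case in the version field, `"version": "1.0-SNAPSHOT"`, and make that change in the producer rather than by editing the golden.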
@@ -1350,7 +495,7 @@ "url": "https://www.secpod.com/blog/log4shell-critical-remote-code-execution-vulnerability-in-h2database-console/" } ], - "risk_score": 84.05292, + "risk_score": 59.41834, "severity": "critical", "severity_source": "github:language:java", "source": "grype", @@ -1368,8 +513,8 @@ } ], "matched": true, - "name": "orientdb-client", - "purl": "pkg:maven/com.orientechnologies/orientdb-client@2.1.9", + "name": "orientdb-server", + "purl": "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", "version": "2.1.9", "vulnerabilities": [] }, 
@@ -1377,10669 +522,293 @@ "ecosystem": "maven", "licenses": [ { - "spdxExpression": "Apache-2.0", + "spdxExpression": "non-standard", "type": "external-depsdev", - "value": "Apache-2.0" + "value": "non-standard" } ], "matched": true, - "name": "orientdb-core", - "purl": "pkg:maven/com.orientechnologies/orientdb-core@2.1.9", - "version": "2.1.9", + "name": "junit", + "purl": "pkg:maven/junit/junit@4.12", + "version": "4.12", "vulnerabilities": [ { - "affected_version_range": "\u003c2.2.23 (unknown)", + "affected_version_range": "\u003e=4.7,\u003c4.13.1 (unknown)", "aliases": [ - "CVE-2017-11467" + "CVE-2020-15250" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.0" + "score": 4.4, + "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2017-11467", - "id": "CWE-269", + "cve": "CVE-2020-15250", + "id": "CWE-200", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2020-15250", + "id": "CWE-732", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-xm6r-4466-mr74", - "description": "OrientDB vulnerable to Improper Privilage Management leading to arbitrary command injection", + "data_source": "https://github.com/advisories/GHSA-269g-pwp5-87pp", + "description": "TemporaryFolder on unix-like systems does not limit access to created files", "epss": [ { - "cve": "CVE-2017-11467", - "date": "2026-06-14", - "epss": 0.76315, - "percentile": 0.98959 + "cve": "CVE-2020-15250", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-07-28", + "date": "2020-10-13", "kind": "first-observed", - "version": "2.2.23" + "version": "4.13.1" } ], "fix_state": "fixed", - "fixed_in": "2.2.23", + "fixed_in": "4.13.1", "fixed_versions": [ - "2.2.23" + "4.13.1" ], - "id": "GHSA-xm6r-4466-mr74", + "id": "GHSA-269g-pwp5-87pp", "namespace": 
"github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", + "confidence": "low", "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-11467", - "Fix available: upgrade to 2.2.23", - "Fix state: fixed", - "https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017", - "https://nvd.nist.gov/vuln/detail/CVE-2017-11467", - "https://web.archive.org/web/20210403135751/http://www.heavensec.org/?p=1703" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xm6r-4466-mr74" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11467" - }, - { - "type": "advisory", - "url": "https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#2223---july-11-2017" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20210403135751/http://www.heavensec.org/?p=1703" - } - ], - "risk_score": 71.73610000000001, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "OrientDB vulnerable to Improper Privilage Management leading to arbitrary command injection" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "orientdb-enterprise", - "purl": "pkg:maven/com.orientechnologies/orientdb-enterprise@2.1.9", - "version": "2.1.9", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "orientdb-server", - "purl": "pkg:maven/com.orientechnologies/orientdb-server@2.1.9", - "version": "2.1.9", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "name": 
"example-java-maven", - "purl": "pkg:maven/com.srcclr/example-java-maven@1.0-snapshot", - "version": "1.0-snapshot", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "metrics-core", - "purl": "pkg:maven/com.yammer.metrics/metrics-core@2.2.0", - "version": "2.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "commons-collections", - "purl": "pkg:maven/commons-collections/commons-collections@3.2.1", - "version": "3.2.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.2.2 (unknown)", - "aliases": [ - "CVE-2015-6420" - ], - "cwes": [ - { - "cve": "CVE-2015-6420", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6hgm-866r-3cjv", - "description": "Insecure Deserialization in Apache Commons Collection", - "epss": [ - { - "cve": "CVE-2015-6420", - "date": "2026-06-14", - "epss": 0.212, - "percentile": 0.95814 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.2.2" - } - ], - "fix_state": "fixed", - "fixed_in": "3.2.2", - "fixed_versions": [ - "3.2.2" - ], - "id": "GHSA-6hgm-866r-3cjv", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-6420", - "Fix available: upgrade to 3.2.2", - "Fix state: fixed", - "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization", - 
"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.securityfocus.com/bid/78872", - "https://arxiv.org/pdf/2306.05534", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", - "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2015-6420", - "https://www.kb.cert.org/vuls/id/581311", - "https://www.tenable.com/security/research/tra-2017-14", - "https://www.tenable.com/security/research/tra-2017-23" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6hgm-866r-3cjv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-6420" - }, - { - "type": "advisory", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" - }, - { - "type": "advisory", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" - }, - { - "type": "advisory", - "url": "https://www.kb.cert.org/vuls/id/581311" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/research/tra-2017-14" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/research/tra-2017-23" - }, - { - "type": "advisory", - "url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/78872" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://arxiv.org/pdf/2306.05534" - } - ], - "risk_score": 15.9, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Insecure Deserialization in Apache Commons Collection" - }, - { - "affected_version_range": "\u003c3.2.2 (unknown)", - "aliases": [ - "CVE-2015-7501" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2015-7501", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fjq5-5j5f-mvxh", - "description": "Deserialization of Untrusted Data in Apache commons collections", - "epss": [ - { - "cve": "CVE-2015-7501", - "date": "2026-06-14", - "epss": 0.71461, - "percentile": 0.98753 - } - ], - "fix_available": [ - { - "date": "2022-11-04", - "kind": "first-observed", - "version": "3.2.2" - } - ], - "fix_state": "fixed", - "fixed_in": "3.2.2", - "fixed_versions": [ - "3.2.2" - ], - "id": "GHSA-fjq5-5j5f-mvxh", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-7501", - "Fix available: upgrade to 3.2.2", - "Fix state: fixed", - "http://rhn.redhat.com/errata/RHSA-2016-1773.html", - "https://access.redhat.com/security/vulnerabilities/2059393", - "https://access.redhat.com/solutions/2045023", - "https://arxiv.org/pdf/2306.05534.pdf", - "https://bugzilla.redhat.com/show_bug.cgi?id=1279330", - "https://commons.apache.org/proper/commons-collections/release_4_1.html", - "https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", - "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501", - 
"https://issues.apache.org/jira/browse/COLLECTIONS-580.", - "https://nvd.nist.gov/vuln/detail/CVE-2015-7501", - "https://sourceforge.net/p/collections/code/HEAD/tree/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fjq5-5j5f-mvxh" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7501" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/security/vulnerabilities/2059393" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/solutions/2045023" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1279330" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1773.html" - }, - { - "type": "advisory", - "url": "https://commons.apache.org/proper/commons-collections/release_4_1.html" - }, - { - "type": "advisory", - "url": "https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580." 
- }, - { - "type": "advisory", - "url": "https://arxiv.org/pdf/2306.05534.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2015-7501" - }, - { - "type": "advisory", - "url": "https://sourceforge.net/p/collections/code/HEAD/tree/" - } - ], - "risk_score": 67.17334000000001, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Deserialization of Untrusted Data in Apache commons collections" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "commons-fileupload", - "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3.3", - "version": "1.3.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.5 (unknown)", - "aliases": [ - "CVE-2023-24998" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-24998", - "id": "CWE-770", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hfrx-6qgj-fp6c", - "description": "Apache Commons FileUpload denial of service vulnerability", - "epss": [ - { - "cve": "CVE-2023-24998", - "date": "2026-06-14", - "epss": 0.37165, - "percentile": 0.97277 - } - ], - "fix_available": [ - { - "date": "2023-02-23", - "kind": "first-observed", - "version": "1.5" - } - ], - "fix_state": "fixed", - "fixed_in": "1.5", - "fixed_versions": [ - "1.5" - ], - "id": "GHSA-hfrx-6qgj-fp6c", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-24998", - "Fix available: upgrade to 1.5", - "Fix state: 
fixed", - "http://www.openwall.com/lists/oss-security/2023/05/22/1", - "https://commons.apache.org/proper/commons-fileupload/security-reports.html", - "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", - "https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce", - "https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e", - "https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74", - "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38", - "https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code", - "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", - "https://security.gentoo.org/glsa/202305-37", - "https://security.netapp.com/advisory/ntap-20230302-0013", - "https://security.netapp.com/advisory/ntap-20241108-0002", - "https://tomcat.apache.org/security-10.html", - "https://tomcat.apache.org/security-11.html", - "https://tomcat.apache.org/security-8.html", - "https://tomcat.apache.org/security-9.html", - "https://www.debian.org/security/2023/dsa-5522" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hfrx-6qgj-fp6c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" - }, - { - "type": "advisory", - "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17" - }, - { - "type": "advisory", - "url": "https://commons.apache.org/proper/commons-fileupload/security-reports.html" - }, - { - "type": "advisory", - "url": 
"http://www.openwall.com/lists/oss-security/2023/05/22/1" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202305-37" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00020.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5522" - }, - { - "type": "advisory", - "url": "https://github.com/apache/tomcat/commit/8a2285f13affa961cc65595aad999db5efae45ce" - }, - { - "type": "advisory", - "url": "https://github.com/apache/tomcat/commit/9ca96c8c1eba86c0aaa2e6be581ba2a7d4d4ae6e" - }, - { - "type": "advisory", - "url": "https://github.com/apache/tomcat/commit/cf77cc545de0488fb89e24294151504a7432df74" - }, - { - "type": "advisory", - "url": "https://github.com/apache/tomcat/commit/d53d8e7f77042cc32a3b98f589496a1ef5088e38" - }, - { - "type": "advisory", - "url": "https://tomcat.apache.org/security-10.html" - }, - { - "type": "advisory", - "url": "https://tomcat.apache.org/security-11.html" - }, - { - "type": "advisory", - "url": "https://tomcat.apache.org/security-8.html" - }, - { - "type": "advisory", - "url": "https://tomcat.apache.org/security-9.html" - }, - { - "type": "advisory", - "url": "https://github.com/search?q=repo%3Aapache%2Ftomcat+util.http+path%3A%2F%5Eres%5C%2Fbnd%5C%2F%2F\u0026type=code" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230302-0013" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 27.873749999999998, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Commons FileUpload denial of service vulnerability" - }, - { - "affected_version_range": "\u003e=1.0,\u003c1.6.0 (unknown)", - "aliases": [ - "CVE-2025-48976" - ], - "cvss": [ - { - "score": 8.7, - "vector": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-48976", - "id": "CWE-770", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vv7r-c36w-3prj", - "description": "Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers", - "epss": [ - { - "cve": "CVE-2025-48976", - "date": "2026-06-14", - "epss": 0.01278, - "percentile": 0.80049 - } - ], - "fix_available": [ - { - "date": "2025-07-10", - "kind": "first-observed", - "version": "1.6.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.6.0", - "fixed_versions": [ - "1.6.0" - ], - "id": "GHSA-vv7r-c36w-3prj", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-48976", - "Fix available: upgrade to 1.6.0", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2025/06/16/4", - "https://github.com/apache/commons-fileupload/commit/b247774a72a044f5d5380ae947140ee80af4e78b", - "https://github.com/apache/commons-fileupload/commit/bf68f63cfb312ef4710fb3dfb4d8e4e1665f4497", - "https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93", - "https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-48976" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vv7r-c36w-3prj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48976" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread/fbs3wrr3p67vkjcxogqqqqz45pqtso12" - }, - { - "type": "advisory", - "url": "https://github.com/apache/commons-fileupload/commit/bf68f63cfb312ef4710fb3dfb4d8e4e1665f4497" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2025/06/16/4" - }, - { - "type": "advisory", - "url": "https://github.com/apache/tomcat/commit/97790a35a27d236fa053e660676c3f8196284d93" - }, - { - "type": "advisory", - "url": "https://github.com/apache/commons-fileupload/commit/b247774a72a044f5d5380ae947140ee80af4e78b" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00008.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html" - } - ], - "risk_score": 1.03518, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "commons-io", - "purl": "pkg:maven/commons-io/commons-io@2.4", - "version": "2.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.0,\u003c2.14.0 (unknown)", - "aliases": [ - "CVE-2024-47554" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 8.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-47554", - "id": "CWE-400", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-78wr-2p64-hpwj", - "description": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader", - "epss": [ - { - "cve": "CVE-2024-47554", - 
"date": "2026-06-14", - "epss": 0.00127, - "percentile": 0.31798 - } - ], - "fix_available": [ - { - "date": "2024-10-04", - "kind": "first-observed", - "version": "2.14.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.14.0", - "fixed_versions": [ - "2.14.0" - ], - "id": "GHSA-78wr-2p64-hpwj", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-47554", - "Fix available: upgrade to 2.14.0", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2024/10/03/2", - "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1", - "https://nvd.nist.gov/vuln/detail/CVE-2024-47554", - "https://security.netapp.com/advisory/ntap-20250131-0010" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-78wr-2p64-hpwj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2024/10/03/2" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250131-0010" - } - ], - "risk_score": 0.09906000000000001, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Commons IO: Possible denial of service attack on untrusted input to XmlStreamReader" - }, - { - "affected_version_range": "\u003c2.7 (unknown)", - "aliases": [ - "CVE-2021-29425" - ], - "cvss": [ - { - "score": 4.8, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-29425", - "id": "CWE-20", - "source": "security@apache.org", - "type": "Secondary" - }, - { - 
"cve": "CVE-2021-29425", - "id": "CWE-22", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gwrp-pvrq-jmwv", - "description": "Path Traversal and Improper Input Validation in Apache Commons IO", - "epss": [ - { - "cve": "CVE-2021-29425", - "date": "2026-06-14", - "epss": 0.00606, - "percentile": 0.70247 - } - ], - "fix_available": [ - { - "date": "2021-04-27", - "kind": "first-observed", - "version": "2.7" - } - ], - "fix_state": "fixed", - "fixed_in": "2.7", - "fixed_versions": [ - "2.7" - ], - "id": "GHSA-gwrp-pvrq-jmwv", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-29425", - "Fix available: upgrade to 2.7", - "Fix state: fixed", - "https://arxiv.org/pdf/2306.05534.pdf", - "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425", - "https://issues.apache.org/jira/browse/IO-556", - "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E", - "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E", - "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E", - 
"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E", - "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E", - "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E", - "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-29425", - "https://security.netapp.com/advisory/ntap-20220210-0004", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gwrp-pvrq-jmwv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/IO-556" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" - 
}, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://arxiv.org/pdf/2306.05534.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220210-0004" - } - ], - "risk_score": 0.29694, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Path Traversal and Improper Input Validation in Apache Commons IO" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "commons-logging", - "purl": "pkg:maven/commons-logging/commons-logging@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "netty", - "purl": "pkg:maven/io.netty/netty@3.7.0.final", - "version": "3.7.0.final", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-21290" - ], 
- "cvss": [ - { - "score": 6.2, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-21290", - "id": "CWE-378", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-21290", - "id": "CWE-379", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-21290", - "id": "CWE-668", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-5mcr-gq6c-3hq2", - "description": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems", - "epss": [ - { - "cve": "CVE-2021-21290", - "date": "2026-06-14", - "epss": 0.00024, - "percentile": 0.07232 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-5mcr-gq6c-3hq2", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-21290", - "Fix state: not-fixed", - "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", - "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", - "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", - "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E", - "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", - 
"https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", - "https://security.netapp.com/advisory/ntap-20220210-0011/", - "https://www.debian.org/security/2021/dsa-4885", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-5mcr-gq6c-3hq2" - }, - { - "type": "advisory", - "url": 
"https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": 
"advisory", - "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4885" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220210-0011/" - }, - { - "type": 
"advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - } - ], - "risk_score": 0.01344, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems" - }, - { - "affected_version_range": "\u003e=3.7.0.Final,\u003c3.7.1.Final (unknown)", - "aliases": [ - "CVE-2014-0193" - ], - "cwes": [ - { - "cve": "CVE-2014-0193", - "id": "CWE-399", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7vpq-g998-qpv7", - "description": "Netty denial of service vulnerability", - "epss": [ - { - "cve": "CVE-2014-0193", - "date": "2026-06-14", - "epss": 0.04075, - "percentile": 0.88847 - } - ], - "fix_available": [ - { - "date": "2024-04-17", - "kind": "first-observed", - "version": "3.7.1.Final" - } - ], - "fix_state": "fixed", - "fixed_in": "3.7.1.Final", - "fixed_versions": [ - "3.7.1.Final" - ], - "id": "GHSA-7vpq-g998-qpv7", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2014-0193", - "Fix available: upgrade to 3.7.1.Final", - "Fix state: fixed", - "http://netty.io/news/2014/04/30/release-day.html", - "http://rhn.redhat.com/errata/RHSA-2014-1019.html", - "http://rhn.redhat.com/errata/RHSA-2014-1020.html", - "http://rhn.redhat.com/errata/RHSA-2014-1021.html", - "http://rhn.redhat.com/errata/RHSA-2014-1351.html", - "http://rhn.redhat.com/errata/RHSA-2015-0675.html", - "http://rhn.redhat.com/errata/RHSA-2015-0720.html", - "http://rhn.redhat.com/errata/RHSA-2015-0765.html", - "https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b", - "https://github.com/netty/netty/issues/2441", - 
"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", - "https://nvd.nist.gov/vuln/detail/CVE-2014-0193", - "https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182", - "https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280", - "https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7vpq-g998-qpv7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0193" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/issues/2441" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" - }, - { - "type": "advisory", - "url": "http://netty.io/news/2014/04/30/release-day.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1019.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1020.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1021.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1351.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20140509033427/http://www.securityfocus.com/bid/67182" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20140509044857/http://secunia.com/advisories/58280" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20161119201425/http://secunia.com/advisories/59290" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/8599ab5bdb761bb99d41a975d689f74c12e4892b" - } - ], - "risk_score": 2.0375, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Netty denial of service vulnerability" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-37137" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-37137", - "id": "CWE-400", - "source": "reefs@jfrog.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-37137", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9vjp-v76f-g363", - "description": "SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way", - "epss": [ - { - "cve": "CVE-2021-37137", - "date": "2026-06-14", - "epss": 0.02383, - "percentile": 0.85391 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-9vjp-v76f-g363", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-37137", - "Fix state: not-fixed", - 
"https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171", - "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185", - "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79", - "https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f", - "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363", - "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37137", - "https://security.netapp.com/advisory/ntap-20220210-0012/", - "https://www.debian.org/security/2023/dsa-5316", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9vjp-v76f-g363" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-9vjp-v76f-g363" - }, - { - "type": 
"advisory", - "url": "https://github.com/netty/netty/commit/6da4956b31023ae967451e1d94ff51a746a9194f" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L171" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L185" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/SnappyFrameDecoder.java#L79" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37137" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220210-0012/" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { 
- "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5316" - } - ], - "risk_score": 1.78725, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "SnappyFrameDecoder doesn't restrict chunk length any may buffer skippable chunks in an unnecessary way" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2019-20444" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20444", - "id": "CWE-444", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-cqqj-4p63-rrmm", - "description": "HTTP Request Smuggling in Netty", - "epss": [ - { - "cve": "CVE-2019-20444", - "date": "2026-06-14", - "epss": 0.17932, - "percentile": 0.95319 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-cqqj-4p63-rrmm", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20444", - "Fix state: not-fixed", - "https://access.redhat.com/errata/RHSA-2020:0497", - "https://access.redhat.com/errata/RHSA-2020:0567", - "https://access.redhat.com/errata/RHSA-2020:0601", - "https://access.redhat.com/errata/RHSA-2020:0605", - "https://access.redhat.com/errata/RHSA-2020:0606", - "https://access.redhat.com/errata/RHSA-2020:0804", - "https://access.redhat.com/errata/RHSA-2020:0805", - "https://access.redhat.com/errata/RHSA-2020:0806", - "https://access.redhat.com/errata/RHSA-2020:0811", - 
"https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", - "https://github.com/netty/netty/issues/9866", - "https://github.com/netty/netty/pull/9871", - "https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878", - "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit", - "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E", - "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E", - "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E", - "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E", - "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E", - 
"https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E", - 
"https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20444", - "https://usn.ubuntu.com/4532-1", - "https://www.debian.org/security/2021/dsa-4885" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cqqj-4p63-rrmm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20444" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/issues/9866" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/9871" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" - }, 
- { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0497" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0567" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0601" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0605" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0606" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0804" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0805" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0806" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0811" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - 
"type": "advisory", - "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4@%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6@%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9@%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e@%3Ccommits.camel.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4885" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/9871/files#diff-e26989b9171ef22c27c9f7d80689cfb059d568c9bd10e75970d96c02d0654878" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb3361f6c6a5f834ad3db5e998c352760d393c0891b8d3bea90baa836%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc7eb5634b71d284483e58665b22bf274a69bd184d9bd7ede52015d91%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rcb2c59428f34d4757702f9ae739a8795bda7bea97b857e708a9c62c6%40%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f%40%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d%40%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r91e0fa345c86c128b75a4a791b4b503b53173ff4c13049ac7129d319%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://usn.ubuntu.com/4532-1" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" - }, - { - "type": "advisory", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114%40%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f%40%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf2bf8e2eb0a03227f5bc100b544113f8cafea01e887bb068e8d1fa41%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re78eaef7d01ad65c370df30e45c686fffff00b37f7bfd78b26a08762%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948%40%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re0b78a3d0a4ba2cf9f4e14e1d05040bde9051d5c78071177186336c9%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdd5d243a5f8ed8b83c0104e321aa420e5e98792a95749e3c9a54c0b9%40%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f%40%3Cissues.spark.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d%40%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0f5e72d5f69b4720dfe64fcbc2da9afae949ed1e9cbffa84bb7d92d7%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0c3d49bfdbc62fd3915676433cc5899c5506d06da1c552ef1b7923a5%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0aa8b28e76ec01c697b15e161e6797e88fc8d406ed762e253401106e%40%3Ccommits.camel.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r059b042bca47be53ff8a51fd04d95eb01bb683f1afa209db136e8cb7%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/poc-effectiveness/PoCAdaptation/tree/main/Adapted/CVE-2019-20444/5.0.0.Alpha1/exploit" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r90030b0117490caed526e57271bf4d7f9b012091ac5083c895d16543%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r86befa74c5cd1482c711134104aec339bf7ae879f2c4437d7ec477d4%40%3Ccommon-commits.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8402d67fdfe9cf169f859d52a7670b28a08eff31e54b522cc1432532%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2%40%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3%40%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4c675b2d0cc2a5e506b11ee10d60a378859ee340aca052e4c7ef4749%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r489886fe72a98768eed665474cba13bad8d6fe0654f24987706636c5%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r34912a9b1a5c269a77b8be94ef6fb6d1e9b3c69129719dc00f01cf0b%40%3Cdev.zookeeper.apache.org%3E" - } - ], - "risk_score": 16.22846, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "HTTP Request Smuggling in Netty" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-21409" - ], - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-21409", - "id": "CWE-444", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-21409", - "id": "CWE-444", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f256-j965-7f32", - "description": "Possible request smuggling in HTTP/2 due missing validation of content-length", - "epss": [ - { - "cve": "CVE-2021-21409", - "date": "2026-06-14", - "epss": 0.0316, - "percentile": 0.8725 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-f256-j965-7f32", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-21409", - "Fix state: not-fixed", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", - "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", - 
"https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", - "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", - "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", - 
"https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", - "https://security.netapp.com/advisory/ntap-20210604-0003/", - "https://www.debian.org/security/2021/dsa-4885", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f256-j965-7f32" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" - }, - { - "type": "advisory", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4885" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" - 
}, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E" - }, 
- { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - } - ], - "risk_score": 1.7222000000000004, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Possible request smuggling in HTTP/2 due missing validation of content-length" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-37136" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-37136", - "id": "CWE-400", - "source": "reefs@jfrog.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-37136", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-grg4-wf29-r9vv", - "description": "Bzip2Decoder doesn't allow setting size restrictions for decompressed data", - "epss": [ - { - "cve": "CVE-2021-37136", - "date": "2026-06-14", - "epss": 0.01187, - "percentile": 0.79289 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-grg4-wf29-r9vv", - "namespace": 
"github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-37136", - "Fix state: not-fixed", - "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294", - "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305", - "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80", - "https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020", - "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv", - "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-37136", - "https://security.netapp.com/advisory/ntap-20220210-0012/", - "https://www.debian.org/security/2023/dsa-5316", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - 
"https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-grg4-wf29-r9vv" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-grg4-wf29-r9vv" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/41d3d61a61608f2223bb364955ab2045dd5e4020" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L294" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L305" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/blob/4.1/codec/src/main/java/io/netty/handler/codec/compression/Bzip2Decoder.java#L80" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37136" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfb2bf8597e53364ccab212fbcbb2a4e9f0a9e1429b1dc08023c6868e@%3Cdev.tinkerpop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r06a145c9bd41a7344da242cef07977b24abe3349161ede948e30913d@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5406eaf3b07577d233b9f07cfc8f26e28369e6bab5edfcab41f28abb@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5e05eba32476c580412f9fbdfc9b8782d5b40558018ac4ac07192a04@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd262f59b1586a108e320e5c966feeafbb1b8cdc96965debc7cc10b16@%3Ccommits.druid.apache.org%3E" - }, - { - "type": 
"advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220210-0012/" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5316" - } - ], - "risk_score": 0.8902500000000001, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Bzip2Decoder doesn't allow setting size restrictions for decompressed data" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2019-20445" - ], - "cwes": [ - { - "cve": "CVE-2019-20445", - "id": "CWE-444", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p2v9-g2qv-p635", - "description": "HTTP Request Smuggling in Netty", - "epss": [ - { - "cve": "CVE-2019-20445", - "date": "2026-06-14", - "epss": 0.03562, - "percentile": 0.88025 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-p2v9-g2qv-p635", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20445", - "Fix state: not-fixed", - "https://access.redhat.com/errata/RHSA-2020:0497", - "https://access.redhat.com/errata/RHSA-2020:0567", - "https://access.redhat.com/errata/RHSA-2020:0601", - "https://access.redhat.com/errata/RHSA-2020:0605", - "https://access.redhat.com/errata/RHSA-2020:0606", - "https://access.redhat.com/errata/RHSA-2020:0804", - 
"https://access.redhat.com/errata/RHSA-2020:0805", - "https://access.redhat.com/errata/RHSA-2020:0806", - "https://access.redhat.com/errata/RHSA-2020:0811", - "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final", - "https://github.com/netty/netty/issues/9861", - "https://github.com/netty/netty/pull/9865", - "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E", - "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E", - "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E", - "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E", - "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E", - "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E", - "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E", - "https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html", - "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20445", - "https://usn.ubuntu.com/4532-1/", - "https://www.debian.org/security/2021/dsa-4885" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p2v9-g2qv-p635" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20445" - }, - { - "type": "advisory", - "url": 
"https://github.com/netty/netty/issues/9861" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/9865" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/compare/netty-4.1.43.Final...netty-4.1.44.Final" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r310d2ce22304d5298ff87f10134f918c87919b452734f9841d95682d@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r36fcf538b28f2029e8b4f6b9a772f3b107913a78f09b095c5b153a62@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r640eb9b3213058a963e18291f903fc1584e577f60035f941e32f760a@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r70b1ff22ee80e8101805b9a473116dd33265709007d2deb6f8c80bf2@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r804895eedd72c9ec67898286eb185e04df852b0dd5fe53cf5b6138f9@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r81700644754e66ffea465c869cb477de25f8041e21598e8818fc2c45@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r96e08f929234e8ba1ef4a93a0fd2870f535a1f9ab628fabc46115986@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9b20cdac704cf9a583400350e2d5b576fa8417c18ddb961201676c60@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra2ace4bcb5cf487f72cbcbfa0f8cc08e755ec2b93d7e69f276148b08@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra9fbfe7d4830ae675bf34c7c0f8c22fc8a4099f65706c1bc4f54c593@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rce71d33747010d32d31d90f5d737dae26291d96552f513a266c92fbb@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re45ee9256d3233c31d78e59ee59c7dc841c7fbd83d0769285b41e948@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfb55f245b08d8a6ec0fb4dc159022227cd22de34c4419c2fbb18802b@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rff210a24f3a924829790e69eaefa84820902b7b31f17c3bf2def9114@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0497" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0567" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0601" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0605" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0606" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0804" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0805" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0806" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0811" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r030beff88aeb6d7a2d6cd21342bd18686153ce6e26a4171d0e035663@%3Cissues.flume.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1fcccf8bdb3531c28bc9aa605a6a1bea7e68cef6fc12e01faafb2fb5@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r205937c85817a911b0c72655c2377e7a2c9322d6ef6ce1b118d34d8d@%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - 
"url": "https://lists.apache.org/thread.html/r46f93de62b1e199f3f9babb18128681677c53493546f532ed88c359d@%3Creviews.spark.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4d3f1d3e333d9c2b2f6e6ae8ed8750d4de03410ac294bcd12c7eefa3@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4ff40646e9ccce13560458419accdfc227b8b6ca4ead3a8a91decc74@%3Cissues.flume.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6945f3c346b7af89bbd3526a7c9b705b1e3569070ebcd0964bcedd7d@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r819aaeb9944bdcfca438dcc51f05650dc728daf64dfd7d774fc2499b@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r959474dcf7f88565ed89f6252ca5a274419006cb71348f14764b183d@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra1a71b576a45426af5ee65255be9596ff3181a342f4ba73b800db78f@%3Cdev.geode.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb5c065e7bd701b0744f9f28ad769943f91745102716c1eb516325f11@%3Cissues.spark.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb84c57670ec48ef23f4d07973b7fa69f629b8e7fcfb48874362feb6f@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbdb59c683d666130906a9c05a1d2b034c4cc08cda7ed41322bd54fe2@%3Cissues.flume.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00017.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00018.html" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raaac04b7567c554786132144bea3dcb72568edd410c1e6f0101742e7@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf5b2dfb7401666a19915f8eaef3ba9f5c3386e2066fcd2ae66e16a2f@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00003.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/09/msg00004.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TS6VX7OMXPDJIU5LRGUAHRK6MENAVJ46/" - }, - { - "type": "advisory", - "url": "https://usn.ubuntu.com/4532-1/" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7790b9d99696d9eddce8a8c96f13bb68460984294ea6fea3800143e4@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r832724df393a7ef25ca4c7c2eb83ad2d6c21c74569acda5233f9f1ec@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb69125652311d0c41f6066ff44072a3642cf33a4b5e3c4f9c1ec9c2@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4885" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r2f2989b7815d809ff3fda8ce330f553e5f133505afd04ffbc135f35f@%3Cissues.spark.apache.org%3E" - } - ], - "risk_score": 1.781, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "HTTP Request Smuggling in Netty" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-21295" - ], - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-21295", - "id": "CWE-444", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-21295", - "id": "CWE-444", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wm47-8v5p-wjpj", - "description": "Possible request smuggling in HTTP/2 due missing validation", - "epss": [ - { - "cve": "CVE-2021-21295", - "date": "2026-06-14", - "epss": 0.0061, - "percentile": 0.70341 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-wm47-8v5p-wjpj", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-21295", - "Fix state: not-fixed", - "https://github.com/Netflix/zuul/pull/980", - "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", - "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", - "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E", - "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E", - 
"https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E", - "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E", - 
"https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E", - "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E", - 
"https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E", - "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", - 
"https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", - "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E", - "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", - "https://security.netapp.com/advisory/ntap-20210604-0003/", - "https://www.debian.org/security/2021/dsa-4885", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wm47-8v5p-wjpj" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" - }, - { - "type": "advisory", - "url": "https://github.com/Netflix/zuul/pull/980" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" - }, - 
{ - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - 
"type": "advisory", - "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4885" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - 
"url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E" 
- }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - } - ], - "risk_score": 0.3324500000000001, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Possible request smuggling in HTTP/2 due missing validation" - }, - { - "affected_version_range": "\u003c4.0.0 (unknown)", - "aliases": [ - "CVE-2021-43797" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-43797", - "id": "CWE-444", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-43797", - "id": "CWE-444", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wx5j-54mm-rqqq", - "description": "HTTP request smuggling in netty", - "epss": [ - { - "cve": "CVE-2021-43797", - "date": "2026-06-14", - "epss": 0.00381, - 
"percentile": 0.60076 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-wx5j-54mm-rqqq", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-43797", - "Fix state: not-fixed", - "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323", - "https://github.com/netty/netty/pull/11891", - "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-43797", - "https://security.netapp.com/advisory/ntap-20220107-0003/", - "https://www.debian.org/security/2023/dsa-5316", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wx5j-54mm-rqqq" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/security/advisories/GHSA-wx5j-54mm-rqqq" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/07aa6b5938a8b6ed7a6586e066400e2643897323" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43797" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/11891" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220107-0003/" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00008.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5316" - } - 
], - "risk_score": 0.219075, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "HTTP request smuggling in netty" - }, - { - "affected_version_range": "\u003c3.9.8.Final (unknown)", - "aliases": [ - "CVE-2015-2156" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2015-2156", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xfv3-rrfm-f2rv", - "description": "Information Exposure in Netty", - "epss": [ - { - "cve": "CVE-2015-2156", - "date": "2026-06-14", - "epss": 0.03271, - "percentile": 0.87496 - } - ], - "fix_available": [ - { - "date": "2023-08-08", - "kind": "first-observed", - "version": "3.9.8.Final" - } - ], - "fix_state": "fixed", - "fixed_in": "3.9.8.Final", - "fixed_versions": [ - "3.9.8.Final" - ], - "id": "GHSA-xfv3-rrfm-f2rv", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-2156", - "Fix available: upgrade to 3.9.8.Final", - "Fix state: fixed", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html", - "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html", - "http://www.openwall.com/lists/oss-security/2015/05/17/1", - "http://www.securityfocus.com/bid/74704", - "https://bugzilla.redhat.com/show_bug.cgi?id=1222923", - "https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55", - "https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752", - 
"https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9", - "https://github.com/netty/netty/pull/3754", - "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2015-2156", - "https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571", - "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xfv3-rrfm-f2rv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2156" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/3748/commits/4ac519f534493bb0ca7a77e1c779138a54faa7b9" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/pull/3754" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/2caa38a2795fe1f1ae6ceda4d69e826ed7c55e55" - }, - { - "type": "advisory", - "url": "https://github.com/netty/netty/commit/31815598a2af37f0b71ea94eada70d6659c23752" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1222923" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/a19bb1003b0d6cd22475ba83c019b4fc7facfef2a9e13f71132529d3@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/dc1275aef115bda172851a231c76c0932d973f9ffd8bc375c4aba769@%3Ccommits.cassandra.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-IONETTY-73571" - }, - { - "type": "advisory", - "url": "https://www.playframework.com/security/vulnerability/CVE-2015-2156-HttpOnlyBypass" - }, - { - "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159379.html" - }, - { - "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159166.html" - }, - { - "type": "advisory", - "url": "http://netty.io/news/2015/05/08/3-9-8-Final-and-3.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2015/05/17/1" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/74704" - } - ], - "risk_score": 2.45325, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Information Exposure in Netty" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "activation", - "purl": "pkg:maven/javax.activation/activation@1.1", - "version": "1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jcr", - "purl": "pkg:maven/javax.jcr/jcr@1.0", - "version": "1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "mail", - "purl": 
"pkg:maven/javax.mail/mail@1.4", - "version": "1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jline", - "purl": "pkg:maven/jline/jline@0.9.94", - "version": "0.9.94", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "junit", - "purl": "pkg:maven/junit/junit@4.12", - "version": "4.12", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.7,\u003c4.13.1 (unknown)", - "aliases": [ - "CVE-2020-15250" - ], - "cvss": [ - { - "score": 4.4, - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-15250", - "id": "CWE-200", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-15250", - "id": "CWE-732", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-269g-pwp5-87pp", - "description": "TemporaryFolder on unix-like systems does not limit access to created files", - "epss": [ - { - "cve": "CVE-2020-15250", - "date": "2026-06-14", - "epss": 0.00056, - "percentile": 0.17925 - } - ], - "fix_available": [ - { - "date": "2020-10-13", - "kind": "first-observed", - "version": "4.13.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.13.1", - "fixed_versions": [ - "4.13.1" - ], - "id": "GHSA-269g-pwp5-87pp", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-15250", - "Fix available: upgrade to 4.13.1", - "Fix state: fixed", - 
"https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md", - "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae", - "https://github.com/junit-team/junit4/issues/1676", - "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp", - "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html", - "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E", - 
"https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E", - "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E", - "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E", - "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E", - "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E", - 
"https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E", - "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15250", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-269g-pwp5-87pp" - }, - { - "type": "advisory", - "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" - }, - { - "type": "advisory", - "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" - }, - { - "type": "advisory", - "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" - }, - { - "type": "advisory", - "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250" - }, - { - "type": "advisory", - "url": "https://github.com/junit-team/junit4/issues/1676" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": 
"advisory", - "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - } - ], - "risk_score": 0.02632, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "TemporaryFolder on unix-like systems does not limit access to created files" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "log4j", - "purl": "pkg:maven/log4j/log4j@1.2.15", - "version": "1.2.15", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=1.2,\u003c=1.2.17 (unknown)", - "aliases": [ - "CVE-2019-17571" - ], - "cvss": [ - { - 
"score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-17571", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Primary" - }, - { - "cve": "CVE-2019-17571", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Secondary" - }, - { - "cve": "CVE-2019-17571", - "id": "CWE-502", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2qrg-x229-3v8q", - "description": "Deserialization of Untrusted Data in Log4j", - "epss": [ - { - "cve": "CVE-2019-17571", - "date": "2026-06-14", - "epss": 0.28502, - "percentile": 0.9665 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-2qrg-x229-3v8q", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-17571", - "Fix state: not-fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html", - "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", - 
"https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", - "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E", - 
"https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E", - 
"https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad%40%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495%40%3Cjira.kafka.apache.org%3E", - 
"https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e%40%3Cuser.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328%40%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E", - 
"https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e%40%3Clog4j-user.logging.apache.org%3E", - "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E", - "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179%40%3Cjira.kafka.apache.org%3E", - 
"https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", - 
"https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E", - "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2%40%3Cdev.jena.apache.org%3E", 
- "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E", - "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f%40%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9%40%3Ccommon-issues.hadoop.apache.org%3E", - 
"https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882%40%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E", - 
"https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc%40%3Ccommits.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d%40%3Ccommon-dev.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd%40%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", - 
"https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", - "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47%40%3Cdev.tinkerpop.apache.org%3E", - "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E", - "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E", - 
"https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679%40%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347%40%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b%40%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3%40%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94%40%3Cpluto-scm.portals.apache.org%3E", - "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f%40%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c%40%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", - "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0%40%3Cissues.bookkeeper.apache.org%3E", - 
"https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80%40%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E", - "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9%40%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E", - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E", - "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E", - "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc%40%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2019-17571", - "https://security.netapp.com/advisory/ntap-20200110-0001", - "https://usn.ubuntu.com/4495-1", - "https://www.debian.org/security/2020/dsa-4686", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuapr2020.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2qrg-x229-3v8q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17571" - }, - { - "type": "advisory", - 
"url": "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2020/dsa-4686" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E" - }, - { 
- "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc%40%3Ccommits.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d%40%3Ccommon-dev.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7%40%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94%40%3Cpluto-scm.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2%40%3Cdev.jena.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f%40%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882%40%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c%40%3Cnotifications.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80%40%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200110-0001" - }, - { - "type": "advisory", - "url": "https://usn.ubuntu.com/4495-1" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26%40%3Ccommits.pulsar.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47%40%3Cdev.tinkerpop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b%40%3Cpluto-dev.portals.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3%40%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad%40%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd%40%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919%40%3Cissues.activemq.apache.org%3E" - 
}, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d%40%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d%40%3Cdev.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628%40%3Cissues.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd%40%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740%40%3Ccommits.druid.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748%40%3Ccommon-issues.hadoop.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809%40%3Ccommits.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e%40%3Cuser.zookeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328%40%3Cusers.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7%40%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2%40%3Cjira.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78%40%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cdev.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc%40%3Cusers.kafka.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e%40%3Clog4j-user.logging.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1%40%3Cdev.tika.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179%40%3Cjira.kafka.apache.org%3E" - } - ], - "risk_score": 26.791880000000003, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Deserialization of Untrusted Data in Log4j" - }, - { - "affected_version_range": "\u003c=1.2.17 (unknown)", - "aliases": [ - "CVE-2022-23305" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-23305", - "id": "CWE-89", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2022-23305", - "id": "CWE-89", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-65fg-84f6-3jq3", - "description": "SQL Injection in Log4j 1.2.x", - "epss": [ - { - "cve": "CVE-2022-23305", - "date": "2026-06-14", - "epss": 0.09452, - 
"percentile": 0.93017 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-65fg-84f6-3jq3", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-23305", - "Fix state: not-fixed", - "http://www.openwall.com/lists/oss-security/2022/01/18/4", - "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", - "https://logging.apache.org/log4j/1.2/index.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-23305", - "https://security.netapp.com/advisory/ntap-20220217-0007", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-65fg-84f6-3jq3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23305" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" - }, - { - "type": "advisory", - "url": "https://logging.apache.org/log4j/1.2/index.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2022/01/18/4" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220217-0007" - } - ], - "risk_score": 8.88488, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "SQL Injection in Log4j 1.2.x" - }, - { - "affected_version_range": "\u003c=1.2.17 (unknown)", - "aliases": [ - "CVE-2022-23307" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": 
"3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-23307", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2022-23307", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f7vh-qwp3-x37m", - "description": "Deserialization of Untrusted Data in Apache Log4j", - "epss": [ - { - "cve": "CVE-2022-23307", - "date": "2026-06-14", - "epss": 0.02603, - "percentile": 0.85998 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-f7vh-qwp3-x37m", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-23307", - "Fix state: not-fixed", - "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", - "https://logging.apache.org/log4j/1.2/index.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-23307", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f7vh-qwp3-x37m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23307" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" - }, - { - "type": "advisory", - "url": "https://logging.apache.org/log4j/1.2/index.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - } - ], - "risk_score": 2.44682, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Deserialization of Untrusted Data in Apache Log4j" - }, - { - 
"affected_version_range": "\u003e=1.2.0,\u003c=1.2.17 (unknown)", - "aliases": [ - "CVE-2021-4104" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-4104", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2021-4104", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fp5r-v3w9-4333", - "description": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data", - "epss": [ - { - "cve": "CVE-2021-4104", - "date": "2026-06-14", - "epss": 0.72202, - "percentile": 0.98783 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-fp5r-v3w9-4333", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-4104", - "Fix state: not-fixed", - "http://www.openwall.com/lists/oss-security/2022/01/18/3", - "https://access.redhat.com/security/cve/CVE-2021-4104", - "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", - "https://nvd.nist.gov/vuln/detail/CVE-2021-4104", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033", - "https://security.gentoo.org/glsa/202209-02", - "https://security.gentoo.org/glsa/202310-16", - "https://security.gentoo.org/glsa/202312-02", - "https://security.gentoo.org/glsa/202312-04", - "https://security.netapp.com/advisory/ntap-20211223-0007/", - "https://www.cve.org/CVERecord?id=CVE-2021-44228", - "https://www.kb.cert.org/vuls/id/930724", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - 
"type": "data_source", - "url": "https://github.com/advisories/GHSA-fp5r-v3w9-4333" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4104" - }, - { - "type": "advisory", - "url": "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2021-4104" - }, - { - "type": "advisory", - "url": "https://www.cve.org/CVERecord?id=CVE-2021-44228" - }, - { - "type": "advisory", - "url": "https://www.kb.cert.org/vuls/id/930724" - }, - { - "type": "advisory", - "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0033" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20211223-0007/" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202209-02" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202310-16" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202312-02" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202312-04" - } - ], - "risk_score": 54.1515, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data" - }, - { - "affected_version_range": "\u003e=1.0.4,\u003c2.0 (unknown)", - "aliases": [ - "CVE-2023-26464" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-26464", - "id": "CWE-502", - 
"source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2023-26464", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vp98-w2p3-mv35", - "description": "Apache Log4j 1.x (EOL) allows Denial of Service (DoS)", - "epss": [ - { - "cve": "CVE-2023-26464", - "date": "2026-06-14", - "epss": 0.00125, - "percentile": 0.31507 - } - ], - "fix_available": [ - { - "date": "2025-09-03", - "kind": "first-observed", - "version": "2.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.0", - "fixed_versions": [ - "2.0" - ], - "id": "GHSA-vp98-w2p3-mv35", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-26464", - "Fix available: upgrade to 2.0", - "Fix state: fixed", - "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t", - "https://nvd.nist.gov/vuln/detail/CVE-2023-26464", - "https://security.netapp.com/advisory/ntap-20230505-0008" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vp98-w2p3-mv35" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26464" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230505-0008" - } - ], - "risk_score": 0.09375, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Log4j 1.x (EOL) allows Denial of Service (DoS)" - }, - { - "affected_version_range": "\u003c=1.2.17 (unknown)", - "aliases": [ - "CVE-2022-23302" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" 
- } - ], - "cwes": [ - { - "cve": "CVE-2022-23302", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2022-23302", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w9p3-5cr8-m3jj", - "description": "Deserialization of Untrusted Data in Log4j 1.x", - "epss": [ - { - "cve": "CVE-2022-23302", - "date": "2026-06-14", - "epss": 0.00785, - "percentile": 0.74308 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-w9p3-5cr8-m3jj", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-23302", - "Fix state: not-fixed", - "http://www.openwall.com/lists/oss-security/2022/01/18/3", - "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", - "https://logging.apache.org/log4j/1.2/index.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-23302", - "https://security.netapp.com/advisory/ntap-20220217-0006", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability", - "https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w9p3-5cr8-m3jj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-23302" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" - }, - { - "type": "advisory", - "url": "https://logging.apache.org/log4j/1.2/index.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2022/01/18/3" - }, - { - "type": 
"advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220217-0006" - }, - { - "type": "advisory", - "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-detect-log4j-1217-vulnerability" - }, - { - "type": "advisory", - "url": "https://www.vicarius.io/vsociety/posts/cve-2022-23302-mitigate-log4j-1217-vulnerability" - } - ], - "risk_score": 0.639775, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Deserialization of Untrusted Data in Log4j 1.x" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "javamelody-core", - "purl": "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", - "version": "1.59.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.74.0 (unknown)", - "aliases": [ - "CVE-2018-15531" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2018-15531", - "id": "CWE-611", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6fvx-r7hx-3vh6", - "description": "JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.", - "epss": [ - { - "cve": "CVE-2018-15531", - "date": "2026-06-14", - "epss": 0.22432, - "percentile": 0.95978 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "1.74.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.74.0", - "fixed_versions": [ - "1.74.0" - ], - "id": "GHSA-6fvx-r7hx-3vh6", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-15531", - "Fix available: upgrade to 1.74.0", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2018/09/25/3", - "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", - "https://github.com/javamelody/javamelody/wiki/ReleaseNotes", - "https://jenkins.io/security/advisory/2018-09-25/", - "https://nvd.nist.gov/vuln/detail/CVE-2018-15531" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6fvx-r7hx-3vh6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15531" - }, - { - "type": "advisory", - "url": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353" - }, - { - "type": "advisory", - "url": "https://github.com/javamelody/javamelody/wiki/ReleaseNotes" - }, - { - "type": "advisory", - "url": "https://jenkins.io/security/advisory/2018-09-25/" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2018/09/25/3" - } - ], - "risk_score": 21.086080000000003, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java." 
- }, - { - "affected_version_range": "\u003c1.61.0 (unknown)", - "aliases": [ - "CVE-2016-1000273" - ], - "cvss": [ - { - "score": 10, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-cqhr-jqvc-qw9p", - "description": "Java Melody vulnerable to cross-site scripting", - "epss": [ - { - "cve": "CVE-2016-1000273", - "date": "2026-06-14", - "epss": 0.0227, - "percentile": 0.85057 - } - ], - "fix_available": [ - { - "date": "2022-07-21", - "kind": "first-observed", - "version": "1.61.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.61.0", - "fixed_versions": [ - "1.61.0" - ], - "id": "GHSA-cqhr-jqvc-qw9p", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-1000273", - "Fix available: upgrade to 1.61.0", - "Fix state: fixed", - "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6", - "https://github.com/javamelody/javamelody/wiki/ReleaseNotes#1620" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cqhr-jqvc-qw9p" - }, - { - "type": "advisory", - "url": "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6" - }, - { - "type": "advisory", - "url": "https://github.com/javamelody/javamelody/wiki/ReleaseNotes#1620" - } - ], - "risk_score": 2.1565000000000003, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Java Melody vulnerable to cross-site scripting" - }, - { - "affected_version_range": "\u003c=1.60.0 (unknown)", - "aliases": [ - "CVE-2018-12432" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - ], 
- "cwes": [ - { - "cve": "CVE-2018-12432", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-g66q-grxc-64j3", - "description": "Cross-site Scripting in JavaMelody", - "epss": [ - { - "cve": "CVE-2018-12432", - "date": "2026-06-14", - "epss": 0.0024, - "percentile": 0.47664 - } - ], - "fix_available": [ - { - "date": "2022-07-01", - "kind": "first-observed", - "version": "1.61.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.61.0", - "fixed_versions": [ - "1.61.0" - ], - "id": "GHSA-g66q-grxc-64j3", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-12432", - "Fix available: upgrade to 1.61.0", - "Fix state: fixed", - "https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector---JavaMelody", - "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6", - "https://nvd.nist.gov/vuln/detail/CVE-2018-12432" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-g66q-grxc-64j3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12432" - }, - { - "type": "advisory", - "url": "https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector---JavaMelody" - }, - { - "type": "advisory", - "url": "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6" - } - ], - "risk_score": 0.13319999999999996, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Cross-site Scripting in JavaMelody" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "LGPL-2.1", - "type": "external-depsdev", - "value": "LGPL-2.1" - }, - { - "spdxExpression": "non-standard", - 
"type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jna-platform", - "purl": "pkg:maven/net.java.dev.jna/jna-platform@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "LGPL-2.1", - "type": "external-depsdev", - "value": "LGPL-2.1" - }, - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jna", - "purl": "pkg:maven/net.java.dev.jna/jna@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "lz4", - "purl": "pkg:maven/net.jpountz.lz4/lz4@1.2.0", - "version": "1.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=1.8.1 (unknown)", - "aliases": [ - "CVE-2025-66566" - ], - "cvss": [ - { - "score": 8.2, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-66566", - "id": "CWE-201", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-cmp6-m4wj-q63q", - "description": "yawkat LZ4 Java has a possible information leak in Java safe decompressor", - "epss": [ - { - "cve": "CVE-2025-66566", - "date": "2026-06-14", - "epss": 0.00066, - "percentile": 0.20832 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-cmp6-m4wj-q63q", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-66566", - "Fix state: not-fixed", - 
"https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840", - "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q", - "https://nvd.nist.gov/vuln/detail/CVE-2025-66566" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cmp6-m4wj-q63q" - }, - { - "type": "advisory", - "url": "https://github.com/yawkat/lz4-java/security/advisories/GHSA-cmp6-m4wj-q63q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66566" - }, - { - "type": "advisory", - "url": "https://github.com/yawkat/lz4-java/commit/33d180cb70c4d93c80fb0dc3ab3002f457e93840" - } - ], - "risk_score": 0.051809999999999995, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "yawkat LZ4 Java has a possible information leak in Java safe decompressor" - }, - { - "affected_version_range": "\u003c=1.3.0 (unknown)", - "aliases": [ - "CVE-2025-12183" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-12183", - "id": "CWE-125", - "source": "103e4ec9-0a87-450b-af77-479448ddef11", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vqf4-7m7x-wgfc", - "description": "LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS", - "epss": [ - { - "cve": "CVE-2025-12183", - "date": "2026-06-14", - "epss": 0.00103, - "percentile": 0.28003 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-vqf4-7m7x-wgfc", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-12183", - "Fix state: not-fixed", - 
"http://www.openwall.com/lists/oss-security/2025/12/01/5", - "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1", - "https://nvd.nist.gov/vuln/detail/CVE-2025-12183", - "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183", - "https://www.sonatype.com/security-advisories/cve-2025-12183" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vqf4-7m7x-wgfc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12183" - }, - { - "type": "advisory", - "url": "https://github.com/yawkat/lz4-java/releases/tag/v1.8.1" - }, - { - "type": "advisory", - "url": "https://sites.google.com/sonatype.com/vulnerabilities/cve-2025-12183" - }, - { - "type": "advisory", - "url": "https://www.sonatype.com/security-advisories/cve-2025-12183" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2025/12/01/5" - } - ], - "risk_score": 0.08394500000000002, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "LZ4 Java Compression has Out-of-bounds memory operations which can cause DoS" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jopt-simple", - "purl": "pkg:maven/net.sf.jopt-simple/jopt-simple@3.2", - "version": "3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "ognl", - "purl": "pkg:maven/ognl/ognl@3.1.12", - "version": "3.1.12", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "commons-lang3", - "purl": "pkg:maven/org.apache.commons/commons-lang3@3.6", - "version": 
"3.6", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=3.0,\u003c3.18.0 (unknown)", - "aliases": [ - "CVE-2025-48924" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-48924", - "id": "CWE-674", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-j288-q9x7-2f5v", - "description": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs", - "epss": [ - { - "cve": "CVE-2025-48924", - "date": "2026-06-14", - "epss": 0.00099, - "percentile": 0.27301 - } - ], - "fix_available": [ - { - "date": "2025-07-12", - "kind": "first-observed", - "version": "3.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.18.0", - "fixed_versions": [ - "3.18.0" - ], - "id": "GHSA-j288-q9x7-2f5v", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-48924", - "Fix available: upgrade to 3.18.0", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2025/07/11/1", - "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53", - "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1", - "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html", - "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html", - "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html", - "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-48924" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-j288-q9x7-2f5v" - }, - { - "type": "advisory", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-48924" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1" - }, - { - "type": "advisory", - "url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2025/07/11/1" - } - ], - "risk_score": 0.056924999999999996, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "jackrabbit-api", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-api@1.4", - "version": "1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "jackrabbit-classloader", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-classloader@1.4", - "version": "1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "jackrabbit-jcr-commons", - "purl": "pkg:maven/org.apache.jackrabbit/jackrabbit-jcr-commons@1.4", - "version": "1.4", - 
"vulnerabilities": [ - { - "affected_version_range": "\u003e=1.0.0,\u003c2.22.2 (unknown)", - "aliases": [ - "CVE-2025-58782" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-58782", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-cxvc-g8f2-4gmm", - "description": "Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data", - "epss": [ - { - "cve": "CVE-2025-58782", - "date": "2026-06-14", - "epss": 0.00426, - "percentile": 0.62828 - } - ], - "fix_available": [ - { - "date": "2025-09-10", - "kind": "first-observed", - "version": "2.22.2" - } - ], - "fix_state": "fixed", - "fixed_in": "2.22.2", - "fixed_versions": [ - "2.22.2" - ], - "id": "GHSA-cxvc-g8f2-4gmm", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-58782", - "Fix available: upgrade to 2.22.2", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2025/09/06/3", - "https://github.com/apache/jackrabbit/pull/229", - "https://issues.apache.org/jira/browse/JCR-5135", - "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v", - "https://nvd.nist.gov/vuln/detail/CVE-2025-58782" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cxvc-g8f2-4gmm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58782" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/t4wdrost6dh17dh406g792j9wq6xmy6v" - }, - { - "type": "advisory", - "url": "https://github.com/apache/jackrabbit/pull/229" - }, - { - "type": "advisory", - "url": 
"https://issues.apache.org/jira/browse/JCR-5135" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2025/09/06/3" - } - ], - "risk_score": 0.24494999999999997, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Jackrabbit: Core and JCR Commons are vulnerable to Deserialization of Untrusted Data" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "kafka-clients", - "purl": "pkg:maven/org.apache.kafka/kafka-clients@0.9.0.1", - "version": "0.9.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "kafka_2.11", - "purl": "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", - "version": "0.9.0.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.4.0 (unknown)", - "aliases": [ - "CVE-2025-27819" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-27819", - "id": "CWE-502", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-mcwh-c9pg-xw43", - "description": "Apache Kafka Deserialization of Untrusted Data vulnerability", - "epss": [ - { - "cve": "CVE-2025-27819", - "date": "2026-06-14", - "epss": 0.00897, - "percentile": 0.76154 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-mcwh-c9pg-xw43", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-27819", - "Fix state: 
not-fixed", - "https://github.com/advisories/GHSA-26f8-x7cc-wqpc", - "https://kafka.apache.org/cve-list", - "https://nvd.nist.gov/vuln/detail/CVE-2025-27819" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-mcwh-c9pg-xw43" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819" - }, - { - "type": "advisory", - "url": "https://kafka.apache.org/cve-list" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-26f8-x7cc-wqpc" - } - ], - "risk_score": 0.7310550000000001, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Kafka Deserialization of Untrusted Data vulnerability" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "log4j-api", - "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.8.2", - "version": "2.8.2", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "xmlsec", - "purl": "pkg:maven/org.apache.santuario/xmlsec@1.5.1", - "version": "1.5.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.5.6 (unknown)", - "aliases": [ - "CVE-2013-4517" - ], - "cwes": [ - { - "cve": "CVE-2013-4517", - "id": "CWE-399", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4p4w-6h54-g885", - "description": "Improper Input Validation in Apache Santuario XML Security", - "epss": [ - { - "cve": "CVE-2013-4517", - "date": "2026-06-14", - "epss": 0.08392, - "percentile": 0.92531 - } - ], - "fix_available": [ - { - "date": "2022-07-08", - "kind": "first-observed", - "version": "1.5.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.5.6", - "fixed_versions": [ - 
"1.5.6" - ], - "id": "GHSA-4p4w-6h54-g885", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2013-4517", - "Fix available: upgrade to 1.5.6", - "Fix state: fixed", - "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html", - "http://rhn.redhat.com/errata/RHSA-2014-0170.html", - "http://rhn.redhat.com/errata/RHSA-2014-0171.html", - "http://rhn.redhat.com/errata/RHSA-2014-0172.html", - "http://rhn.redhat.com/errata/RHSA-2014-0195.html", - "http://rhn.redhat.com/errata/RHSA-2014-1725.html", - "http://rhn.redhat.com/errata/RHSA-2014-1726.html", - "http://rhn.redhat.com/errata/RHSA-2014-1727.html", - "http://rhn.redhat.com/errata/RHSA-2014-1728.html", - "http://rhn.redhat.com/errata/RHSA-2015-0675.html", - "http://rhn.redhat.com/errata/RHSA-2015-0850.html", - "http://rhn.redhat.com/errata/RHSA-2015-0851.html", - "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc", - "http://seclists.org/fulldisclosure/2013/Dec/169", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/89891", - "https://github.com/apache/santuario-java/commit/a09b9042f7759d094f2d49f40fc7bcf145164b25", - "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E", - "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2013-4517", - "https://www.tenable.com/security/tns-2018-15" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4p4w-6h54-g885" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4517" - }, - { - "type": "advisory", - "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/89891" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2018-15" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/124554/Java-XML-Signature-Denial-Of-Service-Attack.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0170.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0171.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0172.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0195.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1725.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1726.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1727.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-1728.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html" - }, - { - "type": "advisory", - "url": "http://santuario.apache.org/secadv.data/cve-2013-4517.txt.asc" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2013/Dec/169" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/a09b9042f7759d094f2d49f40fc7bcf145164b25" - } - ], - "risk_score": 4.196, - "severity": 
"medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Improper Input Validation in Apache Santuario XML Security" - }, - { - "affected_version_range": "\u003e=1.5.0,\u003c1.5.3 (unknown)", - "aliases": [ - "CVE-2013-5823" - ], - "data_source": "https://github.com/advisories/GHSA-8gwc-x7mg-7p7p", - "description": "Apache XML Security For Java vulnerable to Infinite Loop", - "epss": [ - { - "cve": "CVE-2013-5823", - "date": "2026-06-14", - "epss": 0.05761, - "percentile": 0.90705 - } - ], - "fix_available": [ - { - "date": "2022-11-09", - "kind": "first-observed", - "version": "1.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "1.5.3", - "fixed_versions": [ - "1.5.3" - ], - "id": "GHSA-8gwc-x7mg-7p7p", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2013-5823", - "Fix available: upgrade to 1.5.3", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2014:0414", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5823", - "https://github.com/apache/santuario-java/commit/55a48497dfbf3fe63a81e67c13160b3f41ebb1f3", - "https://github.com/apache/santuario-java/commit/cea3c91106fb8be35e2f1bb3f1fe0cfddd0ec710", - "https://github.com/apache/santuario-java/commit/f9a61f2df9473237aa71308c28113540b4063d33", - "https://issues.apache.org/jira/browse/SANTUARIO-334", - "https://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html", - "https://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2", - "https://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2", - "https://nvd.nist.gov/vuln/detail/CVE-2013-5823", - "https://security.gentoo.org/glsa/glsa-201406-32.xml" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8gwc-x7mg-7p7p" - }, - { - 
"type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-5823" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2014:0414" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/cea3c91106fb8be35e2f1bb3f1fe0cfddd0ec710" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5823" - }, - { - "type": "advisory", - "url": "https://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html" - }, - { - "type": "advisory", - "url": "https://marc.info/?l=bugtraq\u0026m=138674031212883\u0026w=2" - }, - { - "type": "advisory", - "url": "https://marc.info/?l=bugtraq\u0026m=138674073720143\u0026w=2" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/glsa-201406-32.xml" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/55a48497dfbf3fe63a81e67c13160b3f41ebb1f3" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/f9a61f2df9473237aa71308c28113540b4063d33" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/SANTUARIO-334" - } - ], - "risk_score": 2.8805, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache XML Security For Java vulnerable to Infinite Loop" - }, - { - "affected_version_range": "\u003c2.1.7 (unknown)", - "aliases": [ - "CVE-2021-40690" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-40690", - "id": "CWE-200", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2021-40690", - "id": "CWE-200", - "source": "nvd@nist.gov", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-j8wc-gxx9-82hx", - "description": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario", - "epss": [ - { - 
"cve": "CVE-2021-40690", - "date": "2026-06-14", - "epss": 0.00413, - "percentile": 0.6206 - } - ], - "fix_available": [ - { - "date": "2021-09-21", - "kind": "first-observed", - "version": "2.1.7" - } - ], - "fix_state": "fixed", - "fixed_in": "2.1.7", - "fixed_versions": [ - "2.1.7" - ], - "id": "GHSA-j8wc-gxx9-82hx", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-40690", - "Fix available: upgrade to 2.1.7", - "Fix state: fixed", - "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa@%3Ccommits.tomee.apache.org%3E", - "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59@%3Cissues.cxf.apache.org%3E", - "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E", - "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28@%3Ccommits.tomee.apache.org%3E", - "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4@%3Ccommits.tomee.apache.org%3E", - "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8@%3Cuser.poi.apache.org%3E", - "https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c@%3Ccommits.tomee.apache.org%3E", - "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f@%3Ccommits.tomee.apache.org%3E", - "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8@%3Ccommits.tomee.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-40690", - 
"https://security.netapp.com/advisory/ntap-20230818-0002/", - "https://www.debian.org/security/2021/dsa-5010", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-j8wc-gxx9-82hx" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-40690" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8848751b6a5dd78cc9e99d627e74fecfaffdfa1bb615dce827aad633%40%3Cdev.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbdac116aef912b563da54f4c152222c0754e32fb2f785519ac5e059f@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3b3f5ba9b0de8c9c125077b71af06026d344a709a8ba67db81ee9faa@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8a5c0ce9014bd07303aec1e5eed55951704878016465d3dae00e0c28@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9c100d53c84d54cf71975e3f0cfcc2856a8846554a04c99390156ce4@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raf352f95c19c0c4051af3180752cb69acbea88d0d066ab176c6170e8@%3Cuser.poi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re294cfc61f509512874ea514d8d64fd276253d54ac378ffa7a4880c8@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r401ecb7274794f040cd757b259ebe3e8c463ae74f7961209ccad3c59@%3Cissues.cxf.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rbbbac0759b12472abd0c278d32b5e0867bb21934df8e14e5e641597c@%3Ccommits.tomee.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-5010" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230818-0002/" - } - ], - "risk_score": 0.30975, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Exposure of Sensitive Information to an Unauthorized Actor in Apache Santuario" - }, - { - "affected_version_range": "\u003e=1.5.0,\u003c1.5.5 (unknown)", - "aliases": [ - "CVE-2013-2172" - ], - "cwes": [ - { - "cve": "CVE-2013-2172", - "id": "CWE-310", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r237-w2w6-jq3p", - "description": "Inefficient Algorithmic Complexity in Apache Santuario XML Security", - "epss": [ - { - "cve": "CVE-2013-2172", - "date": "2026-06-14", - "epss": 0.03643, - "percentile": 0.88164 - } - ], - "fix_available": [ - { - "date": "2022-08-17", - "kind": "first-observed", - "version": "1.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "1.5.5", - "fixed_versions": [ - "1.5.5" - ], - "id": "GHSA-r237-w2w6-jq3p", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2013-2172", - "Fix available: upgrade to 1.5.5", - "Fix state: fixed", - "http://rhn.redhat.com/errata/RHSA-2013-1207.html", - "http://rhn.redhat.com/errata/RHSA-2013-1208.html", - "http://rhn.redhat.com/errata/RHSA-2013-1209.html", - 
"http://rhn.redhat.com/errata/RHSA-2013-1217.html", - "http://rhn.redhat.com/errata/RHSA-2013-1218.html", - "http://rhn.redhat.com/errata/RHSA-2013-1219.html", - "http://rhn.redhat.com/errata/RHSA-2013-1220.html", - "http://rhn.redhat.com/errata/RHSA-2013-1375.html", - "http://rhn.redhat.com/errata/RHSA-2013-1437.html", - "http://rhn.redhat.com/errata/RHSA-2013-1853.html", - "http://rhn.redhat.com/errata/RHSA-2014-0212.html", - "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc", - "http://seclists.org/fulldisclosure/2014/Dec/23", - "http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h", - "http://www.debian.org/security/2014/dsa-3065", - "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", - "http://www.ubuntu.com/usn/USN-2028-1", - "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", - "https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590", - "https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f", - "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E", - "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E", - "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E", - "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2013-2172", - "https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded", - "https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846" - 
], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r237-w2w6-jq3p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2172" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3@%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd@%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1207.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1208.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1209.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1217.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1218.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1219.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1220.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1375.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1437.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2013-1853.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0212.html" - }, - { - "type": "advisory", - "url": "http://santuario.apache.org/secadv.data/CVE-2013-2172.txt.asc" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2014/Dec/23" - }, - { - "type": "advisory", - "url": 
"http://svn.apache.org/viewvc/santuario/xml-security-java/branches/1.5.x-fixes/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java?r1=1353876\u0026r2=1493772\u0026pathrev=1493772\u0026diff_format=h" - }, - { - "type": "advisory", - "url": "http://www.debian.org/security/2014/dsa-3065" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" - }, - { - "type": "advisory", - "url": "http://www.ubuntu.com/usn/USN-2028-1" - }, - { - "type": "advisory", - "url": "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/680e6938b6412e26d5446054fd31de2011d33af11786b989127d1cc3%40%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1c07a561426ec5579073046ad7f4207cdcef452bb3100abaf908e0cd%40%3Ccommits.santuario.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20160317145515/http://www.securityfocus.com/archive/1/534161/100/0/threaded" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200228060314/http://www.securityfocus.com/bid/60846" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/25e0e11493b061749f778030036cb5c406b34590" - }, - { - "type": "advisory", - "url": "https://github.com/apache/santuario-java/commit/8e8f8bf92a43608d7d5f9e357fae19244454a61f" - } - ], - "risk_score": 1.8215, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Inefficient Algorithmic Complexity in Apache Santuario XML Security" - }, - { - "affected_version_range": "\u003c2.2.6 (unknown)", - "aliases": [ - "CVE-2023-44483" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-44483", - "id": "CWE-532", - "source": 
"security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xfrj-6vvc-3xm2", - "description": "Apache Santuario - XML Security for Java are vulnerable to private key disclosure", - "epss": [ - { - "cve": "CVE-2023-44483", - "date": "2026-06-14", - "epss": 0.00173, - "percentile": 0.38758 - } - ], - "fix_available": [ - { - "date": "2023-10-21", - "kind": "first-observed", - "version": "2.2.6" - } - ], - "fix_state": "fixed", - "fixed_in": "2.2.6", - "fixed_versions": [ - "2.2.6" - ], - "id": "GHSA-xfrj-6vvc-3xm2", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-44483", - "Fix available: upgrade to 2.2.6", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/10/20/5", - "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55", - "https://nvd.nist.gov/vuln/detail/CVE-2023-44483", - "https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc?version=1\u0026modificationDate=1697782758000\u0026api=v2", - "https://security.netapp.com/advisory/ntap-20241108-0002" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xfrj-6vvc-3xm2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44483" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/vmqbp9mfxtrf0kmbnnmbn3h9j6dr9q55" - }, - { - "type": "advisory", - "url": "https://santuario.apache.org/secadv.data/CVE-2023-44483.txt.asc?version=1\u0026modificationDate=1697782758000\u0026api=v2" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/10/20/5" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 
0.099475, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Santuario - XML Security for Java are vulnerable to private key disclosure" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.adapter", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.adapter@2.0.2-incubator", - "version": "2.0.2-incubator", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.api", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.api@2.0.4-incubator", - "version": "2.0.4-incubator", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=2.3.0 (unknown)", - "aliases": [ - "CVE-2013-2254" - ], - "cwes": [ - { - "cve": "CVE-2013-2254", - "id": "CWE-119", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-cxwh-vmhg-39r2", - "description": "Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Sling", - "epss": [ - { - "cve": "CVE-2013-2254", - "date": "2026-06-14", - "epss": 0.00992, - "percentile": 0.77411 - } - ], - "fix_available": [ - { - "date": "2022-07-09", - "kind": "first-observed", - "version": "2.4.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.4.0", - "fixed_versions": [ - "2.4.0" - ], - "id": "GHSA-cxwh-vmhg-39r2", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2013-2254", - "Fix available: upgrade to 2.4.0", - "Fix state: fixed", - 
"http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4pue6PnESsP1KTdEDJm1gpkANFaK%2BvUd9mzEVT7tXL%2B3A%40mail.gmail.com%3E", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/87765", - "https://issues.apache.org/jira/browse/SLING-2913", - "https://nvd.nist.gov/vuln/detail/CVE-2013-2254" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cxwh-vmhg-39r2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2254" - }, - { - "type": "advisory", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/87765" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/SLING-2913" - }, - { - "type": "advisory", - "url": "http://mail-archives.apache.org/mod_mbox/sling-dev/201310.mbox/%3CCAKkCf4pue6PnESsP1KTdEDJm1gpkANFaK%2BvUd9mzEVT7tXL%2B3A%40mail.gmail.com%3E" - } - ], - "risk_score": 0.496, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Improper Restriction of Operations within the Bounds of a Memory Buffer in Apache Sling" - }, - { - "affected_version_range": "\u003c=2.25.0 (unknown)", - "aliases": [ - "CVE-2022-32549" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-32549", - "id": "CWE-117", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2022-32549", - "id": "CWE-116", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qmx3-m648-hr74", - "description": "Log Injection in Apache Sling Commons Log and Apache Sling API", - "epss": [ - { - "cve": "CVE-2022-32549", - "date": "2026-06-14", - "epss": 0.02862, - "percentile": 0.86625 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-qmx3-m648-hr74", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-32549", - "Fix state: not-fixed", - "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v", - "https://nvd.nist.gov/vuln/detail/CVE-2022-32549" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qmx3-m648-hr74" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32549" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/7z6h3806mwcov5kx6l96pq839sn0po1v" - } - ], - "risk_score": 1.47393, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Log Injection in Apache Sling Commons Log and Apache Sling API" - }, - { - "affected_version_range": "\u003c=2.2.1 (unknown)", - "aliases": [ - "CVE-2015-2944" - ], - "cwes": [ - { - "cve": "CVE-2015-2944", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rxvx-44w5-44r7", - "description": "Improper Neutralization of Input During Web Page Generation in Apache Sling", - "epss": [ - { - "cve": "CVE-2015-2944", - "date": "2026-06-14", - "epss": 0.02866, - "percentile": 0.86631 - } - ], - "fix_available": [ - { - "date": "2022-07-08", - "kind": "first-observed", - "version": "2.2.2" - } - ], - "fix_state": "fixed", - "fixed_in": "2.2.2", - "fixed_versions": [ - "2.2.2" - ], - "id": "GHSA-rxvx-44w5-44r7", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-2944", - "Fix available: upgrade to 2.2.2", - "Fix state: fixed", - 
"http://jvn.jp/en/jp/JVN61328139/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069", - "https://issues.apache.org/jira/browse/SLING-2082", - "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E", - "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E", - "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E", - "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2015-2944" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rxvx-44w5-44r7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2944" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/SLING-2082" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r04237d561f3e5bced0a26287454450a34275162aa6b1dbae1b707b31@%3Cdev.sling.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4f41dd891a52133abdbf7f74ad1dde80c46f157c1f1cf8c23ba60a70@%3Cdev.sling.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r93d68359eb0ea8c0f26d71ca3998143f99209a24db7b4dacfc688cea@%3Cdev.sling.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd2a352858630721e7b1655bbdf85e692d6156fcfe68109e12b017b16@%3Cdev.sling.apache.org%3E" - }, - { - "type": "advisory", - "url": "http://jvn.jp/en/jp/JVN61328139/index.html" - }, - { - "type": "advisory", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000069" - } - ], - "risk_score": 1.433, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Improper Neutralization of Input 
During Web Page Generation in Apache Sling" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.commons.mime", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.commons.mime@2.0.2-incubator", - "version": "2.0.2-incubator", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.commons.osgi", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.commons.osgi@2.0.2-incubator", - "version": "2.0.2-incubator", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.engine", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", - "version": "2.0.4-incubator", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.14.0 (unknown)", - "aliases": [ - "CVE-2022-45064" - ], - "cvss": [ - { - "score": 8, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-45064", - "id": "CWE-79", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-mg46-f9h5-g27x", - "description": "Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation", - "epss": [ - { - "cve": "CVE-2022-45064", - "date": "2026-06-14", - "epss": 0.05094, - "percentile": 0.9007 - } - ], - "fix_available": [ - { - "date": "2023-04-19", - "kind": "first-observed", - "version": "2.14.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.14.0", - "fixed_versions": [ - "2.14.0" - ], - "id": "GHSA-mg46-f9h5-g27x", - "namespace": 
"github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-45064", - "Fix available: upgrade to 2.14.0", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/04/18/6", - "https://lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok", - "https://nvd.nist.gov/vuln/detail/CVE-2022-45064" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-mg46-f9h5-g27x" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45064" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/04/18/6" - } - ], - "risk_score": 3.94785, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.jcr.api", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.jcr.api@2.0.2-incubator", - "version": "2.0.2-incubator", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "org.apache.sling.jcr.resource", - "purl": "pkg:maven/org.apache.sling/org.apache.sling.jcr.resource@2.0.2-incubator", - "version": "2.0.2-incubator", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - 
"value": "Apache-2.0" - } - ], - "matched": true, - "name": "struts2-core", - "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.12", - "version": "2.5.12", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.0.0,\u003c2.5.33 (unknown)", - "aliases": [ - "CVE-2023-50164" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-50164", - "id": "CWE-552", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2j39-qcjm-428w", - "description": "Apache Struts vulnerable to path traversal", - "epss": [ - { - "cve": "CVE-2023-50164", - "date": "2026-06-14", - "epss": 0.93657, - "percentile": 0.99853 - } - ], - "fix_available": [ - { - "date": "2023-12-08", - "kind": "first-observed", - "version": "2.5.33" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.33", - "fixed_versions": [ - "2.5.33" - ], - "id": "GHSA-2j39-qcjm-428w", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-50164", - "Fix available: upgrade to 2.5.33", - "Fix state: fixed", - "http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html", - "http://www.openwall.com/lists/oss-security/2023/12/07/1", - "https://cwiki.apache.org/confluence/display/WW/S2-066", - "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163", - "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6", - "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj", - "https://nvd.nist.gov/vuln/detail/CVE-2023-50164", - "https://security.netapp.com/advisory/ntap-20231214-0010", - 
"https://www.openwall.com/lists/oss-security/2023/12/07/1" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2j39-qcjm-428w" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50164" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/12/07/1" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6" - }, - { - "type": "advisory", - "url": "https://www.openwall.com/lists/oss-security/2023/12/07/1" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-066" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20231214-0010" - } - ], - "risk_score": 88.03758, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to path traversal" - }, - { - "affected_version_range": "\u003c6.4.0 (unknown)", - "aliases": [ - "CVE-2024-53677" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - }, - { - "score": 9.5, - "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-53677", - "id": "CWE-434", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-43mq-6xmg-29vm", - "description": "Apache Struts file upload logic is flawed", - "epss": [ - { - 
"cve": "CVE-2024-53677", - "date": "2026-06-14", - "epss": 0.93161, - "percentile": 0.99807 - } - ], - "fix_available": [ - { - "date": "2024-12-12", - "kind": "first-observed", - "version": "6.4.0" - } - ], - "fix_state": "fixed", - "fixed_in": "6.4.0", - "fixed_versions": [ - "6.4.0" - ], - "id": "GHSA-43mq-6xmg-29vm", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-53677", - "Fix available: upgrade to 6.4.0", - "Fix state: fixed", - "https://cwiki.apache.org/confluence/display/WW/S2-067", - "https://github.com/apache/struts/commit/1ecfbae46543a83e131404f8dcc84b3d0d554854", - "https://github.com/apache/struts/commit/3ef9ade8902a63bb560892453eeca02bfddefc78", - "https://github.com/apache/struts/commit/930fef7679d7247db9e460c146b1698a9d7ad1e4", - "https://nvd.nist.gov/vuln/detail/CVE-2024-53677", - "https://security.netapp.com/advisory/ntap-20250103-0005", - "https://struts.apache.org/core-developers/file-upload", - "https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-43mq-6xmg-29vm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53677" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-067" - }, - { - "type": "advisory", - "url": "https://struts.apache.org/core-developers/file-upload" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250103-0005" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/1ecfbae46543a83e131404f8dcc84b3d0d554854" - }, - { - "type": "advisory", - "url": 
"https://github.com/apache/struts/commit/3ef9ade8902a63bb560892453eeca02bfddefc78" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/930fef7679d7247db9e460c146b1698a9d7ad1e4" - }, - { - "type": "advisory", - "url": "https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677" - } - ], - "risk_score": 86.87263250000001, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts file upload logic is flawed" - }, - { - "affected_version_range": "\u003c2.5.31 (unknown)", - "aliases": [ - "CVE-2023-34396" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-34396", - "id": "CWE-770", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4g42-gqrg-4633", - "description": "Apache Struts vulnerable to memory exhaustion", - "epss": [ - { - "cve": "CVE-2023-34396", - "date": "2026-06-14", - "epss": 0.00123, - "percentile": 0.31154 - } - ], - "fix_available": [ - { - "date": "2023-06-15", - "kind": "first-observed", - "version": "2.5.31" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.31", - "fixed_versions": [ - "2.5.31" - ], - "id": "GHSA-4g42-gqrg-4633", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-34396", - "Fix available: upgrade to 2.5.31", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/06/14/3", - "https://cwiki.apache.org/confluence/display/WW/S2-064", - "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", - 
"https://github.com/apache/struts/releases/tag/STRUTS_2_5_31", - "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1", - "https://nvd.nist.gov/vuln/detail/CVE-2023-34396", - "https://security.netapp.com/advisory/ntap-20230706-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4g42-gqrg-4633" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34396" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-064" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/06/14/3" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230706-0005" - } - ], - "risk_score": 0.09225, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to memory exhaustion" - }, - { - "affected_version_range": "\u003c2.5.32 (unknown)", - "aliases": [ - "CVE-2023-41835" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-41835", - "id": "CWE-459", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2023-41835", - "id": "CWE-459", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-729q-fcgp-r5xh", - "description": "Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability", - "epss": [ - { - "cve": "CVE-2023-41835", - "date": "2026-06-14", - "epss": 0.00224, - "percentile": 0.45382 - } - ], - 
"fix_available": [ - { - "date": "2023-12-06", - "kind": "first-observed", - "version": "2.5.32" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.32", - "fixed_versions": [ - "2.5.32" - ], - "id": "GHSA-729q-fcgp-r5xh", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-41835", - "Fix available: upgrade to 2.5.32", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/12/09/1", - "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a", - "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7", - "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711", - "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft", - "https://nvd.nist.gov/vuln/detail/CVE-2023-41835", - "https://security.netapp.com/advisory/ntap-20231013-0001", - "https://www.openwall.com/lists/oss-security/2023/12/09/1" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-729q-fcgp-r5xh" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41835" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/12/09/1" - }, - { - "type": "advisory", - "url": 
"https://www.openwall.com/lists/oss-security/2023/12/09/1" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20231013-0001" - } - ], - "risk_score": 0.16799999999999998, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability" - }, - { - "affected_version_range": "\u003e=2.5.0,\u003c2.5.13 (unknown)", - "aliases": [ - "CVE-2016-8738" - ], - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2016-8738", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-86vq-8qhc-5rqw", - "description": "Apache Struts vulnerable to possible DoS attack when using URLValidator", - "epss": [ - { - "cve": "CVE-2016-8738", - "date": "2026-06-14", - "epss": 0.01107, - "percentile": 0.78603 - } - ], - "fix_available": [ - { - "date": "2022-11-04", - "kind": "first-observed", - "version": "2.5.13" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.13", - "fixed_versions": [ - "2.5.13" - ], - "id": "GHSA-86vq-8qhc-5rqw", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-8738", - "Fix available: upgrade to 2.5.13", - "Fix state: fixed", - "https://github.com/apache/struts/commit/554b9dddb0fbd1e581ef577dd62a7c22955ad0f6", - "https://nvd.nist.gov/vuln/detail/CVE-2016-8738", - "https://security.netapp.com/advisory/ntap-20180629-0003/", - "https://struts.apache.org/docs/s2-044.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-86vq-8qhc-5rqw" - }, - { - "type": "advisory", - 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8738" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20180629-0003/" - }, - { - "type": "advisory", - "url": "https://struts.apache.org/docs/s2-044.html" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/554b9dddb0fbd1e581ef577dd62a7c22955ad0f6" - } - ], - "risk_score": 0.603315, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to possible DoS attack when using URLValidator" - }, - { - "affected_version_range": "\u003c2.5.31 (unknown)", - "aliases": [ - "CVE-2023-34149" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-34149", - "id": "CWE-770", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-8f6x-v685-g2xc", - "description": "Apache Struts vulnerable to memory exhaustion", - "epss": [ - { - "cve": "CVE-2023-34149", - "date": "2026-06-14", - "epss": 0.00066, - "percentile": 0.20953 - } - ], - "fix_available": [ - { - "date": "2023-06-15", - "kind": "first-observed", - "version": "2.5.31" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.31", - "fixed_versions": [ - "2.5.31" - ], - "id": "GHSA-8f6x-v685-g2xc", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-34149", - "Fix available: upgrade to 2.5.31", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/06/14/2", - "https://cwiki.apache.org/confluence/display/WW/S2-063", - "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", - 
"https://github.com/apache/struts/releases/tag/STRUTS_2_5_31", - "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1", - "https://nvd.nist.gov/vuln/detail/CVE-2023-34149", - "https://security.netapp.com/advisory/ntap-20230706-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8f6x-v685-g2xc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34149" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-063" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/06/14/2" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230706-0005" - } - ], - "risk_score": 0.03795, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to memory exhaustion" - }, - { - "affected_version_range": "\u003e=2.0,\u003c2.5.22 (unknown)", - "aliases": [ - "CVE-2012-1592" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2012-1592", - "id": "CWE-434", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-8m5q-crqq-6pmf", - "description": "Unrestricted Upload of File with Dangerous Type in Apache Struts2", - "epss": [ - { - "cve": "CVE-2012-1592", - "date": "2026-06-14", - "epss": 0.00588, - "percentile": 0.69717 - } - ], - "fix_available": [ - { - "date": "2022-07-14", - "kind": "first-observed", - "version": "2.5.22" - } - ], - "fix_state": 
"fixed", - "fixed_in": "2.5.22", - "fixed_versions": [ - "2.5.22" - ], - "id": "GHSA-8m5q-crqq-6pmf", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2012-1592", - "Fix available: upgrade to 2.5.22", - "Fix state: fixed", - "https://access.redhat.com/security/cve/cve-2012-1592", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592", - "https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76", - "https://issues.apache.org/jira/browse/WW-5055", - "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2%40%3Cissues.struts.apache.org%3E", - "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E", - "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc%40%3Cissues.struts.apache.org%3E", - "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc@%3Cissues.struts.apache.org%3E", - "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b%40%3Cissues.struts.apache.org%3E", - "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2012-1592", - "https://seclists.org/bugtraq/2012/Mar/110", - "https://security-tracker.debian.org/tracker/CVE-2012-1592", - "https://struts.apache.org/security/#internal-security-mechanism", - "https://www.openwall.com/lists/oss-security/2012/03/28/12" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8m5q-crqq-6pmf" - }, - { - "type": "advisory", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2012-1592" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/security/cve/cve-2012-1592" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc@%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://security-tracker.debian.org/tracker/CVE-2012-1592" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/WW-5055" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2012/Mar/110" - }, - { - "type": "advisory", - "url": "https://struts.apache.org/security/#internal-security-mechanism" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2%40%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc%40%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b%40%3Cissues.struts.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.openwall.com/lists/oss-security/2012/03/28/12" - } - ], - "risk_score": 0.47922, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - 
"title": "Unrestricted Upload of File with Dangerous Type in Apache Struts2" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c2.5.22 (unknown)", - "aliases": [ - "CVE-2019-0233" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-0233", - "id": "CWE-281", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-ccp5-gg58-pxfm", - "description": "Improper Preservation of Permissions in Apache Struts", - "epss": [ - { - "cve": "CVE-2019-0233", - "date": "2026-06-14", - "epss": 0.0778, - "percentile": 0.92182 - } - ], - "fix_available": [ - { - "date": "2022-06-30", - "kind": "first-observed", - "version": "2.5.22" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.22", - "fixed_versions": [ - "2.5.22" - ], - "id": "GHSA-ccp5-gg58-pxfm", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-0233", - "Fix available: upgrade to 2.5.22", - "Fix state: fixed", - "https://cwiki.apache.org/confluence/display/ww/s2-060", - "https://launchpad.support.sap.com/#/notes/2982840", - "https://nvd.nist.gov/vuln/detail/CVE-2019-0233", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-ccp5-gg58-pxfm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0233" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/ww/s2-060" - }, - { - "type": "advisory", - "url": 
"https://launchpad.support.sap.com/#/notes/2982840" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - } - ], - "risk_score": 5.835, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Improper Preservation of Permissions in Apache Struts" - }, - { - "affected_version_range": "\u003e=2.5,\u003c=2.5.16 (unknown)", - "aliases": [ - "CVE-2018-11776" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "version": "3.0" - } - ], - "data_source": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65", - "description": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation", - "epss": [ - { - "cve": "CVE-2018-11776", - "date": "2026-06-14", - "epss": 0.94431, - "percentile": 0.99986 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "2.5.17" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.17", - "fixed_versions": [ - "2.5.17" - ], - "id": "GHSA-cr6j-3jp9-rw65", - "kev_exploited": true, - "known_exploited": [ - { - "cve": "CVE-2018-11776", - "cwes": [ - "CWE-20" - ], - "date_added": "2021-11-03", - "due_date": "2022-05-03", - "known_ransomware_campaign_use": "unknown", - "product": "Struts", - "required_action": "Apply updates per vendor instructions.", - "urls": [ - "https://nvd.nist.gov/vuln/detail/CVE-2018-11776" - ], - "vendor_project": "Apache" - } - ], - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-11776", 
- "Fix available: upgrade to 2.5.17", - "Fix state: fixed", - "http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html", - "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt", - "http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/105125", - "http://www.securitytracker.com/id/1041547", - "http://www.securitytracker.com/id/1041888", - "https://cwiki.apache.org/confluence/display/WW/S2-057", - "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e", - "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC", - "https://lgtm.com/blog/apache_struts_CVE-2018-11776", - "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E", - "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2018-11776", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012", - "https://security.netapp.com/advisory/ntap-20180822-0001", - "https://security.netapp.com/advisory/ntap-20181018-0002", - "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125", - "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888", - "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547", - "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776", - "https://www.exploit-db.com/exploits/45260", - "https://www.exploit-db.com/exploits/45262", - "https://www.exploit-db.com/exploits/45367", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-cr6j-3jp9-rw65" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11776" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-057" - }, - { - "type": "advisory", - "url": "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC" - }, - { - "type": "advisory", - "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - }, - { - "type": "advisory", - "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547" - }, - { - "type": "advisory", - "url": "https://www.exploit-db.com/exploits/45367" - }, - { - "type": 
"advisory", - "url": "https://www.exploit-db.com/exploits/45262" - }, - { - "type": "advisory", - "url": "https://www.exploit-db.com/exploits/45260" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20181018-0002" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20180822-0001" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/105125" - }, - { - "type": "advisory", - "url": "http://www.securitytracker.com/id/1041547" - }, - { - "type": "advisory", - "url": "http://www.securitytracker.com/id/1041888" - }, - { - "type": "advisory", - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776" - } - ], - "risk_score": 81.9, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c2.5.26 (unknown)", - "aliases": [ - "CVE-2020-17530" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-17530", - "id": "CWE-917", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2020-17530", - "id": "CWE-917", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-jc35-q369-45pv", - "description": "Remote code execution in Apache Struts", - "epss": [ - { - "cve": "CVE-2020-17530", - "date": "2026-06-14", - "epss": 0.94373, - "percentile": 0.99967 - } - ], - "fix_available": [ - { - "date": "2022-02-10", - "kind": "first-observed", - "version": "2.5.26" - } - ], - "fix_state": "fixed", - "fixed_in": 
"2.5.26", - "fixed_versions": [ - "2.5.26" - ], - "id": "GHSA-jc35-q369-45pv", - "kev_exploited": true, - "known_exploited": [ - { - "cve": "CVE-2020-17530", - "cwes": [ - "CWE-917" - ], - "date_added": "2021-11-03", - "due_date": "2022-05-03", - "known_ransomware_campaign_use": "unknown", - "product": "Struts", - "required_action": "Apply updates per vendor instructions.", - "urls": [ - "https://nvd.nist.gov/vuln/detail/CVE-2020-17530" - ], - "vendor_project": "Apache" - } - ], - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-17530", - "Fix available: upgrade to 2.5.26", - "Fix state: fixed", - "http://jvn.jp/en/jp/JVN43969166/index.html", - "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", - "http://www.openwall.com/lists/oss-security/2022/04/12/6", - "https://cwiki.apache.org/confluence/display/WW/S2-061", - "https://nvd.nist.gov/vuln/detail/CVE-2020-17530", - "https://security.netapp.com/advisory/ntap-20210115-0005", - "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jc35-q369-45pv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17530" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-061" - }, - { - "type": 
"advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "http://jvn.jp/en/jp/JVN43969166/index.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210115-0005" - }, - { - "type": "advisory", - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530" - } - ], - "risk_score": 98.70000000000002, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Remote code execution in Apache Struts" - }, - { - "affected_version_range": "\u003e=2.5.0,\u003c=2.5.33 (unknown)", - "aliases": [ - "CVE-2025-68493" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-68493", - "id": "CWE-611", - "source": "security@apache.org", - "type": "Primary" - }, - { - "cve": "CVE-2025-68493", - "id": "CWE-611", - "source": "nvd@nist.gov", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qcfc-hmrc-59x7", - "description": "Apache Struts 2 is Missing XML Validation", - "epss": [ - { - "cve": "CVE-2025-68493", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 
0.07826 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-qcfc-hmrc-59x7", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-68493", - "Fix state: not-fixed", - "http://www.openwall.com/lists/oss-security/2026/01/11/2", - "https://cwiki.apache.org/confluence/display/WW/S2-069", - "https://nvd.nist.gov/vuln/detail/CVE-2025-68493" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qcfc-hmrc-59x7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68493" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-069" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2026/01/11/2" - } - ], - "risk_score": 0.02028, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts 2 is Missing XML Validation" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c6.8.0 (unknown)", - "aliases": [ - "CVE-2025-66675" - ], - "cvss": [ - { - "score": 8.2, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-66675", - "id": "CWE-459", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rg58-xhh7-mqjw", - "description": "Apache Struts has a Denial of Service vulnerability", - "epss": [ - { - "cve": "CVE-2025-66675", - "date": "2026-06-14", - "epss": 0.00201, - "percentile": 0.42357 - } - ], - "fix_available": [ - { - "date": "2025-12-10", - "kind": "first-observed", - "version": "6.8.0" - } - ], - "fix_state": "fixed", - "fixed_in": "6.8.0", - "fixed_versions": [ - "6.8.0" - ], - "id": "GHSA-rg58-xhh7-mqjw", - 
"namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-66675", - "Fix available: upgrade to 6.8.0", - "Fix state: fixed", - "https://cve.org/CVERecord?id=CVE-2025-64775", - "https://cwiki.apache.org/confluence/display/WW/S2-068", - "https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468", - "https://nvd.nist.gov/vuln/detail/CVE-2025-66675" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rg58-xhh7-mqjw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66675" - }, - { - "type": "advisory", - "url": "https://cve.org/CVERecord?id=CVE-2025-64775" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-068" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468" - } - ], - "risk_score": 0.157785, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts has a Denial of Service vulnerability" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c2.5.30 (unknown)", - "aliases": [ - "CVE-2021-31805" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-31805", - "id": "CWE-917", - "source": "security@apache.org", - "type": "Secondary" - }, - { - "cve": "CVE-2021-31805", - "id": "CWE-917", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-v8j6-6c2r-r27c", - "description": "Expression Language Injection in Apache Struts", - "epss": [ - { - "cve": "CVE-2021-31805", - "date": "2026-06-14", - "epss": 0.93788, - 
"percentile": 0.99866 - } - ], - "fix_available": [ - { - "date": "2022-04-27", - "kind": "first-observed", - "version": "2.5.30" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.30", - "fixed_versions": [ - "2.5.30" - ], - "id": "GHSA-v8j6-6c2r-r27c", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-31805", - "Fix available: upgrade to 2.5.30", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2022/04/12/6", - "https://cwiki.apache.org/confluence/display/WW/S2-062", - "https://nvd.nist.gov/vuln/detail/CVE-2021-31805", - "https://security.netapp.com/advisory/ntap-20220420-0001/", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-v8j6-6c2r-r27c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31805" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-062" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220420-0001/" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - } - ], - "risk_score": 88.16072000000001, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Expression Language Injection in Apache Struts" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c2.5.22 (unknown)", - "aliases": [ - "CVE-2019-0230" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-0230", - "id": "CWE-1321", - 
"source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wp4h-pvgw-5727", - "description": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", - "epss": [ - { - "cve": "CVE-2019-0230", - "date": "2026-06-14", - "epss": 0.93849, - "percentile": 0.99877 - } - ], - "fix_available": [ - { - "date": "2021-12-03", - "kind": "first-observed", - "version": "2.5.22" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.22", - "fixed_versions": [ - "2.5.22" - ], - "id": "GHSA-wp4h-pvgw-5727", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-0230", - "Fix available: upgrade to 2.5.22", - "Fix state: fixed", - "http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html", - "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", - "https://cwiki.apache.org/confluence/display/ww/s2-059", - "https://launchpad.support.sap.com/#/notes/2982840", - "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E", - "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2019-0230", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wp4h-pvgw-5727" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0230" - }, - { - "type": "advisory", - "url": 
"https://cwiki.apache.org/confluence/display/ww/s2-059" - }, - { - "type": "advisory", - "url": "https://launchpad.support.sap.com/#/notes/2982840" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html" - } - ], - "risk_score": 88.21806000000001, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts" - }, - { - "affected_version_range": "\u003e=2.5.0,\u003c=2.5.12 (unknown)", - "aliases": [ - "CVE-2017-9804" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-9804", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-x5x7-3v85-wpc4", - "description": "Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used", - "epss": [ - { - "cve": "CVE-2017-9804", - "date": "2026-06-14", - "epss": 0.04618, - "percentile": 0.89544 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": 
"first-observed", - "version": "2.5.13" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.13", - "fixed_versions": [ - "2.5.13" - ], - "id": "GHSA-x5x7-3v85-wpc4", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-9804", - "Fix available: upgrade to 2.5.13", - "Fix state: fixed", - "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt", - "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html", - "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a", - "https://nvd.nist.gov/vuln/detail/CVE-2017-9804", - "https://security.netapp.com/advisory/ntap-20180629-0001/", - "https://struts.apache.org/docs/s2-050.html", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2", - "https://web.archive.org/web/20171113165852/http://www.securityfocus.com/bid/100612", - "https://web.archive.org/web/20201021075553/http://www.securitytracker.com/id/1039261" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-x5x7-3v85-wpc4" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-9804" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20180629-0001/" - }, - { - "type": "advisory", - "url": "https://struts.apache.org/docs/s2-050.html" - }, - { - "type": "advisory", - "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170907-struts2" - }, - { - "type": "advisory", - "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2017-003.txt" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html" - }, - { - "type": "advisory", 
- "url": "https://github.com/apache/struts/commit/418a20c0594f23764fe29ced400c1219239899a" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20171113165852/http://www.securityfocus.com/bid/100612" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20201021075553/http://www.securitytracker.com/id/1039261" - } - ], - "risk_score": 3.4635, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts allows entering a custom URL in a form field if built-in URLValidator is used" - }, - { - "affected_version_range": "\u003e=2.5.0,\u003c2.5.13 (unknown)", - "aliases": [ - "CVE-2016-4465" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2016-4465", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xg75-68x3-7p3q", - "description": "Apache Struts vulnerable to possible DoS attack when using URLValidator", - "epss": [ - { - "cve": "CVE-2016-4465", - "date": "2026-06-14", - "epss": 0.10357, - "percentile": 0.93391 - } - ], - "fix_available": [ - { - "date": "2022-11-04", - "kind": "first-observed", - "version": "2.5.13" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.13", - "fixed_versions": [ - "2.5.13" - ], - "id": "GHSA-xg75-68x3-7p3q", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-4465", - "Fix available: upgrade to 2.5.13", - "Fix state: fixed", - "http://jvn.jp/en/jp/JVN12352818/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114", - "http://www-01.ibm.com/support/docview.wss?uid=swg21987854", - 
"https://bugzilla.redhat.com/show_bug.cgi?id=1348253", - "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152", - "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9", - "https://nvd.nist.gov/vuln/detail/CVE-2016-4465", - "https://struts.apache.org/docs/s2-041.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xg75-68x3-7p3q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-4465" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1348253" - }, - { - "type": "advisory", - "url": "https://struts.apache.org/docs/s2-041.html" - }, - { - "type": "advisory", - "url": "http://jvn.jp/en/jp/JVN12352818/index.html" - }, - { - "type": "advisory", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000114" - }, - { - "type": "advisory", - "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21987854" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/a0fdca138feec2c2e94eb75ca1f8b76678b4d152" - }, - { - "type": "advisory", - "url": "https://github.com/apache/struts/commit/eccc31ebce5430f9e91b9684c63eaaf885e603f9" - } - ], - "risk_score": 5.333855, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts vulnerable to possible DoS attack when using URLValidator" - }, - { - "affected_version_range": "\u003e=2.5.0,\u003c=2.5.33 (unknown)", - "aliases": [ - "CVE-2025-64775" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-64775", - "id": "CWE-459", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xx7v-hqxh-cjr9", - "description": "Apache Struts is Vulnerable to DoS via File Leak", - "epss": [ - { - "cve": "CVE-2025-64775", - "date": 
"2026-06-14", - "epss": 0.00171, - "percentile": 0.38311 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-xx7v-hqxh-cjr9", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-64775", - "Fix state: not-fixed", - "http://www.openwall.com/lists/oss-security/2025/12/01/2", - "https://cwiki.apache.org/confluence/display/WW/S2-068", - "https://nvd.nist.gov/vuln/detail/CVE-2025-64775" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xx7v-hqxh-cjr9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64775" - }, - { - "type": "advisory", - "url": "https://cwiki.apache.org/confluence/display/WW/S2-068" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2025/12/01/2" - } - ], - "risk_score": 0.12825, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Apache Struts is Vulnerable to DoS via File Leak" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "zookeeper", - "purl": "pkg:maven/org.apache.zookeeper/zookeeper@3.4.6", - "version": "3.4.6", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=1.0.0,\u003c3.4.14 (unknown)", - "aliases": [ - "CVE-2019-0201" - ], - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2019-0201", - "id": "CWE-862", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2hw2-62cp-p9p7", - "description": "Access control bypass in Apache ZooKeeper", - "epss": [ - { - "cve": "CVE-2019-0201", - "date": "2026-06-14", - "epss": 0.00212, - "percentile": 0.43972 
- } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.4.14" - } - ], - "fix_state": "fixed", - "fixed_in": "3.4.14", - "fixed_versions": [ - "3.4.14" - ], - "id": "GHSA-2hw2-62cp-p9p7", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2019-0201", - "Fix available: upgrade to 3.4.14", + "Also known as: CVE-2020-15250", + "Fix available: upgrade to 4.13.1", "Fix state: fixed", - "http://www.securityfocus.com/bid/108427", - "https://access.redhat.com/errata/RHSA-2019:3140", - "https://access.redhat.com/errata/RHSA-2019:3892", - "https://access.redhat.com/errata/RHSA-2019:4352", - "https://issues.apache.org/jira/browse/ZOOKEEPER-1392", - "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E", - "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E", - "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", - "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html", - 
"https://nvd.nist.gov/vuln/detail/CVE-2019-0201", - "https://seclists.org/bugtraq/2019/Jun/13", - "https://security.netapp.com/advisory/ntap-20190619-0001/", - "https://www.debian.org/security/2019/dsa-4461", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://zookeeper.apache.org/security.html#CVE-2019-0201" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2hw2-62cp-p9p7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0201" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/108427" - }, - { - "type": "advisory", - "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-1392" - }, - { - "type": "advisory", - "url": "https://zookeeper.apache.org/security.html#CVE-2019-0201" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3140" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3892" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/5d9a1cf41a5880557bf680b7321b4ab9a4d206c601ffb15fef6f196a@%3Ccommits.accumulo.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/f6112882e30a31992a79e0a8c31ac179e9d0de7c708de3a9258d4391@%3Cissues.bookkeeper.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00033.html" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2019/Jun/13" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190619-0001/" - }, + "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md", + "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae", + "https://github.com/junit-team/junit4/issues/1676", + "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp", + "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html", + "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E", + "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E", + "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E", + 
"https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E", + "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E", + "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E", + "https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E", + "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E", + 
"https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E", + "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E", + "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E", + "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html", + "https://nvd.nist.gov/vuln/detail/CVE-2020-15250", + "https://www.oracle.com/security-alerts/cpuapr2022.html" + ], + "references": [ { - "type": "advisory", - "url": "https://www.debian.org/security/2019/dsa-4461" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-269g-pwp5-87pp" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:4352" + "url": "https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae" }, { "type": "advisory", - "url": 
"https://www.oracle.com/security-alerts/cpuoct2020.html" + "url": "https://github.com/junit-team/junit4/blob/7852b90cfe1cea1e0cdaa19d490c83f0d8684b50/doc/ReleaseNotes4.13.1.md" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/r40f32125c1d97ad82404cc918171d9e0fcf78e534256674e9da1eb4b@%3Ccommon-issues.hadoop.apache.org%3E" + "url": "https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html" }, { "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - } - ], - "risk_score": 0.11554, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Access control bypass in Apache ZooKeeper" - }, - { - "affected_version_range": "\u003c3.7.2 (unknown)", - "aliases": [ - "CVE-2023-44981" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-44981", - "id": "CWE-639", - "source": "security@apache.org", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7286-pgfv-vxvh", - "description": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper", - "epss": [ - { - "cve": "CVE-2023-44981", - "date": "2026-06-14", - "epss": 0.00025, - "percentile": 0.0734 - } - ], - "fix_available": [ - { - "date": "2023-10-12", - "kind": "first-observed", - "version": "3.7.2" - } - ], - "fix_state": "fixed", - "fixed_in": "3.7.2", - "fixed_versions": [ - "3.7.2" - ], - "id": "GHSA-7286-pgfv-vxvh", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-44981", - "Fix available: upgrade to 3.7.2", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2023/10/11/4", - 
"https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-44981", - "https://security.netapp.com/advisory/ntap-20240621-0007", - "https://www.debian.org/security/2023/dsa-5544" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7286-pgfv-vxvh" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15250" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-44981" + "url": "https://github.com/junit-team/junit4/issues/1676" }, { "type": "advisory", - "url": "https://lists.apache.org/thread/wf0yrk84dg1942z1o74kd8nycg6pgm5b" + "url": "https://lists.apache.org/thread.html/rde385b8b53ed046600ef68dd6b4528dea7566aaddb02c3e702cc28bc@%3Ccommits.creadur.apache.org%3E" }, { "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2023/10/11/4" + "url": "https://lists.debian.org/debian-lts-announce/2020/11/msg00003.html" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00029.html" + "url": "https://lists.apache.org/thread.html/r500517c23200fb2fdb0b82770a62dd6c88b3521cfb01cfd0c76e3f8b@%3Cdev.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5544" + "url": "https://lists.apache.org/thread.html/r5f8841507576f595bb783ccec6a7cb285ea90d4e6f5043eae0e61a41@%3Cdev.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0007" - } - ], - "risk_score": 0.022625000000000003, - "severity": "critical", - "severity_source": "github:language:java", - "source": "grype", - "title": "Authorization Bypass Through User-Controlled Key vulnerability in Apache ZooKeeper" - }, - { - "affected_version_range": "\u003e=3.4.0,\u003c=3.4.9 (unknown)", - "aliases": [ - "CVE-2017-5637" - ], - "cvss": [ - { - "score": 7.5, - "vector": 
"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-5637", - "id": "CWE-306", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2017-5637", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7cwj-j333-x7f7", - "description": "Uncontrolled Resource Consumption in Apache ZooKeeper", - "epss": [ - { - "cve": "CVE-2017-5637", - "date": "2026-06-14", - "epss": 0.17446, - "percentile": 0.95241 - } - ], - "fix_available": [ - { - "date": "2022-07-02", - "kind": "first-observed", - "version": "3.4.10" - } - ], - "fix_state": "fixed", - "fixed_in": "3.4.10", - "fixed_versions": [ - "3.4.10" - ], - "id": "GHSA-7cwj-j333-x7f7", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-5637", - "Fix available: upgrade to 3.4.10", - "Fix state: fixed", - "http://www.debian.org/security/2017/dsa-3871", - "http://www.securityfocus.com/bid/98814", - "https://access.redhat.com/errata/RHSA-2017:2477", - "https://access.redhat.com/errata/RHSA-2017:3354", - "https://access.redhat.com/errata/RHSA-2017:3355", - "https://issues.apache.org/jira/browse/ZOOKEEPER-2693", - "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E", - 
"https://nvd.nist.gov/vuln/detail/CVE-2017-5637", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujul2020.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7cwj-j333-x7f7" + "url": "https://lists.apache.org/thread.html/r717877028482c55acf604d7a0106af4ca05da4208c708fb157b53672@%3Ccommits.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-5637" + "url": "https://lists.apache.org/thread.html/r95f8ef60c4b3a5284b647bb3132cda08e6fadad888a66b84f49da0b0@%3Ccommits.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2017:2477" + "url": "https://lists.apache.org/thread.html/ra1bdb9efae84794e8ffa2f8474be8290ba57830eefe9714b95da714b@%3Cdev.pdfbox.apache.org%3E" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2017:3354" + "url": "https://lists.apache.org/thread.html/rb2771949c676ca984e58a5cd5ca79c2634dee1945e0406e48e0f8457@%3Cdev.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2017:3355" + "url": "https://lists.apache.org/thread.html/rbaec90e699bc7c7bd9a053f76707a36fda48b6d558f31dc79147dbf9@%3Cdev.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://issues.apache.org/jira/browse/ZOOKEEPER-2693" + "url": "https://lists.apache.org/thread.html/rc49cf1547ef6cac1be4b3c92339b2cae0acacf5acaba13cfa429a872@%3Cdev.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" + "url": "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/58170aeb7a681d462b7fa31cae81110cbb749d2dc83c5736a0bb8370@%3Cdev.zookeeper.apache.org%3E" + "url": 
"https://lists.apache.org/thread.html/raebf13f53cd5d23d990712e3d11c80da9a7bae94a6284050f148ed99@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r01110833b63616ddbef59ae4e10c0fbd0060f0a51206defd4cb4d917@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" + "url": "https://lists.apache.org/thread.html/rde8e70b95c992378e8570e4df400c6008a9839eabdfb8f800a3e5af6@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" + "url": "https://lists.apache.org/thread.html/rdbdd30510a7c4d0908fd22075c02b75bbc2e0d977ec22249ef3133cb@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://lists.apache.org/thread.html/rdef7d1380c86e7c0edf8a0f89a2a8db86fce5e363457d56b722691b4@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "http://www.debian.org/security/2017/dsa-3871" + "url": "https://lists.apache.org/thread.html/rea812d8612fdc46842a2a57248cad4b01ddfdb1e9b037c49e68fdbfb@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/98814" - } - ], - "risk_score": 13.084499999999998, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Uncontrolled Resource Consumption in Apache ZooKeeper" - }, - { - "affected_version_range": "\u003c=3.4.9 (unknown)", - "aliases": [ - "CVE-2018-8012" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2018-8012", - "id": "CWE-862", - "source": "nvd@nist.gov", - "type": 
"Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-ccqf-c5hq-77mp", - "description": "Missing Authorization in Apache ZooKeeper", - "epss": [ - { - "cve": "CVE-2018-8012", - "date": "2026-06-14", - "epss": 0.00582, - "percentile": 0.69541 - } - ], - "fix_available": [ - { - "date": "2022-07-01", - "kind": "first-observed", - "version": "3.4.10" - } - ], - "fix_state": "fixed", - "fixed_in": "3.4.10", - "fixed_versions": [ - "3.4.10" - ], - "id": "GHSA-ccqf-c5hq-77mp", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-8012", - "Fix available: upgrade to 3.4.10", - "Fix state: fixed", - "http://www.securityfocus.com/bid/104253", - "http://www.securitytracker.com/id/1040948", - "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E", - "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E", - "https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E", - "https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E", - "https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E", - "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E", - 
"https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2018-8012", - "https://www.debian.org/security/2018/dsa-4214", - "https://www.oracle.com/security-alerts/cpujul2020.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-ccqf-c5hq-77mp" + "url": "https://lists.apache.org/thread.html/reb700e60b9642eafa4b7922bfee80796394135aa09c7a239ef9f7486@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8012" + "url": "https://lists.apache.org/thread.html/rf2ec93f4ca9a97d1958eb4a31b1830f723419ce9bf2018a6e5741d5b@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E" + "url": "https://lists.apache.org/thread.html/rf797d119cc3f51a8d7c3c5cbe50cb4524c8487282b986edde83a9467@%3Ccommits.pulsar.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r30f502d2f79e8d635361adb8108dcbb73095163fcbd776ee7984a094@%3Ccommits.creadur.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/c75147028c1c79bdebd4f8fa5db2b77da85de2b05ecc0d54d708b393@%3Cdev.zookeeper.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r09cfbb5aedd76023691bbce9ca4ce2e16bb07dd37554a17efc19935d@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/r73daf1fc5d85677d9a854707e1908d14e174b7bbb0c603709c0ab33f@%3Coak-commits.jackrabbit.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r29d703d1986d9b871466ff24082a1828ac8ad27bb0965a93a383872e@%3Cpluto-scm.portals.apache.org%3E" }, { "type": 
"advisory", - "url": "https://lists.apache.org/thread.html/r8f0d920805af93033c488af89104e2d682662bacfb8406db865d5e14@%3Cdev.jackrabbit.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r2b78f23bc2711a76a7fc73ad67b7fcd6817c5cfccefd6f30a4f54943@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/rc5bc4ddb0deabf8cfb69378cecee56fcdc76929bea9e6373cb863870@%3Cdev.jackrabbit.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r687f489b10b0d14e46f626aa88476545e1a2600b24c4ebd3c0d2a10b@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r925eaae7dd8f77dd61eefc49c1fcf54bd9ecfe605486870d7b1e9390@%3Cpluto-dev.portals.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/re3a4048e9515d4afea416df907a612ed384a16c57cf99e97ee4a12f2@%3Cdev.jackrabbit.apache.org%3E" + "url": "https://lists.apache.org/thread.html/r934208a520b38f5cf0cae199b6b076bfe7d081809528b0eff2459e40@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "https://www.debian.org/security/2018/dsa-4214" + "url": "https://lists.apache.org/thread.html/rf6e5d894d4b03bef537c9d6641272e0197c047c0d1982b4e176d0353@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://lists.apache.org/thread.html/r1209986f79359b518d09513ff05a88e5b3c398540e775edea76a4774@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/104253" + "url": "https://lists.apache.org/thread.html/r742b44fd75215fc75963b8ecc22b2e4372e68d67d3d859d2b5e8743f@%3Cdev.knox.apache.org%3E" }, { "type": "advisory", - "url": "http://www.securitytracker.com/id/1040948" - } - ], - "risk_score": 0.4365, - "severity": "high", - "severity_source": "github:language:java", - 
"source": "grype", - "title": "Missing Authorization in Apache ZooKeeper" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "freemarker", - "purl": "pkg:maven/org.freemarker/freemarker@2.3.23", - "version": "2.3.23", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" + "url": "https://lists.apache.org/thread.html/r8b02dc6f18df11ff39eedb3038f1e31e6f90a779b1959bae65107279@%3Cdev.knox.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://lists.apache.org/thread.html/r9710067c7096b83cb6ae8f53a2f6f94e9c042d1bf1d6929f8f2a2b7a@%3Ccommits.knox.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://lists.apache.org/thread.html/rb2ffe2993f4dccc48d832e1a0f1c419477781b6ea16e725ca2276dbb@%3Cdev.knox.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + } + ], + "risk_score": 0.7867800000000001, + "severity": "medium", + "severity_source": "github:language:java", + "source": "grype", + "title": "TemporaryFolder on unix-like systems does not limit access to created files" } - ], - "matched": true, - "name": "hamcrest-core", - "purl": "pkg:maven/org.hamcrest/hamcrest-core@1.3", - "version": "1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "name": "javassist", - "purl": "pkg:maven/org.javassist/javassist@3.20.0-ga", - "version": "3.20.0-ga", - "vulnerabilities": [] + ] }, { "ecosystem": "maven", 
@@ -12051,68 +820,53 @@ } ], "matched": true, - "name": "jrobin", - "purl": "pkg:maven/org.jrobin/jrobin@1.5.9", - "version": "1.5.9", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "keycloak-saml-core", - "purl": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.final", - "version": "1.8.1.final", + "name": "javamelody-core", + "purl": "pkg:maven/net.bull.javamelody/javamelody-core@1.59.0", + "version": "1.59.0", "vulnerabilities": [ { - "affected_version_range": "\u003c18.0.0 (unknown)", + "affected_version_range": "\u003c1.74.0 (unknown)", "aliases": [ - "CVE-2021-3827" + "CVE-2018-15531" ], "cvss": [ { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" + "score": 9.8, + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.0" } ], "cwes": [ { - "cve": "CVE-2021-3827", - "id": "CWE-287", - "source": "secalert@redhat.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3827", - "id": "CWE-287", + "cve": "CVE-2018-15531", + "id": "CWE-611", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-4pc7-vqv5-5r3v", - "description": "ECP SAML binding bypasses authentication flows", + "data_source": "https://github.com/advisories/GHSA-6fvx-r7hx-3vh6", + "description": "JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java.", "epss": [ { - "cve": "CVE-2021-3827", - "date": "2026-06-14", - "epss": 0.00208, - "percentile": 0.43483 + "cve": "CVE-2018-15531", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-04-28", + "date": "2020-07-28", "kind": "first-observed", - "version": "18.0.0" + "version": "1.74.0" } ], "fix_state": "fixed", - "fixed_in": "18.0.0", + "fixed_in": "1.74.0", "fixed_versions": [ - "18.0.0" + "1.74.0" ], - "id": "GHSA-4pc7-vqv5-5r3v", + "id": "GHSA-6fvx-r7hx-3vh6", "namespace": 
"github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -12123,90 +877,74 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2021-3827", - "Fix available: upgrade to 18.0.0", + "Also known as: CVE-2018-15531", + "Fix available: upgrade to 1.74.0", "Fix state: fixed", - "https://access.redhat.com/security/cve/CVE-2021-3827", - "https://bugzilla.redhat.com/show_bug.cgi?id=2007512", - "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d", - "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3827" + "http://www.openwall.com/lists/oss-security/2018/09/25/3", + "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353", + "https://github.com/javamelody/javamelody/wiki/ReleaseNotes", + "https://jenkins.io/security/advisory/2018-09-25/", + "https://nvd.nist.gov/vuln/detail/CVE-2018-15531" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4pc7-vqv5-5r3v" + "url": "https://github.com/advisories/GHSA-6fvx-r7hx-3vh6" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15531" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3827" + "url": "https://github.com/javamelody/javamelody/commit/ef111822562d0b9365bd3e671a75b65bd0613353" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d" + "url": "https://github.com/javamelody/javamelody/wiki/ReleaseNotes" }, { "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2021-3827" + "url": "https://jenkins.io/security/advisory/2018-09-25/" }, { "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512" + "url": "http://www.openwall.com/lists/oss-security/2018/09/25/3" } ], - "risk_score": 0.16224, - "severity": "high", + "risk_score": 26.20062, + "severity": 
"critical", "severity_source": "github:language:java", "source": "grype", - "title": "ECP SAML binding bypasses authentication flows" + "title": "JavaMelody has XXE via parseSoapMethodName in bull/javamelody/PayloadNameRequestWrapper.java." }, { - "affected_version_range": "\u003c26.6.2 (unknown)", + "affected_version_range": "\u003c1.61.0 (unknown)", "aliases": [ - "CVE-2026-7307" + "CVE-2016-1000273" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 10, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1" } ], - "cwes": [ - { - "cve": "CVE-2026-7307", - "id": "CWE-1286", - "source": "secalert@redhat.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p5mv-gj8j-xqgf", - "description": "Keycloak: Denial of Service via specially crafted SAML input", - "epss": [ - { - "cve": "CVE-2026-7307", - "date": "2026-06-14", - "epss": 0.00059, - "percentile": 0.18876 - } - ], + "data_source": "https://github.com/advisories/GHSA-cqhr-jqvc-qw9p", + "description": "Java Melody vulnerable to cross-site scripting", "fix_available": [ { - "date": "2026-06-04", + "date": "2022-07-21", "kind": "first-observed", - "version": "26.6.2" + "version": "1.61.0" } ], "fix_state": "fixed", - "fixed_in": "26.6.2", + "fixed_in": "1.61.0", "fixed_versions": [ - "26.6.2" + "1.61.0" ], - "id": "GHSA-p5mv-gj8j-xqgf", + "id": "GHSA-cqhr-jqvc-qw9p", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -12217,115 +955,163 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-7307", - "Fix available: upgrade to 26.6.2", + "Also known as: CVE-2016-1000273", + "Fix available: upgrade to 1.61.0", "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2026:19594", - "https://access.redhat.com/errata/RHSA-2026:19595", - "https://access.redhat.com/errata/RHSA-2026:19596", - "https://access.redhat.com/errata/RHSA-2026:19597", - "https://access.redhat.com/security/cve/CVE-2026-7307", - "https://bugzilla.redhat.com/show_bug.cgi?id=2476526", - "https://github.com/keycloak/keycloak/commit/be84d28ce4c69c038d542f11405d5ede1d61f4a9", - "https://github.com/keycloak/keycloak/pull/49119", - "https://github.com/keycloak/keycloak/releases/tag/26.6.2", - "https://nvd.nist.gov/vuln/detail/CVE-2026-7307" + "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6", + "https://github.com/javamelody/javamelody/wiki/ReleaseNotes#1620" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-p5mv-gj8j-xqgf" + "url": "https://github.com/advisories/GHSA-cqhr-jqvc-qw9p" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307" + "url": "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6" }, { "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2026-7307" - }, + "url": "https://github.com/javamelody/javamelody/wiki/ReleaseNotes#1620" + } + ], + "severity": "critical", + "severity_source": "github:language:java", + "source": "grype", + "title": "Java Melody vulnerable to cross-site scripting" + }, + { + "affected_version_range": "\u003c=1.60.0 (unknown)", + "aliases": [ + "CVE-2018-12432" + ], + "cvss": [ { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526" - }, + "score": 6.1, + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "version": "3.0" + } + ], + "cwes": [ { - "type": 
"advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:19594" - }, + "cve": "CVE-2018-12432", + "id": "CWE-79", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "data_source": "https://github.com/advisories/GHSA-g66q-grxc-64j3", + "description": "Cross-site Scripting in JavaMelody", + "epss": [ { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:19597" - }, + "cve": "CVE-2018-12432", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:19595" - }, + "date": "2022-07-01", + "kind": "first-observed", + "version": "1.61.0" + } + ], + "fix_state": "fixed", + "fixed_in": "1.61.0", + "fixed_versions": [ + "1.61.0" + ], + "id": "GHSA-g66q-grxc-64j3", + "namespace": "github:language:java", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "jvmreach", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2018-12432", + "Fix available: upgrade to 1.61.0", + "Fix state: fixed", + "https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector---JavaMelody", + "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6", + "https://nvd.nist.gov/vuln/detail/CVE-2018-12432" + ], + "references": [ { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:19596" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-g66q-grxc-64j3" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/pull/49119" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-12432" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/commit/be84d28ce4c69c038d542f11405d5ede1d61f4a9" + "url": "https://github.com/Hurdano/JavaMelody-XSS/wiki/Attack-Vector---JavaMelody" }, { "type": "advisory", - "url": 
"https://github.com/keycloak/keycloak/releases/tag/26.6.2" + "url": "https://github.com/javamelody/javamelody/commit/e0497c1980acebd257d3da78dfde29ae9bdffdf6" } ], - "risk_score": 0.044250000000000005, - "severity": "high", + "risk_score": 0.392385, + "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "Keycloak: Denial of Service via specially crafted SAML input" - }, + "title": "Cross-site Scripting in JavaMelody" + } + ] + }, + { + "ecosystem": "maven", + "licenses": [ { - "affected_version_range": "\u003c26.2.14 (unknown)", + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "kafka_2.11", + "purl": "pkg:maven/org.apache.kafka/kafka_2.11@0.9.0.1", + "version": "0.9.0.1", + "vulnerabilities": [ + { + "affected_version_range": "\u003c3.4.0 (unknown)", "aliases": [ - "CVE-2026-2092" + "CVE-2025-27819" ], "cvss": [ { - "score": 7.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", + "score": 8.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2026-2092", - "id": "CWE-1287", - "source": "secalert@redhat.com", - "type": "Primary" + "cve": "CVE-2025-27819", + "id": "CWE-502", + "source": "security@apache.org", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-wmxr-6j5f-838p", - "description": "Keycloak: Unauthorized access via improper validation of encrypted SAML assertions", + "data_source": "https://github.com/advisories/GHSA-mcwh-c9pg-xw43", + "description": "Apache Kafka Deserialization of Untrusted Data vulnerability", "epss": [ { - "cve": "CVE-2026-2092", - "date": "2026-06-14", - "epss": 0.00105, - "percentile": 0.28328 - } - ], - "fix_available": [ - { - "date": "2026-04-09", - "kind": "first-observed", - "version": "26.2.14" + "cve": "CVE-2025-27819", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": 
"fixed", - "fixed_in": "26.2.14", - "fixed_versions": [ - "26.2.14" - ], - "id": "GHSA-wmxr-6j5f-838p", + "fix_state": "not-fixed", + "id": "GHSA-mcwh-c9pg-xw43", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -12336,105 +1122,95 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-2092", - "Fix available: upgrade to 26.2.14", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2026:3925", - "https://access.redhat.com/errata/RHSA-2026:3926", - "https://access.redhat.com/errata/RHSA-2026:3947", - "https://access.redhat.com/errata/RHSA-2026:3948", - "https://access.redhat.com/security/cve/CVE-2026-2092", - "https://bugzilla.redhat.com/show_bug.cgi?id=2437296", - "https://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2092" + "Also known as: CVE-2025-27819", + "Fix state: not-fixed", + "https://github.com/advisories/GHSA-26f8-x7cc-wqpc", + "https://kafka.apache.org/cve-list", + "https://nvd.nist.gov/vuln/detail/CVE-2025-27819" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-wmxr-6j5f-838p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3925" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3926" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3947" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3948" + "url": "https://github.com/advisories/GHSA-mcwh-c9pg-xw43" }, { "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2026-2092" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27819" }, { "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296" + "url": "https://kafka.apache.org/cve-list" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508" + "url": "https://github.com/advisories/GHSA-26f8-x7cc-wqpc" } ], - "risk_score": 0.0798, + "risk_score": 0.7098650000000002, "severity": "high", 
"severity_source": "github:language:java", "source": "grype", - "title": "Keycloak: Unauthorized access via improper validation of encrypted SAML assertions" - }, + "title": "Apache Kafka Deserialization of Untrusted Data vulnerability" + } + ] + }, + { + "ecosystem": "maven", + "licenses": [ { - "affected_version_range": "\u003c=22.0.12 (unknown)", + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "org.apache.sling.engine", + "purl": "pkg:maven/org.apache.sling/org.apache.sling.engine@2.0.4-incubator", + "version": "2.0.4-incubator", + "vulnerabilities": [ + { + "affected_version_range": "\u003c2.14.0 (unknown)", "aliases": [ - "CVE-2024-8698" + "CVE-2022-45064" ], "cvss": [ { - "score": 7.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", + "score": 8, + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2024-8698", - "id": "CWE-347", - "source": "secalert@redhat.com", + "cve": "CVE-2022-45064", + "id": "CWE-79", + "source": "security@apache.org", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-xgfv-xpx8-qhcr", - "description": "Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak", + "data_source": "https://github.com/advisories/GHSA-mg46-f9h5-g27x", + "description": "Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation", "epss": [ { - "cve": "CVE-2024-8698", - "date": "2026-06-14", - "epss": 0.82215, - "percentile": 0.99242 + "cve": "CVE-2022-45064", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-10-15", + "date": "2023-04-19", "kind": "first-observed", - "version": "22.0.13" + "version": "2.14.0" } ], "fix_state": "fixed", - "fixed_in": "22.0.13", + "fixed_in": "2.14.0", "fixed_versions": [ - "22.0.13" + "2.14.0" ], - "id": "GHSA-xgfv-xpx8-qhcr", + "id": 
"GHSA-mg46-f9h5-g27x", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -12445,150 +1221,96 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-8698", - "Fix available: upgrade to 22.0.13", + "Also known as: CVE-2022-45064", + "Fix available: upgrade to 2.14.0", "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2024:6878", - "https://access.redhat.com/errata/RHSA-2024:6879", - "https://access.redhat.com/errata/RHSA-2024:6880", - "https://access.redhat.com/errata/RHSA-2024:6882", - "https://access.redhat.com/errata/RHSA-2024:6886", - "https://access.redhat.com/errata/RHSA-2024:6887", - "https://access.redhat.com/errata/RHSA-2024:6888", - "https://access.redhat.com/errata/RHSA-2024:6889", - "https://access.redhat.com/errata/RHSA-2024:6890", - "https://access.redhat.com/errata/RHSA-2024:8823", - "https://access.redhat.com/errata/RHSA-2024:8824", - "https://access.redhat.com/errata/RHSA-2024:8826", - "https://access.redhat.com/security/cve/CVE-2024-8698", - "https://bugzilla.redhat.com/show_bug.cgi?id=2311641", - "https://github.com/keycloak/keycloak/releases/tag/25.0.6", - "https://github.com/keycloak/keycloak/security/advisories/GHSA-xgfv-xpx8-qhcr", - "https://nvd.nist.gov/vuln/detail/CVE-2024-8698" + "http://www.openwall.com/lists/oss-security/2023/04/18/6", + "https://lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok", + "https://nvd.nist.gov/vuln/detail/CVE-2022-45064" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-xgfv-xpx8-qhcr" - }, - { - "type": "advisory", - "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-xgfv-xpx8-qhcr" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698" - }, - { - "type": "advisory", - "url": "https://github.com/keycloak/keycloak/releases/tag/25.0.6" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2024-8698" - }, - { - "type": "advisory", - "url": 
"https://access.redhat.com/errata/RHSA-2024:8826" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:8824" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:8823" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6890" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6889" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6888" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6887" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6886" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6882" + "url": "https://github.com/advisories/GHSA-mg46-f9h5-g27x" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6880" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45064" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6879" + "url": "https://lists.apache.org/thread/hhp611hltby3whk03vx2mv7cmy3vs0ok" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2024:6878" + "url": "http://www.openwall.com/lists/oss-security/2023/04/18/6" } ], - "risk_score": 62.4834, + "risk_score": 0.868775, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak" - }, + "title": "Apache Sling Engine vulnerable to cross-site scripting (XSS) that can lead to privilege escalation" + } + ] + }, + { + "ecosystem": "maven", + "licenses": [ { - "affected_version_range": "\u003c26.5.4 (unknown)", + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "struts2-core", + "purl": "pkg:maven/org.apache.struts/struts2-core@2.5.13", + "version": "2.5.13", + "vulnerabilities": [ 
+ { + "affected_version_range": "\u003e=2.0.0,\u003c2.5.33 (unknown)", "aliases": [ - "CVE-2026-2575" + "CVE-2023-50164" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2026-2575", - "id": "CWE-409", - "source": "secalert@redhat.com", - "type": "Primary" + "cve": "CVE-2023-50164", + "id": "CWE-552", + "source": "security@apache.org", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-xv6h-r36f-3gp5", - "description": "Keycloak: Denial of Service due to excessive SAMLRequest decompression", + "data_source": "https://github.com/advisories/GHSA-2j39-qcjm-428w", + "description": "Apache Struts vulnerable to path traversal", "epss": [ { - "cve": "CVE-2026-2575", - "date": "2026-06-14", - "epss": 0.0003, - "percentile": 0.09255 + "cve": "CVE-2023-50164", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-03-19", + "date": "2023-12-08", "kind": "first-observed", - "version": "26.5.4" + "version": "2.5.33" } ], "fix_state": "fixed", - "fixed_in": "26.5.4", + "fixed_in": "2.5.33", "fixed_versions": [ - "26.5.4" + "2.5.33" ], - "id": "GHSA-xv6h-r36f-3gp5", + "id": "GHSA-2j39-qcjm-428w", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -12599,961 +1321,868 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-2575", - "Fix available: upgrade to 26.5.4", + "Also known as: CVE-2023-50164", + "Fix available: upgrade to 2.5.33", "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2026:3947", - "https://access.redhat.com/errata/RHSA-2026:3948", - "https://access.redhat.com/security/cve/CVE-2026-2575", - "https://bugzilla.redhat.com/show_bug.cgi?id=2440149", - "https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04", - "https://github.com/keycloak/keycloak/issues/46372", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2575" + "http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html", + "http://www.openwall.com/lists/oss-security/2023/12/07/1", + "https://cwiki.apache.org/confluence/display/WW/S2-066", + "https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163", + "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6", + "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj", + "https://nvd.nist.gov/vuln/detail/CVE-2023-50164", + "https://security.netapp.com/advisory/ntap-20231214-0010", + "https://www.openwall.com/lists/oss-security/2023/12/07/1" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-xv6h-r36f-3gp5" + "url": "https://github.com/advisories/GHSA-2j39-qcjm-428w" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50164" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3947" + "url": "https://lists.apache.org/thread/yh09b3fkf6vz5d6jdgrlvmg60lfwtqhj" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2026:3948" + "url": "http://www.openwall.com/lists/oss-security/2023/12/07/1" }, { "type": "advisory", - "url": "https://access.redhat.com/security/cve/CVE-2026-2575" + "url": 
"https://github.com/apache/struts/commit/162e29fee9136f4bfd9b2376da2cbf590f9ea163" }, { "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440149" + "url": "https://github.com/apache/struts/commit/d8c69691ef1d15e76a5f4fcf33039316da2340b6" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/issues/46372" + "url": "https://www.openwall.com/lists/oss-security/2023/12/07/1" }, { "type": "advisory", - "url": "https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04" + "url": "http://packetstormsecurity.com/files/176157/Struts-S2-066-File-Upload-Remote-Code-Execution.html" + }, + { + "type": "advisory", + "url": "https://cwiki.apache.org/confluence/display/WW/S2-066" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20231214-0010" } ], - "risk_score": 0.015449999999999998, - "severity": "medium", + "risk_score": 75.96986, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Keycloak: Denial of Service due to excessive SAMLRequest decompression" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "jbcrypt", - "purl": "pkg:maven/org.mindrot/jbcrypt@0.3m", - "version": "0.3m", - "vulnerabilities": [ + "title": "Apache Struts vulnerable to path traversal" + }, { - "affected_version_range": "\u003c0.4 (unknown)", + "affected_version_range": "\u003c6.4.0 (unknown)", "aliases": [ - "CVE-2015-0886" + "CVE-2024-53677" + ], + "cvss": [ + { + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + { + "score": 9.5, + "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/S:N/AU:Y/R:A/V:C/RE:L/U:Red", + "version": "4.0" + } ], "cwes": [ { - "cve": "CVE-2015-0886", - "id": "CWE-190", - "source": "nvd@nist.gov", - "type": "Primary" + 
"cve": "CVE-2024-53677", + "id": "CWE-434", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-9h6p-92jq-888x", - "description": "Integer Overflow or Wraparound in JBCrypt", + "data_source": "https://github.com/advisories/GHSA-43mq-6xmg-29vm", + "description": "Apache Struts file upload logic is flawed", "epss": [ { - "cve": "CVE-2015-0886", - "date": "2026-06-14", - "epss": 0.02478, - "percentile": 0.85662 + "cve": "CVE-2024-53677", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-07-08", + "date": "2024-12-12", "kind": "first-observed", - "version": "0.4" + "version": "6.4.0" } ], "fix_state": "fixed", - "fixed_in": "0.4", + "fixed_in": "6.4.0", "fixed_versions": [ - "0.4" + "6.4.0" ], - "id": "GHSA-9h6p-92jq-888x", + "id": "GHSA-43mq-6xmg-29vm", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2015-0886", - "Fix available: upgrade to 0.4", + "Also known as: CVE-2024-53677", + "Fix available: upgrade to 6.4.0", "Fix state: fixed", - "http://jvn.jp/en/jp/JVN77718330/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html", - "http://www.mindrot.org/projects/jBCrypt/news/rel04.html", - "https://bugzilla.mindrot.org/show_bug.cgi?id=2097", - "https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa@%3Ccommits.cassandra.apache.org%3E", - 
"https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548@%3Ccommits.cassandra.apache.org%3E", - "https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942@%3Ccommits.cassandra.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2015-0886" + "https://cwiki.apache.org/confluence/display/WW/S2-067", + "https://github.com/apache/struts/commit/1ecfbae46543a83e131404f8dcc84b3d0d554854", + "https://github.com/apache/struts/commit/3ef9ade8902a63bb560892453eeca02bfddefc78", + "https://github.com/apache/struts/commit/930fef7679d7247db9e460c146b1698a9d7ad1e4", + "https://nvd.nist.gov/vuln/detail/CVE-2024-53677", + "https://security.netapp.com/advisory/ntap-20250103-0005", + "https://struts.apache.org/core-developers/file-upload", + "https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-9h6p-92jq-888x" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0886" - }, - { - "type": "advisory", - "url": "https://bugzilla.mindrot.org/show_bug.cgi?id=2097" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbd23e3ac8113b4da0a025c0e45170b6ec317383a1cf06090c2c717aa@%3Ccommits.cassandra.apache.org%3E" + "url": "https://github.com/advisories/GHSA-43mq-6xmg-29vm" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd5c2256b8dc9935e4bb5e9be90adce58408054bb42523730a40c5548@%3Ccommits.cassandra.apache.org%3E" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53677" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/re330cfe9e5d84e3f7da8ace23ec32f38cb3fbd328bf177badd7ad942@%3Ccommits.cassandra.apache.org%3E" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-067" }, { "type": "advisory", - "url": "http://jvn.jp/en/jp/JVN77718330/index.html" + "url": 
"https://struts.apache.org/core-developers/file-upload" }, { "type": "advisory", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2015-000033" + "url": "https://security.netapp.com/advisory/ntap-20250103-0005" }, { "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151496.html" + "url": "https://github.com/apache/struts/commit/1ecfbae46543a83e131404f8dcc84b3d0d554854" }, { "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151786.html" + "url": "https://github.com/apache/struts/commit/3ef9ade8902a63bb560892453eeca02bfddefc78" }, { "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151797.html" + "url": "https://github.com/apache/struts/commit/930fef7679d7247db9e460c146b1698a9d7ad1e4" }, { "type": "advisory", - "url": "http://www.mindrot.org/projects/jBCrypt/news/rel04.html" + "url": "https://www.dynatrace.com/news/blog/the-anatomy-of-broken-apache-struts-2-a-technical-deep-dive-into-cve-2024-53677" } ], - "risk_score": 1.239, - "severity": "medium", + "risk_score": 72.919635, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Integer Overflow or Wraparound in JBCrypt" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "GPL-3.0", - "type": "external-depsdev", - "value": "GPL-3.0" - } - ], - "matched": true, - "name": "neo4j-jmx", - "purl": "pkg:maven/org.neo4j/neo4j-jmx@1.3", - "version": "1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "scala-parser-combinators_2.11", - "purl": "pkg:maven/org.scala-lang.modules/scala-parser-combinators_2.11@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": 
"external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "scala-xml_2.11", - "purl": "pkg:maven/org.scala-lang.modules/scala-xml_2.11@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "scala-library", - "purl": "pkg:maven/org.scala-lang/scala-library@2.11.7", - "version": "2.11.7", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "slf4j-api", - "purl": "pkg:maven/org.slf4j/slf4j-api@1.6.1", - "version": "1.6.1", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "slf4j-log4j12", - "purl": "pkg:maven/org.slf4j/slf4j-log4j12@1.7.6", - "version": "1.7.6", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "name": "spring-aop", - "purl": "pkg:maven/org.springframework/spring-aop@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "name": "spring-asm", - "purl": "pkg:maven/org.springframework/spring-asm@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "spring-beans", - "purl": "pkg:maven/org.springframework/spring-beans@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [ + "title": "Apache Struts file upload logic is flawed" + }, { - "affected_version_range": "\u003c5.2.20.RELEASE (unknown)", + "affected_version_range": "\u003c2.5.31 (unknown)", "aliases": [ - "CVE-2022-22965" + "CVE-2023-34396" ], "cvss": [ { - "score": 9.8, - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22965", - "id": "CWE-94", - "source": "security@vmware.com", + "cve": "CVE-2023-34396", + "id": "CWE-770", + "source": "security@apache.org", "type": "Secondary" - }, - { - "cve": "CVE-2022-22965", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-36p3-wjmg-h94x", - "description": "Remote Code Execution in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-4g42-gqrg-4633", + "description": "Apache Struts vulnerable to memory exhaustion", "epss": [ { - "cve": "CVE-2022-22965", - "date": "2026-06-14", - "epss": 0.94439, - "percentile": 0.9999 + "cve": "CVE-2023-34396", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-16", + "date": "2023-06-15", "kind": "first-observed", - "version": "5.2.20.RELEASE" + "version": "2.5.31" } ], "fix_state": "fixed", - "fixed_in": "5.2.20.RELEASE", + "fixed_in": "2.5.31", "fixed_versions": [ - "5.2.20.RELEASE" - ], - "id": "GHSA-36p3-wjmg-h94x", - "kev_exploited": true, - "known_exploited": [ - { - "cve": "CVE-2022-22965", - "cwes": [ - "CWE-94" - ], - "date_added": "2022-04-04", - "due_date": "2022-04-25", - "known_ransomware_campaign_use": "unknown", - "product": "Spring Framework", - "required_action": "Apply updates per vendor instructions.", - "urls": [ - "https://nvd.nist.gov/vuln/detail/CVE-2022-22965" - ], - "vendor_project": "VMware" - } + "2.5.31" ], + "id": "GHSA-4g42-gqrg-4633", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also 
known as: CVE-2022-22965", - "Fix available: upgrade to 5.2.20.RELEASE", + "Also known as: CVE-2023-34396", + "Fix available: upgrade to 2.5.31", "Fix state: fixed", - "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html", - "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html", - "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf", - "https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12", - "https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6", - "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15", - "https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE", - "https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22965", - "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005", - "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement", - "https://tanzu.vmware.com/security/cve-2022-22965", - "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67", - "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965", - "https://www.kb.cert.org/vuls/id/970766", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html" + "http://www.openwall.com/lists/oss-security/2023/06/14/3", + "https://cwiki.apache.org/confluence/display/WW/S2-064", + "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", + "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31", + "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1", + "https://nvd.nist.gov/vuln/detail/CVE-2023-34396", + "https://security.netapp.com/advisory/ntap-20230706-0005" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-36p3-wjmg-h94x" + "url": "https://github.com/advisories/GHSA-4g42-gqrg-4633" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22965" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34396" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-064" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-boot/releases/tag/v2.5.12" + "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-boot/releases/tag/v2.6.6" + "url": "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE" + "url": "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/releases/tag/v5.3.18" + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/3" }, { "type": "advisory", - "url": "https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" - }, + "url": "https://security.netapp.com/advisory/ntap-20230706-0005" + } + ], + "risk_score": 4.100250000000001, + "severity": "high", + "severity_source": "github:language:java", + "source": "grype", + "title": "Apache Struts vulnerable to memory exhaustion" + }, + { + "affected_version_range": "\u003c2.5.32 (unknown)", + "aliases": [ + "CVE-2023-41835" + ], + "cvss": [ { - "type": "advisory", - "url": "https://tanzu.vmware.com/security/cve-2022-22965" + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2023-41835", + "id": "CWE-459", + "source": "security@apache.org", + "type": "Secondary" }, { - 
"type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf" + "cve": "CVE-2023-41835", + "id": "CWE-459", + "source": "nvd@nist.gov", + "type": "Primary" + } + ], + "data_source": "https://github.com/advisories/GHSA-729q-fcgp-r5xh", + "description": "Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability", + "epss": [ + { + "cve": "CVE-2023-41835", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2023-12-06", + "kind": "first-observed", + "version": "2.5.32" + } + ], + "fix_state": "fixed", + "fixed_in": "2.5.32", + "fixed_versions": [ + "2.5.32" + ], + "id": "GHSA-729q-fcgp-r5xh", + "namespace": "github:language:java", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "jvmreach", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2023-41835", + "Fix available: upgrade to 2.5.32", + "Fix state: fixed", + "http://www.openwall.com/lists/oss-security/2023/12/09/1", + "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a", + "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7", + "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711", + "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft", + "https://nvd.nist.gov/vuln/detail/CVE-2023-41835", + "https://security.netapp.com/advisory/ntap-20231013-0001", + "https://www.openwall.com/lists/oss-security/2023/12/09/1" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-729q-fcgp-r5xh" }, { "type": "advisory", - "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-41835" }, { "type": "advisory", - "url": 
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67" + "url": "https://lists.apache.org/thread/6wj530kh3ono8phr642y9sqkl67ys2ft" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" + "url": "https://github.com/apache/struts/commit/3292152f8c0a77ee4827beede82b6580478a2c2a" }, { "type": "advisory", - "url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html" + "url": "https://github.com/apache/struts/commit/4c044f12560e22e00520595412830f9582d6dac7" }, { "type": "advisory", - "url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html" + "url": "https://github.com/apache/struts/commit/bf54436869c264941dd192c752a4abfaa65d3711" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + "url": "http://www.openwall.com/lists/oss-security/2023/12/09/1" }, { "type": "advisory", - "url": "https://www.kb.cert.org/vuls/id/970766" + "url": "https://www.openwall.com/lists/oss-security/2023/12/09/1" }, { "type": "advisory", - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965" + "url": "https://security.netapp.com/advisory/ntap-20231013-0001" } ], - "risk_score": 98.70000000000002, - "severity": "critical", + "risk_score": 4.7145, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Remote Code Execution in Spring Framework" + "title": "Apache Struts Improper Control of Dynamically-Managed Code Resources vulnerability" }, { - "affected_version_range": "\u003c=5.2.21.RELEASE (unknown)", + "affected_version_range": "\u003c2.5.31 (unknown)", "aliases": [ - "CVE-2022-22970" + "CVE-2023-34149" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 6.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": 
[ { - "cve": "CVE-2022-22970", + "cve": "CVE-2023-34149", "id": "CWE-770", - "source": "security@vmware.com", + "source": "security@apache.org", "type": "Secondary" - }, - { - "cve": "CVE-2022-22970", - "id": "CWE-770", - "source": "nvd@nist.gov", - "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-hh26-6xwr-ggv7", - "description": "Denial of service in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-8f6x-v685-g2xc", + "description": "Apache Struts vulnerable to memory exhaustion", "epss": [ { - "cve": "CVE-2022-22970", - "date": "2026-06-14", - "epss": 0.00164, - "percentile": 0.37322 + "cve": "CVE-2023-34149", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-02-03", + "date": "2023-06-15", "kind": "first-observed", - "version": "5.2.22.RELEASE" + "version": "2.5.31" } ], "fix_state": "fixed", - "fixed_in": "5.2.22.RELEASE", + "fixed_in": "2.5.31", "fixed_versions": [ - "5.2.22.RELEASE" + "2.5.31" ], - "id": "GHSA-hh26-6xwr-ggv7", + "id": "GHSA-8f6x-v685-g2xc", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22970", - "Fix available: upgrade to 5.2.22.RELEASE", + "Also known as: CVE-2023-34149", + "Fix available: upgrade to 2.5.31", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2", - "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22970", - "https://security.netapp.com/advisory/ntap-20220616-0006", - "https://tanzu.vmware.com/security/cve-2022-22970", - 
"https://www.oracle.com/security-alerts/cpujul2022.html" + "http://www.openwall.com/lists/oss-security/2023/06/14/2", + "https://cwiki.apache.org/confluence/display/WW/S2-063", + "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21", + "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31", + "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1", + "https://nvd.nist.gov/vuln/detail/CVE-2023-34149", + "https://security.netapp.com/advisory/ntap-20230706-0005" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-hh26-6xwr-ggv7" + "url": "https://github.com/advisories/GHSA-8f6x-v685-g2xc" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22970" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34149" }, { "type": "advisory", - "url": "https://tanzu.vmware.com/security/cve-2022-22970" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-063" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + "url": "https://github.com/apache/struts/commit/2d6f1bc0a6f5ac575a56784ac6461816b67c4f21" + }, + { + "type": "advisory", + "url": "https://github.com/apache/struts/releases/tag/STRUTS_2_5_31" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/83186b689f11f5e6efe7ccc08fdeb92f66fcd583" + "url": "https://github.com/apache/struts/releases/tag/STRUTS_6_1_2_1" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/50177b1ad3485bd44239b1756f6c14607476fcf2" + "url": "http://www.openwall.com/lists/oss-security/2023/06/14/2" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220616-0006" + "url": "https://security.netapp.com/advisory/ntap-20230706-0005" } ], - "risk_score": 0.123, - "severity": "high", + "risk_score": 3.106725, + "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": 
"Denial of service in Spring Framework" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "spring-context", - "purl": "pkg:maven/org.springframework/spring-context@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [ + "title": "Apache Struts vulnerable to memory exhaustion" + }, { - "affected_version_range": "\u003c=5.3.40 (unknown)", + "affected_version_range": "\u003e=2.0,\u003c2.5.22 (unknown)", "aliases": [ - "CVE-2024-38820" + "CVE-2012-1592" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "score": 8.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2024-38820", - "id": "CWE-178", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2012-1592", + "id": "CWE-434", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph", - "description": "Spring Framework DataBinder Case Sensitive Match Exception", + "data_source": "https://github.com/advisories/GHSA-8m5q-crqq-6pmf", + "description": "Unrestricted Upload of File with Dangerous Type in Apache Struts2", "epss": [ { - "cve": "CVE-2024-38820", - "date": "2026-06-14", - "epss": 0.01473, - "percentile": 0.81422 + "cve": "CVE-2012-1592", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "not-fixed", - "id": "GHSA-4gc7-5j7h-4qph", + "fix_available": [ + { + "date": "2022-07-14", + "kind": "first-observed", + "version": "2.5.22" + } + ], + "fix_state": "fixed", + "fixed_in": "2.5.22", + "fixed_versions": [ + "2.5.22" + ], + "id": "GHSA-8m5q-crqq-6pmf", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", 
"tier": "package" }, "reasons": [ - "Also known as: CVE-2024-38820", - "Fix state: not-fixed", - "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c", - "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2", - "https://nvd.nist.gov/vuln/detail/CVE-2024-38820", - "https://security.netapp.com/advisory/ntap-20241129-0003", - "https://spring.io/security/cve-2024-38820" + "Also known as: CVE-2012-1592", + "Fix available: upgrade to 2.5.22", + "Fix state: fixed", + "https://access.redhat.com/security/cve/cve-2012-1592", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592", + "https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76", + "https://issues.apache.org/jira/browse/WW-5055", + "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2%40%3Cissues.struts.apache.org%3E", + "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E", + "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc%40%3Cissues.struts.apache.org%3E", + "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc@%3Cissues.struts.apache.org%3E", + "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b%40%3Cissues.struts.apache.org%3E", + "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2012-1592", + "https://seclists.org/bugtraq/2012/Mar/110", + "https://security-tracker.debian.org/tracker/CVE-2012-1592", + "https://struts.apache.org/security/#internal-security-mechanism", + "https://www.openwall.com/lists/oss-security/2012/03/28/12" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph" + 
"url": "https://github.com/advisories/GHSA-8m5q-crqq-6pmf" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38820" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1592" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-38820" + "url": "https://access.redhat.com/security/cve/cve-2012-1592" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-1592" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2" + "url": "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2@%3Cissues.struts.apache.org%3E" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241129-0003" - } - ], - "risk_score": 0.758595, - "severity": "medium", - "severity_source": "github:language:java", - "source": "grype", - "title": "Spring Framework DataBinder Case Sensitive Match Exception" - }, - { - "affected_version_range": "\u003c=5.3.39 (unknown)", - "aliases": [ - "CVE-2025-22233" - ], - "cvss": [ + "url": "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc@%3Cissues.struts.apache.org%3E" + }, { - "score": 3.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ + "type": "advisory", + "url": "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b@%3Cissues.struts.apache.org%3E" + }, { - "cve": "CVE-2025-22233", - "id": "CWE-20", - "source": "security@vmware.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4wp7-92pw-q264", - "description": "Spring Framework DataBinder Case Sensitive Match Exception", - "epss": [ + "type": "advisory", + "url": "https://security-tracker.debian.org/tracker/CVE-2012-1592" + }, { - 
"cve": "CVE-2025-22233", - "date": "2026-06-14", - "epss": 0.00083, - "percentile": 0.24412 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-4wp7-92pw-q264", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-22233", - "Fix state: not-fixed", - "https://github.com/spring-projects/spring-framework/commit/edfcc6ffb188e4614ec9b212e3208b666981851c", - "https://github.com/spring-projects/spring-framework/commit/ee62701f5634e904e42e218baad142cea2bcd332", - "https://github.com/spring-projects/spring-framework/issues/34801", - "https://nvd.nist.gov/vuln/detail/CVE-2025-22233", - "https://spring.io/security/cve-2025-22233" - ], - "references": [ + "type": "advisory", + "url": "https://github.com/apache/struts/blob/master/core/src/main/resources/struts-default.xml#L39-L76" + }, { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4wp7-92pw-q264" + "type": "advisory", + "url": "https://issues.apache.org/jira/browse/WW-5055" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22233" + "url": "https://seclists.org/bugtraq/2012/Mar/110" + }, + { + "type": "advisory", + "url": "https://struts.apache.org/security/#internal-security-mechanism" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/34801" + "url": "https://lists.apache.org/thread.html/r348ed455a140273c40b974f0615dee692f7c9b26c6de2118b4280ef2%40%3Cissues.struts.apache.org%3E" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/edfcc6ffb188e4614ec9b212e3208b666981851c" + "url": "https://lists.apache.org/thread.html/r593ebb2f4c95b064e6901fd273eff256c493db952bdb484395948ffc%40%3Cissues.struts.apache.org%3E" }, { "type": "advisory", - "url": 
"https://github.com/spring-projects/spring-framework/commit/ee62701f5634e904e42e218baad142cea2bcd332" + "url": "https://lists.apache.org/thread.html/r93c4e3f6cb138cd117c739714f07e47af547183ba099ba46be2b2a5b%40%3Cissues.struts.apache.org%3E" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2025-22233" + "url": "https://www.openwall.com/lists/oss-security/2012/03/28/12" } ], - "risk_score": 0.025315, - "severity": "low", + "risk_score": 23.26825, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework DataBinder Case Sensitive Match Exception" + "title": "Unrestricted Upload of File with Dangerous Type in Apache Struts2" }, { - "affected_version_range": "\u003c5.2.21.RELEASE (unknown)", + "affected_version_range": "\u003e=2.0.0,\u003c2.5.22 (unknown)", "aliases": [ - "CVE-2022-22968" + "CVE-2019-0233" ], "cvss": [ { "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22968", - "id": "CWE-178", + "cve": "CVE-2019-0233", + "id": "CWE-281", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-g5mm-vmx4-3rg7", - "description": "Improper handling of case sensitivity in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-ccp5-gg58-pxfm", + "description": "Improper Preservation of Permissions in Apache Struts", "epss": [ { - "cve": "CVE-2022-22968", - "date": "2026-06-14", - "epss": 0.2051, - "percentile": 0.9571 + "cve": "CVE-2019-0233", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-05-16", + "date": "2022-06-30", "kind": "first-observed", - "version": "5.2.21.RELEASE" + "version": "2.5.22" } ], "fix_state": "fixed", - "fixed_in": "5.2.21.RELEASE", + "fixed_in": "2.5.22", "fixed_versions": [ - "5.2.21.RELEASE" + "2.5.22" ], - "id": 
"GHSA-g5mm-vmx4-3rg7", + "id": "GHSA-ccp5-gg58-pxfm", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22968", - "Fix available: upgrade to 5.2.21.RELEASE", + "Also known as: CVE-2019-0233", + "Fix available: upgrade to 2.5.22", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea", - "https://github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22968", - "https://security.netapp.com/advisory/ntap-20220602-0004", - "https://tanzu.vmware.com/security/cve-2022-22968", - "https://www.oracle.com/security-alerts/cpujul2022.html" + "https://cwiki.apache.org/confluence/display/ww/s2-060", + "https://launchpad.support.sap.com/#/notes/2982840", + "https://nvd.nist.gov/vuln/detail/CVE-2019-0233", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-g5mm-vmx4-3rg7" + "url": "https://github.com/advisories/GHSA-ccp5-gg58-pxfm" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22968" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0233" }, { "type": "advisory", - "url": "https://tanzu.vmware.com/security/cve-2022-22968" + "url": "https://cwiki.apache.org/confluence/display/ww/s2-060" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + "url": "https://launchpad.support.sap.com/#/notes/2982840" }, { "type": "advisory", - "url": 
"https://github.com/spring-projects/spring-framework/commit/833e750175349ab4fd502109a8b41af77e25cdea" + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/a7cf19cec5ebd270f97a194d749e2d5701ad2ab7" + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220602-0004" + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], - "risk_score": 15.382499999999999, + "risk_score": 52.561499999999995, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Improper handling of case sensitivity in Spring Framework" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "spring-core", - "purl": "pkg:maven/org.springframework/spring-core@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [ + "title": "Improper Preservation of Permissions in Apache Struts" + }, { - "affected_version_range": "\u003c4.3.15 (unknown)", + "affected_version_range": "\u003e=2.5,\u003c=2.5.16 (unknown)", "aliases": [ - "CVE-2018-1272" + "CVE-2018-11776" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "score": 8.1, + "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", "version": "3.0" } ], - "data_source": "https://github.com/advisories/GHSA-4487-x383-qpph", - "description": "Possible privilege escalation in org.springframework:spring-core", + "data_source": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65", + "description": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation", "epss": [ { - "cve": "CVE-2018-1272", - "date": "2026-06-14", - "epss": 0.02166, - "percentile": 0.84729 + "cve": "CVE-2018-11776", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": 
"2020-07-28", + "date": "2021-03-30", "kind": "first-observed", - "version": "4.3.15" + "version": "2.5.17" } ], "fix_state": "fixed", - "fixed_in": "4.3.15", + "fixed_in": "2.5.17", "fixed_versions": [ - "4.3.15" + "2.5.17" + ], + "id": "GHSA-cr6j-3jp9-rw65", + "kev_exploited": true, + "known_exploited": [ + { + "cve": "CVE-2018-11776", + "cwes": [ + "CWE-20" + ], + "date_added": "2021-11-03", + "due_date": "2022-05-03", + "known_ransomware_campaign_use": "unknown", + "product": "Struts", + "required_action": "Apply updates per vendor instructions.", + "urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2018-11776" + ], + "vendor_project": "Apache" + } ], - "id": "GHSA-4487-x383-qpph", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2018-1272", - "Fix available: upgrade to 4.3.15", + "Also known as: CVE-2018-11776", + "Fix available: upgrade to 2.5.17", "Fix state: fixed", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html", + "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt", + "http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html", "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/103697", - "https://access.redhat.com/errata/RHSA-2018:1320", - "https://access.redhat.com/errata/RHSA-2018:2669", - "https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39", - "https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767", - "https://nvd.nist.gov/vuln/detail/CVE-2018-1272", - 
"https://pivotal.io/security/cve-2018-1272", + "http://www.securityfocus.com/bid/105125", + "http://www.securitytracker.com/id/1041547", + "http://www.securitytracker.com/id/1041888", + "https://cwiki.apache.org/confluence/display/WW/S2-057", + "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e", + "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC", + "https://lgtm.com/blog/apache_struts_CVE-2018-11776", + "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E", + "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2018-11776", + "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012", + "https://security.netapp.com/advisory/ntap-20180822-0001", + "https://security.netapp.com/advisory/ntap-20181018-0002", + "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125", + "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888", + "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776", + "https://www.exploit-db.com/exploits/45260", + "https://www.exploit-db.com/exploits/45262", + "https://www.exploit-db.com/exploits/45367", "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4487-x383-qpph" + "url": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65" + }, + { + "type": "advisory", + 
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-11776" + }, + { + "type": "advisory", + "url": "https://cwiki.apache.org/confluence/display/WW/S2-057" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1272" + "url": "https://github.com/hook-s3c/CVE-2018-11776-Python-PoC" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:1320" + "url": "https://lgtm.com/blog/apache_struts_CVE-2018-11776" }, { "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:2669" + "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E" }, { "type": "advisory", - "url": "https://pivotal.io/security/cve-2018-1272" + "url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0012" }, { "type": "advisory", @@ -13565,11 +2194,11 @@ }, { "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "url": "http://www.arubanetworks.com/assets/alert/ARUBA-PSA-2018-005.txt" }, { "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "url": "http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-11776-5072787.html" }, { "type": "advisory", 
@@ -13577,269 +2206,197 @@ }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/103697" + "url": "http://packetstormsecurity.com/files/172830/Apache-Struts-Remote-Code-Execution.html" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + "url": "https://github.com/apache/struts/commit/6e87474f9ad0549f07dd2c37d50a9ccd0977c6e" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/ab2410c754b67902f002bfcc0c3895bd7772d39" + "url": "https://web.archive.org/web/20180822160726/http://www.securityfocus.com/bid/105125" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/e02ff3a0da50744b0980d5d665fd242eedea767" - } - ], - "risk_score": 1.6244999999999998, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Possible privilege escalation in org.springframework:spring-core" - }, - { - "affected_version_range": "\u003c4.3.1 (unknown)", - "aliases": [ - "CVE-2016-5007" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2016-5007", - "id": "CWE-264", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-8crv-49fr-2h6j", - "description": "Spring Security and Spring Framework may not recognize certain paths that should be protected", - "epss": [ + "url": "https://web.archive.org/web/20200807025819/http://www.securitytracker.com/id/1041888" + }, { - "cve": "CVE-2016-5007", - "date": "2026-06-14", - "epss": 0.00155, - "percentile": 0.36181 - } - ], - "fix_available": [ + "type": "advisory", + "url": "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547" + }, { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.3.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.1", - "fixed_versions": [ - "4.3.1" 
- ], - "id": "GHSA-8crv-49fr-2h6j", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-5007", - "Fix available: upgrade to 4.3.1", - "Fix state: fixed", - "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", - "http://www.securityfocus.com/bid/91687", - "https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5", - "https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974", - "https://github.com/spring-projects/spring-security/issues/3964", - "https://nvd.nist.gov/vuln/detail/CVE-2016-5007", - "https://pivotal.io/security/cve-2016-5007", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - ], - "references": [ + "type": "advisory", + "url": "https://www.exploit-db.com/exploits/45367" + }, { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8crv-49fr-2h6j" + "type": "advisory", + "url": "https://www.exploit-db.com/exploits/45262" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5007" + "url": "https://www.exploit-db.com/exploits/45260" }, { "type": "advisory", - "url": "https://pivotal.io/security/cve-2016-5007" + "url": "https://security.netapp.com/advisory/ntap-20181018-0002" }, { "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "url": "https://security.netapp.com/advisory/ntap-20180822-0001" }, { "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "type": "advisory", - "url": 
"http://www.securityfocus.com/bid/91687" + "url": "http://www.securityfocus.com/bid/105125" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-security/issues/3964" + "url": "http://www.securitytracker.com/id/1041547" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/a30ab30e4e9ae021fdda04e9abfc228476b846b5" + "url": "http://www.securitytracker.com/id/1041888" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-security/commit/e4c13e3c0ee7f06f59d3b43ca6734215ad7d8974" + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776" } ], - "risk_score": 0.11624999999999999, + "risk_score": 81.9, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Security and Spring Framework may not recognize certain paths that should be protected" + "title": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation" }, { - "affected_version_range": "\u003c4.3.15 (unknown)", + "affected_version_range": "\u003e=2.0.0,\u003c2.5.26 (unknown)", "aliases": [ - "CVE-2018-1271" + "CVE-2020-17530" ], "cvss": [ { - "score": 5.9, - "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.0" + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2018-1271", - "id": "CWE-22", - "source": "security_alert@emc.com", - "type": "Secondary" + "cve": "CVE-2020-17530", + "id": "CWE-917", + "source": "nvd@nist.gov", + "type": "Primary" }, { - "cve": "CVE-2018-1271", - "id": "CWE-22", - "source": "nvd@nist.gov", + "cve": "CVE-2020-17530", + "id": "CWE-917", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-g8hw-794c-4j9g", - "description": "Path Traversal in org.springframework:spring-core", + "data_source": 
"https://github.com/advisories/GHSA-jc35-q369-45pv", + "description": "Remote code execution in Apache Struts", "epss": [ { - "cve": "CVE-2018-1271", - "date": "2026-06-14", - "epss": 0.90599, - "percentile": 0.99635 + "cve": "CVE-2020-17530", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-07-28", + "date": "2022-02-10", "kind": "first-observed", - "version": "4.3.15" + "version": "2.5.26" } ], "fix_state": "fixed", - "fixed_in": "4.3.15", + "fixed_in": "2.5.26", "fixed_versions": [ - "4.3.15" + "2.5.26" + ], + "id": "GHSA-jc35-q369-45pv", + "kev_exploited": true, + "known_exploited": [ + { + "cve": "CVE-2020-17530", + "cwes": [ + "CWE-917" + ], + "date_added": "2021-11-03", + "due_date": "2022-05-03", + "known_ransomware_campaign_use": "unknown", + "product": "Struts", + "required_action": "Apply updates per vendor instructions.", + "urls": [ + "https://nvd.nist.gov/vuln/detail/CVE-2020-17530" + ], + "vendor_project": "Apache" + } ], - "id": "GHSA-g8hw-794c-4j9g", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2018-1271", - "Fix available: upgrade to 4.3.15", + "Also known as: CVE-2020-17530", + "Fix available: upgrade to 2.5.26", "Fix state: fixed", - "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/103699", - "https://access.redhat.com/errata/RHSA-2018:1320", - "https://access.redhat.com/errata/RHSA-2018:2669", - "https://access.redhat.com/errata/RHSA-2018:2939", - "https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8", - 
"https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab", - "https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f", - "https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548", - "https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3", - "https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa", - "https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69", - "https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa", - "https://nvd.nist.gov/vuln/detail/CVE-2018-1271", - "https://pivotal.io/security/cve-2018-1271", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "http://jvn.jp/en/jp/JVN43969166/index.html", + "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", + "http://www.openwall.com/lists/oss-security/2022/04/12/6", + "https://cwiki.apache.org/confluence/display/WW/S2-061", + "https://nvd.nist.gov/vuln/detail/CVE-2020-17530", + "https://security.netapp.com/advisory/ntap-20210115-0005", + "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-g8hw-794c-4j9g" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1271" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:1320" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:2669" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:2939" + "url": "https://github.com/advisories/GHSA-jc35-q369-45pv" }, { "type": "advisory", - "url": "https://pivotal.io/security/cve-2018-1271" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-17530" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-061" }, { "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "url": "http://jvn.jp/en/jp/JVN43969166/index.html" }, { "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html" }, { "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/103699" + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "advisory", 
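Review bot: The added entry for GHSA-jc35-q369-45pv pins `"status": "unreachable"` with `"reason": "package-not-imported"` while the same reachability object still reports `"dynamic_imports_detected": true`, and the `"confidence": "low"` field that the removed entries carried is gone. The entry is also marked `"kev_exploited": true` with `"severity": "critical"`, so a consumer that filters on reachability status would drop a known-exploited finding on a package-tier verdict that dynamic loading can invalidate. I would keep a confidence value on these verdicts, e.g. `"confidence": "low"` whenever `dynamic_imports_detected` is true, and have the smoke test assert it; whether the field is omitted on purpose for unreachable results cannot be told from this hunk. The same shape recurs in the Struts entries of the following hunk. Separately, `epss` is normalized to `0` here but `risk_score` is still a concrete float (`98.70000000000002`), which will make the golden file churn if the score is derived from EPSS.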
@@ -13847,733 +2404,609 @@ }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/0e28bee0f155b9bf240b4bafc4646e4810cb23f8" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/13356a7ee2240f740737c5c83bdccdacc30603ab" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/695bf2961feffd35b5560ccc982a2189dcca611f" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/91b803a2310344d925e5d4b1709bbcea90375548" + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/98ad23bef8e2e04143f8f5b201380543a8d8c0c3" + "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/b9ebdaaf3710db473a2e1fec8641c316483a22aa" + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/f046a066eceefa0799d1bc89bd6e1318f39bdf69" + "url": "https://security.netapp.com/advisory/ntap-20210115-0005" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/f59ea610dfcf55cd0b42f6dd76a9b3dab0218aaa" + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-17530" } ], - "risk_score": 49.376455, - "severity": "medium", + "risk_score": 98.70000000000002, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Path Traversal in org.springframework:spring-core" + "title": "Remote code execution in Apache Struts" }, { - "affected_version_range": "\u003c3.2.15 (unknown)", + "affected_version_range": "\u003e=2.5.0,\u003c=2.5.33 (unknown)", "aliases": [ - "CVE-2015-5211" + "CVE-2025-68493" ], "cvss": [ { - "score": 8.6, - 
"vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", - "version": "3.0" + "score": 8.1, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2015-5211", - "id": "CWE-552", + "cve": "CVE-2025-68493", + "id": "CWE-611", + "source": "security@apache.org", + "type": "Secondary" + }, + { + "cve": "CVE-2025-68493", + "id": "CWE-611", "source": "nvd@nist.gov", - "type": "Primary" + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-pgf9-h69p-pcgf", - "description": "Files or Directories Accessible to External Parties in org.springframework:spring-core", + "data_source": "https://github.com/advisories/GHSA-qcfc-hmrc-59x7", + "description": "Apache Struts 2 is Missing XML Validation", "epss": [ { - "cve": "CVE-2015-5211", - "date": "2026-06-14", - "epss": 0.01877, - "percentile": 0.8361 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.2.15" + "cve": "CVE-2025-68493", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "fixed", - "fixed_in": "3.2.15", - "fixed_versions": [ - "3.2.15" - ], - "id": "GHSA-pgf9-h69p-pcgf", + "fix_state": "not-fixed", + "id": "GHSA-qcfc-hmrc-59x7", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2015-5211", - "Fix available: upgrade to 3.2.15", - "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3", - "https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543", - "https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402", - 
"https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", - "https://nvd.nist.gov/vuln/detail/CVE-2015-5211", - "https://pivotal.io/security/cve-2015-5211", - "https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector" + "Also known as: CVE-2025-68493", + "Fix state: not-fixed", + "http://www.openwall.com/lists/oss-security/2026/01/11/2", + "https://cwiki.apache.org/confluence/display/WW/S2-069", + "https://nvd.nist.gov/vuln/detail/CVE-2025-68493" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-pgf9-h69p-pcgf" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-5211" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html" - }, - { - "type": "advisory", - "url": "https://pivotal.io/security/cve-2015-5211" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/03f547eb9868f48f44d59b56067d4ac4740672c3" + "url": "https://github.com/advisories/GHSA-qcfc-hmrc-59x7" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/2bd1daa75ee0b8ec33608ca6ab065ef3e1815543" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68493" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/a95c3d820dbc4c3ae752f1b3ee22ee860b162402" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-069" }, { "type": "advisory", - "url": "https://www.trustwave.com/Resources/SpiderLabs-Blog/Reflected-File-Download---A-New-Web-Attack-Vector" + "url": "http://www.openwall.com/lists/oss-security/2026/01/11/2" } ], - "risk_score": 1.5109849999999998, + "risk_score": 17.5305, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Files or Directories Accessible to External Parties in org.springframework:spring-core" + "title": "Apache Struts 2 is Missing XML 
Validation" }, { - "affected_version_range": "\u003c4.3.17 (unknown)", + "affected_version_range": "\u003e=2.0.0,\u003c6.8.0 (unknown)", "aliases": [ - "CVE-2018-1257" + "CVE-2025-66675" ], "cvss": [ { - "score": 6.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" + "score": 8.2, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2025-66675", + "id": "CWE-459", + "source": "security@apache.org", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-rcpf-vj53-7h2m", - "description": "Denial of Service in org.springframework:spring-core", + "data_source": "https://github.com/advisories/GHSA-rg58-xhh7-mqjw", + "description": "Apache Struts has a Denial of Service vulnerability", "epss": [ { - "cve": "CVE-2018-1257", - "date": "2026-06-14", - "epss": 0.01176, - "percentile": 0.79211 + "cve": "CVE-2025-66675", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-07-28", + "date": "2025-12-10", "kind": "first-observed", - "version": "4.3.17" + "version": "6.8.0" } ], "fix_state": "fixed", - "fixed_in": "4.3.17", + "fixed_in": "6.8.0", "fixed_versions": [ - "4.3.17" + "6.8.0" ], - "id": "GHSA-rcpf-vj53-7h2m", + "id": "GHSA-rg58-xhh7-mqjw", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2018-1257", - "Fix available: upgrade to 4.3.17", + "Also known as: CVE-2025-66675", + "Fix available: upgrade to 6.8.0", "Fix state: fixed", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "http://www.securityfocus.com/bid/104260", - "https://access.redhat.com/errata/RHSA-2018:1809", - 
"https://access.redhat.com/errata/RHSA-2018:3768", - "https://github.com/spring-projects/spring-framework/commit/246a6db1cad205ca9b6fca00c544ab7443ba202", - "https://github.com/spring-projects/spring-framework/commit/ff2228fdaf131d57b5c8c5918ee8d07c6dd9bba", - "https://nvd.nist.gov/vuln/detail/CVE-2018-1257", - "https://pivotal.io/security/cve-2018-1257", - "https://www.oracle.com/security-alerts/cpujan2020.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + "https://cve.org/CVERecord?id=CVE-2025-64775", + "https://cwiki.apache.org/confluence/display/WW/S2-068", + "https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468", + "https://nvd.nist.gov/vuln/detail/CVE-2025-66675" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-rcpf-vj53-7h2m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1257" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:1809" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2018:3768" - }, - { - "type": "advisory", - "url": "https://pivotal.io/security/cve-2018-1257" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - }, - { - "type": "advisory", - "url": 
"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + "url": "https://github.com/advisories/GHSA-rg58-xhh7-mqjw" }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/104260" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66675" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" + "url": "https://cve.org/CVERecord?id=CVE-2025-64775" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/246a6db1cad205ca9b6fca00c544ab7443ba202" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-068" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/ff2228fdaf131d57b5c8c5918ee8d07c6dd9bba" + "url": "https://github.com/apache/struts/commit/831568929cfba700f790f6ebe6e335f9f33fb468" } ], - "risk_score": 0.6761999999999999, - "severity": "medium", + "risk_score": 0.39877999999999997, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Denial of Service in org.springframework:spring-core" + "title": "Apache Struts has a Denial of Service vulnerability" }, { - "affected_version_range": "\u003e=3.0.0,\u003c3.2.9 (unknown)", + "affected_version_range": "\u003e=2.0.0,\u003c2.5.30 (unknown)", "aliases": [ - "CVE-2014-3578" + "CVE-2021-31805" + ], + "cvss": [ + { + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + } ], "cwes": [ { - "cve": "CVE-2014-3578", - "id": "CWE-22", + "cve": "CVE-2021-31805", + "id": "CWE-917", + "source": "security@apache.org", + "type": "Secondary" + }, + { + "cve": "CVE-2021-31805", + "id": "CWE-917", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-rhcg-rwhx-qj3j", - "description": "Improper Limitation of a Pathname to a Restricted 
Directory in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-v8j6-6c2r-r27c", + "description": "Expression Language Injection in Apache Struts", "epss": [ { - "cve": "CVE-2014-3578", - "date": "2026-06-14", - "epss": 0.04358, - "percentile": 0.89232 + "cve": "CVE-2021-31805", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-07-08", + "date": "2022-04-27", "kind": "first-observed", - "version": "3.2.9" + "version": "2.5.30" } ], "fix_state": "fixed", - "fixed_in": "3.2.9", + "fixed_in": "2.5.30", "fixed_versions": [ - "3.2.9" + "2.5.30" ], - "id": "GHSA-rhcg-rwhx-qj3j", + "id": "GHSA-v8j6-6c2r-r27c", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 1, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2014-3578", - "Fix available: upgrade to 3.2.9", + "Also known as: CVE-2021-31805", + "Fix available: upgrade to 2.5.30", "Fix state: fixed", - "http://jvn.jp/en/jp/JVN49154900/index.html", - "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054", - "http://pivotal.io/security/cve-2014-3578", - "http://rhn.redhat.com/errata/RHSA-2015-0720.html", - "https://bugzilla.redhat.com/show_bug.cgi?id=1131882", - "https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0", - "https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66", - "https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d", - "https://github.com/spring-projects/spring-framework/issues/16414", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", - "https://nvd.nist.gov/vuln/detail/CVE-2014-3578", - "https://rhn.redhat.com/errata/RHSA-2015-0234.html", - 
"https://rhn.redhat.com/errata/RHSA-2015-0235.html" + "http://www.openwall.com/lists/oss-security/2022/04/12/6", + "https://cwiki.apache.org/confluence/display/WW/S2-062", + "https://nvd.nist.gov/vuln/detail/CVE-2021-31805", + "https://security.netapp.com/advisory/ntap-20220420-0001/", + "https://www.oracle.com/security-alerts/cpujul2022.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-rhcg-rwhx-qj3j" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3578" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131882" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html" - }, - { - "type": "advisory", - "url": "https://rhn.redhat.com/errata/RHSA-2015-0234.html" - }, - { - "type": "advisory", - "url": "https://rhn.redhat.com/errata/RHSA-2015-0235.html" - }, - { - "type": "advisory", - "url": "http://jvn.jp/en/jp/JVN49154900/index.html" - }, - { - "type": "advisory", - "url": "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000054" - }, - { - "type": "advisory", - "url": "http://pivotal.io/security/cve-2014-3578" + "url": "https://github.com/advisories/GHSA-v8j6-6c2r-r27c" }, { "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31805" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/16414" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-062" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/748167bfa33c3c69db2d8dbdc3a0e9da692da3a0" + "url": "http://www.openwall.com/lists/oss-security/2022/04/12/6" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/8ee465103850a3dca018273fe5952e40d5c45a66" + "url": "https://security.netapp.com/advisory/ntap-20220420-0001/" }, { "type": "advisory", - "url": 
"https://github.com/spring-projects/spring-framework/commit/f6fddeb6eb7da625fd711ab371ff16512f431e8d" + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], - "risk_score": 2.179, - "severity": "medium", + "risk_score": 79.99494000000001, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Improper Limitation of a Pathname to a Restricted Directory in Spring Framework" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "spring-expression", - "purl": "pkg:maven/org.springframework/spring-expression@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [ + "title": "Expression Language Injection in Apache Struts" + }, { - "affected_version_range": "\u003c5.2.20.RELEASE (unknown)", + "affected_version_range": "\u003e=2.0.0,\u003c2.5.22 (unknown)", "aliases": [ - "CVE-2022-22950" + "CVE-2019-0230" ], "cvss": [ { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22950", - "id": "CWE-770", - "source": "security@vmware.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-22950", - "id": "CWE-770", + "cve": "CVE-2019-0230", + "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-558x-2xjg-6232", - "description": "Allocation of Resources Without Limits or Throttling in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-wp4h-pvgw-5727", + "description": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts", "epss": [ { - "cve": "CVE-2022-22950", - "date": "2026-06-14", - "epss": 0.02461, - "percentile": 0.85623 + "cve": "CVE-2019-0230", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-03-29", + "date": "2021-12-03", 
"kind": "first-observed", - "version": "5.2.20.RELEASE" + "version": "2.5.22" } ], "fix_state": "fixed", - "fixed_in": "5.2.20.RELEASE", + "fixed_in": "2.5.22", "fixed_versions": [ - "5.2.20.RELEASE" + "2.5.22" ], - "id": "GHSA-558x-2xjg-6232", + "id": "GHSA-wp4h-pvgw-5727", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 2, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22950", - "Fix available: upgrade to 5.2.20.RELEASE", + "Also known as: CVE-2019-0230", + "Fix available: upgrade to 2.5.22", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11", - "https://github.com/spring-projects/spring-framework/issues/28145", - "https://github.com/spring-projects/spring-framework/issues/28257", - "https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE", - "https://github.com/spring-projects/spring-framework/releases/tag/v5.3.17", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22950", - "https://tanzu.vmware.com/security/cve-2022-22950" + "http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html", + "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html", + "https://cwiki.apache.org/confluence/display/ww/s2-059", + "https://launchpad.support.sap.com/#/notes/2982840", + "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E", + "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2019-0230", + "https://www.oracle.com/security-alerts/cpuApr2021.html", + 
"https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-558x-2xjg-6232" + "url": "https://github.com/advisories/GHSA-wp4h-pvgw-5727" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0230" + }, + { + "type": "advisory", + "url": "https://cwiki.apache.org/confluence/display/ww/s2-059" + }, + { + "type": "advisory", + "url": "https://launchpad.support.sap.com/#/notes/2982840" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22950" + "url": "https://lists.apache.org/thread.html/r1125f3044a0946d1e7e6f125a6170b58d413ebd4a95157e4608041c7@%3Cannounce.apache.org%3E" }, { "type": "advisory", - "url": "https://tanzu.vmware.com/security/cve-2022-22950" + "url": "https://lists.apache.org/thread.html/r90890afea72a9571d666820b2fe5942a0a5f86be406fa31da3dd0922@%3Cannounce.apache.org%3E" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/28145" + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/28257" + "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/83ac65915871067c39a4fb255e0d484c785c0c11" + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/releases/tag/v5.2.20.RELEASE" + "url": "http://packetstormsecurity.com/files/160108/Apache-Struts-2.5.20-Double-OGNL-Evaluation.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/releases/tag/v5.3.17" + "url": "http://packetstormsecurity.com/files/160721/Apache-Struts-2-Forced-Multi-OGNL-Evaluation.html" } ], - "risk_score": 
1.4150749999999999, - "severity": "medium", + "risk_score": 91.55506000000001, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Allocation of Resources Without Limits or Throttling in Spring Framework" + "title": "Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Struts" }, { - "affected_version_range": "\u003c5.2.23.RELEASE (unknown)", + "affected_version_range": "\u003e=2.5.0,\u003c=2.5.33 (unknown)", "aliases": [ - "CVE-2023-20861" + "CVE-2025-64775" ], "cvss": [ { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-20861", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-64775", + "id": "CWE-459", + "source": "security@apache.org", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-564r-hj7v-mcr5", - "description": "Spring Framework vulnerable to denial of service via specially crafted SpEL expression", + "data_source": "https://github.com/advisories/GHSA-xx7v-hqxh-cjr9", + "description": "Apache Struts is Vulnerable to DoS via File Leak", "epss": [ { - "cve": "CVE-2023-20861", - "date": "2026-06-14", - "epss": 0.00542, - "percentile": 0.68249 - } - ], - "fix_available": [ - { - "date": "2024-02-03", - "kind": "first-observed", - "version": "5.2.23.RELEASE" + "cve": "CVE-2025-64775", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "fixed", - "fixed_in": "5.2.23.RELEASE", - "fixed_versions": [ - "5.2.23.RELEASE" - ], - "id": "GHSA-564r-hj7v-mcr5", + "fix_state": "not-fixed", + "id": "GHSA-xx7v-hqxh-cjr9", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 2, - "status": "reachable", + 
"reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-20861", - "Fix available: upgrade to 5.2.23.RELEASE", - "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1", - "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f", - "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5", - "https://nvd.nist.gov/vuln/detail/CVE-2023-20861", - "https://security.netapp.com/advisory/ntap-20230420-0007", - "https://spring.io/security/cve-2023-20861" + "Also known as: CVE-2025-64775", + "Fix state: not-fixed", + "http://www.openwall.com/lists/oss-security/2025/12/01/2", + "https://cwiki.apache.org/confluence/display/WW/S2-068", + "https://nvd.nist.gov/vuln/detail/CVE-2025-64775" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-564r-hj7v-mcr5" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20861" - }, - { - "type": "advisory", - "url": "https://spring.io/security/cve-2023-20861" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/430fc25acad2e85cbdddcd52b64481691f03ebd1" + "url": "https://github.com/advisories/GHSA-xx7v-hqxh-cjr9" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/52c93b1c4b24d70de233a958e60e7c5822bd274f" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64775" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/935c29e3ddba5b19951e54f6685c70ed45d9cbe5" + "url": "https://cwiki.apache.org/confluence/display/WW/S2-068" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230420-0007" + "url": "http://www.openwall.com/lists/oss-security/2025/12/01/2" } ], - "risk_score": 0.31165, - "severity": "medium", + 
"risk_score": 1.0732499999999998, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework vulnerable to denial of service via specially crafted SpEL expression" - }, + "title": "Apache Struts is Vulnerable to DoS via File Leak" + } + ] + }, + { + "ecosystem": "maven", + "licenses": [ + { + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "keycloak-saml-core", + "purl": "pkg:maven/org.keycloak/keycloak-saml-core@1.8.1.Final", + "version": "1.8.1.final", + "vulnerabilities": [ { - "affected_version_range": "\u003c5.3.39 (unknown)", + "affected_version_range": "\u003c18.0.0 (unknown)", "aliases": [ - "CVE-2024-38808" + "CVE-2021-3827" ], "cvss": [ { - "score": 4.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", + "score": 8.1, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1" - }, - { - "score": 5.1, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2024-38808", - "id": "CWE-770", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2021-3827", + "id": "CWE-287", + "source": "secalert@redhat.com", "type": "Secondary" + }, + { + "cve": "CVE-2021-3827", + "id": "CWE-287", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-9cmq-m9j5-mvww", - "description": "Spring Framework vulnerable to Denial of Service", + "data_source": "https://github.com/advisories/GHSA-4pc7-vqv5-5r3v", + "description": "ECP SAML binding bypasses authentication flows", "epss": [ { - "cve": "CVE-2024-38808", - "date": "2026-06-14", - "epss": 0.00809, - "percentile": 0.74734 + "cve": "CVE-2021-3827", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-08-21", + "date": "2022-04-28", "kind": "first-observed", - "version": "5.3.39" + 
"version": "18.0.0" } ], "fix_state": "fixed", - "fixed_in": "5.3.39", + "fixed_in": "18.0.0", "fixed_versions": [ - "5.3.39" + "18.0.0" ], - "id": "GHSA-9cmq-m9j5-mvww", + "id": "GHSA-4pc7-vqv5-5r3v", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 2, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-38808", - "Fix available: upgrade to 5.3.39", + "Also known as: CVE-2021-3827", + "Fix available: upgrade to 18.0.0", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/26f2dad388499faecf99e75b8856788e95d8d658", - "https://github.com/spring-projects/spring-framework/commit/f44d13cb7816e586b86c02421af4f5498391111c", - "https://nvd.nist.gov/vuln/detail/CVE-2024-38808", - "https://security.netapp.com/advisory/ntap-20240920-0002", - "https://spring.io/security/cve-2024-38808" + "https://access.redhat.com/security/cve/CVE-2021-3827", + "https://bugzilla.redhat.com/show_bug.cgi?id=2007512", + "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d", + "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3827" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-9cmq-m9j5-mvww" + "url": "https://github.com/advisories/GHSA-4pc7-vqv5-5r3v" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38808" + "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-38808" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3827" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/26f2dad388499faecf99e75b8856788e95d8d658" + 
"url": "https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/f44d13cb7816e586b86c02421af4f5498391111c" + "url": "https://access.redhat.com/security/cve/CVE-2021-3827" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240920-0002" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2007512" } ], - "risk_score": 0.39236499999999996, - "severity": "medium", + "risk_score": 0.65754, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework vulnerable to Denial of Service" + "title": "ECP SAML binding bypasses authentication flows" }, { - "affected_version_range": "\u003c5.2.24.RELEASE (unknown)", + "affected_version_range": "\u003c26.6.2 (unknown)", "aliases": [ - "CVE-2023-20863" + "CVE-2026-7307" ], "cvss": [ { 
@@ -14584,586 +3017,567 @@ ], "cwes": [ { - "cve": "CVE-2023-20863", - "id": "CWE-400", - "source": "security@vmware.com", - "type": "Secondary" - }, - { - "cve": "CVE-2023-20863", - "id": "CWE-917", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2023-20863", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2026-7307", + "id": "CWE-1286", + "source": "secalert@redhat.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-wxqc-pxw9-g2p8", - "description": "Spring Framework vulnerable to denial of service", + "data_source": "https://github.com/advisories/GHSA-p5mv-gj8j-xqgf", + "description": "Keycloak: Denial of Service via specially crafted SAML input", "epss": [ { - "cve": "CVE-2023-20863", - "date": "2026-06-14", - "epss": 0.00926, - "percentile": 0.76572 + "cve": "CVE-2026-7307", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-02-03", + "date": "2026-06-04", "kind": "first-observed", - "version": "5.2.24.RELEASE" + "version": "26.6.2" } ], "fix_state": "fixed", - "fixed_in": "5.2.24.RELEASE", + "fixed_in": "26.6.2", "fixed_versions": [ - "5.2.24.RELEASE" + "26.6.2" ], - "id": "GHSA-wxqc-pxw9-g2p8", + "id": "GHSA-p5mv-gj8j-xqgf", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 2, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-20863", - "Fix available: upgrade to 5.2.24.RELEASE", + "Also known as: CVE-2026-7307", + "Fix available: upgrade to 26.6.2", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15", - "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e", - 
"https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f", - "https://nvd.nist.gov/vuln/detail/CVE-2023-20863", - "https://security.netapp.com/advisory/ntap-20240524-0015", - "https://spring.io/security/cve-2023-20863" + "https://access.redhat.com/errata/RHSA-2026:19594", + "https://access.redhat.com/errata/RHSA-2026:19595", + "https://access.redhat.com/errata/RHSA-2026:19596", + "https://access.redhat.com/errata/RHSA-2026:19597", + "https://access.redhat.com/security/cve/CVE-2026-7307", + "https://bugzilla.redhat.com/show_bug.cgi?id=2476526", + "https://github.com/keycloak/keycloak/commit/be84d28ce4c69c038d542f11405d5ede1d61f4a9", + "https://github.com/keycloak/keycloak/pull/49119", + "https://github.com/keycloak/keycloak/releases/tag/26.6.2", + "https://nvd.nist.gov/vuln/detail/CVE-2026-7307" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-wxqc-pxw9-g2p8" + "url": "https://github.com/advisories/GHSA-p5mv-gj8j-xqgf" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/security/cve/CVE-2026-7307" + }, + { + "type": "advisory", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2026:19594" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20863" + "url": "https://access.redhat.com/errata/RHSA-2026:19597" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2023-20863" + "url": "https://access.redhat.com/errata/RHSA-2026:19595" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/b73f5fcac22555f844cf27a7eeb876cb9d7f7f7e" + "url": "https://access.redhat.com/errata/RHSA-2026:19596" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/965a6392757d20f9db19241126fcc719a51eac15" 
+ "url": "https://github.com/keycloak/keycloak/pull/49119" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/ebc82654282bda547fbc20a9749ab1bda886a46f" + "url": "https://github.com/keycloak/keycloak/commit/be84d28ce4c69c038d542f11405d5ede1d61f4a9" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240524-0015" + "url": "https://github.com/keycloak/keycloak/releases/tag/26.6.2" } ], - "risk_score": 0.6945, + "risk_score": 0.5452500000000001, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework vulnerable to denial of service" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [], - "matched": true, - "name": "spring-web", - "purl": "pkg:maven/org.springframework/spring-web@3.1.1.release", - "version": "3.1.1.release", - "vulnerabilities": [ + "title": "Keycloak: Denial of Service via specially crafted SAML input" + }, { - "affected_version_range": "\u003c5.3.38 (unknown)", + "affected_version_range": "\u003c26.2.14 (unknown)", "aliases": [ - "CVE-2024-38809" + "CVE-2026-2092" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "score": 7.7, + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2024-38809", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2026-2092", + "id": "CWE-1287", + "source": "secalert@redhat.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-2rmj-mq67-h97g", - "description": "Spring Framework DoS via conditional HTTP request", + "data_source": "https://github.com/advisories/GHSA-wmxr-6j5f-838p", + "description": "Keycloak: Unauthorized access via improper validation of encrypted SAML assertions", "epss": [ { - "cve": "CVE-2024-38809", - "date": "2026-06-14", - "epss": 0.0014, - "percentile": 0.3409 + "cve": "CVE-2026-2092", + "date": 
"\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-09-25", + "date": "2026-04-09", "kind": "first-observed", - "version": "5.3.38" + "version": "26.2.14" } ], "fix_state": "fixed", - "fixed_in": "5.3.38", + "fixed_in": "26.2.14", "fixed_versions": [ - "5.3.38" + "26.2.14" ], - "id": "GHSA-2rmj-mq67-h97g", + "id": "GHSA-wmxr-6j5f-838p", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-38809", - "Fix available: upgrade to 5.3.38", + "Also known as: CVE-2026-2092", + "Fix available: upgrade to 26.2.14", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3", - "https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533", - "https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85", - "https://github.com/spring-projects/spring-framework/issues/33372", - "https://nvd.nist.gov/vuln/detail/CVE-2024-38809", - "https://spring.io/security/cve-2024-38809" + "https://access.redhat.com/errata/RHSA-2026:3925", + "https://access.redhat.com/errata/RHSA-2026:3926", + "https://access.redhat.com/errata/RHSA-2026:3947", + "https://access.redhat.com/errata/RHSA-2026:3948", + "https://access.redhat.com/security/cve/CVE-2026-2092", + "https://bugzilla.redhat.com/show_bug.cgi?id=2437296", + "https://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2092" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-2rmj-mq67-h97g" + "url": "https://github.com/advisories/GHSA-wmxr-6j5f-838p" }, { "type": 
"advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/33372" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2092" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3" + "url": "https://access.redhat.com/errata/RHSA-2026:3925" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533" + "url": "https://access.redhat.com/errata/RHSA-2026:3926" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85" + "url": "https://access.redhat.com/errata/RHSA-2026:3947" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-38809" + "url": "https://access.redhat.com/errata/RHSA-2026:3948" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38809" + "url": "https://access.redhat.com/security/cve/CVE-2026-2092" + }, + { + "type": "advisory", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437296" + }, + { + "type": "advisory", + "url": "https://github.com/keycloak/keycloak/commit/b40a25908d937bb0563ea516487bc2c7c1d92508" } ], - "risk_score": 0.0721, - "severity": "medium", + "risk_score": 0.17936, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework DoS via conditional HTTP request" + "title": "Keycloak: Unauthorized access via improper validation of encrypted SAML assertions" }, { - "affected_version_range": "\u003c5.3.34 (unknown)", + "affected_version_range": "\u003c=22.0.12 (unknown)", "aliases": [ - "CVE-2024-22262" + "CVE-2024-8698" ], "cvss": [ { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "score": 7.7, + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2024-22262", - "id": "CWE-601", - "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - }, - { - "cve": "CVE-2024-22262", - "id": "CWE-918", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2024-8698", + "id": "CWE-347", + "source": "secalert@redhat.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-2wrp-6fg6-hmc5", - "description": "Spring Framework URL Parsing with Host Validation", + "data_source": "https://github.com/advisories/GHSA-xgfv-xpx8-qhcr", + "description": "Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak", "epss": [ { - "cve": "CVE-2024-22262", - "date": "2026-06-14", - "epss": 0.12634, - "percentile": 0.94155 + "cve": "CVE-2024-8698", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-04-26", + "date": "2024-10-15", "kind": "first-observed", - "version": "5.3.34" + "version": "22.0.13" } ], "fix_state": "fixed", - "fixed_in": "5.3.34", + "fixed_in": "22.0.13", "fixed_versions": [ - "5.3.34" + "22.0.13" ], - "id": "GHSA-2wrp-6fg6-hmc5", + "id": "GHSA-xgfv-xpx8-qhcr", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-22262", - "Fix available: upgrade to 5.3.34", + "Also known as: CVE-2024-8698", + "Fix available: upgrade to 22.0.13", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java", - "https://nvd.nist.gov/vuln/detail/CVE-2024-22262", - "https://security.netapp.com/advisory/ntap-20240524-0003", - "https://spring.io/security/cve-2024-22262" + "https://access.redhat.com/errata/RHSA-2024:6878", + 
"https://access.redhat.com/errata/RHSA-2024:6879", + "https://access.redhat.com/errata/RHSA-2024:6880", + "https://access.redhat.com/errata/RHSA-2024:6882", + "https://access.redhat.com/errata/RHSA-2024:6886", + "https://access.redhat.com/errata/RHSA-2024:6887", + "https://access.redhat.com/errata/RHSA-2024:6888", + "https://access.redhat.com/errata/RHSA-2024:6889", + "https://access.redhat.com/errata/RHSA-2024:6890", + "https://access.redhat.com/errata/RHSA-2024:8823", + "https://access.redhat.com/errata/RHSA-2024:8824", + "https://access.redhat.com/errata/RHSA-2024:8826", + "https://access.redhat.com/security/cve/CVE-2024-8698", + "https://bugzilla.redhat.com/show_bug.cgi?id=2311641", + "https://github.com/keycloak/keycloak/releases/tag/25.0.6", + "https://github.com/keycloak/keycloak/security/advisories/GHSA-xgfv-xpx8-qhcr", + "https://nvd.nist.gov/vuln/detail/CVE-2024-8698" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-2wrp-6fg6-hmc5" + "url": "https://github.com/advisories/GHSA-xgfv-xpx8-qhcr" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22262" + "url": "https://github.com/keycloak/keycloak/security/advisories/GHSA-xgfv-xpx8-qhcr" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-22262" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8698" + }, + { + "type": "advisory", + "url": "https://github.com/keycloak/keycloak/releases/tag/25.0.6" + }, + { + "type": "advisory", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2311641" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/security/cve/CVE-2024-8698" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2024:8826" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2024:8824" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2024:8823" + }, + { + "type": "advisory", + "url": 
"https://access.redhat.com/errata/RHSA-2024:6890" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2024:6889" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java" + "url": "https://access.redhat.com/errata/RHSA-2024:6888" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240524-0003" - } - ], - "risk_score": 9.85452, - "severity": "high", - "severity_source": "github:language:java", - "source": "grype", - "title": "Spring Framework URL Parsing with Host Validation" - }, - { - "affected_version_range": "\u003c=5.3.40 (unknown)", - "aliases": [ - "CVE-2024-38820" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-38820", - "id": "CWE-178", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph", - "description": "Spring Framework DataBinder Case Sensitive Match Exception", - "epss": [ - { - "cve": "CVE-2024-38820", - "date": "2026-06-14", - "epss": 0.01473, - "percentile": 0.81422 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-4gc7-5j7h-4qph", - "namespace": "github:language:java", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jvmreach", - "confidence": "low", - "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-38820", - "Fix state: not-fixed", - "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c", - "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2", - "https://nvd.nist.gov/vuln/detail/CVE-2024-38820", - "https://security.netapp.com/advisory/ntap-20241129-0003", - 
"https://spring.io/security/cve-2024-38820" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph" + "url": "https://access.redhat.com/errata/RHSA-2024:6887" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38820" + "url": "https://access.redhat.com/errata/RHSA-2024:6886" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-38820" + "url": "https://access.redhat.com/errata/RHSA-2024:6882" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c" + "url": "https://access.redhat.com/errata/RHSA-2024:6880" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2" + "url": "https://access.redhat.com/errata/RHSA-2024:6879" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241129-0003" + "url": "https://access.redhat.com/errata/RHSA-2024:6878" } ], - "risk_score": 0.758595, - "severity": "medium", + "risk_score": 1.55268, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework DataBinder Case Sensitive Match Exception" + "title": "Improper Verification of SAML Responses Leading to Privilege Escalation in Keycloak" }, { - "affected_version_range": "\u003c6.0.0 (unknown)", + "affected_version_range": "\u003c26.5.4 (unknown)", "aliases": [ - "CVE-2016-1000027" + "CVE-2026-2575" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2016-1000027", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2026-2575", + "id": "CWE-409", + "source": "secalert@redhat.com", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4wrc-f8pq-fpqp", - "description": 
"Pivotal Spring Framework contains unsafe Java deserialization methods", + "data_source": "https://github.com/advisories/GHSA-xv6h-r36f-3gp5", + "description": "Keycloak: Denial of Service due to excessive SAMLRequest decompression", "epss": [ { - "cve": "CVE-2016-1000027", - "date": "2026-06-14", - "epss": 0.60417, - "percentile": 0.98322 + "cve": "CVE-2026-2575", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-10", + "date": "2026-03-19", "kind": "first-observed", - "version": "6.0.0" + "version": "26.5.4" } ], "fix_state": "fixed", - "fixed_in": "6.0.0", + "fixed_in": "26.5.4", "fixed_versions": [ - "6.0.0" + "26.5.4" ], - "id": "GHSA-4wrc-f8pq-fpqp", + "id": "GHSA-xv6h-r36f-3gp5", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", - "confidence": "low", "dynamic_imports_detected": true, - "hops": 0, - "status": "reachable", + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2016-1000027", - "Fix available: upgrade to 6.0.0", + "Also known as: CVE-2026-2575", + "Fix available: upgrade to 26.5.4", "Fix state: fixed", - "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027", - "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f", - "https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa", - "https://github.com/spring-projects/spring-framework/issues/21680", - "https://github.com/spring-projects/spring-framework/issues/24434", - "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331", - "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626", - "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417", - 
"https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525", - "https://jira.spring.io/browse/SPR-17143?redirect=false", - "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027", - "https://security-tracker.debian.org/tracker/CVE-2016-1000027", - "https://security.netapp.com/advisory/ntap-20230420-0009/", - "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now", - "https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027", - "https://www.tenable.com/security/research/tra-2016-20" + "https://access.redhat.com/errata/RHSA-2026:3947", + "https://access.redhat.com/errata/RHSA-2026:3948", + "https://access.redhat.com/security/cve/CVE-2026-2575", + "https://bugzilla.redhat.com/show_bug.cgi?id=2440149", + "https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04", + "https://github.com/keycloak/keycloak/issues/46372", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2575" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4wrc-f8pq-fpqp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027" - }, - { - "type": "advisory", - "url": "https://security-tracker.debian.org/tracker/CVE-2016-1000027" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/research/tra-2016-20" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/24434" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa" - }, - { - "type": "advisory", - "url": 
"https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/21680" + "url": "https://github.com/advisories/GHSA-xv6h-r36f-3gp5" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2575" }, { "type": "advisory", - "url": "https://jira.spring.io/browse/SPR-17143?redirect=false" + "url": "https://access.redhat.com/errata/RHSA-2026:3947" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626" + "url": "https://access.redhat.com/errata/RHSA-2026:3948" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417" + "url": "https://access.redhat.com/security/cve/CVE-2026-2575" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440149" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230420-0009/" + "url": "https://github.com/keycloak/keycloak/issues/46372" }, { "type": "advisory", - "url": "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now" + "url": "https://github.com/keycloak/keycloak/commit/4f90ef67f698dfb45df0d2f4981271a7c8b47f04" } ], - "risk_score": 56.791979999999995, - "severity": "critical", + "risk_score": 0.25853, + "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "Pivotal Spring Framework contains unsafe Java deserialization methods" - }, + "title": "Keycloak: Denial of Service due to excessive SAMLRequest decompression" + } + ] + }, + { + "ecosystem": "maven", + "licenses": [ { - "affected_version_range": 
"\u003c3.2.14 (unknown)", + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "jbcrypt", + "purl": "pkg:maven/org.mindrot/jbcrypt@0.4", + "version": "0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "maven", + "licenses": [ + { + "spdxExpression": "GPL-3.0", + "type": "external-depsdev", + "value": "GPL-3.0" + } + ], + "matched": true, + "name": "neo4j-jmx", + "purl": "pkg:maven/org.neo4j/neo4j-jmx@1.3", + "version": "1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "maven", + "licenses": [ + { + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "spring-web", + "purl": "pkg:maven/org.springframework/spring-web@3.1.1.RELEASE", + "version": "3.1.1.release", + "vulnerabilities": [ + { + "affected_version_range": "\u003c5.3.38 (unknown)", "aliases": [ - "CVE-2015-3192" + "CVE-2024-38809" ], "cvss": [ { - "score": 5.5, - "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "version": "3.0" + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" } ], - "cwes": [ - { - "cve": "CVE-2015-3192", - "id": "CWE-119", - "source": "nvd@nist.gov", - "type": "Primary" + "cwes": [ + { + "cve": "CVE-2024-38809", + "id": "CWE-400", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-6v7w-535j-rq5m", - "description": "Pivotal Spring Framework DoS Attack with XML Input", + "data_source": "https://github.com/advisories/GHSA-2rmj-mq67-h97g", + "description": "Spring Framework DoS via conditional HTTP request", "epss": [ { - "cve": "CVE-2015-3192", - "date": "2026-06-14", - "epss": 0.01378, - "percentile": 0.80736 + "cve": "CVE-2024-38809", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-09-27", + "date": "2024-09-25", "kind": "first-observed", - "version": 
"3.2.14" + "version": "5.3.38" } ], "fix_state": "fixed", - "fixed_in": "3.2.14", + "fixed_in": "5.3.38", "fixed_versions": [ - "3.2.14" + "5.3.38" ], - "id": "GHSA-6v7w-535j-rq5m", + "id": "GHSA-2rmj-mq67-h97g", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
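Review bot: The four Keycloak advisories in this hunk (GHSA-p5mv-gj8j-xqgf, GHSA-wmxr-6j5f-838p, GHSA-xgfv-xpx8-qhcr, GHSA-xv6h-r36f-3gp5) now pin `"status": "unreachable"` with `"reason": "package-not-imported"` while `"dynamic_imports_detected": true` is still set, and the `"confidence"` field the old side carried is gone. If that flag means the analyzer saw reflective or runtime class loading, an import-based verdict is presumably not conclusive, and a consumer that filters on `status` alone could drop high-severity findings from triage. I would keep a qualifier on these entries, for example `"confidence": "low",` next to the new `"reason"` line, by changing the producer and regenerating the golden file rather than editing it by hand. The Struts entries in the preceding hunk, which starts outside this view, show the same pattern.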
@@ -15175,141 +3589,56 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2015-3192", - "Fix available: upgrade to 3.2.14", + "Also known as: CVE-2024-38809", + "Fix available: upgrade to 5.3.38", "Fix state: fixed", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html", - "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html", - "http://rhn.redhat.com/errata/RHSA-2016-1592.html", - "http://rhn.redhat.com/errata/RHSA-2016-1593.html", - "http://rhn.redhat.com/errata/RHSA-2016-2035.html", - "http://rhn.redhat.com/errata/RHSA-2016-2036.html", - "http://www.securityfocus.com/bid/90853", - "http://www.securitytracker.com/id/1036587", - "https://access.redhat.com/errata/RHSA-2016:1218", - "https://access.redhat.com/errata/RHSA-2016:1219", - "https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907", - "https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09", - "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424", - "https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e", - "https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b", - "https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434", - "https://github.com/spring-projects/spring-framework/issues/17727", - "https://github.com/spring-projects/spring-framework/issues/20352", - "https://jira.spring.io/browse/SPR-13136", - "https://jira.spring.io/browse/SPR-13136?redirect=false", - "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", - "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", - "https://spring.io/security/cve-2015-3192" + "https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3", + 
"https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533", + "https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85", + "https://github.com/spring-projects/spring-framework/issues/33372", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38809", + "https://spring.io/security/cve-2024-38809" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-6v7w-535j-rq5m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3192" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2016:1218" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2016:1219" - }, - { - "type": "advisory", - "url": "https://jira.spring.io/browse/SPR-13136" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html" - }, - { - "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html" - }, - { - "type": "advisory", - "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1592.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2016-1593.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/90853" - }, - { - "type": "advisory", - "url": "http://www.securitytracker.com/id/1036587" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/17727" - }, - { - "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/20352" - }, - { - "type": "advisory", - "url": 
"https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434" - }, - { - "type": "advisory", - "url": "https://jira.spring.io/browse/SPR-13136?redirect=false" + "url": "https://github.com/advisories/GHSA-2rmj-mq67-h97g" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2015-3192" + "url": "https://github.com/spring-projects/spring-framework/issues/33372" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907" + "url": "https://github.com/spring-projects/spring-framework/commit/582bfccbb72e5c8959a0b472d1dc7d03a20520f3" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09" + "url": "https://github.com/spring-projects/spring-framework/commit/8d16a50907c11f7e6b407d878a26e84eba08a533" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424" + "url": "https://github.com/spring-projects/spring-framework/commit/bb17ad8314b81850a939fd265fb53b3361705e85" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e" + "url": "https://spring.io/security/cve-2024-38809" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38809" } ], - "risk_score": 0.72345, + "risk_score": 0.44187000000000004, "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "Pivotal Spring Framework DoS Attack with XML Input" + "title": "Spring Framework DoS via conditional HTTP request" }, { - "affected_version_range": "\u003c=5.2.25.RELEASE (unknown)", + "affected_version_range": "\u003c5.3.34 (unknown)", "aliases": [ - "CVE-2024-22243" + "CVE-2024-22262" ], "cvss": 
[ { @@ -15320,24 +3649,41 @@ ], "cwes": [ { - "cve": "CVE-2024-22243", + "cve": "CVE-2024-22262", "id": "CWE-601", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" + }, + { + "cve": "CVE-2024-22262", + "id": "CWE-918", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-ccgv-vj62-xf9h", - "description": "Spring Web vulnerable to Open Redirect or Server Side Request Forgery", + "data_source": "https://github.com/advisories/GHSA-2wrp-6fg6-hmc5", + "description": "Spring Framework URL Parsing with Host Validation", "epss": [ { - "cve": "CVE-2024-22243", - "date": "2026-06-14", - "epss": 0.59593, - "percentile": 0.98296 + "cve": "CVE-2024-22262", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "not-fixed", - "id": "GHSA-ccgv-vj62-xf9h", + "fix_available": [ + { + "date": "2024-04-26", + "kind": "first-observed", + "version": "5.3.34" + } + ], + "fix_state": "fixed", + "fixed_in": "5.3.34", + "fixed_versions": [ + "5.3.34" + ], + "id": "GHSA-2wrp-6fg6-hmc5", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -15349,26 +3695,26 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-22243", - "Fix state: not-fixed", - "http://seclists.org/fulldisclosure/2024/Sep/24", + "Also known as: CVE-2024-22262", + "Fix available: upgrade to 5.3.34", + "Fix state: fixed", "https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java", - "https://nvd.nist.gov/vuln/detail/CVE-2024-22243", - "https://security.netapp.com/advisory/ntap-20240524-0001", - "https://spring.io/security/cve-2024-22243" + "https://nvd.nist.gov/vuln/detail/CVE-2024-22262", + "https://security.netapp.com/advisory/ntap-20240524-0003", + "https://spring.io/security/cve-2024-22262" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-ccgv-vj62-xf9h" + "url": "https://github.com/advisories/GHSA-2wrp-6fg6-hmc5" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22243" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22262" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-22243" + "url": "https://spring.io/security/cve-2024-22262" }, { "type": "advisory", 
@@ -15376,61 +3722,47 @@ }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240524-0001" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2024/Sep/24" + "url": "https://security.netapp.com/advisory/ntap-20240524-0003" } ], - "risk_score": 46.48254, + "risk_score": 0.9289800000000001, "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Web vulnerable to Open Redirect or Server Side Request Forgery" + "title": "Spring Framework URL Parsing with Host Validation" }, { - "affected_version_range": "\u003c=3.2.4.RELEASE (unknown)", + "affected_version_range": "\u003c=5.3.40 (unknown)", "aliases": [ - "CVE-2013-6429" + "CVE-2024-38820" ], - "cwes": [ - { - "cve": "CVE-2013-6429", - "id": "CWE-352", - "source": "nvd@nist.gov", - "type": "Primary" - }, + "cvss": [ { - "cve": "CVE-2013-6429", - "id": "CWE-611", - "source": "nvd@nist.gov", - "type": "Primary" + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "version": "3.1" } ], - "data_source": "https://github.com/advisories/GHSA-g6hf-f9cq-q7w7", - "description": "Cross-Site Request Forgery in Spring Framework", - "epss": [ + "cwes": [ { - "cve": "CVE-2013-6429", - "date": "2026-06-14", - "epss": 0.38725, - "percentile": 0.97363 + "cve": "CVE-2024-38820", + "id": "CWE-178", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "fix_available": [ + "data_source": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph", + "description": "Spring Framework DataBinder Case Sensitive Match Exception", + "epss": [ { - "date": "2022-07-08", - "kind": "first-observed", - "version": "3.2.5.RELEASE" + "cve": "CVE-2024-38820", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "fixed", - "fixed_in": "3.2.5.RELEASE", - "fixed_versions": [ - "3.2.5.RELEASE" - ], - "id": "GHSA-g6hf-f9cq-q7w7", + "fix_state": "not-fixed", + "id": "GHSA-4gc7-5j7h-4qph", 
"namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
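Review bot: `risk_score` is still written un-normalized in this hunk (`"risk_score": 0.9289800000000001`) although the EPSS fields beside it are now scrubbed to `"date": "\u003cnormalized\u003e"`, `"epss": 0`, `"percentile": 0`, so the golden keeps pinning a number that looks feed-dependent. Further down in this file the score for GHSA-6v7w-535j-rq5m moves from `0.72345` to `2.793` while the rest of that record is unchanged apart from the EPSS scrubbing, which suggests the score is computed from live EPSS before normalization; that is an inference from the fixture, not from the scoring code. I would scrub it in the same normalization step, for example `"risk_score": 0`, and pin the scoring formula in a unit test with fixed CVSS/EPSS inputs, so a real change in prioritisation is not lost among feed churn in a bot-generated update. The same applies to the `risk_score` lines in the hunks at +3589, +3771 and +3868. The unrounded values (`0.44187000000000004`, `30.321580000000004`) also point to the score being serialized without rounding, which is worth fixing at the source rather than in the golden.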
@@ -15439,108 +3771,92 @@ "dynamic_imports_detected": true, "hops": 0, "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2013-6429", - "Fix available: upgrade to 3.2.5.RELEASE", - "Fix state: fixed", - "http://rhn.redhat.com/errata/RHSA-2014-0400.html", - "http://secunia.com/advisories/57915", - "https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8", - "https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e", - "https://github.com/spring-projects/spring-framework/issues/15704", - "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", - "https://jira.spring.io/browse/SPR-11078?redirect=false", - "https://nvd.nist.gov/vuln/detail/CVE-2013-6429" + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2024-38820", + "Fix state: not-fixed", + "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c", + "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2", + "https://nvd.nist.gov/vuln/detail/CVE-2024-38820", + "https://security.netapp.com/advisory/ntap-20241129-0003", + "https://spring.io/security/cve-2024-38820" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-g6hf-f9cq-q7w7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6429" - }, - { - "type": "advisory", - "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" - }, - { - "type": "advisory", - "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" + "url": "https://github.com/advisories/GHSA-4gc7-5j7h-4qph" }, { "type": "advisory", - "url": "http://secunia.com/advisories/57915" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-38820" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/issues/15704" + "url": 
"https://spring.io/security/cve-2024-38820" }, { "type": "advisory", - "url": "https://jira.spring.io/browse/SPR-11078?redirect=false" + "url": "https://github.com/spring-projects/spring-framework/commit/23656aebc6c7d0f9faff1080981eb4d55eff296c" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8" + "url": "https://github.com/spring-projects/spring-framework/commits/v6.2.0-RC2" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e" + "url": "https://security.netapp.com/advisory/ntap-20241129-0003" } ], - "risk_score": 19.3625, + "risk_score": 0.32496499999999995, "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "Cross-Site Request Forgery in Spring Framework" + "title": "Spring Framework DataBinder Case Sensitive Match Exception" }, { - "affected_version_range": "\u003c5.3.33 (unknown)", + "affected_version_range": "\u003c6.0.0 (unknown)", "aliases": [ - "CVE-2024-22259" + "CVE-2016-1000027" ], "cvss": [ { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2024-22259", - "id": "CWE-601", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2016-1000027", + "id": "CWE-502", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-hgjh-9rj2-g67j", - "description": "Spring Framework URL Parsing with Host Validation Vulnerability", + "data_source": "https://github.com/advisories/GHSA-4wrc-f8pq-fpqp", + "description": "Pivotal Spring Framework contains unsafe Java deserialization methods", "epss": [ { - "cve": "CVE-2024-22259", - "date": "2026-06-14", - "epss": 0.56395, - "percentile": 0.98164 + "cve": "CVE-2016-1000027", + "date": 
"\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-03-19", + "date": "2022-12-10", "kind": "first-observed", - "version": "5.3.33" + "version": "6.0.0" } ], "fix_state": "fixed", - "fixed_in": "5.3.33", + "fixed_in": "6.0.0", "fixed_versions": [ - "5.3.33" + "6.0.0" ], - "id": "GHSA-hgjh-9rj2-g67j", + "id": "GHSA-4wrc-f8pq-fpqp", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -15552,95 +3868,145 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-22259", - "Fix available: upgrade to 5.3.33", + "Also known as: CVE-2016-1000027", + "Fix available: upgrade to 6.0.0", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb", - "https://github.com/spring-projects/spring-framework/commit/381f790329a48b74c2a49fc1384dd68ca9153501", - "https://github.com/spring-projects/spring-framework/commit/f2fd2f12269c6a781c5b2c20b3c24141055a3d68", - "https://nvd.nist.gov/vuln/detail/CVE-2024-22259", - "https://security.netapp.com/advisory/ntap-20240524-0002", - "https://spring.io/security/cve-2024-22259" + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027", + "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f", + "https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa", + "https://github.com/spring-projects/spring-framework/issues/21680", + "https://github.com/spring-projects/spring-framework/issues/24434", + "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331", + "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626", + "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417", + "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525", + "https://jira.spring.io/browse/SPR-17143?redirect=false", + "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027", + "https://security-tracker.debian.org/tracker/CVE-2016-1000027", + "https://security.netapp.com/advisory/ntap-20230420-0009/", + "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now", + "https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027", + 
"https://www.tenable.com/security/research/tra-2016-20" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-hgjh-9rj2-g67j" + "url": "https://github.com/advisories/GHSA-4wrc-f8pq-fpqp" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22259" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000027" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2024-22259" + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1000027" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb" + "url": "https://security-tracker.debian.org/tracker/CVE-2016-1000027" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/381f790329a48b74c2a49fc1384dd68ca9153501" + "url": "https://www.tenable.com/security/research/tra-2016-20" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/f2fd2f12269c6a781c5b2c20b3c24141055a3d68" + "url": "https://github.com/spring-projects/spring-framework/issues/24434" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240524-0002" + "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-1231625331" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/5cbe90b2cd91b866a5a9586e460f311860e11cfa" + }, + { + "type": "advisory", + "url": "https://support.contrastsecurity.com/hc/en-us/articles/4402400830612-Spring-web-Java-Deserialization-CVE-2016-1000027" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/issues/21680" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/2b051b8b321768a4cfef83077db65c6328ffd60f" + }, + { + "type": "advisory", + "url": "https://jira.spring.io/browse/SPR-17143?redirect=false" + }, + { + "type": 
"advisory", + "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-579669626" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-582313417" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/issues/24434#issuecomment-744519525" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20230420-0009/" + }, + { + "type": "advisory", + "url": "https://spring.io/blog/2022/05/11/spring-framework-5-3-20-and-5-2-22-available-now" } ], - "risk_score": 43.988099999999996, - "severity": "high", + "risk_score": 30.321580000000004, + "severity": "critical", "severity_source": "github:language:java", "source": "grype", - "title": "Spring Framework URL Parsing with Host Validation Vulnerability" + "title": "Pivotal Spring Framework contains unsafe Java deserialization methods" }, { - "affected_version_range": "\u003c=3.2.1.RELEASE (unknown)", + "affected_version_range": "\u003c3.2.14 (unknown)", "aliases": [ - "CVE-2013-6430" + "CVE-2015-3192" ], "cvss": [ { - "score": 5.4, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" + "score": 5.5, + "vector": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", + "version": "3.0" } ], "cwes": [ { - "cve": "CVE-2013-6430", - "id": "CWE-79", + "cve": "CVE-2015-3192", + "id": "CWE-119", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-xjrf-8x4f-43h4", - "description": "Improper Neutralization of Input During Web Page Generation in Spring Framework", + "data_source": "https://github.com/advisories/GHSA-6v7w-535j-rq5m", + "description": "Pivotal Spring Framework DoS Attack with XML Input", "epss": [ { - "cve": "CVE-2013-6430", - "date": "2026-06-14", - "epss": 0.00315, - "percentile": 0.55146 + "cve": "CVE-2015-3192", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], 
"fix_available": [ { - "date": "2022-07-08", + "date": "2023-09-27", "kind": "first-observed", - "version": "3.2.2.RELEASE" + "version": "3.2.14" } ], "fix_state": "fixed", - "fixed_in": "3.2.2.RELEASE", + "fixed_in": "3.2.14", "fixed_versions": [ - "3.2.2.RELEASE" + "3.2.14" ], - "id": "GHSA-xjrf-8x4f-43h4", + "id": "GHSA-6v7w-535j-rq5m", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -15652,459 +4018,533 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2013-6430", - "Fix available: upgrade to 3.2.2.RELEASE", + "Also known as: CVE-2015-3192", + "Fix available: upgrade to 3.2.14", "Fix state: fixed", - "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248", - "https://github.com/spring-projects/spring-framework/commit/9982b4c01a8c7be0961e58b58ed83731c40449ff", - "https://github.com/spring-projects/spring-framework/commit/f5c9fe69a444607af667911bd4c5074b5b073e7b", - "https://github.com/spring-projects/spring-framework/issues/14617", - "https://jira.spring.io/browse/SPR-9983?redirect=false", - "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", - "https://spring.io/security/cve-2013-6430" + "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html", + "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html", + "http://rhn.redhat.com/errata/RHSA-2016-1592.html", + "http://rhn.redhat.com/errata/RHSA-2016-1593.html", + "http://rhn.redhat.com/errata/RHSA-2016-2035.html", + "http://rhn.redhat.com/errata/RHSA-2016-2036.html", + "http://www.securityfocus.com/bid/90853", + "http://www.securitytracker.com/id/1036587", + "https://access.redhat.com/errata/RHSA-2016:1218", + "https://access.redhat.com/errata/RHSA-2016:1219", + "https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907", + "https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09", + "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424", + "https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e", + "https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b", + "https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434", + 
"https://github.com/spring-projects/spring-framework/issues/17727", + "https://github.com/spring-projects/spring-framework/issues/20352", + "https://jira.spring.io/browse/SPR-13136", + "https://jira.spring.io/browse/SPR-13136?redirect=false", + "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html", + "https://nvd.nist.gov/vuln/detail/CVE-2015-3192", + "https://spring.io/security/cve-2015-3192" ], "references": [ { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xjrf-8x4f-43h4" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-6v7w-535j-rq5m" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3192" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2016:1218" + }, + { + "type": "advisory", + "url": "https://access.redhat.com/errata/RHSA-2016:1219" + }, + { + "type": "advisory", + "url": "https://jira.spring.io/browse/SPR-13136" + }, + { + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2019/07/msg00012.html" + }, + { + "type": "advisory", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162015.html" + }, + { + "type": "advisory", + "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-July/162017.html" + }, + { + "type": "advisory", + "url": "http://rhn.redhat.com/errata/RHSA-2016-1592.html" + }, + { + "type": "advisory", + "url": "http://rhn.redhat.com/errata/RHSA-2016-1593.html" + }, + { + "type": "advisory", + "url": "http://rhn.redhat.com/errata/RHSA-2016-2035.html" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6430" + "url": "http://rhn.redhat.com/errata/RHSA-2016-2036.html" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248" + "url": "http://www.securityfocus.com/bid/90853" }, { "type": "advisory", - "url": 
"https://github.com/spring-projects/spring-framework/issues/14617" + "url": "http://www.securitytracker.com/id/1036587" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/9982b4c01a8c7be0961e58b58ed83731c40449ff" + "url": "https://github.com/spring-projects/spring-framework/issues/17727" }, { "type": "advisory", - "url": "https://github.com/spring-projects/spring-framework/commit/f5c9fe69a444607af667911bd4c5074b5b073e7b" + "url": "https://github.com/spring-projects/spring-framework/issues/20352" }, { "type": "advisory", - "url": "https://jira.spring.io/browse/SPR-9983?redirect=false" + "url": "https://github.com/spring-projects/spring-framework/commit/e4651d6b50c5bc85c84ff537859c212ac4e33434" }, { "type": "advisory", - "url": "https://spring.io/security/cve-2013-6430" + "url": "https://jira.spring.io/browse/SPR-13136?redirect=false" + }, + { + "type": "advisory", + "url": "https://spring.io/security/cve-2015-3192" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/0411435bac835de88a80a64b3f67b1b89244e907" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/38b8262e1e2db9be9d2171d81547da5c65ba7e09" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/5a711c05ec750f069235597173084c2ee7962424" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/9c3580d04e84d25a90ef4c249baee1b4e02df15e" + }, + { + "type": "advisory", + "url": "https://github.com/spring-projects/spring-framework/commit/d79ec68db40c381b8e205af52748ebd3163ee33b" } ], - "risk_score": 0.1638, + "risk_score": 2.793, "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "Improper Neutralization of Input During Web Page Generation in Spring Framework" - } - ] - }, - { - "ecosystem": "maven", - "licenses": [ - { - "spdxExpression": 
"Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "snappy-java", - "purl": "pkg:maven/org.xerial.snappy/snappy-java@1.1.1.7", - "version": "1.1.1.7", - "vulnerabilities": [ + "title": "Pivotal Spring Framework DoS Attack with XML Input" + }, { - "affected_version_range": "\u003c=1.1.10.3 (unknown)", + "affected_version_range": "\u003c=5.2.25.RELEASE (unknown)", "aliases": [ - "CVE-2023-43642" + "CVE-2024-22243" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 8.1, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-43642", - "id": "CWE-770", - "source": "security-advisories@github.com", + "cve": "CVE-2024-22243", + "id": "CWE-601", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-55g7-9cwv-5qfv", - "description": "snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact", + "data_source": "https://github.com/advisories/GHSA-ccgv-vj62-xf9h", + "description": "Spring Web vulnerable to Open Redirect or Server Side Request Forgery", "epss": [ { - "cve": "CVE-2023-43642", - "date": "2026-06-14", - "epss": 0.00247, - "percentile": 0.48348 - } - ], - "fix_available": [ - { - "date": "2023-09-26", - "kind": "first-observed", - "version": "1.1.10.4" + "cve": "CVE-2024-22243", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "fixed", - "fixed_in": "1.1.10.4", - "fixed_versions": [ - "1.1.10.4" - ], - "id": "GHSA-55g7-9cwv-5qfv", + "fix_state": "not-fixed", + "id": "GHSA-ccgv-vj62-xf9h", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", + "confidence": "low", "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", + "hops": 0, + "status": 
"reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-43642", - "Fix available: upgrade to 1.1.10.4", - "Fix state: fixed", - "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5", - "https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4", - "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv", - "https://nvd.nist.gov/vuln/detail/CVE-2023-43642" + "Also known as: CVE-2024-22243", + "Fix state: not-fixed", + "http://seclists.org/fulldisclosure/2024/Sep/24", + "https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22243", + "https://security.netapp.com/advisory/ntap-20240524-0001", + "https://spring.io/security/cve-2024-22243" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-55g7-9cwv-5qfv" + "url": "https://github.com/advisories/GHSA-ccgv-vj62-xf9h" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22243" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-55g7-9cwv-5qfv" + "url": "https://spring.io/security/cve-2024-22243" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917b9f10ceb5" + "url": "https://github.com/spring-projects/spring-framework/blob/main/spring-web/src/main/java/org/springframework/web/util/UriComponentsBuilder.java" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/releases/tag/v1.1.10.4" + "url": "https://security.netapp.com/advisory/ntap-20240524-0001" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43642" + "url": "http://seclists.org/fulldisclosure/2024/Sep/24" } ], - "risk_score": 0.18525, + "risk_score": 3.09426, "severity": "high", "severity_source": "github:language:java", "source": "grype", - 
"title": "snappy-java's missing upper bound check on chunk length can lead to Denial of Service (DoS) impact" + "title": "Spring Web vulnerable to Open Redirect or Server Side Request Forgery" }, { - "affected_version_range": "\u003c=1.1.10.0 (unknown)", + "affected_version_range": "\u003c=3.2.4.RELEASE (unknown)", "aliases": [ - "CVE-2023-34454" - ], - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } + "CVE-2013-6429" ], "cwes": [ { - "cve": "CVE-2023-34454", - "id": "CWE-190", - "source": "security-advisories@github.com", - "type": "Secondary" + "cve": "CVE-2013-6429", + "id": "CWE-352", + "source": "nvd@nist.gov", + "type": "Primary" + }, + { + "cve": "CVE-2013-6429", + "id": "CWE-611", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-fjpj-2g6w-x25r", - "description": "snappy-java's Integer Overflow vulnerability in compress leads to DoS", + "data_source": "https://github.com/advisories/GHSA-g6hf-f9cq-q7w7", + "description": "Cross-Site Request Forgery in Spring Framework", "epss": [ { - "cve": "CVE-2023-34454", - "date": "2026-06-14", - "epss": 0.00667, - "percentile": 0.71842 + "cve": "CVE-2013-6429", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-06-16", + "date": "2022-07-08", "kind": "first-observed", - "version": "1.1.10.1" + "version": "3.2.5.RELEASE" } ], "fix_state": "fixed", - "fixed_in": "1.1.10.1", + "fixed_in": "3.2.5.RELEASE", "fixed_versions": [ - "1.1.10.1" + "3.2.5.RELEASE" ], - "id": "GHSA-fjpj-2g6w-x25r", + "id": "GHSA-g6hf-f9cq-q7w7", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", + "confidence": "low", "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: 
CVE-2023-34454", - "Fix available: upgrade to 1.1.10.1", + "Also known as: CVE-2013-6429", + "Fix available: upgrade to 3.2.5.RELEASE", "Fix state: fixed", - "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169", - "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422", - "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java", - "https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94", - "https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r", - "https://nvd.nist.gov/vuln/detail/CVE-2023-34454" + "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "http://secunia.com/advisories/57915", + "https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8", + "https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e", + "https://github.com/spring-projects/spring-framework/issues/15704", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "https://jira.spring.io/browse/SPR-11078?redirect=false", + "https://nvd.nist.gov/vuln/detail/CVE-2013-6429" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-fjpj-2g6w-x25r" + "url": "https://github.com/advisories/GHSA-g6hf-f9cq-q7w7" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6429" + }, + { + "type": "advisory", + "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-fjpj-2g6w-x25r" + "url": "http://rhn.redhat.com/errata/RHSA-2014-0400.html" }, { "type": "advisory", - "url": 
"https://github.com/xerial/snappy-java/commit/d0042551e4a3509a725038eb9b2ad1f683674d94" + "url": "http://secunia.com/advisories/57915" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L169" + "url": "https://github.com/spring-projects/spring-framework/issues/15704" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/Snappy.java#L422" + "url": "https://jira.spring.io/browse/SPR-11078?redirect=false" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/Snappy.java" + "url": "https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34454" + "url": "https://github.com/spring-projects/spring-framework/commit/7387cb990e35b0f1b573faf29d4f9ae183d7a5e" } ], - "risk_score": 0.36351500000000003, + "risk_score": 45.2275, "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "snappy-java's Integer Overflow vulnerability in compress leads to DoS" + "title": "Cross-Site Request Forgery in Spring Framework" }, { - "affected_version_range": "\u003c=1.1.10.0 (unknown)", + "affected_version_range": "\u003c5.3.33 (unknown)", "aliases": [ - "CVE-2023-34453" + "CVE-2024-22259" ], "cvss": [ { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 8.1, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-34453", - "id": "CWE-190", - "source": "security-advisories@github.com", + "cve": "CVE-2024-22259", + "id": "CWE-601", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-pqr6-cmr2-h8hf", - 
"description": "snappy-java's Integer Overflow vulnerability in shuffle leads to DoS", + "data_source": "https://github.com/advisories/GHSA-hgjh-9rj2-g67j", + "description": "Spring Framework URL Parsing with Host Validation Vulnerability", "epss": [ { - "cve": "CVE-2023-34453", - "date": "2026-06-14", - "epss": 0.01503, - "percentile": 0.81622 + "cve": "CVE-2024-22259", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-06-16", + "date": "2024-03-19", "kind": "first-observed", - "version": "1.1.10.1" + "version": "5.3.33" } ], "fix_state": "fixed", - "fixed_in": "1.1.10.1", + "fixed_in": "5.3.33", "fixed_versions": [ - "1.1.10.1" + "5.3.33" ], - "id": "GHSA-pqr6-cmr2-h8hf", + "id": "GHSA-hgjh-9rj2-g67j", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", + "confidence": "low", "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-34453", - "Fix available: upgrade to 1.1.10.1", + "Also known as: CVE-2024-22259", + "Fix available: upgrade to 5.3.33", "Fix state: fixed", - "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107", - "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java", - "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905", - "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf", - "https://nvd.nist.gov/vuln/detail/CVE-2023-34453" + "https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb", + "https://github.com/spring-projects/spring-framework/commit/381f790329a48b74c2a49fc1384dd68ca9153501", + 
"https://github.com/spring-projects/spring-framework/commit/f2fd2f12269c6a781c5b2c20b3c24141055a3d68", + "https://nvd.nist.gov/vuln/detail/CVE-2024-22259", + "https://security.netapp.com/advisory/ntap-20240524-0002", + "https://spring.io/security/cve-2024-22259" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-pqr6-cmr2-h8hf" + "url": "https://github.com/advisories/GHSA-hgjh-9rj2-g67j" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22259" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-pqr6-cmr2-h8hf" + "url": "https://spring.io/security/cve-2024-22259" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/commit/820e2e074c58748b41dbd547f4edba9e108ad905" + "url": "https://github.com/spring-projects/spring-framework/commit/297cbae2990e1413537c55845a7e0ea0ffd9f9bb" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/BitShuffle.java#L107" + "url": "https://github.com/spring-projects/spring-framework/commit/381f790329a48b74c2a49fc1384dd68ca9153501" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/BitShuffle.java" + "url": "https://github.com/spring-projects/spring-framework/commit/f2fd2f12269c6a781c5b2c20b3c24141055a3d68" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34453" + "url": "https://security.netapp.com/advisory/ntap-20240524-0002" } ], - "risk_score": 0.819135, - "severity": "medium", + "risk_score": 2.00694, + "severity": "high", "severity_source": "github:language:java", "source": "grype", - "title": "snappy-java's Integer Overflow vulnerability in shuffle leads to DoS" + "title": "Spring Framework URL Parsing with Host Validation Vulnerability" }, { - "affected_version_range": "\u003c=1.1.10.0 (unknown)", + 
"affected_version_range": "\u003c=3.2.1.RELEASE (unknown)", "aliases": [ - "CVE-2023-34455" + "CVE-2013-6430" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 5.4, + "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-34455", - "id": "CWE-770", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2023-34455", - "id": "CWE-770", + "cve": "CVE-2013-6430", + "id": "CWE-79", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-qcwq-55hx-v3vh", - "description": "snappy-java's unchecked chunk length leads to DoS", + "data_source": "https://github.com/advisories/GHSA-xjrf-8x4f-43h4", + "description": "Improper Neutralization of Input During Web Page Generation in Spring Framework", "epss": [ { - "cve": "CVE-2023-34455", - "date": "2026-06-14", - "epss": 0.00611, - "percentile": 0.70371 + "cve": "CVE-2013-6430", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-06-16", + "date": "2022-07-08", "kind": "first-observed", - "version": "1.1.10.1" + "version": "3.2.2.RELEASE" } ], "fix_state": "fixed", - "fixed_in": "1.1.10.1", + "fixed_in": "3.2.2.RELEASE", "fixed_versions": [ - "1.1.10.1" + "3.2.2.RELEASE" ], - "id": "GHSA-qcwq-55hx-v3vh", + "id": "GHSA-xjrf-8x4f-43h4", "namespace": "github:language:java", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jvmreach", + "confidence": "low", "dynamic_imports_detected": true, - "reason": "package-not-imported", - "status": "unreachable", + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-34455", - "Fix available: upgrade to 1.1.10.1", + "Also known as: CVE-2013-6430", + "Fix available: upgrade to 3.2.2.RELEASE", "Fix state: fixed", - 
"https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388", - "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java", - "https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea", - "https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh", - "https://nvd.nist.gov/vuln/detail/CVE-2023-34455", - "https://security.netapp.com/advisory/ntap-20230818-0009/" + "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248", + "https://github.com/spring-projects/spring-framework/commit/9982b4c01a8c7be0961e58b58ed83731c40449ff", + "https://github.com/spring-projects/spring-framework/commit/f5c9fe69a444607af667911bd4c5074b5b073e7b", + "https://github.com/spring-projects/spring-framework/issues/14617", + "https://jira.spring.io/browse/SPR-9983?redirect=false", + "https://nvd.nist.gov/vuln/detail/CVE-2013-6430", + "https://spring.io/security/cve-2013-6430" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-qcwq-55hx-v3vh" + "url": "https://github.com/advisories/GHSA-xjrf-8x4f-43h4" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6430" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/security/advisories/GHSA-qcwq-55hx-v3vh" + "url": "https://github.com/spring-projects/spring-framework/commit/7a7df6637478607bef0277bf52a4e0a03e20a248" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/commit/3bf67857fcf70d9eea56eed4af7c925671e8eaea" + "url": "https://github.com/spring-projects/spring-framework/issues/14617" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/05c39b2ca9b5b7b39611529cc302d3d796329611/src/main/java/org/xerial/snappy/SnappyInputStream.java#L388" + "url": 
"https://github.com/spring-projects/spring-framework/commit/9982b4c01a8c7be0961e58b58ed83731c40449ff" }, { "type": "advisory", - "url": "https://github.com/xerial/snappy-java/blob/master/src/main/java/org/xerial/snappy/SnappyInputStream.java" + "url": "https://github.com/spring-projects/spring-framework/commit/f5c9fe69a444607af667911bd4c5074b5b073e7b" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34455" + "url": "https://jira.spring.io/browse/SPR-9983?redirect=false" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230818-0009/" + "url": "https://spring.io/security/cve-2013-6430" } ], - "risk_score": 0.45825, - "severity": "high", + "risk_score": 1.6629600000000002, + "severity": "medium", "severity_source": "github:language:java", "source": "grype", - "title": "snappy-java's unchecked chunk length leads to DoS" + "title": "Improper Neutralization of Input During Web Page Generation in Spring Framework" } ] } @@ -16114,7 +4554,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "maven", "path": "\u003cnormalized\u003e", - "target_ref": "509948ba5a02ffab48e7260031d4a1e78d010891", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-npm-audit.golden.json b/test/smoke/testdata/golden/scan-npm-audit.golden.json index 647dd40b..d70daff1 100644 --- a/test/smoke/testdata/golden/scan-npm-audit.golden.json +++ b/test/smoke/testdata/golden/scan-npm-audit.golden.json 
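Review bot: The `target_ref` recorded for this Maven scan changes from a full commit SHA to the tag `v1.0.0`, and a tag can be moved upstream, so the golden no longer identifies the exact tree the expected findings were produced from. The smoke harness is not visible in this hunk, but if it resolves the ref at run time, consider having it check out a pinned commit and record that here, e.g. `"target_ref": "<full-commit-sha-of-v1.0.0>"` (placeholder), keeping the tag only as a label. A later golden diff would then be attributable to scanner or advisory-data changes rather than to a silently changed fixture.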
@@ -4,288 +4,4378 @@ { "dependencies": [ { - "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main" - ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", + "depends_on": [], + "id": "pkg:npm/algo-httpserv@1.1.1", "licenses": [], - "name": ".github/workflows/node-aught.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "algo-httpserv", + "package_ref": "pkg:npm/algo-httpserv@1.1.1", + "purl": "pkg:npm/algo-httpserv@1.1.1", "scopes": [ "runtime" ], - "version": "local" + "version": "1.1.1" + }, + { + "depends_on": [], + "id": "pkg:npm/ansi-colors@3.2.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "ansi-colors", + "package_ref": "pkg:npm/ansi-colors@3.2.3", + "purl": "pkg:npm/ansi-colors@3.2.3", + "scopes": [ + "development" + ], + "version": "3.2.3" + }, + { + "depends_on": [], + "id": "pkg:npm/ansi-regex@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "ansi-regex", + "package_ref": "pkg:npm/ansi-regex@3.0.0", + "purl": "pkg:npm/ansi-regex@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "id": "pkg:npm/ansi-regex@4.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + 
"name": "ansi-regex", + "package_ref": "pkg:npm/ansi-regex@4.1.0", + "purl": "pkg:npm/ansi-regex@4.1.0", + "scopes": [ + "development" + ], + "version": "4.1.0" + }, + { + "depends_on": [ + "pkg:npm/color-convert@1.9.3" + ], + "id": "pkg:npm/ansi-styles@3.2.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "ansi-styles", + "package_ref": "pkg:npm/ansi-styles@3.2.1", + "purl": "pkg:npm/ansi-styles@3.2.1", + "scopes": [ + "development" + ], + "version": "3.2.1" + }, + { + "depends_on": [ + "pkg:npm/normalize-path@3.0.0", + "pkg:npm/picomatch@2.2.2" + ], + "id": "pkg:npm/anymatch@3.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "anymatch", + "package_ref": "pkg:npm/anymatch@3.1.1", + "purl": "pkg:npm/anymatch@3.1.1", + "scopes": [ + "development" + ], + "version": "3.1.1" + }, + { + "depends_on": [ + "pkg:npm/sprintf-js@1.0.3" + ], + "id": "pkg:npm/argparse@1.0.10", "licenses": [], - "name": "ljharb:actions/.github/workflows/node.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "argparse", + "package_ref": "pkg:npm/argparse@1.0.10", + "purl": "pkg:npm/argparse@1.0.10", "scopes": [ "runtime" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-aught.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "1.0.10" + }, { "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main" + "pkg:npm/lodash@4.17.15" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", + "id": "pkg:npm/async@2.6.3", "licenses": [], - "name": ".github/workflows/node-pretest.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "async", + "package_ref": "pkg:npm/async@2.6.3", + "purl": "pkg:npm/async@2.6.3", "scopes": [ "runtime" ], - "version": "local" + "version": "2.6.3" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", + "id": "pkg:npm/balanced-match@1.0.0", "licenses": [], - "name": "ljharb:actions/.github/workflows/pretest.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "balanced-match", + "package_ref": "pkg:npm/balanced-match@1.0.0", + "purl": "pkg:npm/balanced-match@1.0.0", "scopes": [ - "runtime" + "development" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-pretest.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "1.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/binary-extensions@2.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "binary-extensions", + "package_ref": "pkg:npm/binary-extensions@2.1.0", + "purl": "pkg:npm/binary-extensions@2.1.0", + "scopes": [ + "development" + ], + "version": "2.1.0" + }, { "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main" + "pkg:npm/balanced-match@1.0.0", + "pkg:npm/concat-map@0.0.1" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", + "id": "pkg:npm/brace-expansion@1.1.11", "licenses": [], - "name": ".github/workflows/node-tens.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "brace-expansion", + "package_ref": "pkg:npm/brace-expansion@1.1.11", + "purl": "pkg:npm/brace-expansion@1.1.11", "scopes": [ - "runtime" + "development" + ], + "version": "1.1.11" + }, + { + "depends_on": [ + "pkg:npm/fill-range@7.0.1" + ], + "id": "pkg:npm/braces@3.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "braces", + "package_ref": "pkg:npm/braces@3.0.2", + "purl": "pkg:npm/braces@3.0.2", + "scopes": [ + "development" ], - "version": "local" + "version": "3.0.2" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "id": "pkg:npm/browser-stdout@1.3.1", + "licenses": [], + "locations": [ + { + "access_path": 
"package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "browser-stdout", + "package_ref": "pkg:npm/browser-stdout@1.3.1", + "purl": "pkg:npm/browser-stdout@1.3.1", + "scopes": [ + "development" + ], + "version": "1.3.1" + }, + { + "depends_on": [ + "pkg:npm/dicer@0.2.5", + "pkg:npm/readable-stream@1.1.14" + ], + "id": "pkg:npm/busboy@0.2.14", "licenses": [], - "name": "ljharb:actions/.github/workflows/node.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "busboy", + "package_ref": "pkg:npm/busboy@0.2.14", + "purl": "pkg:npm/busboy@0.2.14", "scopes": [ "runtime" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-tens.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "0.2.14" + }, + { + "depends_on": [], + "id": "pkg:npm/camelcase@5.3.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "camelcase", + "package_ref": "pkg:npm/camelcase@5.3.1", + "purl": "pkg:npm/camelcase@5.3.1", + "scopes": [ + "development" + ], + "version": "5.3.1" + }, + { + "depends_on": [ + "pkg:npm/ansi-styles@3.2.1", + "pkg:npm/escape-string-regexp@1.0.5", + "pkg:npm/supports-color@5.5.0" + ], + "id": "pkg:npm/chalk@2.4.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "chalk", + "package_ref": "pkg:npm/chalk@2.4.2", + "purl": "pkg:npm/chalk@2.4.2", + "scopes": [ + "development" + ], + "version": "2.4.2" + }, + { + "depends_on": [ + "pkg:npm/anymatch@3.1.1", + "pkg:npm/braces@3.0.2", + "pkg:npm/fsevents@2.1.3", + "pkg:npm/glob-parent@5.1.1", + "pkg:npm/is-binary-path@2.1.0", + "pkg:npm/is-glob@4.0.1", + "pkg:npm/normalize-path@3.0.0", + "pkg:npm/readdirp@3.2.0" + ], + "id": "pkg:npm/chokidar@3.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "chokidar", + "package_ref": "pkg:npm/chokidar@3.3.0", + "purl": "pkg:npm/chokidar@3.3.0", + "scopes": [ + "development" + ], + "version": "3.3.0" + }, + { + "depends_on": [ + "pkg:npm/string-width@3.1.0", + "pkg:npm/strip-ansi@5.2.0", + "pkg:npm/wrap-ansi@5.1.0" + ], + "id": "pkg:npm/cliui@5.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "cliui", + "package_ref": "pkg:npm/cliui@5.0.0", 
+ "purl": "pkg:npm/cliui@5.0.0", + "scopes": [ + "development" + ], + "version": "5.0.0" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/ljharb/rebase@master" + "pkg:npm/color-name@1.1.3" + ], + "id": "pkg:npm/color-convert@1.9.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "color-convert", + "package_ref": "pkg:npm/color-convert@1.9.3", + "purl": "pkg:npm/color-convert@1.9.3", + "scopes": [ + "development" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", + "version": "1.9.3" + }, + { + "depends_on": [], + "id": "pkg:npm/color-name@1.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "color-name", + "package_ref": "pkg:npm/color-name@1.1.3", + "purl": "pkg:npm/color-name@1.1.3", + "scopes": [ + "development" + ], + "version": "1.1.3" + }, + { + "depends_on": [], + "id": "pkg:npm/concat-map@0.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "concat-map", + "package_ref": "pkg:npm/concat-map@0.0.1", + "purl": "pkg:npm/concat-map@0.0.1", + "scopes": [ + "development" + ], + "version": "0.0.1" + }, + { + "depends_on": [], + "id": "pkg:npm/core-util-is@1.0.2", "licenses": [], - "name": ".github/workflows/rebase.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "core-util-is", + 
"package_ref": "pkg:npm/core-util-is@1.0.2", + "purl": "pkg:npm/core-util-is@1.0.2", "scopes": [ "runtime" ], - "version": "local" + "version": "1.0.2" + }, + { + "depends_on": [ + "pkg:npm/ms@2.1.1" + ], + "id": "pkg:npm/debug@3.2.6", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "debug", + "package_ref": "pkg:npm/debug@3.2.6", + "purl": "pkg:npm/debug@3.2.6", + "scopes": [ + "development" + ], + "version": "3.2.6" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:npm/decamelize@1.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "decamelize", + "package_ref": "pkg:npm/decamelize@1.2.0", + "purl": "pkg:npm/decamelize@1.2.0", + "scopes": [ + "development" + ], + "version": "1.2.0" + }, + { + "depends_on": [ + "pkg:npm/object-keys@1.1.1" + ], + "id": "pkg:npm/define-properties@1.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "define-properties", + "package_ref": "pkg:npm/define-properties@1.1.3", + "purl": "pkg:npm/define-properties@1.1.3", + "scopes": [ + "development" + ], + "version": "1.1.3" + }, + { + "depends_on": [ + "pkg:npm/readable-stream@1.1.14", + "pkg:npm/streamsearch@0.1.2" + ], + "id": "pkg:npm/dicer@0.2.5", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "dicer", + "package_ref": 
"pkg:npm/dicer@0.2.5", + "purl": "pkg:npm/dicer@0.2.5", "scopes": [ "runtime" ], - "version": "v3" + "version": "0.2.5" + }, + { + "depends_on": [], + "id": "pkg:npm/diff@3.5.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "diff", + "package_ref": "pkg:npm/diff@3.5.0", + "purl": "pkg:npm/diff@3.5.0", + "scopes": [ + "development" + ], + "version": "3.5.0" + }, + { + "depends_on": [], + "id": "pkg:npm/emoji-regex@7.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "emoji-regex", + "package_ref": "pkg:npm/emoji-regex@7.0.3", + "purl": "pkg:npm/emoji-regex@7.0.3", + "scopes": [ + "development" + ], + "version": "7.0.3" + }, + { + "depends_on": [ + "pkg:npm/es-to-primitive@1.2.1", + "pkg:npm/function-bind@1.1.1", + "pkg:npm/has-symbols@1.0.1", + "pkg:npm/has@1.0.3", + "pkg:npm/is-callable@1.2.2", + "pkg:npm/is-regex@1.1.1", + "pkg:npm/object-inspect@1.8.0", + "pkg:npm/object-keys@1.1.1", + "pkg:npm/object.assign@4.1.0", + "pkg:npm/string.prototype.trimend@1.0.1", + "pkg:npm/string.prototype.trimstart@1.0.1" + ], + "id": "pkg:npm/es-abstract@1.17.6", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "es-abstract", + "package_ref": "pkg:npm/es-abstract@1.17.6", + "purl": "pkg:npm/es-abstract@1.17.6", + "scopes": [ + "development" + ], + "version": "1.17.6" + }, + { + "depends_on": [ + "pkg:npm/is-callable@1.2.2", + "pkg:npm/is-date-object@1.0.2", + "pkg:npm/is-symbol@1.0.3" + ], + "id": "pkg:npm/es-to-primitive@1.2.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": 
"package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "es-to-primitive", + "package_ref": "pkg:npm/es-to-primitive@1.2.1", + "purl": "pkg:npm/es-to-primitive@1.2.1", + "scopes": [ + "development" + ], + "version": "1.2.1" + }, + { + "depends_on": [], + "id": "pkg:npm/escape-string-regexp@1.0.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "escape-string-regexp", + "package_ref": "pkg:npm/escape-string-regexp@1.0.5", + "purl": "pkg:npm/escape-string-regexp@1.0.5", + "scopes": [ + "development" + ], + "version": "1.0.5" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/rebase@master", + "id": "pkg:npm/esprima@4.0.1", "licenses": [], - "name": "ljharb:rebase", - "package_ref": "pkg:githubactions/ljharb/rebase@master", - "purl": "pkg:githubactions/ljharb/rebase@master", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "esprima", + "package_ref": "pkg:npm/esprima@4.0.1", + "purl": "pkg:npm/esprima@4.0.1", "scopes": [ "runtime" ], - "version": "master" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/rebase.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "4.0.1" + }, + { + "depends_on": [ + "pkg:npm/algo-httpserv@1.1.1", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/larvitbase@3.1.3", + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitreqparser@0.2.1", + "pkg:npm/larvitrouter@3.0.2", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/lodash@4.17.15", + "pkg:npm/marked@0.3.19", + "pkg:npm/mocha@7.2.0", + "pkg:npm/node-yaml-config@0.0.5", + "pkg:npm/semver@5.7.1", + "pkg:npm/to@0.2.9", + "pkg:npm/url@0.11.0" + ], + "id": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "licenses": [], + "name": "example-javascript-vulnerable-methods", + "package_ref": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1" + }, + { + "depends_on": [ + "pkg:npm/to-regex-range@5.0.1" + ], + "id": "pkg:npm/fill-range@7.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "fill-range", + "package_ref": "pkg:npm/fill-range@7.0.1", + "purl": "pkg:npm/fill-range@7.0.1", + "scopes": [ + "development" + ], + "version": "7.0.1" + }, + { + "depends_on": [ + "pkg:npm/locate-path@3.0.0" + ], + "id": "pkg:npm/find-up@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "find-up", + "package_ref": "pkg:npm/find-up@3.0.0", + "purl": "pkg:npm/find-up@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [ + "pkg:npm/is-buffer@2.0.4" + ], + "id": "pkg:npm/flat@4.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "flat", + "package_ref": "pkg:npm/flat@4.1.0", + 
"purl": "pkg:npm/flat@4.1.0", + "scopes": [ + "development" + ], + "version": "4.1.0" + }, { "depends_on": [ - "pkg:githubactions/ljharb/require-allow-edits@main" + "pkg:npm/graceful-fs@4.2.3", + "pkg:npm/jsonfile@4.0.0", + "pkg:npm/universalify@0.1.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", + "id": "pkg:npm/fs-extra@7.0.1", "licenses": [], - "name": ".github/workflows/require-allow-edits.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "fs-extra", + "package_ref": "pkg:npm/fs-extra@7.0.1", + "purl": "pkg:npm/fs-extra@7.0.1", "scopes": [ "runtime" ], - "version": "local" + "version": "7.0.1" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/require-allow-edits@main", + "id": "pkg:npm/fs.realpath@1.0.0", "licenses": [], - "name": "ljharb:require-allow-edits", - "package_ref": "pkg:githubactions/ljharb/require-allow-edits@main", - "purl": "pkg:githubactions/ljharb/require-allow-edits@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "fs.realpath", + "package_ref": "pkg:npm/fs.realpath@1.0.0", + "purl": "pkg:npm/fs.realpath@1.0.0", "scopes": [ - "runtime" + "development" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/require-allow-edits.yml", - "subproject": "." 
- } - ], - "metadata": { - "duration_ms": 0 - }, + "version": "1.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/fsevents@2.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "fsevents", + "package_ref": "pkg:npm/fsevents@2.1.3", + "purl": "pkg:npm/fsevents@2.1.3", + "scopes": [ + "development" + ], + "version": "2.1.3" + }, + { + "depends_on": [], + "id": "pkg:npm/function-bind@1.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "function-bind", + "package_ref": "pkg:npm/function-bind@1.1.1", + "purl": "pkg:npm/function-bind@1.1.1", + "scopes": [ + "development", + "runtime" + ], + "version": "1.1.1" + }, + { + "depends_on": [], + "id": "pkg:npm/get-caller-file@2.0.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "get-caller-file", + "package_ref": "pkg:npm/get-caller-file@2.0.5", + "purl": "pkg:npm/get-caller-file@2.0.5", + "scopes": [ + "development" + ], + "version": "2.0.5" + }, + { + "depends_on": [ + "pkg:npm/is-glob@4.0.1" + ], + "id": "pkg:npm/glob-parent@5.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "glob-parent", + "package_ref": "pkg:npm/glob-parent@5.1.1", + "purl": "pkg:npm/glob-parent@5.1.1", + "scopes": [ + "development" + ], + "version": "5.1.1" + }, + { + "depends_on": [ + "pkg:npm/fs.realpath@1.0.0", + "pkg:npm/inflight@1.0.6", + "pkg:npm/inherits@2.0.4", + "pkg:npm/minimatch@3.0.4", + "pkg:npm/once@1.4.0", + "pkg:npm/path-is-absolute@1.0.1" + ], 
+ "id": "pkg:npm/glob@7.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "glob", + "package_ref": "pkg:npm/glob@7.1.3", + "purl": "pkg:npm/glob@7.1.3", + "scopes": [ + "development" + ], + "version": "7.1.3" + }, + { + "depends_on": [], + "id": "pkg:npm/graceful-fs@4.2.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "graceful-fs", + "package_ref": "pkg:npm/graceful-fs@4.2.3", + "purl": "pkg:npm/graceful-fs@4.2.3", + "scopes": [ + "runtime" + ], + "version": "4.2.3" + }, + { + "depends_on": [], + "id": "pkg:npm/growl@1.10.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "growl", + "package_ref": "pkg:npm/growl@1.10.5", + "purl": "pkg:npm/growl@1.10.5", + "scopes": [ + "development" + ], + "version": "1.10.5" + }, + { + "depends_on": [], + "id": "pkg:npm/handy@0.0.13", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "handy", + "package_ref": "pkg:npm/handy@0.0.13", + "purl": "pkg:npm/handy@0.0.13", + "scopes": [ + "runtime" + ], + "version": "0.0.13" + }, + { + "depends_on": [], + "id": "pkg:npm/has-flag@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "has-flag", + "package_ref": "pkg:npm/has-flag@3.0.0", + "purl": "pkg:npm/has-flag@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + 
"id": "pkg:npm/has-symbols@1.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "has-symbols", + "package_ref": "pkg:npm/has-symbols@1.0.1", + "purl": "pkg:npm/has-symbols@1.0.1", + "scopes": [ + "development" + ], + "version": "1.0.1" + }, + { + "depends_on": [ + "pkg:npm/function-bind@1.1.1" + ], + "id": "pkg:npm/has@1.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "has", + "package_ref": "pkg:npm/has@1.0.3", + "purl": "pkg:npm/has@1.0.3", + "scopes": [ + "runtime" + ], + "version": "1.0.3" + }, + { + "depends_on": [], + "id": "pkg:npm/he@1.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "he", + "package_ref": "pkg:npm/he@1.2.0", + "purl": "pkg:npm/he@1.2.0", + "scopes": [ + "development" + ], + "version": "1.2.0" + }, + { + "depends_on": [], + "id": "pkg:npm/htmlparser@1.7.7", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "htmlparser", + "package_ref": "pkg:npm/htmlparser@1.7.7", + "purl": "pkg:npm/htmlparser@1.7.7", + "scopes": [ + "runtime" + ], + "version": "1.7.7" + }, + { + "depends_on": [ + "pkg:npm/once@1.4.0", + "pkg:npm/wrappy@1.0.2" + ], + "id": "pkg:npm/inflight@1.0.6", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "inflight", + "package_ref": "pkg:npm/inflight@1.0.6", + "purl": "pkg:npm/inflight@1.0.6", + 
"scopes": [ + "development" + ], + "version": "1.0.6" + }, + { + "depends_on": [], + "id": "pkg:npm/inherits@2.0.4", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "inherits", + "package_ref": "pkg:npm/inherits@2.0.4", + "purl": "pkg:npm/inherits@2.0.4", + "scopes": [ + "development", + "runtime" + ], + "version": "2.0.4" + }, + { + "depends_on": [ + "pkg:npm/binary-extensions@2.1.0" + ], + "id": "pkg:npm/is-binary-path@2.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-binary-path", + "package_ref": "pkg:npm/is-binary-path@2.1.0", + "purl": "pkg:npm/is-binary-path@2.1.0", + "scopes": [ + "development" + ], + "version": "2.1.0" + }, + { + "depends_on": [], + "id": "pkg:npm/is-buffer@2.0.4", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-buffer", + "package_ref": "pkg:npm/is-buffer@2.0.4", + "purl": "pkg:npm/is-buffer@2.0.4", + "scopes": [ + "development" + ], + "version": "2.0.4" + }, + { + "depends_on": [], + "id": "pkg:npm/is-callable@1.2.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-callable", + "package_ref": "pkg:npm/is-callable@1.2.2", + "purl": "pkg:npm/is-callable@1.2.2", + "scopes": [ + "development" + ], + "version": "1.2.2" + }, + { + "depends_on": [], + "id": "pkg:npm/is-date-object@1.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": 
"package-lock.json" + } + ], + "name": "is-date-object", + "package_ref": "pkg:npm/is-date-object@1.0.2", + "purl": "pkg:npm/is-date-object@1.0.2", + "scopes": [ + "development" + ], + "version": "1.0.2" + }, + { + "depends_on": [], + "id": "pkg:npm/is-extglob@2.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-extglob", + "package_ref": "pkg:npm/is-extglob@2.1.1", + "purl": "pkg:npm/is-extglob@2.1.1", + "scopes": [ + "development" + ], + "version": "2.1.1" + }, + { + "depends_on": [], + "id": "pkg:npm/is-fullwidth-code-point@2.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-fullwidth-code-point", + "package_ref": "pkg:npm/is-fullwidth-code-point@2.0.0", + "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", + "scopes": [ + "development" + ], + "version": "2.0.0" + }, + { + "depends_on": [ + "pkg:npm/is-extglob@2.1.1" + ], + "id": "pkg:npm/is-glob@4.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-glob", + "package_ref": "pkg:npm/is-glob@4.0.1", + "purl": "pkg:npm/is-glob@4.0.1", + "scopes": [ + "development" + ], + "version": "4.0.1" + }, + { + "depends_on": [], + "id": "pkg:npm/is-number@7.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-number", + "package_ref": "pkg:npm/is-number@7.0.0", + "purl": "pkg:npm/is-number@7.0.0", + "scopes": [ + "development" + ], + "version": "7.0.0" + }, + { + "depends_on": [ + "pkg:npm/has-symbols@1.0.1" + ], + "id": 
"pkg:npm/is-regex@1.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-regex", + "package_ref": "pkg:npm/is-regex@1.1.1", + "purl": "pkg:npm/is-regex@1.1.1", + "scopes": [ + "development" + ], + "version": "1.1.1" + }, + { + "depends_on": [ + "pkg:npm/has-symbols@1.0.1" + ], + "id": "pkg:npm/is-symbol@1.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is-symbol", + "package_ref": "pkg:npm/is-symbol@1.0.3", + "purl": "pkg:npm/is-symbol@1.0.3", + "scopes": [ + "development" + ], + "version": "1.0.3" + }, + { + "depends_on": [], + "id": "pkg:npm/is@3.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is", + "package_ref": "pkg:npm/is@3.3.0", + "purl": "pkg:npm/is@3.3.0", + "scopes": [ + "runtime" + ], + "version": "3.3.0" + }, + { + "depends_on": [], + "id": "pkg:npm/isarray@0.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "isarray", + "package_ref": "pkg:npm/isarray@0.0.1", + "purl": "pkg:npm/isarray@0.0.1", + "scopes": [ + "runtime" + ], + "version": "0.0.1" + }, + { + "depends_on": [], + "id": "pkg:npm/isexe@2.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "isexe", + "package_ref": "pkg:npm/isexe@2.0.0", + "purl": "pkg:npm/isexe@2.0.0", + "scopes": [ + "development" + ], + "version": "2.0.0" + }, + { + 
"depends_on": [ + "pkg:npm/argparse@1.0.10", + "pkg:npm/esprima@4.0.1" + ], + "id": "pkg:npm/js-yaml@3.13.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "js-yaml", + "package_ref": "pkg:npm/js-yaml@3.13.0", + "purl": "pkg:npm/js-yaml@3.13.0", + "scopes": [ + "runtime" + ], + "version": "3.13.0" + }, + { + "depends_on": [ + "pkg:npm/argparse@1.0.10", + "pkg:npm/esprima@4.0.1" + ], + "id": "pkg:npm/js-yaml@3.13.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "js-yaml", + "package_ref": "pkg:npm/js-yaml@3.13.1", + "purl": "pkg:npm/js-yaml@3.13.1", + "scopes": [ + "development" + ], + "version": "3.13.1" + }, + { + "depends_on": [ + "pkg:npm/graceful-fs@4.2.3" + ], + "id": "pkg:npm/jsonfile@4.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "jsonfile", + "package_ref": "pkg:npm/jsonfile@4.0.0", + "purl": "pkg:npm/jsonfile@4.0.0", + "scopes": [ + "runtime" + ], + "version": "4.0.0" + }, + { + "depends_on": [ + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/uuid@3.4.0" + ], + "id": "pkg:npm/larvitbase@3.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitbase", + "package_ref": "pkg:npm/larvitbase@3.1.3", + "purl": "pkg:npm/larvitbase@3.1.3", + "scopes": [ + "runtime" + ], + "version": "3.1.3" + }, + { + "depends_on": [ + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitfs@2.3.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { 
+ "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitfs", + "package_ref": "pkg:npm/larvitfs@2.3.1", + "purl": "pkg:npm/larvitfs@2.3.1", + "scopes": [ + "runtime" + ], + "version": "2.3.1" + }, + { + "depends_on": [ + "pkg:npm/async@2.6.3", + "pkg:npm/busboy@0.2.14", + "pkg:npm/fs-extra@7.0.1", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/qs@6.9.1", + "pkg:npm/uuid@3.4.0" + ], + "id": "pkg:npm/larvitreqparser@0.2.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitreqparser", + "package_ref": "pkg:npm/larvitreqparser@0.2.1", + "purl": "pkg:npm/larvitreqparser@0.2.1", + "scopes": [ + "runtime" + ], + "version": "0.2.1" + }, + { + "depends_on": [ + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitrouter@3.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitrouter", + "package_ref": "pkg:npm/larvitrouter@3.0.2", + "purl": "pkg:npm/larvitrouter@3.0.2", + "scopes": [ + "runtime" + ], + "version": "3.0.2" + }, + { + "depends_on": [], + "id": "pkg:npm/larvitutils@2.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitutils", + "package_ref": "pkg:npm/larvitutils@2.3.0", + "purl": "pkg:npm/larvitutils@2.3.0", + "scopes": [ + "runtime" + ], + "version": "2.3.0" + }, + { + "depends_on": [ + "pkg:npm/p-locate@3.0.0", + "pkg:npm/path-exists@3.0.0" + ], + "id": "pkg:npm/locate-path@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + 
"real_path": "package-lock.json" + } + ], + "name": "locate-path", + "package_ref": "pkg:npm/locate-path@3.0.0", + "purl": "pkg:npm/locate-path@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/lodash@4.17.15", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "lodash", + "package_ref": "pkg:npm/lodash@4.17.15", + "purl": "pkg:npm/lodash@4.17.15", + "scopes": [ + "runtime" + ], + "version": "4.17.15" + }, + { + "depends_on": [ + "pkg:npm/chalk@2.4.2" + ], + "id": "pkg:npm/log-symbols@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "log-symbols", + "package_ref": "pkg:npm/log-symbols@3.0.0", + "purl": "pkg:npm/log-symbols@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/marked@0.3.19", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "marked", + "package_ref": "pkg:npm/marked@0.3.19", + "purl": "pkg:npm/marked@0.3.19", + "scopes": [ + "runtime" + ], + "version": "0.3.19" + }, + { + "depends_on": [ + "pkg:npm/brace-expansion@1.1.11" + ], + "id": "pkg:npm/minimatch@3.0.4", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "minimatch", + "package_ref": "pkg:npm/minimatch@3.0.4", + "purl": "pkg:npm/minimatch@3.0.4", + "scopes": [ + "development" + ], + "version": "3.0.4" + }, + { + "depends_on": [], + "id": "pkg:npm/minimist@0.0.10", + "licenses": [], + "locations": [ + { 
+ "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "minimist", + "package_ref": "pkg:npm/minimist@0.0.10", + "purl": "pkg:npm/minimist@0.0.10", + "scopes": [ + "runtime" + ], + "version": "0.0.10" + }, + { + "depends_on": [], + "id": "pkg:npm/minimist@1.2.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "minimist", + "package_ref": "pkg:npm/minimist@1.2.5", + "purl": "pkg:npm/minimist@1.2.5", + "scopes": [ + "development" + ], + "version": "1.2.5" + }, + { + "depends_on": [ + "pkg:npm/minimist@1.2.5" + ], + "id": "pkg:npm/mkdirp@0.5.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "mkdirp", + "package_ref": "pkg:npm/mkdirp@0.5.5", + "purl": "pkg:npm/mkdirp@0.5.5", + "scopes": [ + "development" + ], + "version": "0.5.5" + }, + { + "depends_on": [ + "pkg:npm/ansi-colors@3.2.3", + "pkg:npm/browser-stdout@1.3.1", + "pkg:npm/chokidar@3.3.0", + "pkg:npm/debug@3.2.6", + "pkg:npm/diff@3.5.0", + "pkg:npm/escape-string-regexp@1.0.5", + "pkg:npm/find-up@3.0.0", + "pkg:npm/glob@7.1.3", + "pkg:npm/growl@1.10.5", + "pkg:npm/he@1.2.0", + "pkg:npm/js-yaml@3.13.1", + "pkg:npm/log-symbols@3.0.0", + "pkg:npm/minimatch@3.0.4", + "pkg:npm/mkdirp@0.5.5", + "pkg:npm/ms@2.1.1", + "pkg:npm/node-environment-flags@1.0.6", + "pkg:npm/object.assign@4.1.0", + "pkg:npm/strip-json-comments@2.0.1", + "pkg:npm/supports-color@6.0.0", + "pkg:npm/which@1.3.1", + "pkg:npm/wide-align@1.1.3", + "pkg:npm/yargs-parser@13.1.2", + "pkg:npm/yargs-unparser@1.6.0", + "pkg:npm/yargs@13.3.2" + ], + "id": "pkg:npm/mocha@7.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": 
{ + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "mocha", + "package_ref": "pkg:npm/mocha@7.2.0", + "purl": "pkg:npm/mocha@7.2.0", + "scopes": [ + "development" + ], + "version": "7.2.0" + }, + { + "depends_on": [], + "id": "pkg:npm/ms@2.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "ms", + "package_ref": "pkg:npm/ms@2.1.1", + "purl": "pkg:npm/ms@2.1.1", + "scopes": [ + "development" + ], + "version": "2.1.1" + }, + { + "depends_on": [ + "pkg:npm/object.getownpropertydescriptors@2.1.0", + "pkg:npm/semver@5.7.1" + ], + "id": "pkg:npm/node-environment-flags@1.0.6", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "node-environment-flags", + "package_ref": "pkg:npm/node-environment-flags@1.0.6", + "purl": "pkg:npm/node-environment-flags@1.0.6", + "scopes": [ + "development" + ], + "version": "1.0.6" + }, + { + "depends_on": [ + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/node.extend@2.0.2" + ], + "id": "pkg:npm/node-yaml-config@0.0.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "node-yaml-config", + "package_ref": "pkg:npm/node-yaml-config@0.0.5", + "purl": "pkg:npm/node-yaml-config@0.0.5", + "scopes": [ + "runtime" + ], + "version": "0.0.5" + }, + { + "depends_on": [ + "pkg:npm/has@1.0.3", + "pkg:npm/is@3.3.0" + ], + "id": "pkg:npm/node.extend@2.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "node.extend", + "package_ref": 
"pkg:npm/node.extend@2.0.2", + "purl": "pkg:npm/node.extend@2.0.2", + "scopes": [ + "runtime" + ], + "version": "2.0.2" + }, + { + "depends_on": [], + "id": "pkg:npm/normalize-path@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "normalize-path", + "package_ref": "pkg:npm/normalize-path@3.0.0", + "purl": "pkg:npm/normalize-path@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/object-inspect@1.8.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "object-inspect", + "package_ref": "pkg:npm/object-inspect@1.8.0", + "purl": "pkg:npm/object-inspect@1.8.0", + "scopes": [ + "development" + ], + "version": "1.8.0" + }, + { + "depends_on": [], + "id": "pkg:npm/object-keys@1.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "object-keys", + "package_ref": "pkg:npm/object-keys@1.1.1", + "purl": "pkg:npm/object-keys@1.1.1", + "scopes": [ + "development" + ], + "version": "1.1.1" + }, + { + "depends_on": [ + "pkg:npm/define-properties@1.1.3", + "pkg:npm/function-bind@1.1.1", + "pkg:npm/has-symbols@1.0.1", + "pkg:npm/object-keys@1.1.1" + ], + "id": "pkg:npm/object.assign@4.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "object.assign", + "package_ref": "pkg:npm/object.assign@4.1.0", + "purl": "pkg:npm/object.assign@4.1.0", + "scopes": [ + "development" + ], + "version": "4.1.0" + }, + { + "depends_on": [ + 
"pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" + ], + "id": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "object.getownpropertydescriptors", + "package_ref": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "purl": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "scopes": [ + "development" + ], + "version": "2.1.0" + }, + { + "depends_on": [ + "pkg:npm/wrappy@1.0.2" + ], + "id": "pkg:npm/once@1.4.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "once", + "package_ref": "pkg:npm/once@1.4.0", + "purl": "pkg:npm/once@1.4.0", + "scopes": [ + "development" + ], + "version": "1.4.0" + }, + { + "depends_on": [ + "pkg:npm/minimist@0.0.10", + "pkg:npm/wordwrap@0.0.3" + ], + "id": "pkg:npm/optimist@0.6.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "optimist", + "package_ref": "pkg:npm/optimist@0.6.1", + "purl": "pkg:npm/optimist@0.6.1", + "scopes": [ + "runtime" + ], + "version": "0.6.1" + }, + { + "depends_on": [ + "pkg:npm/p-try@2.2.0" + ], + "id": "pkg:npm/p-limit@2.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "p-limit", + "package_ref": "pkg:npm/p-limit@2.3.0", + "purl": "pkg:npm/p-limit@2.3.0", + "scopes": [ + "development" + ], + "version": "2.3.0" + }, + { + "depends_on": [ + "pkg:npm/p-limit@2.3.0" + ], + "id": "pkg:npm/p-locate@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": 
"package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "p-locate", + "package_ref": "pkg:npm/p-locate@3.0.0", + "purl": "pkg:npm/p-locate@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/p-try@2.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "p-try", + "package_ref": "pkg:npm/p-try@2.2.0", + "purl": "pkg:npm/p-try@2.2.0", + "scopes": [ + "development" + ], + "version": "2.2.0" + }, + { + "depends_on": [], + "id": "pkg:npm/path-exists@3.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "path-exists", + "package_ref": "pkg:npm/path-exists@3.0.0", + "purl": "pkg:npm/path-exists@3.0.0", + "scopes": [ + "development" + ], + "version": "3.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/path-is-absolute@1.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "path-is-absolute", + "package_ref": "pkg:npm/path-is-absolute@1.0.1", + "purl": "pkg:npm/path-is-absolute@1.0.1", + "scopes": [ + "development" + ], + "version": "1.0.1" + }, + { + "depends_on": [], + "id": "pkg:npm/picomatch@2.2.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "picomatch", + "package_ref": "pkg:npm/picomatch@2.2.2", + "purl": "pkg:npm/picomatch@2.2.2", + "scopes": [ + "development" + ], + "version": "2.2.2" + }, + { + "depends_on": [], + "id": 
"pkg:npm/punycode@1.3.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "punycode", + "package_ref": "pkg:npm/punycode@1.3.2", + "purl": "pkg:npm/punycode@1.3.2", + "scopes": [ + "runtime" + ], + "version": "1.3.2" + }, + { + "depends_on": [], + "id": "pkg:npm/qs@6.9.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "qs", + "package_ref": "pkg:npm/qs@6.9.1", + "purl": "pkg:npm/qs@6.9.1", + "scopes": [ + "runtime" + ], + "version": "6.9.1" + }, + { + "depends_on": [], + "id": "pkg:npm/querystring@0.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "querystring", + "package_ref": "pkg:npm/querystring@0.2.0", + "purl": "pkg:npm/querystring@0.2.0", + "scopes": [ + "runtime" + ], + "version": "0.2.0" + }, + { + "depends_on": [ + "pkg:npm/core-util-is@1.0.2", + "pkg:npm/inherits@2.0.4", + "pkg:npm/isarray@0.0.1", + "pkg:npm/string_decoder@0.10.31" + ], + "id": "pkg:npm/readable-stream@1.1.14", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "readable-stream", + "package_ref": "pkg:npm/readable-stream@1.1.14", + "purl": "pkg:npm/readable-stream@1.1.14", + "scopes": [ + "runtime" + ], + "version": "1.1.14" + }, + { + "depends_on": [ + "pkg:npm/picomatch@2.2.2" + ], + "id": "pkg:npm/readdirp@3.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + 
"name": "readdirp", + "package_ref": "pkg:npm/readdirp@3.2.0", + "purl": "pkg:npm/readdirp@3.2.0", + "scopes": [ + "development" + ], + "version": "3.2.0" + }, + { + "depends_on": [], + "id": "pkg:npm/require-directory@2.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "require-directory", + "package_ref": "pkg:npm/require-directory@2.1.1", + "purl": "pkg:npm/require-directory@2.1.1", + "scopes": [ + "development" + ], + "version": "2.1.1" + }, + { + "depends_on": [], + "id": "pkg:npm/require-main-filename@2.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "require-main-filename", + "package_ref": "pkg:npm/require-main-filename@2.0.0", + "purl": "pkg:npm/require-main-filename@2.0.0", + "scopes": [ + "development" + ], + "version": "2.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/semver@5.7.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "semver", + "package_ref": "pkg:npm/semver@5.7.1", + "purl": "pkg:npm/semver@5.7.1", + "scopes": [ + "runtime" + ], + "version": "5.7.1" + }, + { + "depends_on": [], + "id": "pkg:npm/set-blocking@2.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "set-blocking", + "package_ref": "pkg:npm/set-blocking@2.0.0", + "purl": "pkg:npm/set-blocking@2.0.0", + "scopes": [ + "development" + ], + "version": "2.0.0" + }, + { + "depends_on": [], + "id": "pkg:npm/sprintf-js@1.0.3", + "licenses": [], + "locations": [ + { + "access_path": 
"package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "sprintf-js", + "package_ref": "pkg:npm/sprintf-js@1.0.3", + "purl": "pkg:npm/sprintf-js@1.0.3", + "scopes": [ + "runtime" + ], + "version": "1.0.3" + }, + { + "depends_on": [], + "id": "pkg:npm/streamsearch@0.1.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "streamsearch", + "package_ref": "pkg:npm/streamsearch@0.1.2", + "purl": "pkg:npm/streamsearch@0.1.2", + "scopes": [ + "runtime" + ], + "version": "0.1.2" + }, + { + "depends_on": [ + "pkg:npm/is-fullwidth-code-point@2.0.0", + "pkg:npm/strip-ansi@4.0.0" + ], + "id": "pkg:npm/string-width@2.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string-width", + "package_ref": "pkg:npm/string-width@2.1.1", + "purl": "pkg:npm/string-width@2.1.1", + "scopes": [ + "development" + ], + "version": "2.1.1" + }, + { + "depends_on": [ + "pkg:npm/emoji-regex@7.0.3", + "pkg:npm/is-fullwidth-code-point@2.0.0", + "pkg:npm/strip-ansi@5.2.0" + ], + "id": "pkg:npm/string-width@3.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string-width", + "package_ref": "pkg:npm/string-width@3.1.0", + "purl": "pkg:npm/string-width@3.1.0", + "scopes": [ + "development" + ], + "version": "3.1.0" + }, + { + "depends_on": [ + "pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" + ], + "id": "pkg:npm/string.prototype.trimend@1.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": 
"package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string.prototype.trimend", + "package_ref": "pkg:npm/string.prototype.trimend@1.0.1", + "purl": "pkg:npm/string.prototype.trimend@1.0.1", + "scopes": [ + "development" + ], + "version": "1.0.1" + }, + { + "depends_on": [ + "pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" + ], + "id": "pkg:npm/string.prototype.trimstart@1.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string.prototype.trimstart", + "package_ref": "pkg:npm/string.prototype.trimstart@1.0.1", + "purl": "pkg:npm/string.prototype.trimstart@1.0.1", + "scopes": [ + "development" + ], + "version": "1.0.1" + }, + { + "depends_on": [], + "id": "pkg:npm/string_decoder@0.10.31", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string_decoder", + "package_ref": "pkg:npm/string_decoder@0.10.31", + "purl": "pkg:npm/string_decoder@0.10.31", + "scopes": [ + "runtime" + ], + "version": "0.10.31" + }, + { + "depends_on": [ + "pkg:npm/ansi-regex@3.0.0" + ], + "id": "pkg:npm/strip-ansi@4.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "strip-ansi", + "package_ref": "pkg:npm/strip-ansi@4.0.0", + "purl": "pkg:npm/strip-ansi@4.0.0", + "scopes": [ + "development" + ], + "version": "4.0.0" + }, + { + "depends_on": [ + "pkg:npm/ansi-regex@4.1.0" + ], + "id": "pkg:npm/strip-ansi@5.2.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + 
"name": "strip-ansi", + "package_ref": "pkg:npm/strip-ansi@5.2.0", + "purl": "pkg:npm/strip-ansi@5.2.0", + "scopes": [ + "development" + ], + "version": "5.2.0" + }, + { + "depends_on": [], + "id": "pkg:npm/strip-json-comments@2.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "strip-json-comments", + "package_ref": "pkg:npm/strip-json-comments@2.0.1", + "purl": "pkg:npm/strip-json-comments@2.0.1", + "scopes": [ + "development" + ], + "version": "2.0.1" + }, + { + "depends_on": [ + "pkg:npm/has-flag@3.0.0" + ], + "id": "pkg:npm/supports-color@5.5.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "supports-color", + "package_ref": "pkg:npm/supports-color@5.5.0", + "purl": "pkg:npm/supports-color@5.5.0", + "scopes": [ + "development" + ], + "version": "5.5.0" + }, + { + "depends_on": [ + "pkg:npm/has-flag@3.0.0" + ], + "id": "pkg:npm/supports-color@6.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "supports-color", + "package_ref": "pkg:npm/supports-color@6.0.0", + "purl": "pkg:npm/supports-color@6.0.0", + "scopes": [ + "development" + ], + "version": "6.0.0" + }, + { + "depends_on": [ + "pkg:npm/is-number@7.0.0" + ], + "id": "pkg:npm/to-regex-range@5.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "to-regex-range", + "package_ref": "pkg:npm/to-regex-range@5.0.1", + "purl": "pkg:npm/to-regex-range@5.0.1", + "scopes": [ + "development" + ], + "version": "5.0.1" + }, + { + 
"depends_on": [ + "pkg:npm/handy@0.0.13", + "pkg:npm/htmlparser@1.7.7", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/optimist@0.6.1", + "pkg:npm/underscore@1.9.2" + ], + "id": "pkg:npm/to@0.2.9", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "to", + "package_ref": "pkg:npm/to@0.2.9", + "purl": "pkg:npm/to@0.2.9", + "scopes": [ + "runtime" + ], + "version": "0.2.9" + }, + { + "depends_on": [], + "id": "pkg:npm/underscore@1.9.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "underscore", + "package_ref": "pkg:npm/underscore@1.9.2", + "purl": "pkg:npm/underscore@1.9.2", + "scopes": [ + "runtime" + ], + "version": "1.9.2" + }, + { + "depends_on": [], + "id": "pkg:npm/universalify@0.1.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "universalify", + "package_ref": "pkg:npm/universalify@0.1.2", + "purl": "pkg:npm/universalify@0.1.2", + "scopes": [ + "runtime" + ], + "version": "0.1.2" + }, + { + "depends_on": [ + "pkg:npm/punycode@1.3.2", + "pkg:npm/querystring@0.2.0" + ], + "id": "pkg:npm/url@0.11.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "url", + "package_ref": "pkg:npm/url@0.11.0", + "purl": "pkg:npm/url@0.11.0", + "scopes": [ + "runtime" + ], + "version": "0.11.0" + }, + { + "depends_on": [], + "id": "pkg:npm/uuid@3.4.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": 
"package-lock.json" + } + ], + "name": "uuid", + "package_ref": "pkg:npm/uuid@3.4.0", + "purl": "pkg:npm/uuid@3.4.0", + "scopes": [ + "runtime" + ], + "version": "3.4.0" + }, + { + "depends_on": [], + "id": "pkg:npm/which-module@2.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "which-module", + "package_ref": "pkg:npm/which-module@2.0.0", + "purl": "pkg:npm/which-module@2.0.0", + "scopes": [ + "development" + ], + "version": "2.0.0" + }, + { + "depends_on": [ + "pkg:npm/isexe@2.0.0" + ], + "id": "pkg:npm/which@1.3.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "which", + "package_ref": "pkg:npm/which@1.3.1", + "purl": "pkg:npm/which@1.3.1", + "scopes": [ + "development" + ], + "version": "1.3.1" + }, + { + "depends_on": [ + "pkg:npm/string-width@2.1.1" + ], + "id": "pkg:npm/wide-align@1.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "wide-align", + "package_ref": "pkg:npm/wide-align@1.1.3", + "purl": "pkg:npm/wide-align@1.1.3", + "scopes": [ + "development" + ], + "version": "1.1.3" + }, + { + "depends_on": [], + "id": "pkg:npm/wordwrap@0.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "wordwrap", + "package_ref": "pkg:npm/wordwrap@0.0.3", + "purl": "pkg:npm/wordwrap@0.0.3", + "scopes": [ + "runtime" + ], + "version": "0.0.3" + }, + { + "depends_on": [ + "pkg:npm/ansi-styles@3.2.1", + "pkg:npm/string-width@3.1.0", + "pkg:npm/strip-ansi@5.2.0" + ], + "id": 
"pkg:npm/wrap-ansi@5.1.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "wrap-ansi", + "package_ref": "pkg:npm/wrap-ansi@5.1.0", + "purl": "pkg:npm/wrap-ansi@5.1.0", + "scopes": [ + "development" + ], + "version": "5.1.0" + }, + { + "depends_on": [], + "id": "pkg:npm/wrappy@1.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "wrappy", + "package_ref": "pkg:npm/wrappy@1.0.2", + "purl": "pkg:npm/wrappy@1.0.2", + "scopes": [ + "development" + ], + "version": "1.0.2" + }, + { + "depends_on": [], + "id": "pkg:npm/y18n@4.0.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "y18n", + "package_ref": "pkg:npm/y18n@4.0.0", + "purl": "pkg:npm/y18n@4.0.0", + "scopes": [ + "development" + ], + "version": "4.0.0" + }, + { + "depends_on": [ + "pkg:npm/camelcase@5.3.1", + "pkg:npm/decamelize@1.2.0" + ], + "id": "pkg:npm/yargs-parser@13.1.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "yargs-parser", + "package_ref": "pkg:npm/yargs-parser@13.1.2", + "purl": "pkg:npm/yargs-parser@13.1.2", + "scopes": [ + "development" + ], + "version": "13.1.2" + }, + { + "depends_on": [ + "pkg:npm/flat@4.1.0", + "pkg:npm/lodash@4.17.15", + "pkg:npm/yargs@13.3.2" + ], + "id": "pkg:npm/yargs-unparser@1.6.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": 
"yargs-unparser", + "package_ref": "pkg:npm/yargs-unparser@1.6.0", + "purl": "pkg:npm/yargs-unparser@1.6.0", + "scopes": [ + "development" + ], + "version": "1.6.0" + }, + { + "depends_on": [ + "pkg:npm/cliui@5.0.0", + "pkg:npm/find-up@3.0.0", + "pkg:npm/get-caller-file@2.0.5", + "pkg:npm/require-directory@2.1.1", + "pkg:npm/require-main-filename@2.0.0", + "pkg:npm/set-blocking@2.0.0", + "pkg:npm/string-width@3.1.0", + "pkg:npm/which-module@2.0.0", + "pkg:npm/y18n@4.0.0", + "pkg:npm/yargs-parser@13.1.2" + ], + "id": "pkg:npm/yargs@13.3.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "yargs", + "package_ref": "pkg:npm/yargs@13.3.2", + "purl": "pkg:npm/yargs@13.3.2", + "scopes": [ + "development" + ], + "version": "13.3.2" + } + ], + "detector": "npm-detector", + "ecosystem": "npm", + "kind": "package-lock.json", + "package_manager": "npm", + "path": "package-lock.json", + "subproject": "." 
+ } + ], + "metadata": { + "duration_ms": 0 + }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "npm", + "licenses": [], + "name": "algo-httpserv", + "purl": "pkg:npm/algo-httpserv@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "ansi-colors", + "purl": "pkg:npm/ansi-colors@3.2.3", + "version": "3.2.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "ansi-regex", + "purl": "pkg:npm/ansi-regex@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "ansi-regex", + "purl": "pkg:npm/ansi-regex@4.1.0", + "version": "4.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "ansi-styles", + "purl": "pkg:npm/ansi-styles@3.2.1", + "version": "3.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "anymatch", + "purl": "pkg:npm/anymatch@3.1.1", + "version": "3.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "argparse", + "purl": "pkg:npm/argparse@1.0.10", + "version": "1.0.10", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "async", + "purl": "pkg:npm/async@2.6.3", + "version": "2.6.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "balanced-match", + "purl": "pkg:npm/balanced-match@1.0.0", + "version": "1.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "binary-extensions", + "purl": "pkg:npm/binary-extensions@2.1.0", + "version": "2.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "brace-expansion", + "purl": "pkg:npm/brace-expansion@1.1.11", + "version": "1.1.11", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "braces", + "purl": "pkg:npm/braces@3.0.2", + "version": "3.0.2", + "vulnerabilities": [] + }, + 
{ + "ecosystem": "npm", + "licenses": [], + "name": "browser-stdout", + "purl": "pkg:npm/browser-stdout@1.3.1", + "version": "1.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "busboy", + "purl": "pkg:npm/busboy@0.2.14", + "version": "0.2.14", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "camelcase", + "purl": "pkg:npm/camelcase@5.3.1", + "version": "5.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "chalk", + "purl": "pkg:npm/chalk@2.4.2", + "version": "2.4.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "chokidar", + "purl": "pkg:npm/chokidar@3.3.0", + "version": "3.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "cliui", + "purl": "pkg:npm/cliui@5.0.0", + "version": "5.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "color-convert", + "purl": "pkg:npm/color-convert@1.9.3", + "version": "1.9.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "color-name", + "purl": "pkg:npm/color-name@1.1.3", + "version": "1.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "concat-map", + "purl": "pkg:npm/concat-map@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "core-util-is", + "purl": "pkg:npm/core-util-is@1.0.2", + "version": "1.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "debug", + "purl": "pkg:npm/debug@3.2.6", + "version": "3.2.6", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "decamelize", + "purl": "pkg:npm/decamelize@1.2.0", + "version": "1.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "define-properties", + "purl": "pkg:npm/define-properties@1.1.3", + "version": "1.1.3", 
+ "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "dicer", + "purl": "pkg:npm/dicer@0.2.5", + "version": "0.2.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "diff", + "purl": "pkg:npm/diff@3.5.0", + "version": "3.5.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "emoji-regex", + "purl": "pkg:npm/emoji-regex@7.0.3", + "version": "7.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "es-abstract", + "purl": "pkg:npm/es-abstract@1.17.6", + "version": "1.17.6", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "es-to-primitive", + "purl": "pkg:npm/es-to-primitive@1.2.1", + "version": "1.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "escape-string-regexp", + "purl": "pkg:npm/escape-string-regexp@1.0.5", + "version": "1.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "esprima", + "purl": "pkg:npm/esprima@4.0.1", + "version": "4.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "example-javascript-vulnerable-methods", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "fill-range", + "purl": "pkg:npm/fill-range@7.0.1", + "version": "7.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "find-up", + "purl": "pkg:npm/find-up@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "flat", + "purl": "pkg:npm/flat@4.1.0", + "version": "4.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "fs-extra", + "purl": "pkg:npm/fs-extra@7.0.1", + "version": "7.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + 
"name": "fs.realpath", + "purl": "pkg:npm/fs.realpath@1.0.0", + "version": "1.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "fsevents", + "purl": "pkg:npm/fsevents@2.1.3", + "version": "2.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "function-bind", + "purl": "pkg:npm/function-bind@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "get-caller-file", + "purl": "pkg:npm/get-caller-file@2.0.5", + "version": "2.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "glob-parent", + "purl": "pkg:npm/glob-parent@5.1.1", + "version": "5.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "glob", + "purl": "pkg:npm/glob@7.1.3", + "version": "7.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "graceful-fs", + "purl": "pkg:npm/graceful-fs@4.2.3", + "version": "4.2.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "growl", + "purl": "pkg:npm/growl@1.10.5", + "version": "1.10.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "handy", + "purl": "pkg:npm/handy@0.0.13", + "version": "0.0.13", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "has-flag", + "purl": "pkg:npm/has-flag@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "has-symbols", + "purl": "pkg:npm/has-symbols@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "has", + "purl": "pkg:npm/has@1.0.3", + "version": "1.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "he", + "purl": "pkg:npm/he@1.2.0", + "version": "1.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + 
"name": "htmlparser", + "purl": "pkg:npm/htmlparser@1.7.7", + "version": "1.7.7", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "inflight", + "purl": "pkg:npm/inflight@1.0.6", + "version": "1.0.6", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "inherits", + "purl": "pkg:npm/inherits@2.0.4", + "version": "2.0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-binary-path", + "purl": "pkg:npm/is-binary-path@2.1.0", + "version": "2.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-buffer", + "purl": "pkg:npm/is-buffer@2.0.4", + "version": "2.0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-callable", + "purl": "pkg:npm/is-callable@1.2.2", + "version": "1.2.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-date-object", + "purl": "pkg:npm/is-date-object@1.0.2", + "version": "1.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-extglob", + "purl": "pkg:npm/is-extglob@2.1.1", + "version": "2.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-fullwidth-code-point", + "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-glob", + "purl": "pkg:npm/is-glob@4.0.1", + "version": "4.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-number", + "purl": "pkg:npm/is-number@7.0.0", + "version": "7.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-regex", + "purl": "pkg:npm/is-regex@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is-symbol", + "purl": "pkg:npm/is-symbol@1.0.3", + "version": "1.0.3", + 
"vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is", + "purl": "pkg:npm/is@3.3.0", + "version": "3.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "isarray", + "purl": "pkg:npm/isarray@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "isexe", + "purl": "pkg:npm/isexe@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "js-yaml", + "purl": "pkg:npm/js-yaml@3.13.0", + "version": "3.13.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "js-yaml", + "purl": "pkg:npm/js-yaml@3.13.1", + "version": "3.13.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "jsonfile", + "purl": "pkg:npm/jsonfile@4.0.0", + "version": "4.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitbase", + "purl": "pkg:npm/larvitbase@3.1.3", + "version": "3.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitfs", + "purl": "pkg:npm/larvitfs@2.3.1", + "version": "2.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitreqparser", + "purl": "pkg:npm/larvitreqparser@0.2.1", + "version": "0.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitrouter", + "purl": "pkg:npm/larvitrouter@3.0.2", + "version": "3.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitutils", + "purl": "pkg:npm/larvitutils@2.3.0", + "version": "2.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "locate-path", + "purl": "pkg:npm/locate-path@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "lodash", + "purl": "pkg:npm/lodash@4.17.15", + "version": 
"4.17.15", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "log-symbols", + "purl": "pkg:npm/log-symbols@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "marked", + "purl": "pkg:npm/marked@0.3.19", + "version": "0.3.19", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "minimatch", + "purl": "pkg:npm/minimatch@3.0.4", + "version": "3.0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "minimist", + "purl": "pkg:npm/minimist@0.0.10", + "version": "0.0.10", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "minimist", + "purl": "pkg:npm/minimist@1.2.5", + "version": "1.2.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "mkdirp", + "purl": "pkg:npm/mkdirp@0.5.5", + "version": "0.5.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "mocha", + "purl": "pkg:npm/mocha@7.2.0", + "version": "7.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "ms", + "purl": "pkg:npm/ms@2.1.1", + "version": "2.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "node-environment-flags", + "purl": "pkg:npm/node-environment-flags@1.0.6", + "version": "1.0.6", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "node-yaml-config", + "purl": "pkg:npm/node-yaml-config@0.0.5", + "version": "0.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "node.extend", + "purl": "pkg:npm/node.extend@2.0.2", + "version": "2.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "normalize-path", + "purl": "pkg:npm/normalize-path@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "object-inspect", + 
"purl": "pkg:npm/object-inspect@1.8.0", + "version": "1.8.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "object-keys", + "purl": "pkg:npm/object-keys@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "object.assign", + "purl": "pkg:npm/object.assign@4.1.0", + "version": "4.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "object.getownpropertydescriptors", + "purl": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "version": "2.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "once", + "purl": "pkg:npm/once@1.4.0", + "version": "1.4.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "optimist", + "purl": "pkg:npm/optimist@0.6.1", + "version": "0.6.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "p-limit", + "purl": "pkg:npm/p-limit@2.3.0", + "version": "2.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "p-locate", + "purl": "pkg:npm/p-locate@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "p-try", + "purl": "pkg:npm/p-try@2.2.0", + "version": "2.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "path-exists", + "purl": "pkg:npm/path-exists@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "path-is-absolute", + "purl": "pkg:npm/path-is-absolute@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "picomatch", + "purl": "pkg:npm/picomatch@2.2.2", + "version": "2.2.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "punycode", + "purl": "pkg:npm/punycode@1.3.2", + "version": "1.3.2", + "vulnerabilities": [] + }, 
+ { + "ecosystem": "npm", + "licenses": [], + "name": "qs", + "purl": "pkg:npm/qs@6.9.1", + "version": "6.9.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "querystring", + "purl": "pkg:npm/querystring@0.2.0", + "version": "0.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "readable-stream", + "purl": "pkg:npm/readable-stream@1.1.14", + "version": "1.1.14", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "readdirp", + "purl": "pkg:npm/readdirp@3.2.0", + "version": "3.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "require-directory", + "purl": "pkg:npm/require-directory@2.1.1", + "version": "2.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "require-main-filename", + "purl": "pkg:npm/require-main-filename@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "semver", + "purl": "pkg:npm/semver@5.7.1", + "version": "5.7.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "set-blocking", + "purl": "pkg:npm/set-blocking@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "sprintf-js", + "purl": "pkg:npm/sprintf-js@1.0.3", + "version": "1.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "streamsearch", + "purl": "pkg:npm/streamsearch@0.1.2", + "version": "0.1.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "string-width", + "purl": "pkg:npm/string-width@2.1.1", + "version": "2.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "string-width", + "purl": "pkg:npm/string-width@3.1.0", + "version": "3.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": 
"string.prototype.trimend", + "purl": "pkg:npm/string.prototype.trimend@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "string.prototype.trimstart", + "purl": "pkg:npm/string.prototype.trimstart@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "string_decoder", + "purl": "pkg:npm/string_decoder@0.10.31", + "version": "0.10.31", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "strip-ansi", + "purl": "pkg:npm/strip-ansi@4.0.0", + "version": "4.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "strip-ansi", + "purl": "pkg:npm/strip-ansi@5.2.0", + "version": "5.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "strip-json-comments", + "purl": "pkg:npm/strip-json-comments@2.0.1", + "version": "2.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "supports-color", + "purl": "pkg:npm/supports-color@5.5.0", + "version": "5.5.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "supports-color", + "purl": "pkg:npm/supports-color@6.0.0", + "version": "6.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "to-regex-range", + "purl": "pkg:npm/to-regex-range@5.0.1", + "version": "5.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "to", + "purl": "pkg:npm/to@0.2.9", + "version": "0.2.9", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "underscore", + "purl": "pkg:npm/underscore@1.9.2", + "version": "1.9.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "universalify", + "purl": "pkg:npm/universalify@0.1.2", + "version": "0.1.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "url", + 
"purl": "pkg:npm/url@0.11.0", + "version": "0.11.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "uuid", + "purl": "pkg:npm/uuid@3.4.0", + "version": "3.4.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-aught.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", - "version": "local", + "name": "which-module", + "purl": "pkg:npm/which-module@2.0.0", + "version": "2.0.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-pretest.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", - "version": "local", + "name": "which", + "purl": "pkg:npm/which@1.3.1", + "version": "1.3.1", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-tens.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", - "version": "local", + "name": "wide-align", + "purl": "pkg:npm/wide-align@1.1.3", + "version": "1.1.3", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/rebase.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", - "version": "local", + "name": "wordwrap", + "purl": "pkg:npm/wordwrap@0.0.3", + "version": "0.0.3", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/require-allow-edits.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", - "version": "local", + "name": "wrap-ansi", + "purl": "pkg:npm/wrap-ansi@5.1.0", + "version": "5.1.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": 
"wrappy", + "purl": "pkg:npm/wrappy@1.0.2", + "version": "1.0.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "actions/.github/workflows/node.yml", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "version": "main", + "name": "y18n", + "purl": "pkg:npm/y18n@4.0.0", + "version": "4.0.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "actions/.github/workflows/pretest.yml", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", - "version": "main", + "name": "yargs-parser", + "purl": "pkg:npm/yargs-parser@13.1.2", + "version": "13.1.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "rebase", - "purl": "pkg:githubactions/ljharb/rebase@master", - "version": "master", + "name": "yargs-unparser", + "purl": "pkg:npm/yargs-unparser@1.6.0", + "version": "1.6.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "require-allow-edits", - "purl": "pkg:githubactions/ljharb/require-allow-edits@main", - "version": "main", + "name": "yargs", + "purl": "pkg:npm/yargs@13.3.2", + "version": "13.3.2", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "npm", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "npm", "path": "\u003cnormalized\u003e", - "target_ref": "v6.13.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-npm-reachability.golden.json b/test/smoke/testdata/golden/scan-npm-reachability.golden.json index bf2aacfd..31c96500 100644 --- a/test/smoke/testdata/golden/scan-npm-reachability.golden.json +++ b/test/smoke/testdata/golden/scan-npm-reachability.golden.json 
@@ -3,257 +3,32 @@ "manifests": [ { "dependencies": [ - { - "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/github/codeql-action%2Fanalyze@v1", - "pkg:githubactions/github/codeql-action%2Fautobuild@v1", - "pkg:githubactions/github/codeql-action%2Finit@v1" - ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fcodeql-analysis.yml@local", - "licenses": [], - "name": ".github/workflows/codeql-analysis.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fcodeql-analysis.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fcodeql-analysis.yml@local", - "scopes": [ - "runtime" - ], - "version": "local" - }, - { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", - "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", - "scopes": [ - "runtime" - ], - "version": "v3" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Fanalyze@v1", - "licenses": [], - "name": "github:codeql-action/analyze", - "package_ref": "pkg:githubactions/github/codeql-action%2Fanalyze@v1", - "purl": "pkg:githubactions/github/codeql-action%2Fanalyze@v1", - "scopes": [ - "runtime" - ], - "version": "v1" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Fautobuild@v1", - "licenses": [], - "name": "github:codeql-action/autobuild", - "package_ref": "pkg:githubactions/github/codeql-action%2Fautobuild@v1", - "purl": "pkg:githubactions/github/codeql-action%2Fautobuild@v1", - "scopes": [ - "runtime" - ], - "version": "v1" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Finit@v1", - "licenses": [], - "name": "github:codeql-action/init", - "package_ref": "pkg:githubactions/github/codeql-action%2Finit@v1", - "purl": "pkg:githubactions/github/codeql-action%2Finit@v1", - "scopes": [ - "runtime" - ], - "version": "v1" - } - ], - "detector": "github-actions-detector", 
- "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/codeql-analysis.yml", - "subproject": "." - }, - { - "dependencies": [ - { - "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2" - ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code-manual.yml@local", - "licenses": [], - "name": ".github/workflows/snyk-code-manual.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code-manual.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code-manual.yml@local", - "scopes": [ - "runtime" - ], - "version": "local" - }, - { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", - "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", - "scopes": [ - "runtime" - ], - "version": "v3" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "licenses": [], - "name": "github:codeql-action/upload-sarif", - "package_ref": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "purl": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "scopes": [ - "runtime" - ], - "version": "v2" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/snyk-code-manual.yml", - "subproject": "." 
- }, - { - "dependencies": [ - { - "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "pkg:githubactions/snyk/actions%2Fsetup@master" - ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code.yml@local", - "licenses": [], - "name": ".github/workflows/snyk-code.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code.yml@local", - "scopes": [ - "runtime" - ], - "version": "local" - }, - { - "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", - "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", - "scopes": [ - "runtime" - ], - "version": "v3" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "licenses": [], - "name": "github:codeql-action/upload-sarif", - "package_ref": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "purl": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "scopes": [ - "runtime" - ], - "version": "v2" - }, - { - "depends_on": [], - "id": "pkg:githubactions/snyk/actions%2Fsetup@master", - "licenses": [], - "name": "snyk:actions/setup", - "package_ref": "pkg:githubactions/snyk/actions%2Fsetup@master", - "purl": "pkg:githubactions/snyk/actions%2Fsetup@master", - "scopes": [ - "runtime" - ], - "version": "master" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/snyk-code.yml", - "subproject": "." 
- }, - { - "dependencies": [ - { - "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "pkg:githubactions/snyk/actions%2Fsetup@master" - ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-test-sarif.yml@local", - "licenses": [], - "name": ".github/workflows/snyk-test-sarif.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-test-sarif.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-test-sarif.yml@local", - "scopes": [ - "runtime" - ], - "version": "local" - }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:npm/algo-httpserv@1.1.1", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", - "scopes": [ - "runtime" + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } ], - "version": "v3" - }, - { - "depends_on": [], - "id": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "licenses": [], - "name": "github:codeql-action/upload-sarif", - "package_ref": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "purl": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", + "matched": true, + "name": "algo-httpserv", + "package_ref": "pkg:npm/algo-httpserv@1.1.1", + "purl": "pkg:npm/algo-httpserv@1.1.1", "scopes": [ "runtime" ], - "version": "v2" + "version": "1.1.1" }, { "depends_on": [], - "id": "pkg:githubactions/snyk/actions%2Fsetup@master", - "licenses": [], - "name": "snyk:actions/setup", - "package_ref": "pkg:githubactions/snyk/actions%2Fsetup@master", - "purl": "pkg:githubactions/snyk/actions%2Fsetup@master", - "scopes": [ - "runtime" - ], - "version": "master" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - 
"package_manager": "github-actions", - "path": ".github/workflows/snyk-test-sarif.yml", - "subproject": "." - }, - { - "dependencies": [ - { - "depends_on": [], - "id": "pkg:npm/%40sindresorhus/is@0.14.0", + "id": "pkg:npm/ansi-colors@3.2.3", "licenses": [], "locations": [ { @@ -266,19 +41,17 @@ } ], "matched": true, - "name": "sindresorhus:is", - "package_ref": "pkg:npm/%40sindresorhus/is@0.14.0", - "purl": "pkg:npm/%40sindresorhus/is@0.14.0", + "name": "ansi-colors", + "package_ref": "pkg:npm/ansi-colors@3.2.3", + "purl": "pkg:npm/ansi-colors@3.2.3", "scopes": [ "development" ], - "version": "0.14.0" + "version": "3.2.3" }, { - "depends_on": [ - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/%40snyk/cli-interface@1.5.0", + "depends_on": [], + "id": "pkg:npm/ansi-regex@3.0.0", "licenses": [], "locations": [ { @@ -291,20 +64,17 @@ } ], "matched": true, - "name": "snyk:cli-interface", - "package_ref": "pkg:npm/%40snyk/cli-interface@1.5.0", - "purl": "pkg:npm/%40snyk/cli-interface@1.5.0", + "name": "ansi-regex", + "package_ref": "pkg:npm/ansi-regex@3.0.0", + "purl": "pkg:npm/ansi-regex@3.0.0", "scopes": [ "development" ], - "version": "1.5.0" + "version": "3.0.0" }, { - "depends_on": [ - "pkg:npm/tslib@1.10.0", - "pkg:npm/tslib@1.9.3" - ], - "id": "pkg:npm/%40snyk/cli-interface@2.2.0", + "depends_on": [], + "id": "pkg:npm/ansi-regex@4.1.0", "licenses": [], "locations": [ { @@ -317,19 +87,19 @@ } ], "matched": true, - "name": "snyk:cli-interface", - "package_ref": "pkg:npm/%40snyk/cli-interface@2.2.0", - "purl": "pkg:npm/%40snyk/cli-interface@2.2.0", + "name": "ansi-regex", + "package_ref": "pkg:npm/ansi-regex@4.1.0", + "purl": "pkg:npm/ansi-regex@4.1.0", "scopes": [ "development" ], - "version": "2.2.0" + "version": "4.1.0" }, { "depends_on": [ - "pkg:npm/tslib@1.10.0" + "pkg:npm/color-convert@1.9.3" ], - "id": "pkg:npm/%40snyk/cli-interface@2.3.0", + "id": "pkg:npm/ansi-styles@3.2.1", "licenses": [], "locations": [ { 
@@ -342,25 +112,20 @@ } ], "matched": true, - "name": "snyk:cli-interface", - "package_ref": "pkg:npm/%40snyk/cli-interface@2.3.0", - "purl": "pkg:npm/%40snyk/cli-interface@2.3.0", + "name": "ansi-styles", + "package_ref": "pkg:npm/ansi-styles@3.2.1", + "purl": "pkg:npm/ansi-styles@3.2.1", "scopes": [ "development" ], - "version": "2.3.0" + "version": "3.2.1" }, { "depends_on": [ - "pkg:npm/%40snyk/dep-graph@1.13.1", - "pkg:npm/%40snyk/ruby-semver@2.0.4", - "pkg:npm/%40types/js-yaml@3.12.1", - "pkg:npm/core-js@3.6.4", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/tslib@1.10.0" + "pkg:npm/normalize-path@3.0.0", + "pkg:npm/picomatch@2.2.2" ], - "id": "pkg:npm/%40snyk/cocoapods-lockfile-parser@3.0.0", + "id": "pkg:npm/anymatch@3.1.1", "licenses": [], "locations": [ { @@ -373,19 +138,19 @@ } ], "matched": true, - "name": "snyk:cocoapods-lockfile-parser", - "package_ref": "pkg:npm/%40snyk/cocoapods-lockfile-parser@3.0.0", - "purl": "pkg:npm/%40snyk/cocoapods-lockfile-parser@3.0.0", + "name": "anymatch", + "package_ref": "pkg:npm/anymatch@3.1.1", + "purl": "pkg:npm/anymatch@3.1.1", "scopes": [ "development" ], - "version": "3.0.0" + "version": "3.1.1" }, { "depends_on": [ - "pkg:npm/lodash@4.17.15" + "pkg:npm/sprintf-js@1.0.3" ], - "id": "pkg:npm/%40snyk/composer-lockfile-parser@1.2.0", + "id": "pkg:npm/argparse@1.0.10", "licenses": [], "locations": [ { 
@@ -398,24 +163,19 @@ } ], "matched": true, - "name": "snyk:composer-lockfile-parser", - "package_ref": "pkg:npm/%40snyk/composer-lockfile-parser@1.2.0", - "purl": "pkg:npm/%40snyk/composer-lockfile-parser@1.2.0", + "name": "argparse", + "package_ref": "pkg:npm/argparse@1.0.10", + "purl": "pkg:npm/argparse@1.0.10", "scopes": [ - "development" + "runtime" ], - "version": "1.2.0" + "version": "1.0.10" }, { "depends_on": [ - "pkg:npm/graphlib@2.1.8", - "pkg:npm/lodash@4.17.4", - "pkg:npm/object-hash@1.3.1", - "pkg:npm/semver@6.3.0", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/%40snyk/dep-graph@1.13.1", + "pkg:npm/lodash@4.17.15" + ], + "id": "pkg:npm/async@2.6.3", "licenses": [], "locations": [ { @@ -428,17 +188,17 @@ } ], "matched": true, - "name": "snyk:dep-graph", - "package_ref": "pkg:npm/%40snyk/dep-graph@1.13.1", - "purl": "pkg:npm/%40snyk/dep-graph@1.13.1", + "name": "async", + "package_ref": "pkg:npm/async@2.6.3", + "purl": "pkg:npm/async@2.6.3", "scopes": [ - "development" + "runtime" ], - "version": "1.13.1" + "version": "2.6.3" }, { "depends_on": [], - "id": "pkg:npm/%40snyk/gemfile@1.2.0", + "id": "pkg:npm/balanced-match@1.0.0", "licenses": [], "locations": [ { @@ -451,19 +211,17 @@ } ], "matched": true, - "name": "snyk:gemfile", - "package_ref": "pkg:npm/%40snyk/gemfile@1.2.0", - "purl": "pkg:npm/%40snyk/gemfile@1.2.0", + "name": "balanced-match", + "package_ref": "pkg:npm/balanced-match@1.0.0", + "purl": "pkg:npm/balanced-match@1.0.0", "scopes": [ "development" ], - "version": "1.2.0" + "version": "1.0.0" }, { - "depends_on": [ - "pkg:npm/lodash@4.17.15" - ], - "id": "pkg:npm/%40snyk/ruby-semver@2.0.4", + "depends_on": [], + "id": "pkg:npm/binary-extensions@2.1.0", "licenses": [], "locations": [ { 
@@ -476,23 +234,20 @@ } ], "matched": true, - "name": "snyk:ruby-semver", - "package_ref": "pkg:npm/%40snyk/ruby-semver@2.0.4", - "purl": "pkg:npm/%40snyk/ruby-semver@2.0.4", + "name": "binary-extensions", + "package_ref": "pkg:npm/binary-extensions@2.1.0", + "purl": "pkg:npm/binary-extensions@2.1.0", "scopes": [ "development" ], - "version": "2.0.4" + "version": "2.1.0" }, { "depends_on": [ - "pkg:npm/%40snyk/cli-interface@1.5.0", - "pkg:npm/%40snyk/cocoapods-lockfile-parser@3.0.0", - "pkg:npm/%40snyk/dep-graph@1.13.1", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/tslib@1.10.0" + "pkg:npm/balanced-match@1.0.0", + "pkg:npm/concat-map@0.0.1" ], - "id": "pkg:npm/%40snyk/snyk-cocoapods-plugin@2.0.1", + "id": "pkg:npm/brace-expansion@1.1.11", "licenses": [], "locations": [ { @@ -505,19 +260,19 @@ } ], "matched": true, - "name": "snyk:snyk-cocoapods-plugin", - "package_ref": "pkg:npm/%40snyk/snyk-cocoapods-plugin@2.0.1", - "purl": "pkg:npm/%40snyk/snyk-cocoapods-plugin@2.0.1", + "name": "brace-expansion", + "package_ref": "pkg:npm/brace-expansion@1.1.11", + "purl": "pkg:npm/brace-expansion@1.1.11", "scopes": [ "development" ], - "version": "2.0.1" + "version": "1.1.11" }, { "depends_on": [ - "pkg:npm/defer-to-connect@1.1.3" + "pkg:npm/fill-range@7.0.1" ], - "id": "pkg:npm/%40szmarczak/http-timer@1.1.2", + "id": "pkg:npm/braces@3.0.2", "licenses": [], "locations": [ { @@ -530,20 +285,17 @@ } ], "matched": true, - "name": "szmarczak:http-timer", - "package_ref": "pkg:npm/%40szmarczak/http-timer@1.1.2", - "purl": "pkg:npm/%40szmarczak/http-timer@1.1.2", + "name": "braces", + "package_ref": "pkg:npm/braces@3.0.2", + "purl": "pkg:npm/braces@3.0.2", "scopes": [ "development" ], - "version": "1.1.2" + "version": "3.0.2" }, { - "depends_on": [ - "pkg:npm/%40types/events@3.0.0", - "pkg:npm/%40types/node@13.1.7" - ], - "id": "pkg:npm/%40types/agent-base@4.2.0", + "depends_on": [], + "id": "pkg:npm/browser-stdout@1.3.1", "licenses": [], "locations": [ { 
@@ -556,19 +308,20 @@ } ], "matched": true, - "name": "types:agent-base", - "package_ref": "pkg:npm/%40types/agent-base@4.2.0", - "purl": "pkg:npm/%40types/agent-base@4.2.0", + "name": "browser-stdout", + "package_ref": "pkg:npm/browser-stdout@1.3.1", + "purl": "pkg:npm/browser-stdout@1.3.1", "scopes": [ "development" ], - "version": "4.2.0" + "version": "1.3.1" }, { "depends_on": [ - "pkg:npm/%40types/node@13.1.7" + "pkg:npm/dicer@0.2.5", + "pkg:npm/readable-stream@1.1.14" ], - "id": "pkg:npm/%40types/bunyan@1.8.6", + "id": "pkg:npm/busboy@0.2.14", "licenses": [], "locations": [ { @@ -580,18 +333,17 @@ "real_path": "package-lock.json" } ], - "matched": true, - "name": "types:bunyan", - "package_ref": "pkg:npm/%40types/bunyan@1.8.6", - "purl": "pkg:npm/%40types/bunyan@1.8.6", + "name": "busboy", + "package_ref": "pkg:npm/busboy@0.2.14", + "purl": "pkg:npm/busboy@0.2.14", "scopes": [ - "development" + "runtime" ], - "version": "1.8.6" + "version": "0.2.14" }, { "depends_on": [], - "id": "pkg:npm/%40types/color-name@1.1.1", + "id": "pkg:npm/camelcase@5.3.1", "licenses": [], "locations": [ { @@ -604,17 +356,21 @@ } ], "matched": true, - "name": "types:color-name", - "package_ref": "pkg:npm/%40types/color-name@1.1.1", - "purl": "pkg:npm/%40types/color-name@1.1.1", + "name": "camelcase", + "package_ref": "pkg:npm/camelcase@5.3.1", + "purl": "pkg:npm/camelcase@5.3.1", "scopes": [ - "runtime" + "development" ], - "version": "1.1.1" + "version": "5.3.1" }, { - "depends_on": [], - "id": "pkg:npm/%40types/debug@4.1.5", + "depends_on": [ + "pkg:npm/ansi-styles@3.2.1", + "pkg:npm/escape-string-regexp@1.0.5", + "pkg:npm/supports-color@5.5.0" + ], + "id": "pkg:npm/chalk@2.4.2", "licenses": [], "locations": [ { 
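Review bot: The regenerated entry for `pkg:npm/busboy@0.2.14` in hunk `@@ -580,18 +333,17 @@` drops `"matched": true,` while keeping its `package-lock.json` location, whereas every other lockfile-located entry visible in this file section still carries the flag. Because this golden is rewritten from whatever the scanner emitted, accepting it makes that omission the asserted baseline for a `runtime`-scoped package. What `matched` signifies is not shown here; if it marks a successful lookup, confirm the miss is expected for this fixture before merging, otherwise the entry should read `"matched": true,` ahead of `"name": "busboy"`. The enclosing manifest object starts and ends outside this hunk.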
@@ -627,17 +383,26 @@ } ], "matched": true, - "name": "types:debug", - "package_ref": "pkg:npm/%40types/debug@4.1.5", - "purl": "pkg:npm/%40types/debug@4.1.5", + "name": "chalk", + "package_ref": "pkg:npm/chalk@2.4.2", + "purl": "pkg:npm/chalk@2.4.2", "scopes": [ "development" ], - "version": "4.1.5" + "version": "2.4.2" }, { - "depends_on": [], - "id": "pkg:npm/%40types/events@3.0.0", + "depends_on": [ + "pkg:npm/anymatch@3.1.1", + "pkg:npm/braces@3.0.2", + "pkg:npm/fsevents@2.1.3", + "pkg:npm/glob-parent@5.1.1", + "pkg:npm/is-binary-path@2.1.0", + "pkg:npm/is-glob@4.0.1", + "pkg:npm/normalize-path@3.0.0", + "pkg:npm/readdirp@3.2.0" + ], + "id": "pkg:npm/chokidar@3.3.0", "licenses": [], "locations": [ { @@ -650,20 +415,24 @@ } ], "matched": true, - "name": "types:events", - "package_ref": "pkg:npm/%40types/events@3.0.0", - "purl": "pkg:npm/%40types/events@3.0.0", + "name": "chokidar", + "package_ref": "pkg:npm/chokidar@3.3.0", + "purl": "pkg:npm/chokidar@3.3.0", "scopes": [ "development" ], - "version": "3.0.0" + "version": "3.3.0" }, { - "depends_on": [], - "id": "pkg:npm/%40types/js-yaml@3.12.1", - "licenses": [], - "locations": [ - { + "depends_on": [ + "pkg:npm/string-width@3.1.0", + "pkg:npm/strip-ansi@5.2.0", + "pkg:npm/wrap-ansi@5.1.0" + ], + "id": "pkg:npm/cliui@5.0.0", + "licenses": [], + "locations": [ + { "access_path": "package-lock.json", "position": { "file": "package-lock.json", @@ -673,17 +442,19 @@ } ], "matched": true, - "name": "types:js-yaml", - "package_ref": "pkg:npm/%40types/js-yaml@3.12.1", - "purl": "pkg:npm/%40types/js-yaml@3.12.1", + "name": "cliui", + "package_ref": "pkg:npm/cliui@5.0.0", + "purl": "pkg:npm/cliui@5.0.0", "scopes": [ "development" ], - "version": "3.12.1" + "version": "5.0.0" }, { - "depends_on": [], - "id": "pkg:npm/%40types/node@13.1.7", + "depends_on": [ + "pkg:npm/color-name@1.1.3" + ], + "id": "pkg:npm/color-convert@1.9.3", "licenses": [], "locations": [ { 
@@ -696,17 +467,17 @@ } ], "matched": true, - "name": "types:node", - "package_ref": "pkg:npm/%40types/node@13.1.7", - "purl": "pkg:npm/%40types/node@13.1.7", + "name": "color-convert", + "package_ref": "pkg:npm/color-convert@1.9.3", + "purl": "pkg:npm/color-convert@1.9.3", "scopes": [ "development" ], - "version": "13.1.7" + "version": "1.9.3" }, { "depends_on": [], - "id": "pkg:npm/%40types/node@6.14.9", + "id": "pkg:npm/color-name@1.1.3", "licenses": [], "locations": [ { @@ -719,20 +490,17 @@ } ], "matched": true, - "name": "types:node", - "package_ref": "pkg:npm/%40types/node@6.14.9", - "purl": "pkg:npm/%40types/node@6.14.9", + "name": "color-name", + "package_ref": "pkg:npm/color-name@1.1.3", + "purl": "pkg:npm/color-name@1.1.3", "scopes": [ "development" ], - "version": "6.14.9" + "version": "1.1.3" }, { - "depends_on": [ - "pkg:npm/%40types/bunyan@1.8.6", - "pkg:npm/%40types/node@13.1.7" - ], - "id": "pkg:npm/%40types/restify@4.3.6", + "depends_on": [], + "id": "pkg:npm/concat-map@0.0.1", "licenses": [], "locations": [ { @@ -745,17 +513,17 @@ } ], "matched": true, - "name": "types:restify", - "package_ref": "pkg:npm/%40types/restify@4.3.6", - "purl": "pkg:npm/%40types/restify@4.3.6", + "name": "concat-map", + "package_ref": "pkg:npm/concat-map@0.0.1", + "purl": "pkg:npm/concat-map@0.0.1", "scopes": [ "development" ], - "version": "4.3.6" + "version": "0.0.1" }, { "depends_on": [], - "id": "pkg:npm/%40types/semver@5.5.0", + "id": "pkg:npm/core-util-is@1.0.2", "licenses": [], "locations": [ { 
@@ -768,20 +536,19 @@ } ], "matched": true, - "name": "types:semver", - "package_ref": "pkg:npm/%40types/semver@5.5.0", - "purl": "pkg:npm/%40types/semver@5.5.0", + "name": "core-util-is", + "package_ref": "pkg:npm/core-util-is@1.0.2", + "purl": "pkg:npm/core-util-is@1.0.2", "scopes": [ - "development" + "runtime" ], - "version": "5.5.0" + "version": "1.0.2" }, { "depends_on": [ - "pkg:npm/%40types/events@3.0.0", - "pkg:npm/%40types/node@13.1.7" + "pkg:npm/ms@2.1.1" ], - "id": "pkg:npm/%40types/xml2js@0.4.3", + "id": "pkg:npm/debug@3.2.6", "licenses": [], "locations": [ { @@ -794,17 +561,17 @@ } ], "matched": true, - "name": "types:xml2js", - "package_ref": "pkg:npm/%40types/xml2js@0.4.3", - "purl": "pkg:npm/%40types/xml2js@0.4.3", + "name": "debug", + "package_ref": "pkg:npm/debug@3.2.6", + "purl": "pkg:npm/debug@3.2.6", "scopes": [ "development" ], - "version": "0.4.3" + "version": "3.2.6" }, { "depends_on": [], - "id": "pkg:npm/%40yarnpkg/lockfile@1.1.0", + "id": "pkg:npm/decamelize@1.2.0", "licenses": [], "locations": [ { @@ -817,17 +584,19 @@ } ], "matched": true, - "name": "yarnpkg:lockfile", - "package_ref": "pkg:npm/%40yarnpkg/lockfile@1.1.0", - "purl": "pkg:npm/%40yarnpkg/lockfile@1.1.0", + "name": "decamelize", + "package_ref": "pkg:npm/decamelize@1.2.0", + "purl": "pkg:npm/decamelize@1.2.0", "scopes": [ "development" ], - "version": "1.1.0" + "version": "1.2.0" }, { - "depends_on": [], - "id": "pkg:npm/abbrev@1.1.1", + "depends_on": [ + "pkg:npm/object-keys@1.1.1" + ], + "id": "pkg:npm/define-properties@1.1.3", "licenses": [], "locations": [ { 
@@ -840,21 +609,20 @@ } ], "matched": true, - "name": "abbrev", - "package_ref": "pkg:npm/abbrev@1.1.1", - "purl": "pkg:npm/abbrev@1.1.1", + "name": "define-properties", + "package_ref": "pkg:npm/define-properties@1.1.3", + "purl": "pkg:npm/define-properties@1.1.3", "scopes": [ - "development", - "runtime" + "development" ], - "version": "1.1.1" + "version": "1.1.3" }, { "depends_on": [ - "pkg:npm/mime-types@2.0.14", - "pkg:npm/negotiator@0.4.9" + "pkg:npm/readable-stream@1.1.14", + "pkg:npm/streamsearch@0.1.2" ], - "id": "pkg:npm/accepts@1.1.4", + "id": "pkg:npm/dicer@0.2.5", "licenses": [], "locations": [ { @@ -867,20 +635,17 @@ } ], "matched": true, - "name": "accepts", - "package_ref": "pkg:npm/accepts@1.1.4", - "purl": "pkg:npm/accepts@1.1.4", + "name": "dicer", + "package_ref": "pkg:npm/dicer@0.2.5", + "purl": "pkg:npm/dicer@0.2.5", "scopes": [ "runtime" ], - "version": "1.1.4" + "version": "0.2.5" }, { - "depends_on": [ - "pkg:npm/mime-types@2.1.23", - "pkg:npm/negotiator@0.5.3" - ], - "id": "pkg:npm/accepts@1.2.13", + "depends_on": [], + "id": "pkg:npm/diff@3.5.0", "licenses": [], "locations": [ { @@ -893,17 +658,17 @@ } ], "matched": true, - "name": "accepts", - "package_ref": "pkg:npm/accepts@1.2.13", - "purl": "pkg:npm/accepts@1.2.13", + "name": "diff", + "package_ref": "pkg:npm/diff@3.5.0", + "purl": "pkg:npm/diff@3.5.0", "scopes": [ - "runtime" + "development" ], - "version": "1.2.13" + "version": "3.5.0" }, { "depends_on": [], - "id": "pkg:npm/acorn-dynamic-import@4.0.0", + "id": "pkg:npm/emoji-regex@7.0.3", "licenses": [], "locations": [ { 
@@ -916,22 +681,29 @@ } ], "matched": true, - "name": "acorn-dynamic-import", - "package_ref": "pkg:npm/acorn-dynamic-import@4.0.0", - "purl": "pkg:npm/acorn-dynamic-import@4.0.0", + "name": "emoji-regex", + "package_ref": "pkg:npm/emoji-regex@7.0.3", + "purl": "pkg:npm/emoji-regex@7.0.3", "scopes": [ "development" ], - "version": "4.0.0" + "version": "7.0.3" }, { "depends_on": [ - "pkg:npm/acorn-dynamic-import@4.0.0", - "pkg:npm/acorn-walk@6.1.1", - "pkg:npm/acorn@6.4.2", - "pkg:npm/xtend@4.0.1" + "pkg:npm/es-to-primitive@1.2.1", + "pkg:npm/function-bind@1.1.1", + "pkg:npm/has-symbols@1.0.1", + "pkg:npm/has@1.0.3", + "pkg:npm/is-callable@1.2.2", + "pkg:npm/is-regex@1.1.1", + "pkg:npm/object-inspect@1.8.0", + "pkg:npm/object-keys@1.1.1", + "pkg:npm/object.assign@4.1.0", + "pkg:npm/string.prototype.trimend@1.0.1", + "pkg:npm/string.prototype.trimstart@1.0.1" ], - "id": "pkg:npm/acorn-node@1.6.2", + "id": "pkg:npm/es-abstract@1.17.6", "licenses": [], "locations": [ { @@ -944,17 +716,21 @@ } ], "matched": true, - "name": "acorn-node", - "package_ref": "pkg:npm/acorn-node@1.6.2", - "purl": "pkg:npm/acorn-node@1.6.2", + "name": "es-abstract", + "package_ref": "pkg:npm/es-abstract@1.17.6", + "purl": "pkg:npm/es-abstract@1.17.6", "scopes": [ "development" ], - "version": "1.6.2" + "version": "1.17.6" }, { - "depends_on": [], - "id": "pkg:npm/acorn-walk@6.1.1", + "depends_on": [ + "pkg:npm/is-callable@1.2.2", + "pkg:npm/is-date-object@1.0.2", + "pkg:npm/is-symbol@1.0.3" + ], + "id": "pkg:npm/es-to-primitive@1.2.1", "licenses": [], "locations": [ { 
@@ -967,17 +743,17 @@ } ], "matched": true, - "name": "acorn-walk", - "package_ref": "pkg:npm/acorn-walk@6.1.1", - "purl": "pkg:npm/acorn-walk@6.1.1", + "name": "es-to-primitive", + "package_ref": "pkg:npm/es-to-primitive@1.2.1", + "purl": "pkg:npm/es-to-primitive@1.2.1", "scopes": [ "development" ], - "version": "6.1.1" + "version": "1.2.1" }, { "depends_on": [], - "id": "pkg:npm/acorn@5.7.4", + "id": "pkg:npm/escape-string-regexp@1.0.5", "licenses": [], "locations": [ { @@ -990,17 +766,17 @@ } ], "matched": true, - "name": "acorn", - "package_ref": "pkg:npm/acorn@5.7.4", - "purl": "pkg:npm/acorn@5.7.4", + "name": "escape-string-regexp", + "package_ref": "pkg:npm/escape-string-regexp@1.0.5", + "purl": "pkg:npm/escape-string-regexp@1.0.5", "scopes": [ "development" ], - "version": "5.7.4" + "version": "1.0.5" }, { "depends_on": [], - "id": "pkg:npm/acorn@6.4.2", + "id": "pkg:npm/esprima@4.0.1", "licenses": [], "locations": [ { 
@@ -1013,17 +789,43 @@ } ], "matched": true, - "name": "acorn", - "package_ref": "pkg:npm/acorn@6.4.2", - "purl": "pkg:npm/acorn@6.4.2", + "name": "esprima", + "package_ref": "pkg:npm/esprima@4.0.1", + "purl": "pkg:npm/esprima@4.0.1", "scopes": [ - "development" + "runtime" + ], + "version": "4.0.1" + }, + { + "depends_on": [ + "pkg:npm/algo-httpserv@1.1.1", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/larvitbase@3.1.3", + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitreqparser@0.2.1", + "pkg:npm/larvitrouter@3.0.2", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/lodash@4.17.15", + "pkg:npm/marked@0.3.19", + "pkg:npm/mocha@7.2.0", + "pkg:npm/node-yaml-config@0.0.5", + "pkg:npm/semver@5.7.1", + "pkg:npm/to@0.2.9", + "pkg:npm/url@0.11.0" ], - "version": "6.4.2" + "id": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "licenses": [], + "name": "example-javascript-vulnerable-methods", + "package_ref": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1" }, { - "depends_on": [], - "id": "pkg:npm/adm-zip@0.4.7", + "depends_on": [ + "pkg:npm/to-regex-range@5.0.1" + ], + "id": "pkg:npm/fill-range@7.0.1", "licenses": [], "locations": [ { @@ -1036,19 +838,19 @@ } ], "matched": true, - "name": "adm-zip", - "package_ref": "pkg:npm/adm-zip@0.4.7", - "purl": "pkg:npm/adm-zip@0.4.7", + "name": "fill-range", + "package_ref": "pkg:npm/fill-range@7.0.1", + "purl": "pkg:npm/fill-range@7.0.1", "scopes": [ - "runtime" + "development" ], - "version": "0.4.7" + "version": "7.0.1" }, { "depends_on": [ - "pkg:npm/es6-promisify@5.0.0" + "pkg:npm/locate-path@3.0.0" ], - "id": "pkg:npm/agent-base@4.2.1", + "id": "pkg:npm/find-up@3.0.0", "licenses": [], "locations": [ { 
@@ -1061,19 +863,19 @@ } ], "matched": true, - "name": "agent-base", - "package_ref": "pkg:npm/agent-base@4.2.1", - "purl": "pkg:npm/agent-base@4.2.1", + "name": "find-up", + "package_ref": "pkg:npm/find-up@3.0.0", + "purl": "pkg:npm/find-up@3.0.0", "scopes": [ "development" ], - "version": "4.2.1" + "version": "3.0.0" }, { "depends_on": [ - "pkg:npm/es6-promisify@5.0.0" + "pkg:npm/is-buffer@2.0.4" ], - "id": "pkg:npm/agent-base@4.3.0", + "id": "pkg:npm/flat@4.1.0", "licenses": [], "locations": [ { @@ -1086,22 +888,21 @@ } ], "matched": true, - "name": "agent-base", - "package_ref": "pkg:npm/agent-base@4.3.0", - "purl": "pkg:npm/agent-base@4.3.0", + "name": "flat", + "package_ref": "pkg:npm/flat@4.1.0", + "purl": "pkg:npm/flat@4.1.0", "scopes": [ "development" ], - "version": "4.3.0" + "version": "4.1.0" }, { "depends_on": [ - "pkg:npm/fast-deep-equal@2.0.1", - "pkg:npm/fast-json-stable-stringify@2.1.0", - "pkg:npm/json-schema-traverse@0.4.1", - "pkg:npm/uri-js@4.2.2" + "pkg:npm/graceful-fs@4.2.3", + "pkg:npm/jsonfile@4.0.0", + "pkg:npm/universalify@0.1.2" ], - "id": "pkg:npm/ajv@6.10.2", + "id": "pkg:npm/fs-extra@7.0.1", "licenses": [], "locations": [ { 
@@ -1114,57 +915,40 @@ } ], "matched": true, - "name": "ajv", - "package_ref": "pkg:npm/ajv@6.10.2", - "purl": "pkg:npm/ajv@6.10.2", - "scopes": [ - "runtime" - ], - "version": "6.10.2" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2", - "pkg:npm/longest@1.0.1", - "pkg:npm/repeat-string@1.6.1" - ], - "id": "pkg:npm/align-text@0.1.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "align-text", - "package_ref": "pkg:npm/align-text@0.1.4", - "purl": "pkg:npm/align-text@0.1.4", + "name": "fs-extra", + "package_ref": "pkg:npm/fs-extra@7.0.1", + "purl": "pkg:npm/fs-extra@7.0.1", "scopes": [ "runtime" ], - "version": "0.1.4" + "version": "7.0.1" }, { "depends_on": [], - "id": "pkg:npm/amdefine@1.0.1", - "licenses": [ + "id": "pkg:npm/fs.realpath@1.0.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "BSD-3-Clause OR MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "amdefine", - "package_ref": "pkg:npm/amdefine@1.0.1", - "purl": "pkg:npm/amdefine@1.0.1", + "matched": true, + "name": "fs.realpath", + "package_ref": "pkg:npm/fs.realpath@1.0.0", + "purl": "pkg:npm/fs.realpath@1.0.0", "scopes": [ - "runtime" + "development" ], - "version": "1.0.1" + "version": "1.0.0" }, { - "depends_on": [ - "pkg:npm/string-width@2.1.1" - ], - "id": "pkg:npm/ansi-align@2.0.0", + "depends_on": [], + "id": "pkg:npm/fsevents@2.1.3", "licenses": [], "locations": [ { 
@@ -1177,19 +961,17 @@ } ], "matched": true, - "name": "ansi-align", - "package_ref": "pkg:npm/ansi-align@2.0.0", - "purl": "pkg:npm/ansi-align@2.0.0", + "name": "fsevents", + "package_ref": "pkg:npm/fsevents@2.1.3", + "purl": "pkg:npm/fsevents@2.1.3", "scopes": [ "development" ], - "version": "2.0.0" + "version": "2.1.3" }, { - "depends_on": [ - "pkg:npm/string-width@3.1.0" - ], - "id": "pkg:npm/ansi-align@3.0.0", + "depends_on": [], + "id": "pkg:npm/function-bind@1.1.1", "licenses": [], "locations": [ { @@ -1202,17 +984,18 @@ } ], "matched": true, - "name": "ansi-align", - "package_ref": "pkg:npm/ansi-align@3.0.0", - "purl": "pkg:npm/ansi-align@3.0.0", + "name": "function-bind", + "package_ref": "pkg:npm/function-bind@1.1.1", + "purl": "pkg:npm/function-bind@1.1.1", "scopes": [ - "development" + "development", + "runtime" ], - "version": "3.0.0" + "version": "1.1.1" }, { "depends_on": [], - "id": "pkg:npm/ansi-escapes@3.2.0", + "id": "pkg:npm/get-caller-file@2.0.5", "licenses": [], "locations": [ { @@ -1225,17 +1008,19 @@ } ], "matched": true, - "name": "ansi-escapes", - "package_ref": "pkg:npm/ansi-escapes@3.2.0", - "purl": "pkg:npm/ansi-escapes@3.2.0", + "name": "get-caller-file", + "package_ref": "pkg:npm/get-caller-file@2.0.5", + "purl": "pkg:npm/get-caller-file@2.0.5", "scopes": [ "development" ], - "version": "3.2.0" + "version": "2.0.5" }, { - "depends_on": [], - "id": "pkg:npm/ansi-regex@2.1.1", + "depends_on": [ + "pkg:npm/is-glob@4.0.1" + ], + "id": "pkg:npm/glob-parent@5.1.1", "licenses": [], "locations": [ { 
@@ -1248,23 +1033,25 @@ } ], "matched": true, - "name": "ansi-regex", - "package_ref": "pkg:npm/ansi-regex@2.1.1", - "purl": "pkg:npm/ansi-regex@2.1.1", + "name": "glob-parent", + "package_ref": "pkg:npm/glob-parent@5.1.1", + "purl": "pkg:npm/glob-parent@5.1.1", "scopes": [ - "runtime" + "development" ], - "version": "2.1.1" + "version": "5.1.1" }, { - "depends_on": [], - "id": "pkg:npm/ansi-regex@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } + "depends_on": [ + "pkg:npm/fs.realpath@1.0.0", + "pkg:npm/inflight@1.0.6", + "pkg:npm/inherits@2.0.4", + "pkg:npm/minimatch@3.0.4", + "pkg:npm/once@1.4.0", + "pkg:npm/path-is-absolute@1.0.1" ], + "id": "pkg:npm/glob@7.1.3", + "licenses": [], "locations": [ { "access_path": "package-lock.json", @@ -1276,18 +1063,17 @@ } ], "matched": true, - "name": "ansi-regex", - "package_ref": "pkg:npm/ansi-regex@3.0.0", - "purl": "pkg:npm/ansi-regex@3.0.0", + "name": "glob", + "package_ref": "pkg:npm/glob@7.1.3", + "purl": "pkg:npm/glob@7.1.3", "scopes": [ - "development", - "runtime" + "development" ], - "version": "3.0.0" + "version": "7.1.3" }, { "depends_on": [], - "id": "pkg:npm/ansi-regex@4.1.0", + "id": "pkg:npm/graceful-fs@4.2.3", "licenses": [], "locations": [ { @@ -1300,18 +1086,17 @@ } ], "matched": true, - "name": "ansi-regex", - "package_ref": "pkg:npm/ansi-regex@4.1.0", - "purl": "pkg:npm/ansi-regex@4.1.0", + "name": "graceful-fs", + "package_ref": "pkg:npm/graceful-fs@4.2.3", + "purl": "pkg:npm/graceful-fs@4.2.3", "scopes": [ - "development", "runtime" ], - "version": "4.1.0" + "version": "4.2.3" }, { "depends_on": [], - "id": "pkg:npm/ansi-regex@5.0.0", + "id": "pkg:npm/growl@1.10.5", "licenses": [], "locations": [ { 
@@ -1324,24 +1109,18 @@ } ], "matched": true, - "name": "ansi-regex", - "package_ref": "pkg:npm/ansi-regex@5.0.0", - "purl": "pkg:npm/ansi-regex@5.0.0", + "name": "growl", + "package_ref": "pkg:npm/growl@1.10.5", + "purl": "pkg:npm/growl@1.10.5", "scopes": [ - "development", - "runtime" + "development" ], - "version": "5.0.0" + "version": "1.10.5" }, { "depends_on": [], - "id": "pkg:npm/ansi-styles@2.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], + "id": "pkg:npm/handy@0.0.13", + "licenses": [], "locations": [ { "access_path": "package-lock.json", @@ -1352,19 +1131,17 @@ "real_path": "package-lock.json" } ], - "name": "ansi-styles", - "package_ref": "pkg:npm/ansi-styles@2.2.1", - "purl": "pkg:npm/ansi-styles@2.2.1", + "name": "handy", + "package_ref": "pkg:npm/handy@0.0.13", + "purl": "pkg:npm/handy@0.0.13", "scopes": [ "runtime" ], - "version": "2.2.1" + "version": "0.0.13" }, { - "depends_on": [ - "pkg:npm/color-convert@1.9.3" - ], - "id": "pkg:npm/ansi-styles@3.2.1", + "depends_on": [], + "id": "pkg:npm/has-flag@3.0.0", "licenses": [], "locations": [ { @@ -1377,20 +1154,17 @@ } ], "matched": true, - "name": "ansi-styles", - "package_ref": "pkg:npm/ansi-styles@3.2.1", - "purl": "pkg:npm/ansi-styles@3.2.1", + "name": "has-flag", + "package_ref": "pkg:npm/has-flag@3.0.0", + "purl": "pkg:npm/has-flag@3.0.0", "scopes": [ - "runtime" + "development" ], - "version": "3.2.1" + "version": "3.0.0" }, { - "depends_on": [ - "pkg:npm/%40types/color-name@1.1.1", - "pkg:npm/color-convert@2.0.1" - ], - "id": "pkg:npm/ansi-styles@4.2.1", + "depends_on": [], + "id": "pkg:npm/has-symbols@1.0.1", "licenses": [], "locations": [ { 
@@ -1403,19 +1177,19 @@ } ], "matched": true, - "name": "ansi-styles", - "package_ref": "pkg:npm/ansi-styles@4.2.1", - "purl": "pkg:npm/ansi-styles@4.2.1", + "name": "has-symbols", + "package_ref": "pkg:npm/has-symbols@1.0.1", + "purl": "pkg:npm/has-symbols@1.0.1", "scopes": [ - "runtime" + "development" ], - "version": "4.2.1" + "version": "1.0.1" }, { "depends_on": [ - "pkg:npm/color-convert@2.0.1" + "pkg:npm/function-bind@1.1.1" ], - "id": "pkg:npm/ansi-styles@4.3.0", + "id": "pkg:npm/has@1.0.3", "licenses": [], "locations": [ { @@ -1428,18 +1202,17 @@ } ], "matched": true, - "name": "ansi-styles", - "package_ref": "pkg:npm/ansi-styles@4.3.0", - "purl": "pkg:npm/ansi-styles@4.3.0", + "name": "has", + "package_ref": "pkg:npm/has@1.0.3", + "purl": "pkg:npm/has@1.0.3", "scopes": [ - "development", "runtime" ], - "version": "4.3.0" + "version": "1.0.3" }, { "depends_on": [], - "id": "pkg:npm/ansicolors@0.3.2", + "id": "pkg:npm/he@1.2.0", "licenses": [], "locations": [ { @@ -1452,17 +1225,17 @@ } ], "matched": true, - "name": "ansicolors", - "package_ref": "pkg:npm/ansicolors@0.3.2", - "purl": "pkg:npm/ansicolors@0.3.2", + "name": "he", + "package_ref": "pkg:npm/he@1.2.0", + "purl": "pkg:npm/he@1.2.0", "scopes": [ "development" ], - "version": "0.3.2" + "version": "1.2.0" }, { "depends_on": [], - "id": "pkg:npm/any-promise@1.3.0", + "id": "pkg:npm/htmlparser@1.7.7", "licenses": [], "locations": [ { 
@@ -1474,21 +1247,20 @@ "real_path": "package-lock.json" } ], - "matched": true, - "name": "any-promise", - "package_ref": "pkg:npm/any-promise@1.3.0", - "purl": "pkg:npm/any-promise@1.3.0", + "name": "htmlparser", + "package_ref": "pkg:npm/htmlparser@1.7.7", + "purl": "pkg:npm/htmlparser@1.7.7", "scopes": [ "runtime" ], - "version": "1.3.0" + "version": "1.7.7" }, { "depends_on": [ - "pkg:npm/normalize-path@3.0.0", - "pkg:npm/picomatch@2.3.0" + "pkg:npm/once@1.4.0", + "pkg:npm/wrappy@1.0.2" ], - "id": "pkg:npm/anymatch@3.1.2", + "id": "pkg:npm/inflight@1.0.6", "licenses": [], "locations": [ { @@ -1501,17 +1273,17 @@ } ], "matched": true, - "name": "anymatch", - "package_ref": "pkg:npm/anymatch@3.1.2", - "purl": "pkg:npm/anymatch@3.1.2", + "name": "inflight", + "package_ref": "pkg:npm/inflight@1.0.6", + "purl": "pkg:npm/inflight@1.0.6", "scopes": [ "development" ], - "version": "3.1.2" + "version": "1.0.6" }, { "depends_on": [], - "id": "pkg:npm/app-root-path@3.0.0", + "id": "pkg:npm/inherits@2.0.4", "licenses": [], "locations": [ { @@ -1524,36 +1296,20 @@ } ], "matched": true, - "name": "app-root-path", - "package_ref": "pkg:npm/app-root-path@3.0.0", - "purl": "pkg:npm/app-root-path@3.0.0", + "name": "inherits", + "package_ref": "pkg:npm/inherits@2.0.4", + "purl": "pkg:npm/inherits@2.0.4", "scopes": [ + "development", "runtime" ], - "version": "3.0.0" + "version": "2.0.4" }, { "depends_on": [ - "pkg:npm/default-require-extensions@1.0.0" - ], - "id": "pkg:npm/append-transform@0.4.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "append-transform", - "package_ref": "pkg:npm/append-transform@0.4.0", - "purl": "pkg:npm/append-transform@0.4.0", - "scopes": [ - "runtime" + "pkg:npm/binary-extensions@2.1.0" ], - "version": "0.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/archy@1.0.0", + "id": "pkg:npm/is-binary-path@2.1.0", "licenses": [], "locations": [ { 
@@ -1566,20 +1322,17 @@ } ], "matched": true, - "name": "archy", - "package_ref": "pkg:npm/archy@1.0.0", - "purl": "pkg:npm/archy@1.0.0", + "name": "is-binary-path", + "package_ref": "pkg:npm/is-binary-path@2.1.0", + "purl": "pkg:npm/is-binary-path@2.1.0", "scopes": [ - "development", - "runtime" + "development" ], - "version": "1.0.0" + "version": "2.1.0" }, { - "depends_on": [ - "pkg:npm/sprintf-js@1.0.3" - ], - "id": "pkg:npm/argparse@1.0.10", + "depends_on": [], + "id": "pkg:npm/is-buffer@2.0.4", "licenses": [], "locations": [ { 
@@ -1592,68 +1345,63 @@ } ], "matched": true, - "name": "argparse", - "package_ref": "pkg:npm/argparse@1.0.10", - "purl": "pkg:npm/argparse@1.0.10", - "scopes": [ - "runtime" - ], - "version": "1.0.10" - }, - { - "depends_on": [], - "id": "pkg:npm/arr-diff@4.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "arr-diff", - "package_ref": "pkg:npm/arr-diff@4.0.0", - "purl": "pkg:npm/arr-diff@4.0.0", + "name": "is-buffer", + "package_ref": "pkg:npm/is-buffer@2.0.4", + "purl": "pkg:npm/is-buffer@2.0.4", "scopes": [ - "runtime" + "development" ], - "version": "4.0.0" + "version": "2.0.4" }, { "depends_on": [], - "id": "pkg:npm/arr-flatten@1.1.0", - "licenses": [ + "id": "pkg:npm/is-callable@1.2.2", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "arr-flatten", - "package_ref": "pkg:npm/arr-flatten@1.1.0", - "purl": "pkg:npm/arr-flatten@1.1.0", + "matched": true, + "name": "is-callable", + "package_ref": "pkg:npm/is-callable@1.2.2", + "purl": "pkg:npm/is-callable@1.2.2", "scopes": [ - "runtime" + "development" ], - "version": "1.1.0" + "version": "1.2.2" }, { "depends_on": [], - "id": "pkg:npm/arr-union@3.1.0", - "licenses": [ + "id": "pkg:npm/is-date-object@1.0.2", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "arr-union", - "package_ref": "pkg:npm/arr-union@3.1.0", - "purl": "pkg:npm/arr-union@3.1.0", + "matched": true, + "name": "is-date-object", + "package_ref": "pkg:npm/is-date-object@1.0.2", + "purl": "pkg:npm/is-date-object@1.0.2", "scopes": [ - "runtime" + "development" ], - "version": "3.1.0" + "version": "1.0.2" }, { "depends_on": [], - "id": "pkg:npm/array-filter@0.0.1", + 
"id": "pkg:npm/is-extglob@2.1.1", "licenses": [], "locations": [ { @@ -1666,17 +1414,17 @@ } ], "matched": true, - "name": "array-filter", - "package_ref": "pkg:npm/array-filter@0.0.1", - "purl": "pkg:npm/array-filter@0.0.1", + "name": "is-extglob", + "package_ref": "pkg:npm/is-extglob@2.1.1", + "purl": "pkg:npm/is-extglob@2.1.1", "scopes": [ "development" ], - "version": "0.0.1" + "version": "2.1.1" }, { "depends_on": [], - "id": "pkg:npm/array-map@0.0.0", + "id": "pkg:npm/is-fullwidth-code-point@2.0.0", "licenses": [], "locations": [ { @@ -1689,17 +1437,19 @@ } ], "matched": true, - "name": "array-map", - "package_ref": "pkg:npm/array-map@0.0.0", - "purl": "pkg:npm/array-map@0.0.0", + "name": "is-fullwidth-code-point", + "package_ref": "pkg:npm/is-fullwidth-code-point@2.0.0", + "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", "scopes": [ "development" ], - "version": "0.0.0" + "version": "2.0.0" }, { - "depends_on": [], - "id": "pkg:npm/array-reduce@0.0.0", + "depends_on": [ + "pkg:npm/is-extglob@2.1.1" + ], + "id": "pkg:npm/is-glob@4.0.1", "licenses": [], "locations": [ { 
@@ -1712,51 +1462,42 @@ } ], "matched": true, - "name": "array-reduce", - "package_ref": "pkg:npm/array-reduce@0.0.0", - "purl": "pkg:npm/array-reduce@0.0.0", + "name": "is-glob", + "package_ref": "pkg:npm/is-glob@4.0.1", + "purl": "pkg:npm/is-glob@4.0.1", "scopes": [ "development" ], - "version": "0.0.0" + "version": "4.0.1" }, { "depends_on": [], - "id": "pkg:npm/array-unique@0.3.2", - "licenses": [ + "id": "pkg:npm/is-number@7.0.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "array-unique", - "package_ref": "pkg:npm/array-unique@0.3.2", - "purl": "pkg:npm/array-unique@0.3.2", + "matched": true, + "name": "is-number", + "package_ref": "pkg:npm/is-number@7.0.0", + "purl": "pkg:npm/is-number@7.0.0", "scopes": [ - "runtime" + "development" ], - "version": "0.3.2" + "version": "7.0.0" }, { - "depends_on": [], - "id": "pkg:npm/arrify@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "arrify", - "package_ref": "pkg:npm/arrify@1.0.1", - "purl": "pkg:npm/arrify@1.0.1", - "scopes": [ - "runtime" + "depends_on": [ + "pkg:npm/has-symbols@1.0.1" ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/asap@2.0.6", + "id": "pkg:npm/is-regex@1.1.1", "licenses": [], "locations": [ { @@ -1769,21 +1510,19 @@ } ], "matched": true, - "name": "asap", - "package_ref": "pkg:npm/asap@2.0.6", - "purl": "pkg:npm/asap@2.0.6", + "name": "is-regex", + "package_ref": "pkg:npm/is-regex@1.1.1", + "purl": "pkg:npm/is-regex@1.1.1", "scopes": [ "development" ], - "version": "2.0.6" + "version": "1.1.1" }, { "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/inherits@2.0.3", - "pkg:npm/minimalistic-assert@1.0.1" + "pkg:npm/has-symbols@1.0.1" ], - "id": "pkg:npm/asn1.js@4.10.1", + "id": "pkg:npm/is-symbol@1.0.3", "licenses": [], "locations": [ { 
@@ -1796,19 +1535,17 @@ } ], "matched": true, - "name": "asn1.js", - "package_ref": "pkg:npm/asn1.js@4.10.1", - "purl": "pkg:npm/asn1.js@4.10.1", + "name": "is-symbol", + "package_ref": "pkg:npm/is-symbol@1.0.3", + "purl": "pkg:npm/is-symbol@1.0.3", "scopes": [ "development" ], - "version": "4.10.1" + "version": "1.0.3" }, { - "depends_on": [ - "pkg:npm/safer-buffer@2.1.2" - ], - "id": "pkg:npm/asn1@0.2.4", + "depends_on": [], + "id": "pkg:npm/is@3.3.0", "licenses": [], "locations": [ { @@ -1821,17 +1558,17 @@ } ], "matched": true, - "name": "asn1", - "package_ref": "pkg:npm/asn1@0.2.4", - "purl": "pkg:npm/asn1@0.2.4", + "name": "is", + "package_ref": "pkg:npm/is@3.3.0", + "purl": "pkg:npm/is@3.3.0", "scopes": [ "runtime" ], - "version": "0.2.4" + "version": "3.3.0" }, { "depends_on": [], - "id": "pkg:npm/assert-plus@1.0.0", + "id": "pkg:npm/isarray@0.0.1", "licenses": [], "locations": [ { @@ -1844,19 +1581,17 @@ } ], "matched": true, - "name": "assert-plus", - "package_ref": "pkg:npm/assert-plus@1.0.0", - "purl": "pkg:npm/assert-plus@1.0.0", + "name": "isarray", + "package_ref": "pkg:npm/isarray@0.0.1", + "purl": "pkg:npm/isarray@0.0.1", "scopes": [ "runtime" ], - "version": "1.0.0" + "version": "0.0.1" }, { - "depends_on": [ - "pkg:npm/util@0.10.3" - ], - "id": "pkg:npm/assert@1.4.1", + "depends_on": [], + "id": "pkg:npm/isexe@2.0.0", "licenses": [], "locations": [ { 
@@ -1869,34 +1604,46 @@ } ], "matched": true, - "name": "assert", - "package_ref": "pkg:npm/assert@1.4.1", - "purl": "pkg:npm/assert@1.4.1", + "name": "isexe", + "package_ref": "pkg:npm/isexe@2.0.0", + "purl": "pkg:npm/isexe@2.0.0", "scopes": [ "development" ], - "version": "1.4.1" + "version": "2.0.0" }, { - "depends_on": [], - "id": "pkg:npm/assign-symbols@1.0.0", - "licenses": [ + "depends_on": [ + "pkg:npm/argparse@1.0.10", + "pkg:npm/esprima@4.0.1" + ], + "id": "pkg:npm/js-yaml@3.13.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "assign-symbols", - "package_ref": "pkg:npm/assign-symbols@1.0.0", - "purl": "pkg:npm/assign-symbols@1.0.0", + "matched": true, + "name": "js-yaml", + "package_ref": "pkg:npm/js-yaml@3.13.0", + "purl": "pkg:npm/js-yaml@3.13.0", "scopes": [ "runtime" ], - "version": "1.0.0" + "version": "3.13.0" }, { - "depends_on": [], - "id": "pkg:npm/ast-types@0.13.2", + "depends_on": [ + "pkg:npm/argparse@1.0.10", + "pkg:npm/esprima@4.0.1" + ], + "id": "pkg:npm/js-yaml@3.13.1", "licenses": [], "locations": [ { @@ -1909,19 +1656,19 @@ } ], "matched": true, - "name": "ast-types", - "package_ref": "pkg:npm/ast-types@0.13.2", - "purl": "pkg:npm/ast-types@0.13.2", + "name": "js-yaml", + "package_ref": "pkg:npm/js-yaml@3.13.1", + "purl": "pkg:npm/js-yaml@3.13.1", "scopes": [ "development" ], - "version": "0.13.2" + "version": "3.13.1" }, { "depends_on": [ - "pkg:npm/lru-cache@2.3.1" + "pkg:npm/graceful-fs@4.2.3" ], - "id": "pkg:npm/async-cache@0.1.5", + "id": "pkg:npm/jsonfile@4.0.0", "licenses": [], "locations": [ { 
@@ -1934,17 +1681,20 @@ } ], "matched": true, - "name": "async-cache", - "package_ref": "pkg:npm/async-cache@0.1.5", - "purl": "pkg:npm/async-cache@0.1.5", + "name": "jsonfile", + "package_ref": "pkg:npm/jsonfile@4.0.0", + "purl": "pkg:npm/jsonfile@4.0.0", "scopes": [ "runtime" ], - "version": "0.1.5" + "version": "4.0.0" }, { - "depends_on": [], - "id": "pkg:npm/async@0.9.0", + "depends_on": [ + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/uuid@3.4.0" + ], + "id": "pkg:npm/larvitbase@3.1.3", "licenses": [], "locations": [ { @@ -1957,17 +1707,19 @@ } ], "matched": true, - "name": "async", - "package_ref": "pkg:npm/async@0.9.0", - "purl": "pkg:npm/async@0.9.0", + "name": "larvitbase", + "package_ref": "pkg:npm/larvitbase@3.1.3", + "purl": "pkg:npm/larvitbase@3.1.3", "scopes": [ "runtime" ], - "version": "0.9.0" + "version": "3.1.3" }, { - "depends_on": [], - "id": "pkg:npm/async@1.5.2", + "depends_on": [ + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitfs@2.3.1", "licenses": [], "locations": [ { @@ -1980,20 +1732,24 @@ } ], "matched": true, - "name": "async", - "package_ref": "pkg:npm/async@1.5.2", - "purl": "pkg:npm/async@1.5.2", + "name": "larvitfs", + "package_ref": "pkg:npm/larvitfs@2.3.1", + "purl": "pkg:npm/larvitfs@2.3.1", "scopes": [ - "development", "runtime" ], - "version": "1.5.2" + "version": "2.3.1" }, { "depends_on": [ - "pkg:npm/lodash@4.17.21" + "pkg:npm/async@2.6.3", + "pkg:npm/busboy@0.2.14", + "pkg:npm/fs-extra@7.0.1", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/qs@6.9.1", + "pkg:npm/uuid@3.4.0" ], - "id": "pkg:npm/async@2.6.3", + "id": "pkg:npm/larvitreqparser@0.2.1", "licenses": [], "locations": [ { 
@@ -2006,17 +1762,20 @@ } ], "matched": true, - "name": "async", - "package_ref": "pkg:npm/async@2.6.3", - "purl": "pkg:npm/async@2.6.3", + "name": "larvitreqparser", + "package_ref": "pkg:npm/larvitreqparser@0.2.1", + "purl": "pkg:npm/larvitreqparser@0.2.1", "scopes": [ "runtime" ], - "version": "2.6.3" + "version": "0.2.1" }, { - "depends_on": [], - "id": "pkg:npm/asynckit@0.4.0", + "depends_on": [ + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitrouter@3.0.2", "licenses": [], "locations": [ { @@ -2029,34 +1788,43 @@ } ], "matched": true, - "name": "asynckit", - "package_ref": "pkg:npm/asynckit@0.4.0", - "purl": "pkg:npm/asynckit@0.4.0", + "name": "larvitrouter", + "package_ref": "pkg:npm/larvitrouter@3.0.2", + "purl": "pkg:npm/larvitrouter@3.0.2", "scopes": [ "runtime" ], - "version": "0.4.0" + "version": "3.0.2" }, { "depends_on": [], - "id": "pkg:npm/atob@2.1.1", - "licenses": [ + "id": "pkg:npm/larvitutils@2.3.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "(MIT OR Apache-2.0)" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "atob", - "package_ref": "pkg:npm/atob@2.1.1", - "purl": "pkg:npm/atob@2.1.1", + "matched": true, + "name": "larvitutils", + "package_ref": "pkg:npm/larvitutils@2.3.0", + "purl": "pkg:npm/larvitutils@2.3.0", "scopes": [ "runtime" ], - "version": "2.1.1" + "version": "2.3.0" }, { - "depends_on": [], - "id": "pkg:npm/aws-sign2@0.7.0", + "depends_on": [ + "pkg:npm/p-locate@3.0.0", + "pkg:npm/path-exists@3.0.0" + ], + "id": "pkg:npm/locate-path@3.0.0", "licenses": [], "locations": [ { 
@@ -2069,17 +1837,17 @@ } ], "matched": true, - "name": "aws-sign2", - "package_ref": "pkg:npm/aws-sign2@0.7.0", - "purl": "pkg:npm/aws-sign2@0.7.0", + "name": "locate-path", + "package_ref": "pkg:npm/locate-path@3.0.0", + "purl": "pkg:npm/locate-path@3.0.0", "scopes": [ - "runtime" + "development" ], - "version": "0.7.0" + "version": "3.0.0" }, { "depends_on": [], - "id": "pkg:npm/aws4@1.9.1", + "id": "pkg:npm/lodash@4.17.15", "licenses": [], "locations": [ { 
@@ -2092,193 +1860,67 @@ } ], "matched": true, - "name": "aws4", - "package_ref": "pkg:npm/aws4@1.9.1", - "purl": "pkg:npm/aws4@1.9.1", + "name": "lodash", + "package_ref": "pkg:npm/lodash@4.17.15", + "purl": "pkg:npm/lodash@4.17.15", "scopes": [ "runtime" ], - "version": "1.9.1" + "version": "4.17.15" }, { "depends_on": [ - "pkg:npm/chalk@1.1.3", - "pkg:npm/esutils@2.0.2", - "pkg:npm/js-tokens@3.0.2" + "pkg:npm/chalk@2.4.2" ], - "id": "pkg:npm/babel-code-frame@6.26.0", - "licenses": [ + "id": "pkg:npm/log-symbols@3.0.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "babel-code-frame", - "package_ref": "pkg:npm/babel-code-frame@6.26.0", - "purl": "pkg:npm/babel-code-frame@6.26.0", + "matched": true, + "name": "log-symbols", + "package_ref": "pkg:npm/log-symbols@3.0.0", + "purl": "pkg:npm/log-symbols@3.0.0", "scopes": [ - "runtime" + "development" ], - "version": "6.26.0" + "version": "3.0.0" }, { - "depends_on": [ - "pkg:npm/babel-messages@6.23.0", - "pkg:npm/babel-runtime@6.26.0", - "pkg:npm/babel-types@6.26.0", - "pkg:npm/detect-indent@4.0.0", - "pkg:npm/jsesc@1.3.0", - "pkg:npm/lodash@4.17.10", - "pkg:npm/source-map@0.5.7", - "pkg:npm/trim-right@1.0.1" - ], - "id": "pkg:npm/babel-generator@6.26.1", - "licenses": [ + "depends_on": [], + "id": "pkg:npm/marked@0.3.19", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "babel-generator", - "package_ref": "pkg:npm/babel-generator@6.26.1", - "purl": "pkg:npm/babel-generator@6.26.1", + "matched": true, + "name": "marked", + "package_ref": "pkg:npm/marked@0.3.19", + "purl": "pkg:npm/marked@0.3.19", "scopes": [ "runtime" ], - "version": "6.26.1" + "version": "0.3.19" 
}, { "depends_on": [ - "pkg:npm/babel-runtime@6.26.0" - ], - "id": "pkg:npm/babel-messages@6.23.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-messages", - "package_ref": "pkg:npm/babel-messages@6.23.0", - "purl": "pkg:npm/babel-messages@6.23.0", - "scopes": [ - "runtime" - ], - "version": "6.23.0" - }, - { - "depends_on": [ - "pkg:npm/core-js@2.5.6", - "pkg:npm/regenerator-runtime@0.11.1" - ], - "id": "pkg:npm/babel-runtime@6.26.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-runtime", - "package_ref": "pkg:npm/babel-runtime@6.26.0", - "purl": "pkg:npm/babel-runtime@6.26.0", - "scopes": [ - "runtime" - ], - "version": "6.26.0" - }, - { - "depends_on": [ - "pkg:npm/babel-runtime@6.26.0", - "pkg:npm/babel-traverse@6.26.0", - "pkg:npm/babel-types@6.26.0", - "pkg:npm/babylon@6.18.0", - "pkg:npm/lodash@4.17.10" - ], - "id": "pkg:npm/babel-template@6.26.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-template", - "package_ref": "pkg:npm/babel-template@6.26.0", - "purl": "pkg:npm/babel-template@6.26.0", - "scopes": [ - "runtime" - ], - "version": "6.26.0" - }, - { - "depends_on": [ - "pkg:npm/babel-code-frame@6.26.0", - "pkg:npm/babel-messages@6.23.0", - "pkg:npm/babel-runtime@6.26.0", - "pkg:npm/babel-types@6.26.0", - "pkg:npm/babylon@6.18.0", - "pkg:npm/debug@2.6.9", - "pkg:npm/globals@9.18.0", - "pkg:npm/invariant@2.2.4", - "pkg:npm/lodash@4.17.10" - ], - "id": "pkg:npm/babel-traverse@6.26.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "babel-traverse", - "package_ref": "pkg:npm/babel-traverse@6.26.0", - "purl": "pkg:npm/babel-traverse@6.26.0", - "scopes": [ - "runtime" - ], - "version": "6.26.0" - }, - { - "depends_on": [ - "pkg:npm/babel-runtime@6.26.0", - "pkg:npm/esutils@2.0.2", - "pkg:npm/lodash@4.17.10", - "pkg:npm/to-fast-properties@1.0.3" - ], - "id": "pkg:npm/babel-types@6.26.0", - 
"licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-types", - "package_ref": "pkg:npm/babel-types@6.26.0", - "purl": "pkg:npm/babel-types@6.26.0", - "scopes": [ - "runtime" - ], - "version": "6.26.0" - }, - { - "depends_on": [], - "id": "pkg:npm/babylon@6.18.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babylon", - "package_ref": "pkg:npm/babylon@6.18.0", - "purl": "pkg:npm/babylon@6.18.0", - "scopes": [ - "runtime" + "pkg:npm/brace-expansion@1.1.11" ], - "version": "6.18.0" - }, - { - "depends_on": [], - "id": "pkg:npm/balanced-match@1.0.0", + "id": "pkg:npm/minimatch@3.0.4", "licenses": [], "locations": [ { @@ -2291,17 +1933,17 @@ } ], "matched": true, - "name": "balanced-match", - "package_ref": "pkg:npm/balanced-match@1.0.0", - "purl": "pkg:npm/balanced-match@1.0.0", + "name": "minimatch", + "package_ref": "pkg:npm/minimatch@3.0.4", + "purl": "pkg:npm/minimatch@3.0.4", "scopes": [ - "runtime" + "development" ], - "version": "1.0.0" + "version": "3.0.4" }, { "depends_on": [], - "id": "pkg:npm/base64-js@1.3.0", + "id": "pkg:npm/minimist@0.0.10", "licenses": [], "locations": [ { 
@@ -2314,45 +1956,17 @@ } ], "matched": true, - "name": "base64-js", - "package_ref": "pkg:npm/base64-js@1.3.0", - "purl": "pkg:npm/base64-js@1.3.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/cache-base@1.0.1", - "pkg:npm/class-utils@0.3.6", - "pkg:npm/component-emitter@1.2.1", - "pkg:npm/define-property@1.0.0", - "pkg:npm/isobject@3.0.1", - "pkg:npm/mixin-deep@1.3.1", - "pkg:npm/pascalcase@0.1.1" - ], - "id": "pkg:npm/base@0.11.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "base", - "package_ref": "pkg:npm/base@0.11.2", - "purl": "pkg:npm/base@0.11.2", + "name": "minimist", + "package_ref": "pkg:npm/minimist@0.0.10", + "purl": "pkg:npm/minimist@0.0.10", "scopes": [ "runtime" ], - "version": "0.11.2" + "version": "0.0.10" }, { - "depends_on": [ - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/basic-auth@2.0.1", + "depends_on": [], + "id": "pkg:npm/minimist@1.2.5", "licenses": [], "locations": [ { @@ -2365,19 +1979,19 @@ } ], "matched": true, - "name": "basic-auth", - "package_ref": "pkg:npm/basic-auth@2.0.1", - "purl": "pkg:npm/basic-auth@2.0.1", + "name": "minimist", + "package_ref": "pkg:npm/minimist@1.2.5", + "purl": "pkg:npm/minimist@1.2.5", "scopes": [ - "runtime" + "development" ], - "version": "2.0.1" + "version": "1.2.5" }, { "depends_on": [ - "pkg:npm/tweetnacl@0.14.5" + "pkg:npm/minimist@1.2.5" ], - "id": "pkg:npm/bcrypt-pbkdf@1.0.2", + "id": "pkg:npm/mkdirp@0.5.5", "licenses": [], "locations": [ { 
@@ -2390,17 +2004,42 @@ } ], "matched": true, - "name": "bcrypt-pbkdf", - "package_ref": "pkg:npm/bcrypt-pbkdf@1.0.2", - "purl": "pkg:npm/bcrypt-pbkdf@1.0.2", + "name": "mkdirp", + "package_ref": "pkg:npm/mkdirp@0.5.5", + "purl": "pkg:npm/mkdirp@0.5.5", "scopes": [ - "runtime" + "development" ], - "version": "1.0.2" + "version": "0.5.5" }, { - "depends_on": [], - "id": "pkg:npm/bignumber.js@9.0.0", + "depends_on": [ + "pkg:npm/ansi-colors@3.2.3", + "pkg:npm/browser-stdout@1.3.1", + "pkg:npm/chokidar@3.3.0", + "pkg:npm/debug@3.2.6", + "pkg:npm/diff@3.5.0", + "pkg:npm/escape-string-regexp@1.0.5", + "pkg:npm/find-up@3.0.0", + "pkg:npm/glob@7.1.3", + "pkg:npm/growl@1.10.5", + "pkg:npm/he@1.2.0", + "pkg:npm/js-yaml@3.13.1", + "pkg:npm/log-symbols@3.0.0", + "pkg:npm/minimatch@3.0.4", + "pkg:npm/mkdirp@0.5.5", + "pkg:npm/ms@2.1.1", + "pkg:npm/node-environment-flags@1.0.6", + "pkg:npm/object.assign@4.1.0", + "pkg:npm/strip-json-comments@2.0.1", + "pkg:npm/supports-color@6.0.0", + "pkg:npm/which@1.3.1", + "pkg:npm/wide-align@1.1.3", + "pkg:npm/yargs-parser@13.1.2", + "pkg:npm/yargs-unparser@1.6.0", + "pkg:npm/yargs@13.3.2" + ], + "id": "pkg:npm/mocha@7.2.0", "licenses": [], "locations": [ { @@ -2413,17 +2052,17 @@ } ], "matched": true, - "name": "bignumber.js", - "package_ref": "pkg:npm/bignumber.js@9.0.0", - "purl": "pkg:npm/bignumber.js@9.0.0", + "name": "mocha", + "package_ref": "pkg:npm/mocha@7.2.0", + "purl": "pkg:npm/mocha@7.2.0", "scopes": [ - "runtime" + "development" ], - "version": "9.0.0" + "version": "7.2.0" }, { "depends_on": [], - "id": "pkg:npm/binary-extensions@2.2.0", + "id": "pkg:npm/ms@2.1.1", "licenses": [], "locations": [ { 
@@ -2436,17 +2075,20 @@ } ], "matched": true, - "name": "binary-extensions", - "package_ref": "pkg:npm/binary-extensions@2.2.0", - "purl": "pkg:npm/binary-extensions@2.2.0", + "name": "ms", + "package_ref": "pkg:npm/ms@2.1.1", + "purl": "pkg:npm/ms@2.1.1", "scopes": [ "development" ], - "version": "2.2.0" + "version": "2.1.1" }, { - "depends_on": [], - "id": "pkg:npm/bind-obj-methods@2.0.0", + "depends_on": [ + "pkg:npm/object.getownpropertydescriptors@2.1.0", + "pkg:npm/semver@5.7.1" + ], + "id": "pkg:npm/node-environment-flags@1.0.6", "licenses": [], "locations": [ { @@ -2459,20 +2101,20 @@ } ], "matched": true, - "name": "bind-obj-methods", - "package_ref": "pkg:npm/bind-obj-methods@2.0.0", - "purl": "pkg:npm/bind-obj-methods@2.0.0", + "name": "node-environment-flags", + "package_ref": "pkg:npm/node-environment-flags@1.0.6", + "purl": "pkg:npm/node-environment-flags@1.0.6", "scopes": [ - "runtime" + "development" ], - "version": "2.0.0" + "version": "1.0.6" }, { "depends_on": [ - "pkg:npm/readable-stream@2.3.7", - "pkg:npm/safe-buffer@5.1.2" + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/node.extend@2.0.2" ], - "id": "pkg:npm/bl@2.2.0", + "id": "pkg:npm/node-yaml-config@0.0.5", "licenses": [], "locations": [ { @@ -2485,19 +2127,20 @@ } ], "matched": true, - "name": "bl", - "package_ref": "pkg:npm/bl@2.2.0", - "purl": "pkg:npm/bl@2.2.0", + "name": "node-yaml-config", + "package_ref": "pkg:npm/node-yaml-config@0.0.5", + "purl": "pkg:npm/node-yaml-config@0.0.5", "scopes": [ "runtime" ], - "version": "2.2.0" + "version": "0.0.5" }, { "depends_on": [ - "pkg:npm/readable-stream@3.4.0" + "pkg:npm/has@1.0.3", + "pkg:npm/is@3.3.0" ], - "id": "pkg:npm/bl@3.0.0", + "id": "pkg:npm/node.extend@2.0.2", "licenses": [], "locations": [ { 
@@ -2510,17 +2153,17 @@ } ], "matched": true, - "name": "bl", - "package_ref": "pkg:npm/bl@3.0.0", - "purl": "pkg:npm/bl@3.0.0", + "name": "node.extend", + "package_ref": "pkg:npm/node.extend@2.0.2", + "purl": "pkg:npm/node.extend@2.0.2", "scopes": [ - "development" + "runtime" ], - "version": "3.0.0" + "version": "2.0.2" }, { "depends_on": [], - "id": "pkg:npm/bluebird@2.9.26", + "id": "pkg:npm/normalize-path@3.0.0", "licenses": [], "locations": [ { @@ -2533,17 +2176,17 @@ } ], "matched": true, - "name": "bluebird", - "package_ref": "pkg:npm/bluebird@2.9.26", - "purl": "pkg:npm/bluebird@2.9.26", + "name": "normalize-path", + "package_ref": "pkg:npm/normalize-path@3.0.0", + "purl": "pkg:npm/normalize-path@3.0.0", "scopes": [ - "runtime" + "development" ], - "version": "2.9.26" + "version": "3.0.0" }, { "depends_on": [], - "id": "pkg:npm/bluebird@3.5.4", + "id": "pkg:npm/object-inspect@1.8.0", "licenses": [], "locations": [ { @@ -2556,17 +2199,17 @@ } ], "matched": true, - "name": "bluebird", - "package_ref": "pkg:npm/bluebird@3.5.4", - "purl": "pkg:npm/bluebird@3.5.4", + "name": "object-inspect", + "package_ref": "pkg:npm/object-inspect@1.8.0", + "purl": "pkg:npm/object-inspect@1.8.0", "scopes": [ - "runtime" + "development" ], - "version": "3.5.4" + "version": "1.8.0" }, { "depends_on": [], - "id": "pkg:npm/bn.js@4.11.8", + "id": "pkg:npm/object-keys@1.1.1", "licenses": [], "locations": [ { 
@@ -2579,26 +2222,22 @@ } ], "matched": true, - "name": "bn.js", - "package_ref": "pkg:npm/bn.js@4.11.8", - "purl": "pkg:npm/bn.js@4.11.8", + "name": "object-keys", + "package_ref": "pkg:npm/object-keys@1.1.1", + "purl": "pkg:npm/object-keys@1.1.1", "scopes": [ "development" ], - "version": "4.11.8" + "version": "1.1.1" }, { "depends_on": [ - "pkg:npm/bytes@1.0.0", - "pkg:npm/depd@1.0.1", - "pkg:npm/iconv-lite@0.4.4", - "pkg:npm/media-typer@0.3.0", - "pkg:npm/on-finished@2.1.0", - "pkg:npm/qs@2.2.4", - "pkg:npm/raw-body@1.3.0", - "pkg:npm/type-is@1.5.7" - ], - "id": "pkg:npm/body-parser@1.9.0", + "pkg:npm/define-properties@1.1.3", + "pkg:npm/function-bind@1.1.1", + "pkg:npm/has-symbols@1.0.1", + "pkg:npm/object-keys@1.1.1" + ], + "id": "pkg:npm/object.assign@4.1.0", "licenses": [], "locations": [ { @@ -2611,25 +2250,20 @@ } ], "matched": true, - "name": "body-parser", - "package_ref": "pkg:npm/body-parser@1.9.0", - "purl": "pkg:npm/body-parser@1.9.0", + "name": "object.assign", + "package_ref": "pkg:npm/object.assign@4.1.0", + "purl": "pkg:npm/object.assign@4.1.0", "scopes": [ - "runtime" + "development" ], - "version": "1.9.0" + "version": "4.1.0" }, { "depends_on": [ - "pkg:npm/ansi-align@2.0.0", - "pkg:npm/camelcase@4.1.0", - "pkg:npm/chalk@2.4.2", - "pkg:npm/cli-boxes@1.0.0", - "pkg:npm/string-width@2.1.1", - "pkg:npm/term-size@1.2.0", - "pkg:npm/widest-line@2.0.1" - ], - "id": "pkg:npm/boxen@1.3.0", + "pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" + ], + "id": "pkg:npm/object.getownpropertydescriptors@2.1.0", "licenses": [], "locations": [ { 
@@ -2642,26 +2276,19 @@ } ], "matched": true, - "name": "boxen", - "package_ref": "pkg:npm/boxen@1.3.0", - "purl": "pkg:npm/boxen@1.3.0", + "name": "object.getownpropertydescriptors", + "package_ref": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "purl": "pkg:npm/object.getownpropertydescriptors@2.1.0", "scopes": [ "development" ], - "version": "1.3.0" + "version": "2.1.0" }, { "depends_on": [ - "pkg:npm/ansi-align@3.0.0", - "pkg:npm/camelcase@5.3.1", - "pkg:npm/chalk@3.0.0", - "pkg:npm/cli-boxes@2.2.1", - "pkg:npm/string-width@4.2.2", - "pkg:npm/term-size@2.2.1", - "pkg:npm/type-fest@0.8.1", - "pkg:npm/widest-line@3.1.0" - ], - "id": "pkg:npm/boxen@4.2.0", + "pkg:npm/wrappy@1.0.2" + ], + "id": "pkg:npm/once@1.4.0", "licenses": [], "locations": [ { @@ -2674,20 +2301,20 @@ } ], "matched": true, - "name": "boxen", - "package_ref": "pkg:npm/boxen@4.2.0", - "purl": "pkg:npm/boxen@4.2.0", + "name": "once", + "package_ref": "pkg:npm/once@1.4.0", + "purl": "pkg:npm/once@1.4.0", "scopes": [ "development" ], - "version": "4.2.0" + "version": "1.4.0" }, { "depends_on": [ - "pkg:npm/balanced-match@1.0.0", - "pkg:npm/concat-map@0.0.1" + "pkg:npm/minimist@0.0.10", + "pkg:npm/wordwrap@0.0.3" ], - "id": "pkg:npm/brace-expansion@1.1.11", + "id": "pkg:npm/optimist@0.6.1", "licenses": [], "locations": [ { 
@@ -2700,34 +2327,20 @@ } ], "matched": true, - "name": "brace-expansion", - "package_ref": "pkg:npm/brace-expansion@1.1.11", - "purl": "pkg:npm/brace-expansion@1.1.11", + "name": "optimist", + "package_ref": "pkg:npm/optimist@0.6.1", + "purl": "pkg:npm/optimist@0.6.1", "scopes": [ "runtime" ], - "version": "1.1.11" + "version": "0.6.1" }, { "depends_on": [ - "pkg:npm/arr-flatten@1.1.0", - "pkg:npm/array-unique@0.3.2", - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/fill-range@4.0.0", - "pkg:npm/isobject@3.0.1", - "pkg:npm/repeat-element@1.1.2", - "pkg:npm/snapdragon-node@2.1.1", - "pkg:npm/snapdragon@0.8.2", - "pkg:npm/split-string@3.1.0", - "pkg:npm/to-regex@3.0.2" - ], - "id": "pkg:npm/braces@2.3.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } + "pkg:npm/p-try@2.2.0" ], + "id": "pkg:npm/p-limit@2.3.0", + "licenses": [], "locations": [ { "access_path": "package-lock.json", @@ -2739,19 +2352,19 @@ } ], "matched": true, - "name": "braces", - "package_ref": "pkg:npm/braces@2.3.2", - "purl": "pkg:npm/braces@2.3.2", + "name": "p-limit", + "package_ref": "pkg:npm/p-limit@2.3.0", + "purl": "pkg:npm/p-limit@2.3.0", "scopes": [ - "runtime" + "development" ], - "version": "2.3.2" + "version": "2.3.0" }, { "depends_on": [ - "pkg:npm/fill-range@7.0.1" + "pkg:npm/p-limit@2.3.0" ], - "id": "pkg:npm/braces@3.0.2", + "id": "pkg:npm/p-locate@3.0.0", "licenses": [], "locations": [ { @@ -2764,17 +2377,17 @@ } ], "matched": true, - "name": "braces", - "package_ref": "pkg:npm/braces@3.0.2", - "purl": "pkg:npm/braces@3.0.2", + "name": "p-locate", + "package_ref": "pkg:npm/p-locate@3.0.0", + "purl": "pkg:npm/p-locate@3.0.0", "scopes": [ "development" ], - "version": "3.0.2" + "version": "3.0.0" }, { "depends_on": [], - "id": "pkg:npm/brorand@1.1.0", + "id": "pkg:npm/p-try@2.2.0", "licenses": [], "locations": [ { 
@@ -2787,24 +2400,17 @@ } ], "matched": true, - "name": "brorand", - "package_ref": "pkg:npm/brorand@1.1.0", - "purl": "pkg:npm/brorand@1.1.0", + "name": "p-try", + "package_ref": "pkg:npm/p-try@2.2.0", + "purl": "pkg:npm/p-try@2.2.0", "scopes": [ "development" ], - "version": "1.1.0" + "version": "2.2.0" }, { - "depends_on": [ - "pkg:npm/combine-source-map@0.8.0", - "pkg:npm/defined@1.0.0", - "pkg:npm/jsonstream@1.3.5", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/through2@2.0.5", - "pkg:npm/umd@3.0.3" - ], - "id": "pkg:npm/browser-pack@6.1.0", + "depends_on": [], + "id": "pkg:npm/path-exists@3.0.0", "licenses": [], "locations": [ { @@ -2817,19 +2423,17 @@ } ], "matched": true, - "name": "browser-pack", - "package_ref": "pkg:npm/browser-pack@6.1.0", - "purl": "pkg:npm/browser-pack@6.1.0", + "name": "path-exists", + "package_ref": "pkg:npm/path-exists@3.0.0", + "purl": "pkg:npm/path-exists@3.0.0", "scopes": [ "development" ], - "version": "6.1.0" + "version": "3.0.0" }, { - "depends_on": [ - "pkg:npm/resolve@1.1.7" - ], - "id": "pkg:npm/browser-resolve@1.11.3", + "depends_on": [], + "id": "pkg:npm/path-is-absolute@1.0.1", "licenses": [], "locations": [ { @@ -2842,24 +2446,17 @@ } ], "matched": true, - "name": "browser-resolve", - "package_ref": "pkg:npm/browser-resolve@1.11.3", - "purl": "pkg:npm/browser-resolve@1.11.3", + "name": "path-is-absolute", + "package_ref": "pkg:npm/path-is-absolute@1.0.1", + "purl": "pkg:npm/path-is-absolute@1.0.1", "scopes": [ "development" ], - "version": "1.11.3" + "version": "1.0.1" }, { - "depends_on": [ - "pkg:npm/buffer-xor@1.0.3", - "pkg:npm/cipher-base@1.0.4", - "pkg:npm/create-hash@1.2.0", - "pkg:npm/evp_bytestokey@1.0.3", - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/browserify-aes@1.2.0", + "depends_on": [], + "id": "pkg:npm/picomatch@2.2.2", "licenses": [], "locations": [ { 
@@ -2872,21 +2469,17 @@ } ], "matched": true, - "name": "browserify-aes", - "package_ref": "pkg:npm/browserify-aes@1.2.0", - "purl": "pkg:npm/browserify-aes@1.2.0", + "name": "picomatch", + "package_ref": "pkg:npm/picomatch@2.2.2", + "purl": "pkg:npm/picomatch@2.2.2", "scopes": [ "development" ], - "version": "1.2.0" + "version": "2.2.2" }, { - "depends_on": [ - "pkg:npm/browserify-aes@1.2.0", - "pkg:npm/browserify-des@1.0.2", - "pkg:npm/evp_bytestokey@1.0.3" - ], - "id": "pkg:npm/browserify-cipher@1.0.1", + "depends_on": [], + "id": "pkg:npm/punycode@1.3.2", "licenses": [], "locations": [ { @@ -2899,22 +2492,17 @@ } ], "matched": true, - "name": "browserify-cipher", - "package_ref": "pkg:npm/browserify-cipher@1.0.1", - "purl": "pkg:npm/browserify-cipher@1.0.1", + "name": "punycode", + "package_ref": "pkg:npm/punycode@1.3.2", + "purl": "pkg:npm/punycode@1.3.2", "scopes": [ - "development" + "runtime" ], - "version": "1.0.1" + "version": "1.3.2" }, { - "depends_on": [ - "pkg:npm/cipher-base@1.0.4", - "pkg:npm/des.js@1.0.0", - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/browserify-des@1.0.2", + "depends_on": [], + "id": "pkg:npm/qs@6.9.1", "licenses": [], "locations": [ { @@ -2927,20 +2515,17 @@ } ], "matched": true, - "name": "browserify-des", - "package_ref": "pkg:npm/browserify-des@1.0.2", - "purl": "pkg:npm/browserify-des@1.0.2", + "name": "qs", + "package_ref": "pkg:npm/qs@6.9.1", + "purl": "pkg:npm/qs@6.9.1", "scopes": [ - "development" + "runtime" ], - "version": "1.0.2" + "version": "6.9.1" }, { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/randombytes@2.1.0" - ], - "id": "pkg:npm/browserify-rsa@4.0.1", + "depends_on": [], + "id": "pkg:npm/querystring@0.2.0", "licenses": [], "locations": [ { 
@@ -2953,25 +2538,22 @@ } ], "matched": true, - "name": "browserify-rsa", - "package_ref": "pkg:npm/browserify-rsa@4.0.1", - "purl": "pkg:npm/browserify-rsa@4.0.1", + "name": "querystring", + "package_ref": "pkg:npm/querystring@0.2.0", + "purl": "pkg:npm/querystring@0.2.0", "scopes": [ - "development" + "runtime" ], - "version": "4.0.1" + "version": "0.2.0" }, { "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/browserify-rsa@4.0.1", - "pkg:npm/create-hash@1.2.0", - "pkg:npm/create-hmac@1.1.7", - "pkg:npm/elliptic@6.4.1", - "pkg:npm/inherits@2.0.3", - "pkg:npm/parse-asn1@5.1.4" - ], - "id": "pkg:npm/browserify-sign@4.0.4", + "pkg:npm/core-util-is@1.0.2", + "pkg:npm/inherits@2.0.4", + "pkg:npm/isarray@0.0.1", + "pkg:npm/string_decoder@0.10.31" + ], + "id": "pkg:npm/readable-stream@1.1.14", "licenses": [], "locations": [ { @@ -2984,19 +2566,19 @@ } ], "matched": true, - "name": "browserify-sign", - "package_ref": "pkg:npm/browserify-sign@4.0.4", - "purl": "pkg:npm/browserify-sign@4.0.4", + "name": "readable-stream", + "package_ref": "pkg:npm/readable-stream@1.1.14", + "purl": "pkg:npm/readable-stream@1.1.14", "scopes": [ - "development" + "runtime" ], - "version": "4.0.4" + "version": "1.1.14" }, { "depends_on": [ - "pkg:npm/pako@0.2.9" + "pkg:npm/picomatch@2.2.2" ], - "id": "pkg:npm/browserify-zlib@0.1.4", + "id": "pkg:npm/readdirp@3.2.0", "licenses": [], "locations": [ { 
@@ -3009,65 +2591,17 @@ } ], "matched": true, - "name": "browserify-zlib", - "package_ref": "pkg:npm/browserify-zlib@0.1.4", - "purl": "pkg:npm/browserify-zlib@0.1.4", + "name": "readdirp", + "package_ref": "pkg:npm/readdirp@3.2.0", + "purl": "pkg:npm/readdirp@3.2.0", "scopes": [ "development" ], - "version": "0.1.4" + "version": "3.2.0" }, { - "depends_on": [ - "pkg:npm/assert@1.4.1", - "pkg:npm/browser-pack@6.1.0", - "pkg:npm/browser-resolve@1.11.3", - "pkg:npm/browserify-zlib@0.1.4", - "pkg:npm/buffer@4.9.1", - "pkg:npm/cached-path-relative@1.0.2", - "pkg:npm/concat-stream@1.5.2", - "pkg:npm/console-browserify@1.1.0", - "pkg:npm/constants-browserify@1.0.0", - "pkg:npm/crypto-browserify@3.12.0", - "pkg:npm/defined@1.0.0", - "pkg:npm/deps-sort@2.0.0", - "pkg:npm/domain-browser@1.1.7", - "pkg:npm/duplexer2@0.1.4", - "pkg:npm/events@1.1.1", - "pkg:npm/glob@7.1.3", - "pkg:npm/has@1.0.3", - "pkg:npm/htmlescape@1.1.1", - "pkg:npm/https-browserify@0.0.1", - "pkg:npm/inherits@2.0.3", - "pkg:npm/insert-module-globals@7.2.0", - "pkg:npm/jsonstream@1.3.5", - "pkg:npm/labeled-stream-splicer@2.0.1", - "pkg:npm/module-deps@4.1.1", - "pkg:npm/os-browserify@0.1.2", - "pkg:npm/parents@1.0.1", - "pkg:npm/path-browserify@0.0.1", - "pkg:npm/process@0.11.10", - "pkg:npm/punycode@1.4.1", - "pkg:npm/querystring-es3@0.2.1", - "pkg:npm/read-only-stream@2.0.0", - "pkg:npm/readable-stream@2.3.6", - "pkg:npm/resolve@1.10.0", - "pkg:npm/shasum@1.0.2", - "pkg:npm/shell-quote@1.6.1", - "pkg:npm/stream-browserify@2.0.2", - "pkg:npm/stream-http@2.8.3", - "pkg:npm/string_decoder@0.10.31", - "pkg:npm/subarg@1.0.0", - "pkg:npm/syntax-error@1.4.0", - "pkg:npm/through2@2.0.5", - "pkg:npm/timers-browserify@1.4.2", - "pkg:npm/tty-browserify@0.0.1", - "pkg:npm/url@0.11.0", - "pkg:npm/util@0.10.4", - "pkg:npm/vm-browserify@0.0.4", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/browserify@13.3.0", + "depends_on": [], + "id": "pkg:npm/require-directory@2.1.1", "licenses": [], "locations": [ { 
@@ -3080,17 +2614,17 @@ } ], "matched": true, - "name": "browserify", - "package_ref": "pkg:npm/browserify@13.3.0", - "purl": "pkg:npm/browserify@13.3.0", + "name": "require-directory", + "package_ref": "pkg:npm/require-directory@2.1.1", + "purl": "pkg:npm/require-directory@2.1.1", "scopes": [ "development" ], - "version": "13.3.0" + "version": "2.1.1" }, { "depends_on": [], - "id": "pkg:npm/bson@0.4.23", + "id": "pkg:npm/require-main-filename@2.0.0", "licenses": [], "locations": [ { @@ -3103,17 +2637,17 @@ } ], "matched": true, - "name": "bson", - "package_ref": "pkg:npm/bson@0.4.23", - "purl": "pkg:npm/bson@0.4.23", + "name": "require-main-filename", + "package_ref": "pkg:npm/require-main-filename@2.0.0", + "purl": "pkg:npm/require-main-filename@2.0.0", "scopes": [ - "runtime" + "development" ], - "version": "0.4.23" + "version": "2.0.0" }, { "depends_on": [], - "id": "pkg:npm/bson@1.1.4", + "id": "pkg:npm/semver@5.7.1", "licenses": [], "locations": [ { @@ -3126,17 +2660,17 @@ } ], "matched": true, - "name": "bson", - "package_ref": "pkg:npm/bson@1.1.4", - "purl": "pkg:npm/bson@1.1.4", + "name": "semver", + "package_ref": "pkg:npm/semver@5.7.1", + "purl": "pkg:npm/semver@5.7.1", "scopes": [ "runtime" ], - "version": "1.1.4" + "version": "5.7.1" }, { "depends_on": [], - "id": "pkg:npm/buffer-from@1.1.1", + "id": "pkg:npm/set-blocking@2.0.0", "licenses": [], "locations": [ { @@ -3149,17 +2683,17 @@ } ], "matched": true, - "name": "buffer-from", - "package_ref": "pkg:npm/buffer-from@1.1.1", - "purl": "pkg:npm/buffer-from@1.1.1", + "name": "set-blocking", + "package_ref": "pkg:npm/set-blocking@2.0.0", + "purl": "pkg:npm/set-blocking@2.0.0", "scopes": [ - "runtime" + "development" ], - "version": "1.1.1" + "version": "2.0.0" }, { "depends_on": [], - "id": "pkg:npm/buffer-xor@1.0.3", + "id": "pkg:npm/sprintf-js@1.0.3", "licenses": [], "locations": [ { 
@@ -3172,21 +2706,17 @@ } ], "matched": true, - "name": "buffer-xor", - "package_ref": "pkg:npm/buffer-xor@1.0.3", - "purl": "pkg:npm/buffer-xor@1.0.3", + "name": "sprintf-js", + "package_ref": "pkg:npm/sprintf-js@1.0.3", + "purl": "pkg:npm/sprintf-js@1.0.3", "scopes": [ - "development" + "runtime" ], "version": "1.0.3" }, { - "depends_on": [ - "pkg:npm/base64-js@1.3.0", - "pkg:npm/ieee754@1.1.13", - "pkg:npm/isarray@1.0.0" - ], - "id": "pkg:npm/buffer@4.9.1", + "depends_on": [], + "id": "pkg:npm/streamsearch@0.1.2", "licenses": [], "locations": [ { @@ -3198,21 +2728,20 @@ "real_path": "package-lock.json" } ], - "matched": true, - "name": "buffer", - "package_ref": "pkg:npm/buffer@4.9.1", - "purl": "pkg:npm/buffer@4.9.1", + "name": "streamsearch", + "package_ref": "pkg:npm/streamsearch@0.1.2", + "purl": "pkg:npm/streamsearch@0.1.2", "scopes": [ - "development" + "runtime" ], - "version": "4.9.1" + "version": "0.1.2" }, { "depends_on": [ - "pkg:npm/base64-js@1.3.0", - "pkg:npm/ieee754@1.1.13" + "pkg:npm/is-fullwidth-code-point@2.0.0", + "pkg:npm/strip-ansi@4.0.0" ], - "id": "pkg:npm/buffer@5.6.0", + "id": "pkg:npm/string-width@2.1.1", "licenses": [], "locations": [ { 
@@ -3225,34 +2754,47 @@ } ], "matched": true, - "name": "buffer", - "package_ref": "pkg:npm/buffer@5.6.0", - "purl": "pkg:npm/buffer@5.6.0", + "name": "string-width", + "package_ref": "pkg:npm/string-width@2.1.1", + "purl": "pkg:npm/string-width@2.1.1", "scopes": [ - "runtime" + "development" ], - "version": "5.6.0" + "version": "2.1.1" }, { - "depends_on": [], - "id": "pkg:npm/builtin-modules@1.1.1", - "licenses": [ + "depends_on": [ + "pkg:npm/emoji-regex@7.0.3", + "pkg:npm/is-fullwidth-code-point@2.0.0", + "pkg:npm/strip-ansi@5.2.0" + ], + "id": "pkg:npm/string-width@3.1.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "builtin-modules", - "package_ref": "pkg:npm/builtin-modules@1.1.1", - "purl": "pkg:npm/builtin-modules@1.1.1", + "matched": true, + "name": "string-width", + "package_ref": "pkg:npm/string-width@3.1.0", + "purl": "pkg:npm/string-width@3.1.0", "scopes": [ - "runtime" + "development" ], - "version": "1.1.1" + "version": "3.1.0" }, { - "depends_on": [], - "id": "pkg:npm/builtin-status-codes@3.0.0", + "depends_on": [ + "pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" + ], + "id": "pkg:npm/string.prototype.trimend@1.0.1", "licenses": [], "locations": [ { 
@@ -3265,19 +2807,20 @@ } ], "matched": true, - "name": "builtin-status-codes", - "package_ref": "pkg:npm/builtin-status-codes@3.0.0", - "purl": "pkg:npm/builtin-status-codes@3.0.0", + "name": "string.prototype.trimend", + "package_ref": "pkg:npm/string.prototype.trimend@1.0.1", + "purl": "pkg:npm/string.prototype.trimend@1.0.1", "scopes": [ "development" ], - "version": "3.0.0" + "version": "1.0.1" }, { "depends_on": [ - "pkg:npm/dicer@0.3.0" + "pkg:npm/define-properties@1.1.3", + "pkg:npm/es-abstract@1.17.6" ], - "id": "pkg:npm/busboy@0.3.1", + "id": "pkg:npm/string.prototype.trimstart@1.0.1", "licenses": [], "locations": [ { @@ -3289,17 +2832,18 @@ "real_path": "package-lock.json" } ], - "name": "busboy", - "package_ref": "pkg:npm/busboy@0.3.1", - "purl": "pkg:npm/busboy@0.3.1", + "matched": true, + "name": "string.prototype.trimstart", + "package_ref": "pkg:npm/string.prototype.trimstart@1.0.1", + "purl": "pkg:npm/string.prototype.trimstart@1.0.1", "scopes": [ - "runtime" + "development" ], - "version": "0.3.1" + "version": "1.0.1" }, { "depends_on": [], - "id": "pkg:npm/bytes@1.0.0", + "id": "pkg:npm/string_decoder@0.10.31", "licenses": [], "locations": [ { @@ -3311,17 +2855,20 @@ "real_path": "package-lock.json" } ], - "name": "bytes", - "package_ref": "pkg:npm/bytes@1.0.0", - "purl": "pkg:npm/bytes@1.0.0", + "matched": true, + "name": "string_decoder", + "package_ref": "pkg:npm/string_decoder@0.10.31", + "purl": "pkg:npm/string_decoder@0.10.31", "scopes": [ "runtime" ], - "version": "1.0.0" + "version": "0.10.31" }, { - "depends_on": [], - "id": "pkg:npm/bytes@3.1.0", + "depends_on": [ + "pkg:npm/ansi-regex@3.0.0" + ], + "id": "pkg:npm/strip-ansi@4.0.0", "licenses": [], "locations": [ { 
@@ -3333,52 +2880,20 @@ "real_path": "package-lock.json" } ], - "name": "bytes", - "package_ref": "pkg:npm/bytes@3.1.0", - "purl": "pkg:npm/bytes@3.1.0", + "matched": true, + "name": "strip-ansi", + "package_ref": "pkg:npm/strip-ansi@4.0.0", + "purl": "pkg:npm/strip-ansi@4.0.0", "scopes": [ "development" ], - "version": "3.1.0" + "version": "4.0.0" }, { "depends_on": [ - "pkg:npm/collection-visit@1.0.0", - "pkg:npm/component-emitter@1.2.1", - "pkg:npm/get-value@2.0.6", - "pkg:npm/has-value@1.0.0", - "pkg:npm/isobject@3.0.1", - "pkg:npm/set-value@2.0.0", - "pkg:npm/to-object-path@0.3.0", - "pkg:npm/union-value@1.0.0", - "pkg:npm/unset-value@1.0.0" - ], - "id": "pkg:npm/cache-base@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "cache-base", - "package_ref": "pkg:npm/cache-base@1.0.1", - "purl": "pkg:npm/cache-base@1.0.1", - "scopes": [ - "runtime" + "pkg:npm/ansi-regex@4.1.0" ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/clone-response@1.0.2", - "pkg:npm/get-stream@5.2.0", - "pkg:npm/http-cache-semantics@4.1.0", - "pkg:npm/keyv@3.1.0", - "pkg:npm/lowercase-keys@2.0.0", - "pkg:npm/normalize-url@4.5.1", - "pkg:npm/responselike@1.0.2" - ], - "id": "pkg:npm/cacheable-request@6.1.0", + "id": "pkg:npm/strip-ansi@5.2.0", "licenses": [], "locations": [ { @@ -3390,17 +2905,18 @@ "real_path": "package-lock.json" } ], - "name": "cacheable-request", - "package_ref": "pkg:npm/cacheable-request@6.1.0", - "purl": "pkg:npm/cacheable-request@6.1.0", + "matched": true, + "name": "strip-ansi", + "package_ref": "pkg:npm/strip-ansi@5.2.0", + "purl": "pkg:npm/strip-ansi@5.2.0", "scopes": [ "development" ], - "version": "6.1.0" + "version": "5.2.0" }, { "depends_on": [], - "id": "pkg:npm/cached-path-relative@1.0.2", + "id": "pkg:npm/strip-json-comments@2.0.1", "licenses": [], "locations": [ { 
@@ -3413,44 +2929,45 @@ } ], "matched": true, - "name": "cached-path-relative", - "package_ref": "pkg:npm/cached-path-relative@1.0.2", - "purl": "pkg:npm/cached-path-relative@1.0.2", + "name": "strip-json-comments", + "package_ref": "pkg:npm/strip-json-comments@2.0.1", + "purl": "pkg:npm/strip-json-comments@2.0.1", "scopes": [ "development" ], - "version": "1.0.2" + "version": "2.0.1" }, { "depends_on": [ - "pkg:npm/md5-hex@1.3.0", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/write-file-atomic@1.3.4" + "pkg:npm/has-flag@3.0.0" ], - "id": "pkg:npm/caching-transform@1.0.1", - "licenses": [ + "id": "pkg:npm/supports-color@5.5.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "caching-transform", - "package_ref": "pkg:npm/caching-transform@1.0.1", - "purl": "pkg:npm/caching-transform@1.0.1", + "matched": true, + "name": "supports-color", + "package_ref": "pkg:npm/supports-color@5.5.0", + "purl": "pkg:npm/supports-color@5.5.0", "scopes": [ - "runtime" + "development" ], - "version": "1.0.1" + "version": "5.5.0" }, { - "depends_on": [], - "id": "pkg:npm/camelcase@1.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } + "depends_on": [ + "pkg:npm/has-flag@3.0.0" ], + "id": "pkg:npm/supports-color@6.0.0", + "licenses": [], "locations": [ { "access_path": "package-lock.json", 
@@ -3461,17 +2978,20 @@ "real_path": "package-lock.json" } ], - "name": "camelcase", - "package_ref": "pkg:npm/camelcase@1.2.1", - "purl": "pkg:npm/camelcase@1.2.1", + "matched": true, + "name": "supports-color", + "package_ref": "pkg:npm/supports-color@6.0.0", + "purl": "pkg:npm/supports-color@6.0.0", "scopes": [ - "runtime" + "development" ], - "version": "1.2.1" + "version": "6.0.0" }, { - "depends_on": [], - "id": "pkg:npm/camelcase@2.1.1", + "depends_on": [ + "pkg:npm/is-number@7.0.0" + ], + "id": "pkg:npm/to-regex-range@5.0.1", "licenses": [], "locations": [ { @@ -3483,17 +3003,24 @@ "real_path": "package-lock.json" } ], - "name": "camelcase", - "package_ref": "pkg:npm/camelcase@2.1.1", - "purl": "pkg:npm/camelcase@2.1.1", + "matched": true, + "name": "to-regex-range", + "package_ref": "pkg:npm/to-regex-range@5.0.1", + "purl": "pkg:npm/to-regex-range@5.0.1", "scopes": [ "development" ], - "version": "2.1.1" + "version": "5.0.1" }, { - "depends_on": [], - "id": "pkg:npm/camelcase@4.1.0", + "depends_on": [ + "pkg:npm/handy@0.0.13", + "pkg:npm/htmlparser@1.7.7", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/optimist@0.6.1", + "pkg:npm/underscore@1.9.2" + ], + "id": "pkg:npm/to@0.2.9", "licenses": [], "locations": [ { @@ -3505,18 +3032,17 @@ "real_path": "package-lock.json" } ], - "name": "camelcase", - "package_ref": "pkg:npm/camelcase@4.1.0", - "purl": "pkg:npm/camelcase@4.1.0", + "name": "to", + "package_ref": "pkg:npm/to@0.2.9", + "purl": "pkg:npm/to@0.2.9", "scopes": [ - "development", "runtime" ], - "version": "4.1.0" + "version": "0.2.9" }, { "depends_on": [], - "id": "pkg:npm/camelcase@5.3.1", + "id": "pkg:npm/underscore@1.9.2", "licenses": [], "locations": [ { 
@@ -3528,18 +3054,18 @@ "real_path": "package-lock.json" } ], - "name": "camelcase", - "package_ref": "pkg:npm/camelcase@5.3.1", - "purl": "pkg:npm/camelcase@5.3.1", + "matched": true, + "name": "underscore", + "package_ref": "pkg:npm/underscore@1.9.2", + "purl": "pkg:npm/underscore@1.9.2", "scopes": [ - "development", "runtime" ], - "version": "5.3.1" + "version": "1.9.2" }, { "depends_on": [], - "id": "pkg:npm/capture-stack-trace@1.0.1", + "id": "pkg:npm/universalify@0.1.2", "licenses": [], "locations": [ { @@ -3551,17 +3077,21 @@ "real_path": "package-lock.json" } ], - "name": "capture-stack-trace", - "package_ref": "pkg:npm/capture-stack-trace@1.0.1", - "purl": "pkg:npm/capture-stack-trace@1.0.1", + "matched": true, + "name": "universalify", + "package_ref": "pkg:npm/universalify@0.1.2", + "purl": "pkg:npm/universalify@0.1.2", "scopes": [ - "development" + "runtime" ], - "version": "1.0.1" + "version": "0.1.2" }, { - "depends_on": [], - "id": "pkg:npm/caseless@0.12.0", + "depends_on": [ + "pkg:npm/punycode@1.3.2", + "pkg:npm/querystring@0.2.0" + ], + "id": "pkg:npm/url@0.11.0", "licenses": [], "locations": [ { 
@@ -3573,41 +3103,41 @@ "real_path": "package-lock.json" } ], - "name": "caseless", - "package_ref": "pkg:npm/caseless@0.12.0", - "purl": "pkg:npm/caseless@0.12.0", + "matched": true, + "name": "url", + "package_ref": "pkg:npm/url@0.11.0", + "purl": "pkg:npm/url@0.11.0", "scopes": [ "runtime" ], - "version": "0.12.0" + "version": "0.11.0" }, { - "depends_on": [ - "pkg:npm/align-text@0.1.4", - "pkg:npm/lazy-cache@1.0.4" - ], - "id": "pkg:npm/center-align@0.1.3", - "licenses": [ + "depends_on": [], + "id": "pkg:npm/uuid@3.4.0", + "licenses": [], + "locations": [ { - "type": "declared", - "value": "MIT" + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" } ], - "name": "center-align", - "package_ref": "pkg:npm/center-align@0.1.3", - "purl": "pkg:npm/center-align@0.1.3", + "matched": true, + "name": "uuid", + "package_ref": "pkg:npm/uuid@3.4.0", + "purl": "pkg:npm/uuid@3.4.0", "scopes": [ "runtime" ], - "version": "0.1.3" + "version": "3.4.0" }, { - "depends_on": [ - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/ports@1.1.0", - "pkg:npm/underscore@1.9.1" - ], - "id": "pkg:npm/cfenv@1.2.2", + "depends_on": [], + "id": "pkg:npm/which-module@2.0.0", "licenses": [], "locations": [ { 
@@ -3619,29 +3149,21 @@ "real_path": "package-lock.json" } ], - "name": "cfenv", - "package_ref": "pkg:npm/cfenv@1.2.2", - "purl": "pkg:npm/cfenv@1.2.2", + "matched": true, + "name": "which-module", + "package_ref": "pkg:npm/which-module@2.0.0", + "purl": "pkg:npm/which-module@2.0.0", "scopes": [ - "runtime" + "development" ], - "version": "1.2.2" + "version": "2.0.0" }, { "depends_on": [ - "pkg:npm/ansi-styles@2.2.1", - "pkg:npm/escape-string-regexp@1.0.5", - "pkg:npm/has-ansi@2.0.0", - "pkg:npm/strip-ansi@3.0.1", - "pkg:npm/supports-color@2.0.0" - ], - "id": "pkg:npm/chalk@1.1.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } + "pkg:npm/isexe@2.0.0" ], + "id": "pkg:npm/which@1.3.1", + "licenses": [], "locations": [ { "access_path": "package-lock.json", @@ -3652,49 +3174,20 @@ "real_path": "package-lock.json" } ], - "name": "chalk", - "package_ref": "pkg:npm/chalk@1.1.3", - "purl": "pkg:npm/chalk@1.1.3", + "matched": true, + "name": "which", + "package_ref": "pkg:npm/which@1.3.1", + "purl": "pkg:npm/which@1.3.1", "scopes": [ - "runtime" - ], - "version": "1.1.3" - }, - { - "depends_on": [ - "pkg:npm/ansi-styles@3.2.1", - "pkg:npm/escape-string-regexp@1.0.5", - "pkg:npm/supports-color@5.5.0" - ], - "id": "pkg:npm/chalk@2.4.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "chalk", - "package_ref": "pkg:npm/chalk@2.4.2", - "purl": "pkg:npm/chalk@2.4.2", - "scopes": [ - "development", - "runtime" + "development" ], - "version": "2.4.2" + "version": "1.3.1" }, { "depends_on": [ - "pkg:npm/ansi-styles@4.2.1", - "pkg:npm/ansi-styles@4.3.0", - "pkg:npm/supports-color@7.1.0", - "pkg:npm/supports-color@7.2.0" + "pkg:npm/string-width@2.1.1" ], - "id": "pkg:npm/chalk@3.0.0", + "id": "pkg:npm/wide-align@1.1.3", "licenses": [], "locations": [ { 
@@ -3706,18 +3199,18 @@ "real_path": "package-lock.json" } ], - "name": "chalk", - "package_ref": "pkg:npm/chalk@3.0.0", - "purl": "pkg:npm/chalk@3.0.0", + "matched": true, + "name": "wide-align", + "package_ref": "pkg:npm/wide-align@1.1.3", + "purl": "pkg:npm/wide-align@1.1.3", "scopes": [ - "development", - "runtime" + "development" ], - "version": "3.0.0" + "version": "1.1.3" }, { "depends_on": [], - "id": "pkg:npm/chardet@0.7.0", + "id": "pkg:npm/wordwrap@0.0.3", "licenses": [], "locations": [ { @@ -3729,26 +3222,22 @@ "real_path": "package-lock.json" } ], - "name": "chardet", - "package_ref": "pkg:npm/chardet@0.7.0", - "purl": "pkg:npm/chardet@0.7.0", + "matched": true, + "name": "wordwrap", + "package_ref": "pkg:npm/wordwrap@0.0.3", + "purl": "pkg:npm/wordwrap@0.0.3", "scopes": [ - "development" + "runtime" ], - "version": "0.7.0" + "version": "0.0.3" }, { "depends_on": [ - "pkg:npm/anymatch@3.1.2", - "pkg:npm/braces@3.0.2", - "pkg:npm/fsevents@2.3.2", - "pkg:npm/glob-parent@5.1.2", - "pkg:npm/is-binary-path@2.1.0", - "pkg:npm/is-glob@4.0.1", - "pkg:npm/normalize-path@3.0.0", - "pkg:npm/readdirp@3.5.0" + "pkg:npm/ansi-styles@3.2.1", + "pkg:npm/string-width@3.1.0", + "pkg:npm/strip-ansi@5.2.0" ], - "id": "pkg:npm/chokidar@3.5.1", + "id": "pkg:npm/wrap-ansi@5.1.0", "licenses": [], "locations": [ { @@ -3760,17 +3249,18 @@ "real_path": "package-lock.json" } ], - "name": "chokidar", - "package_ref": "pkg:npm/chokidar@3.5.1", - "purl": "pkg:npm/chokidar@3.5.1", + "matched": true, + "name": "wrap-ansi", + "package_ref": "pkg:npm/wrap-ansi@5.1.0", + "purl": "pkg:npm/wrap-ansi@5.1.0", "scopes": [ "development" ], - "version": "3.5.1" + "version": "5.1.0" }, { "depends_on": [], - "id": "pkg:npm/ci-info@1.6.0", + "id": "pkg:npm/wrappy@1.0.2", "licenses": [], "locations": [ { 
@@ -3782,17 +3272,18 @@ "real_path": "package-lock.json" } ], - "name": "ci-info", - "package_ref": "pkg:npm/ci-info@1.6.0", - "purl": "pkg:npm/ci-info@1.6.0", + "matched": true, + "name": "wrappy", + "package_ref": "pkg:npm/wrappy@1.0.2", + "purl": "pkg:npm/wrappy@1.0.2", "scopes": [ "development" ], - "version": "1.6.0" + "version": "1.0.2" }, { "depends_on": [], - "id": "pkg:npm/ci-info@2.0.0", + "id": "pkg:npm/y18n@4.0.0", "licenses": [], "locations": [ { @@ -3804,20 +3295,21 @@ "real_path": "package-lock.json" } ], - "name": "ci-info", - "package_ref": "pkg:npm/ci-info@2.0.0", - "purl": "pkg:npm/ci-info@2.0.0", + "matched": true, + "name": "y18n", + "package_ref": "pkg:npm/y18n@4.0.0", + "purl": "pkg:npm/y18n@4.0.0", "scopes": [ "development" ], - "version": "2.0.0" + "version": "4.0.0" }, { "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" + "pkg:npm/camelcase@5.3.1", + "pkg:npm/decamelize@1.2.0" ], - "id": "pkg:npm/cipher-base@1.0.4", + "id": "pkg:npm/yargs-parser@13.1.2", "licenses": [], "locations": [ { 
@@ -3830,83 +3322,21 @@ } ], "matched": true, - "name": "cipher-base", - "package_ref": "pkg:npm/cipher-base@1.0.4", - "purl": "pkg:npm/cipher-base@1.0.4", + "name": "yargs-parser", + "package_ref": "pkg:npm/yargs-parser@13.1.2", + "purl": "pkg:npm/yargs-parser@13.1.2", "scopes": [ "development" ], - "version": "1.0.4" + "version": "13.1.2" }, { "depends_on": [ - "pkg:npm/arr-union@3.1.0", - "pkg:npm/define-property@0.2.5", - "pkg:npm/isobject@3.0.1", - "pkg:npm/static-extend@0.1.2" - ], - "id": "pkg:npm/class-utils@0.3.6", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "class-utils", - "package_ref": "pkg:npm/class-utils@0.3.6", - "purl": "pkg:npm/class-utils@0.3.6", - "scopes": [ - "runtime" - ], - "version": "0.3.6" - }, - { - "depends_on": [], - "id": "pkg:npm/clean-yaml-object@0.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "clean-yaml-object", - "package_ref": "pkg:npm/clean-yaml-object@0.1.0", - "purl": "pkg:npm/clean-yaml-object@0.1.0", - "scopes": [ - "runtime" - ], - "version": "0.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/cli-boxes@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cli-boxes", - "package_ref": "pkg:npm/cli-boxes@1.0.0", - "purl": "pkg:npm/cli-boxes@1.0.0", - "scopes": [ - "development" + "pkg:npm/flat@4.1.0", + "pkg:npm/lodash@4.17.15", + "pkg:npm/yargs@13.3.2" ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/cli-boxes@2.2.1", + "id": "pkg:npm/yargs-unparser@1.6.0", "licenses": [], "locations": [ { 
@@ -3918,19 +3348,29 @@ "real_path": "package-lock.json" } ], - "name": "cli-boxes", - "package_ref": "pkg:npm/cli-boxes@2.2.1", - "purl": "pkg:npm/cli-boxes@2.2.1", + "matched": true, + "name": "yargs-unparser", + "package_ref": "pkg:npm/yargs-unparser@1.6.0", + "purl": "pkg:npm/yargs-unparser@1.6.0", "scopes": [ "development" ], - "version": "2.2.1" + "version": "1.6.0" }, { "depends_on": [ - "pkg:npm/restore-cursor@2.0.0" + "pkg:npm/cliui@5.0.0", + "pkg:npm/find-up@3.0.0", + "pkg:npm/get-caller-file@2.0.5", + "pkg:npm/require-directory@2.1.1", + "pkg:npm/require-main-filename@2.0.0", + "pkg:npm/set-blocking@2.0.0", + "pkg:npm/string-width@3.1.0", + "pkg:npm/which-module@2.0.0", + "pkg:npm/y18n@4.0.0", + "pkg:npm/yargs-parser@13.1.2" ], - "id": "pkg:npm/cli-cursor@2.1.0", + "id": "pkg:npm/yargs@13.3.2", "licenses": [], "locations": [ { 
@@ -3942,52103 +3382,115 @@ "real_path": "package-lock.json" } ], - "name": "cli-cursor", - "package_ref": "pkg:npm/cli-cursor@2.1.0", - "purl": "pkg:npm/cli-cursor@2.1.0", + "matched": true, + "name": "yargs", + "package_ref": "pkg:npm/yargs@13.3.2", + "purl": "pkg:npm/yargs@13.3.2", "scopes": [ "development" ], - "version": "2.1.0" - }, + "version": "13.3.2" + } + ], + "detector": "npm-detector", + "ecosystem": "npm", + "kind": "package-lock.json", + "package_manager": "npm", + "path": "package-lock.json", + "subproject": "." + } + ], + "metadata": { + "analyzer_runs": [ + "JavaScript Reachability" + ], + "analyzer_stats": { + "jsreach": { + "reachable": 19, + "unreachable": 23 + } + }, + "duration_ms": 0, + "reachability_enabled": true + }, + "packages": [ + { + "ecosystem": "npm", + "licenses": [ { - "depends_on": [ - "pkg:npm/chalk@3.0.0", - "pkg:npm/highlight.js@9.18.1", - "pkg:npm/mz@2.7.0", - "pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1", - "pkg:npm/parse5@5.1.1", - "pkg:npm/yargs@15.4.1" - ], - "id": "pkg:npm/cli-highlight@2.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cli-highlight", - "package_ref": "pkg:npm/cli-highlight@2.1.4", - "purl": "pkg:npm/cli-highlight@2.1.4", - "scopes": [ - "runtime" - ], - "version": "2.1.4" - }, + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "algo-httpserv", + "purl": "pkg:npm/algo-httpserv@1.1.1", + "version": "1.1.1", + "vulnerabilities": [ { - "depends_on": [], - "id": "pkg:npm/cli-spinner@0.2.10", - "licenses": [], - "locations": [ + "affected_version_range": "\u003c1.1.2 (semantic)", + "cvss": [ { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" + "score": 8.6, + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", + "version": "3.1" } ], - "name": "cli-spinner", - "package_ref": "pkg:npm/cli-spinner@0.2.10", - "purl": "pkg:npm/cli-spinner@0.2.10", - "scopes": [ - "development" - ], - "version": "0.2.10" - }, - { - "depends_on": [], - "id": "pkg:npm/cli-width@2.2.0", - "licenses": [], - "locations": [ + "data_source": "https://github.com/advisories/GHSA-cgjv-rghq-qhgp", + "description": "Path Traversal in algo-httpserv", + "fix_available": [ { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" + "date": "2020-09-12", + "kind": "first-observed", + "version": "1.1.2" } ], - "name": "cli-width", - "package_ref": "pkg:npm/cli-width@2.2.0", - "purl": "pkg:npm/cli-width@2.2.0", - "scopes": [ - "development" + "fix_state": "fixed", + "fixed_in": "1.1.2", + "fixed_versions": [ + "1.1.2" ], - "version": "2.2.0" - }, - { - "depends_on": [ - "pkg:npm/center-align@0.1.3", - "pkg:npm/right-align@0.1.3", - "pkg:npm/wordwrap@0.0.2" + "id": "GHSA-cgjv-rghq-qhgp", + "namespace": "github:language:javascript", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "jsreach", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", + "tier": "package" + }, + "reasons": [ + "Fix available: upgrade to 1.1.2", + "Fix state: fixed", + "https://github.com/AlgoRythm-Dylan/httpserv/commit/bcfe9d4316c2b59aab3a64a38905376026888735", + "https://snyk.io/vuln/SNYK-JS-ALGOHTTPSERV-174741", + "https://www.npmjs.com/advisories/889" ], - "id": "pkg:npm/cliui@2.1.0", - "licenses": [ + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-cgjv-rghq-qhgp" + }, { - "type": "declared", - "value": "ISC" + "type": "advisory", + "url": "https://github.com/AlgoRythm-Dylan/httpserv/commit/bcfe9d4316c2b59aab3a64a38905376026888735" + }, + { + "type": "advisory", + "url": 
"https://www.npmjs.com/advisories/889" + }, + { + "type": "advisory", + "url": "https://snyk.io/vuln/SNYK-JS-ALGOHTTPSERV-174741" } ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cliui", - "package_ref": "pkg:npm/cliui@2.1.0", - "purl": "pkg:npm/cliui@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/string-width@1.0.2", - "pkg:npm/strip-ansi@3.0.1", - "pkg:npm/wrap-ansi@2.1.0" - ], - "id": "pkg:npm/cliui@3.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cliui", - "package_ref": "pkg:npm/cliui@3.2.0", - "purl": "pkg:npm/cliui@3.2.0", - "scopes": [ - "development" - ], - "version": "3.2.0" - }, - { - "depends_on": [ - "pkg:npm/string-width@2.1.1", - "pkg:npm/strip-ansi@4.0.0", - "pkg:npm/wrap-ansi@2.1.0" - ], - "id": "pkg:npm/cliui@4.1.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cliui", - "package_ref": "pkg:npm/cliui@4.1.0", - "purl": "pkg:npm/cliui@4.1.0", - "scopes": [ - "runtime" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:npm/string-width@3.1.0", - "pkg:npm/strip-ansi@5.2.0", - "pkg:npm/wrap-ansi@5.1.0" - ], - "id": "pkg:npm/cliui@5.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cliui", - "package_ref": "pkg:npm/cliui@5.0.0", - "purl": "pkg:npm/cliui@5.0.0", - "scopes": [ - "runtime" - ], - "version": "5.0.0" - }, - { - "depends_on": [ - 
"pkg:npm/string-width@4.2.0", - "pkg:npm/strip-ansi@6.0.0", - "pkg:npm/wrap-ansi@6.2.0" - ], - "id": "pkg:npm/cliui@6.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cliui", - "package_ref": "pkg:npm/cliui@6.0.0", - "purl": "pkg:npm/cliui@6.0.0", - "scopes": [ - "runtime" - ], - "version": "6.0.0" - }, - { - "depends_on": [ - "pkg:npm/for-own@1.0.0", - "pkg:npm/is-plain-object@2.0.4", - "pkg:npm/kind-of@3.2.2", - "pkg:npm/shallow-clone@0.1.2" - ], - "id": "pkg:npm/clone-deep@0.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "clone-deep", - "package_ref": "pkg:npm/clone-deep@0.3.0", - "purl": "pkg:npm/clone-deep@0.3.0", - "scopes": [ - "development" - ], - "version": "0.3.0" - }, - { - "depends_on": [ - "pkg:npm/mimic-response@1.0.1" - ], - "id": "pkg:npm/clone-response@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "clone-response", - "package_ref": "pkg:npm/clone-response@1.0.2", - "purl": "pkg:npm/clone-response@1.0.2", - "scopes": [ - "development" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/co@4.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "co", - "package_ref": "pkg:npm/co@4.6.0", - "purl": "pkg:npm/co@4.6.0", - "scopes": [ - "development" - ], - "version": "4.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/code-point-at@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - 
"file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "code-point-at", - "package_ref": "pkg:npm/code-point-at@1.1.0", - "purl": "pkg:npm/code-point-at@1.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/map-visit@1.0.0", - "pkg:npm/object-visit@1.0.1" - ], - "id": "pkg:npm/collection-visit@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "collection-visit", - "package_ref": "pkg:npm/collection-visit@1.0.0", - "purl": "pkg:npm/collection-visit@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/color-name@1.1.3" - ], - "id": "pkg:npm/color-convert@1.9.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "color-convert", - "package_ref": "pkg:npm/color-convert@1.9.3", - "purl": "pkg:npm/color-convert@1.9.3", - "scopes": [ - "runtime" - ], - "version": "1.9.3" - }, - { - "depends_on": [ - "pkg:npm/color-name@1.1.4" - ], - "id": "pkg:npm/color-convert@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "color-convert", - "package_ref": "pkg:npm/color-convert@2.0.1", - "purl": "pkg:npm/color-convert@2.0.1", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/color-name@1.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "color-name", - "package_ref": "pkg:npm/color-name@1.1.3", - "purl": "pkg:npm/color-name@1.1.3", - "scopes": [ - "runtime" - ], - "version": "1.1.3" - }, - { - 
"depends_on": [], - "id": "pkg:npm/color-name@1.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "color-name", - "package_ref": "pkg:npm/color-name@1.1.4", - "purl": "pkg:npm/color-name@1.1.4", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.4" - }, - { - "depends_on": [], - "id": "pkg:npm/color-support@1.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "color-support", - "package_ref": "pkg:npm/color-support@1.1.3", - "purl": "pkg:npm/color-support@1.1.3", - "scopes": [ - "runtime" - ], - "version": "1.1.3" - }, - { - "depends_on": [ - "pkg:npm/convert-source-map@1.1.3", - "pkg:npm/inline-source-map@0.6.2", - "pkg:npm/lodash.memoize@3.0.4", - "pkg:npm/source-map@0.5.7" - ], - "id": "pkg:npm/combine-source-map@0.8.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "combine-source-map", - "package_ref": "pkg:npm/combine-source-map@0.8.0", - "purl": "pkg:npm/combine-source-map@0.8.0", - "scopes": [ - "development" - ], - "version": "0.8.0" - }, - { - "depends_on": [ - "pkg:npm/delayed-stream@1.0.0" - ], - "id": "pkg:npm/combined-stream@1.0.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "combined-stream", - "package_ref": "pkg:npm/combined-stream@1.0.8", - "purl": "pkg:npm/combined-stream@1.0.8", - "scopes": [ - "runtime" - ], - "version": "1.0.8" - }, - { - "depends_on": [], - "id": "pkg:npm/commondir@1.0.1", - "licenses": [ - { - "type": "declared", - 
"value": "MIT" - } - ], - "name": "commondir", - "package_ref": "pkg:npm/commondir@1.0.1", - "purl": "pkg:npm/commondir@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/component-emitter@1.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "component-emitter", - "package_ref": "pkg:npm/component-emitter@1.2.1", - "purl": "pkg:npm/component-emitter@1.2.1", - "scopes": [ - "runtime" - ], - "version": "1.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/concat-map@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "concat-map", - "package_ref": "pkg:npm/concat-map@0.0.1", - "purl": "pkg:npm/concat-map@0.0.1", - "scopes": [ - "runtime" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@2.0.6", - "pkg:npm/typedarray@0.0.6" - ], - "id": "pkg:npm/concat-stream@1.5.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "concat-stream", - "package_ref": "pkg:npm/concat-stream@1.5.2", - "purl": "pkg:npm/concat-stream@1.5.2", - "scopes": [ - "development" - ], - "version": "1.5.2" - }, - { - "depends_on": [ - "pkg:npm/buffer-from@1.1.1", - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@2.3.6", - "pkg:npm/typedarray@0.0.6" - ], - "id": "pkg:npm/concat-stream@1.6.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "concat-stream", - "package_ref": "pkg:npm/concat-stream@1.6.2", - "purl": "pkg:npm/concat-stream@1.6.2", - "scopes": [ - "development" - ], - "version": "1.6.2" - }, - { - 
"depends_on": [ - "pkg:npm/ini@1.3.5", - "pkg:npm/proto-list@1.2.4" - ], - "id": "pkg:npm/config-chain@1.1.12", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "config-chain", - "package_ref": "pkg:npm/config-chain@1.1.12", - "purl": "pkg:npm/config-chain@1.1.12", - "scopes": [ - "runtime" - ], - "version": "1.1.12" - }, - { - "depends_on": [ - "pkg:npm/dot-prop@4.2.0", - "pkg:npm/graceful-fs@4.1.15", - "pkg:npm/make-dir@1.3.0", - "pkg:npm/unique-string@1.0.0", - "pkg:npm/write-file-atomic@2.4.3", - "pkg:npm/xdg-basedir@3.0.0" - ], - "id": "pkg:npm/configstore@3.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "configstore", - "package_ref": "pkg:npm/configstore@3.1.2", - "purl": "pkg:npm/configstore@3.1.2", - "scopes": [ - "development" - ], - "version": "3.1.2" - }, - { - "depends_on": [ - "pkg:npm/dot-prop@5.3.0", - "pkg:npm/graceful-fs@4.1.15", - "pkg:npm/make-dir@3.1.0", - "pkg:npm/unique-string@2.0.0", - "pkg:npm/write-file-atomic@3.0.3", - "pkg:npm/xdg-basedir@4.0.0" - ], - "id": "pkg:npm/configstore@5.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "configstore", - "package_ref": "pkg:npm/configstore@5.0.1", - "purl": "pkg:npm/configstore@5.0.1", - "scopes": [ - "development" - ], - "version": "5.0.1" - }, - { - "depends_on": [ - "pkg:npm/busboy@0.3.1" - ], - "id": "pkg:npm/connect-busboy@0.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "connect-busboy", - 
"package_ref": "pkg:npm/connect-busboy@0.0.2", - "purl": "pkg:npm/connect-busboy@0.0.2", - "scopes": [ - "runtime" - ], - "version": "0.0.2" - }, - { - "depends_on": [ - "pkg:npm/date-now@0.1.4" - ], - "id": "pkg:npm/console-browserify@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "console-browserify", - "package_ref": "pkg:npm/console-browserify@1.1.0", - "purl": "pkg:npm/console-browserify@1.1.0", - "scopes": [ - "development" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/bluebird@3.5.4" - ], - "id": "pkg:npm/consolidate@0.14.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "consolidate", - "package_ref": "pkg:npm/consolidate@0.14.5", - "purl": "pkg:npm/consolidate@0.14.5", - "scopes": [ - "runtime" - ], - "version": "0.14.5" - }, - { - "depends_on": [], - "id": "pkg:npm/constants-browserify@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "constants-browserify", - "package_ref": "pkg:npm/constants-browserify@1.0.0", - "purl": "pkg:npm/constants-browserify@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/content-disposition@0.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "content-disposition", - "package_ref": "pkg:npm/content-disposition@0.5.0", - "purl": "pkg:npm/content-disposition@0.5.0", - "scopes": [ - "runtime" - ], - "version": "0.5.0" - }, - { - "depends_on": [], - "id": 
"pkg:npm/content-type@1.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "content-type", - "package_ref": "pkg:npm/content-type@1.0.4", - "purl": "pkg:npm/content-type@1.0.4", - "scopes": [ - "runtime" - ], - "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/convert-source-map@1.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "convert-source-map", - "package_ref": "pkg:npm/convert-source-map@1.1.3", - "purl": "pkg:npm/convert-source-map@1.1.3", - "scopes": [ - "development" - ], - "version": "1.1.3" - }, - { - "depends_on": [], - "id": "pkg:npm/convert-source-map@1.5.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "convert-source-map", - "package_ref": "pkg:npm/convert-source-map@1.5.1", - "purl": "pkg:npm/convert-source-map@1.5.1", - "scopes": [ - "runtime" - ], - "version": "1.5.1" - }, - { - "depends_on": [], - "id": "pkg:npm/cookie-signature@1.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "cookie-signature", - "package_ref": "pkg:npm/cookie-signature@1.0.6", - "purl": "pkg:npm/cookie-signature@1.0.6", - "scopes": [ - "runtime" - ], - "version": "1.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/cookie@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"matched": true, - "name": "cookie", - "package_ref": "pkg:npm/cookie@0.1.2", - "purl": "pkg:npm/cookie@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/cookie@0.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "cookie", - "package_ref": "pkg:npm/cookie@0.4.1", - "purl": "pkg:npm/cookie@0.4.1", - "scopes": [ - "runtime" - ], - "version": "0.4.1" - }, - { - "depends_on": [], - "id": "pkg:npm/copy-descriptor@0.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "copy-descriptor", - "package_ref": "pkg:npm/copy-descriptor@0.1.1", - "purl": "pkg:npm/copy-descriptor@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/core-js@2.5.6", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "core-js", - "package_ref": "pkg:npm/core-js@2.5.6", - "purl": "pkg:npm/core-js@2.5.6", - "scopes": [ - "runtime" - ], - "version": "2.5.6" - }, - { - "depends_on": [], - "id": "pkg:npm/core-js@3.6.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "core-js", - "package_ref": "pkg:npm/core-js@3.6.4", - "purl": "pkg:npm/core-js@3.6.4", - "scopes": [ - "development" - ], - "version": "3.6.4" - }, - { - "depends_on": [], - "id": "pkg:npm/core-util-is@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": 
"core-util-is", - "package_ref": "pkg:npm/core-util-is@1.0.2", - "purl": "pkg:npm/core-util-is@1.0.2", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/lcov-parse@1.0.0", - "pkg:npm/log-driver@1.2.7", - "pkg:npm/minimist@1.2.0", - "pkg:npm/request@2.88.0" - ], - "id": "pkg:npm/coveralls@3.0.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "coveralls", - "package_ref": "pkg:npm/coveralls@3.0.9", - "purl": "pkg:npm/coveralls@3.0.9", - "scopes": [ - "runtime" - ], - "version": "3.0.9" - }, - { - "depends_on": [], - "id": "pkg:npm/crc@3.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "crc", - "package_ref": "pkg:npm/crc@3.2.1", - "purl": "pkg:npm/crc@3.2.1", - "scopes": [ - "runtime" - ], - "version": "3.2.1" - }, - { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/elliptic@6.4.1" - ], - "id": "pkg:npm/create-ecdh@4.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "create-ecdh", - "package_ref": "pkg:npm/create-ecdh@4.0.3", - "purl": "pkg:npm/create-ecdh@4.0.3", - "scopes": [ - "development" - ], - "version": "4.0.3" - }, - { - "depends_on": [ - "pkg:npm/capture-stack-trace@1.0.1" - ], - "id": "pkg:npm/create-error-class@3.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "create-error-class", - "package_ref": "pkg:npm/create-error-class@3.0.2", - "purl": 
"pkg:npm/create-error-class@3.0.2", - "scopes": [ - "development" - ], - "version": "3.0.2" - }, - { - "depends_on": [ - "pkg:npm/cipher-base@1.0.4", - "pkg:npm/inherits@2.0.3", - "pkg:npm/md5.js@1.3.5", - "pkg:npm/ripemd160@2.0.2", - "pkg:npm/sha.js@2.4.11" - ], - "id": "pkg:npm/create-hash@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "create-hash", - "package_ref": "pkg:npm/create-hash@1.2.0", - "purl": "pkg:npm/create-hash@1.2.0", - "scopes": [ - "development" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:npm/cipher-base@1.0.4", - "pkg:npm/create-hash@1.2.0", - "pkg:npm/inherits@2.0.3", - "pkg:npm/ripemd160@2.0.2", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/sha.js@2.4.11" - ], - "id": "pkg:npm/create-hmac@1.1.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "create-hmac", - "package_ref": "pkg:npm/create-hmac@1.1.7", - "purl": "pkg:npm/create-hmac@1.1.7", - "scopes": [ - "development" - ], - "version": "1.1.7" - }, - { - "depends_on": [ - "pkg:npm/lru-cache@4.1.3", - "pkg:npm/lru-cache@4.1.5", - "pkg:npm/which@1.3.0", - "pkg:npm/which@1.3.1" - ], - "id": "pkg:npm/cross-spawn@4.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "cross-spawn", - "package_ref": "pkg:npm/cross-spawn@4.0.2", - "purl": "pkg:npm/cross-spawn@4.0.2", - "scopes": [ - "runtime" - ], - "version": "4.0.2" - }, - { - "depends_on": [ - "pkg:npm/lru-cache@4.1.3", - "pkg:npm/lru-cache@4.1.5", - "pkg:npm/shebang-command@1.2.0", - "pkg:npm/which@1.3.0", - "pkg:npm/which@1.3.1" - ], - "id": 
"pkg:npm/cross-spawn@5.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "cross-spawn", - "package_ref": "pkg:npm/cross-spawn@5.1.0", - "purl": "pkg:npm/cross-spawn@5.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "5.1.0" - }, - { - "depends_on": [ - "pkg:npm/nice-try@1.0.5", - "pkg:npm/path-key@2.0.1", - "pkg:npm/semver@5.7.0", - "pkg:npm/shebang-command@1.2.0", - "pkg:npm/which@1.3.1" - ], - "id": "pkg:npm/cross-spawn@6.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "cross-spawn", - "package_ref": "pkg:npm/cross-spawn@6.0.5", - "purl": "pkg:npm/cross-spawn@6.0.5", - "scopes": [ - "development" - ], - "version": "6.0.5" - }, - { - "depends_on": [ - "pkg:npm/browserify-cipher@1.0.1", - "pkg:npm/browserify-sign@4.0.4", - "pkg:npm/create-ecdh@4.0.3", - "pkg:npm/create-hash@1.2.0", - "pkg:npm/create-hmac@1.1.7", - "pkg:npm/diffie-hellman@5.0.3", - "pkg:npm/inherits@2.0.3", - "pkg:npm/pbkdf2@3.0.17", - "pkg:npm/public-encrypt@4.0.3", - "pkg:npm/randombytes@2.1.0", - "pkg:npm/randomfill@1.0.4" - ], - "id": "pkg:npm/crypto-browserify@3.12.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "crypto-browserify", - "package_ref": "pkg:npm/crypto-browserify@3.12.0", - "purl": "pkg:npm/crypto-browserify@3.12.0", - "scopes": [ - "development" - ], - "version": "3.12.0" - }, - { - "depends_on": [], - "id": "pkg:npm/crypto-random-string@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - 
"position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "crypto-random-string", - "package_ref": "pkg:npm/crypto-random-string@1.0.0", - "purl": "pkg:npm/crypto-random-string@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/crypto-random-string@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "crypto-random-string", - "package_ref": "pkg:npm/crypto-random-string@2.0.0", - "purl": "pkg:npm/crypto-random-string@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/dash-ast@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dash-ast", - "package_ref": "pkg:npm/dash-ast@1.0.0", - "purl": "pkg:npm/dash-ast@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/assert-plus@1.0.0" - ], - "id": "pkg:npm/dashdash@1.14.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dashdash", - "package_ref": "pkg:npm/dashdash@1.14.1", - "purl": "pkg:npm/dashdash@1.14.1", - "scopes": [ - "runtime" - ], - "version": "1.14.1" - }, - { - "depends_on": [], - "id": "pkg:npm/data-uri-to-buffer@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "data-uri-to-buffer", - "package_ref": "pkg:npm/data-uri-to-buffer@1.2.0", - "purl": "pkg:npm/data-uri-to-buffer@1.2.0", - "scopes": [ - 
"development" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/date-now@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "date-now", - "package_ref": "pkg:npm/date-now@0.1.4", - "purl": "pkg:npm/date-now@0.1.4", - "scopes": [ - "development" - ], - "version": "0.1.4" - }, - { - "depends_on": [], - "id": "pkg:npm/debug-log@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "debug-log", - "package_ref": "pkg:npm/debug-log@1.0.1", - "purl": "pkg:npm/debug-log@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/ms@0.7.1" - ], - "id": "pkg:npm/debug@2.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "debug", - "package_ref": "pkg:npm/debug@2.2.0", - "purl": "pkg:npm/debug@2.2.0", - "scopes": [ - "runtime" - ], - "version": "2.2.0" - }, - { - "depends_on": [ - "pkg:npm/ms@2.0.0" - ], - "id": "pkg:npm/debug@2.6.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "debug", - "package_ref": "pkg:npm/debug@2.6.9", - "purl": "pkg:npm/debug@2.6.9", - "scopes": [ - "development", - "runtime" - ], - "version": "2.6.9" - }, - { - "depends_on": [ - "pkg:npm/ms@2.0.0" - ], - "id": "pkg:npm/debug@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "debug", - "package_ref": "pkg:npm/debug@3.1.0", - "purl": "pkg:npm/debug@3.1.0", - "scopes": [ - "development", - "runtime" 
- ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/ms@2.1.2" - ], - "id": "pkg:npm/debug@3.2.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "debug", - "package_ref": "pkg:npm/debug@3.2.6", - "purl": "pkg:npm/debug@3.2.6", - "scopes": [ - "development" - ], - "version": "3.2.6" - }, - { - "depends_on": [ - "pkg:npm/ms@2.1.3" - ], - "id": "pkg:npm/debug@3.2.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "debug", - "package_ref": "pkg:npm/debug@3.2.7", - "purl": "pkg:npm/debug@3.2.7", - "scopes": [ - "development" - ], - "version": "3.2.7" - }, - { - "depends_on": [ - "pkg:npm/ms@2.1.1" - ], - "id": "pkg:npm/debug@4.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "debug", - "package_ref": "pkg:npm/debug@4.1.1", - "purl": "pkg:npm/debug@4.1.1", - "scopes": [ - "runtime" - ], - "version": "4.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/decamelize@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "decamelize", - "package_ref": "pkg:npm/decamelize@1.2.0", - "purl": "pkg:npm/decamelize@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/decode-uri-component@0.2.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "decode-uri-component", - "package_ref": "pkg:npm/decode-uri-component@0.2.0", - "purl": 
"pkg:npm/decode-uri-component@0.2.0", - "scopes": [ - "runtime" - ], - "version": "0.2.0" - }, - { - "depends_on": [ - "pkg:npm/mimic-response@1.0.1" - ], - "id": "pkg:npm/decompress-response@3.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "decompress-response", - "package_ref": "pkg:npm/decompress-response@3.3.0", - "purl": "pkg:npm/decompress-response@3.3.0", - "scopes": [ - "development" - ], - "version": "3.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/deep-extend@0.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "deep-extend", - "package_ref": "pkg:npm/deep-extend@0.6.0", - "purl": "pkg:npm/deep-extend@0.6.0", - "scopes": [ - "development" - ], - "version": "0.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/deep-is@0.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "deep-is", - "package_ref": "pkg:npm/deep-is@0.1.3", - "purl": "pkg:npm/deep-is@0.1.3", - "scopes": [ - "development" - ], - "version": "0.1.3" - }, - { - "depends_on": [ - "pkg:npm/strip-bom@2.0.0" - ], - "id": "pkg:npm/default-require-extensions@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "default-require-extensions", - "package_ref": "pkg:npm/default-require-extensions@1.0.0", - "purl": "pkg:npm/default-require-extensions@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/defer-to-connect@1.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "name": "defer-to-connect", - "package_ref": "pkg:npm/defer-to-connect@1.1.3", - "purl": "pkg:npm/defer-to-connect@1.1.3", - "scopes": [ - "development" - ], - "version": "1.1.3" - }, - { - "depends_on": [ - "pkg:npm/is-descriptor@0.1.6" - ], - "id": "pkg:npm/define-property@0.2.5", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "package_ref": "pkg:npm/define-property@0.2.5", - "purl": "pkg:npm/define-property@0.2.5", - "scopes": [ - "runtime" - ], - "version": "0.2.5" - }, - { - "depends_on": [ - "pkg:npm/is-descriptor@1.0.2" - ], - "id": "pkg:npm/define-property@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "package_ref": "pkg:npm/define-property@1.0.0", - "purl": "pkg:npm/define-property@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-descriptor@1.0.2", - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/define-property@2.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "package_ref": "pkg:npm/define-property@2.0.2", - "purl": "pkg:npm/define-property@2.0.2", - "scopes": [ - "runtime" - ], - "version": "2.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/defined@1.0.0", - "licenses": [], - "name": "defined", - "package_ref": "pkg:npm/defined@1.0.0", - "purl": "pkg:npm/defined@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/ast-types@0.13.2", - "pkg:npm/escodegen@1.12.1", - "pkg:npm/esprima@3.1.3" - ], - "id": "pkg:npm/degenerator@1.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "degenerator", - "package_ref": "pkg:npm/degenerator@1.0.4", - "purl": "pkg:npm/degenerator@1.0.4", - 
"scopes": [ - "development" - ], - "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/delayed-stream@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "delayed-stream", - "package_ref": "pkg:npm/delayed-stream@1.0.0", - "purl": "pkg:npm/delayed-stream@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/denque@1.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "denque", - "package_ref": "pkg:npm/denque@1.4.1", - "purl": "pkg:npm/denque@1.4.1", - "scopes": [ - "runtime" - ], - "version": "1.4.1" - }, - { - "depends_on": [], - "id": "pkg:npm/depd@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "depd", - "package_ref": "pkg:npm/depd@1.0.1", - "purl": "pkg:npm/depd@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/depd@1.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "depd", - "package_ref": "pkg:npm/depd@1.1.2", - "purl": "pkg:npm/depd@1.1.2", - "scopes": [ - "development" - ], - "version": "1.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/depd@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "depd", - "package_ref": "pkg:npm/depd@2.0.0", - "purl": "pkg:npm/depd@2.0.0", - "scopes": [ - 
"runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/jsonstream@1.3.5", - "pkg:npm/shasum@1.0.2", - "pkg:npm/subarg@1.0.0", - "pkg:npm/through2@2.0.5" - ], - "id": "pkg:npm/deps-sort@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "deps-sort", - "package_ref": "pkg:npm/deps-sort@2.0.0", - "purl": "pkg:npm/deps-sort@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/minimalistic-assert@1.0.1" - ], - "id": "pkg:npm/des.js@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "des.js", - "package_ref": "pkg:npm/des.js@1.0.0", - "purl": "pkg:npm/des.js@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/destroy@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "destroy", - "package_ref": "pkg:npm/destroy@1.0.3", - "purl": "pkg:npm/destroy@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/repeating@2.0.1" - ], - "id": "pkg:npm/detect-indent@4.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "detect-indent", - "package_ref": "pkg:npm/detect-indent@4.0.0", - "purl": "pkg:npm/detect-indent@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - "pkg:npm/acorn@5.7.4", - "pkg:npm/defined@1.0.0" - ], - "id": "pkg:npm/detective@4.7.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - 
"line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "detective", - "package_ref": "pkg:npm/detective@4.7.1", - "purl": "pkg:npm/detective@4.7.1", - "scopes": [ - "development" - ], - "version": "4.7.1" - }, - { - "depends_on": [ - "pkg:npm/streamsearch@0.1.2" - ], - "id": "pkg:npm/dicer@0.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "dicer", - "package_ref": "pkg:npm/dicer@0.3.0", - "purl": "pkg:npm/dicer@0.3.0", - "scopes": [ - "runtime" - ], - "version": "0.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/diff@1.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "diff", - "package_ref": "pkg:npm/diff@1.4.0", - "purl": "pkg:npm/diff@1.4.0", - "scopes": [ - "runtime" - ], - "version": "1.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/diff@4.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "diff", - "package_ref": "pkg:npm/diff@4.0.2", - "purl": "pkg:npm/diff@4.0.2", - "scopes": [ - "development" - ], - "version": "4.0.2" - }, - { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/miller-rabin@4.0.1", - "pkg:npm/randombytes@2.1.0" - ], - "id": "pkg:npm/diffie-hellman@5.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "diffie-hellman", - "package_ref": "pkg:npm/diffie-hellman@5.0.3", - "purl": "pkg:npm/diffie-hellman@5.0.3", - "scopes": [ - "development" - ], - "version": "5.0.3" - }, - 
{ - "depends_on": [ - "pkg:npm/vscode-languageserver-types@3.15.0" - ], - "id": "pkg:npm/dockerfile-ast@0.0.16", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dockerfile-ast", - "package_ref": "pkg:npm/dockerfile-ast@0.0.16", - "purl": "pkg:npm/dockerfile-ast@0.0.16", - "scopes": [ - "development" - ], - "version": "0.0.16" - }, - { - "depends_on": [], - "id": "pkg:npm/domain-browser@1.1.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "domain-browser", - "package_ref": "pkg:npm/domain-browser@1.1.7", - "purl": "pkg:npm/domain-browser@1.1.7", - "scopes": [ - "development" - ], - "version": "1.1.7" - }, - { - "depends_on": [ - "pkg:npm/is-obj@1.0.1" - ], - "id": "pkg:npm/dot-prop@4.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "dot-prop", - "package_ref": "pkg:npm/dot-prop@4.2.0", - "purl": "pkg:npm/dot-prop@4.2.0", - "scopes": [ - "development" - ], - "version": "4.2.0" - }, - { - "depends_on": [ - "pkg:npm/is-obj@2.0.0" - ], - "id": "pkg:npm/dot-prop@5.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dot-prop", - "package_ref": "pkg:npm/dot-prop@5.3.0", - "purl": "pkg:npm/dot-prop@5.3.0", - "scopes": [ - "development" - ], - "version": "5.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/dotenv@6.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "name": "dotenv", - "package_ref": "pkg:npm/dotenv@6.2.0", - "purl": "pkg:npm/dotenv@6.2.0", - "scopes": [ - "runtime" - ], - "version": "6.2.0" - }, - { - "depends_on": [ - "pkg:npm/%40types/xml2js@0.4.3", - "pkg:npm/lodash@4.17.15", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/tslib@1.10.0", - "pkg:npm/xml2js@0.4.19" - ], - "id": "pkg:npm/dotnet-deps-parser@4.9.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dotnet-deps-parser", - "package_ref": "pkg:npm/dotnet-deps-parser@4.9.0", - "purl": "pkg:npm/dotnet-deps-parser@4.9.0", - "scopes": [ - "development" - ], - "version": "4.9.0" - }, - { - "depends_on": [ - "pkg:npm/readable-stream@2.3.6" - ], - "id": "pkg:npm/duplexer2@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "duplexer2", - "package_ref": "pkg:npm/duplexer2@0.1.4", - "purl": "pkg:npm/duplexer2@0.1.4", - "scopes": [ - "development" - ], - "version": "0.1.4" - }, - { - "depends_on": [], - "id": "pkg:npm/duplexer3@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "duplexer3", - "package_ref": "pkg:npm/duplexer3@0.1.4", - "purl": "pkg:npm/duplexer3@0.1.4", - "scopes": [ - "development" - ], - "version": "0.1.4" - }, - { - "depends_on": [], - "id": "pkg:npm/dustjs-helpers@1.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "dustjs-helpers", - "package_ref": "pkg:npm/dustjs-helpers@1.5.0", - "purl": 
"pkg:npm/dustjs-helpers@1.5.0", - "scopes": [ - "runtime" - ], - "version": "1.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/dustjs-linkedin@2.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "dustjs-linkedin", - "package_ref": "pkg:npm/dustjs-linkedin@2.5.0", - "purl": "pkg:npm/dustjs-linkedin@2.5.0", - "scopes": [ - "runtime" - ], - "version": "2.5.0" - }, - { - "depends_on": [ - "pkg:npm/jsbn@0.1.1", - "pkg:npm/safer-buffer@2.1.2" - ], - "id": "pkg:npm/ecc-jsbn@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ecc-jsbn", - "package_ref": "pkg:npm/ecc-jsbn@0.1.2", - "purl": "pkg:npm/ecc-jsbn@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/ee-first@1.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ee-first", - "package_ref": "pkg:npm/ee-first@1.0.5", - "purl": "pkg:npm/ee-first@1.0.5", - "scopes": [ - "runtime" - ], - "version": "1.0.5" - }, - { - "depends_on": [], - "id": "pkg:npm/ee-first@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ee-first", - "package_ref": "pkg:npm/ee-first@1.1.0", - "purl": "pkg:npm/ee-first@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ee-first@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "name": "ee-first", - "package_ref": "pkg:npm/ee-first@1.1.1", - "purl": "pkg:npm/ee-first@1.1.1", - "scopes": [ - "runtime" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/ejs@0.8.8" - ], - "id": "pkg:npm/ejs-locals@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ejs-locals", - "package_ref": "pkg:npm/ejs-locals@1.0.2", - "purl": "pkg:npm/ejs-locals@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/ejs@0.8.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ejs", - "package_ref": "pkg:npm/ejs@0.8.8", - "purl": "pkg:npm/ejs@0.8.8", - "scopes": [ - "runtime" - ], - "version": "0.8.8" - }, - { - "depends_on": [], - "id": "pkg:npm/ejs@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ejs", - "package_ref": "pkg:npm/ejs@1.0.0", - "purl": "pkg:npm/ejs@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/brorand@1.1.0", - "pkg:npm/hash.js@1.1.7", - "pkg:npm/hmac-drbg@1.0.1", - "pkg:npm/inherits@2.0.3", - "pkg:npm/minimalistic-assert@1.0.1", - "pkg:npm/minimalistic-crypto-utils@1.0.1" - ], - "id": "pkg:npm/elliptic@6.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "elliptic", - "package_ref": "pkg:npm/elliptic@6.4.1", - "purl": 
"pkg:npm/elliptic@6.4.1", - "scopes": [ - "development" - ], - "version": "6.4.1" - }, - { - "depends_on": [], - "id": "pkg:npm/email-validator@2.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "email-validator", - "package_ref": "pkg:npm/email-validator@2.0.4", - "purl": "pkg:npm/email-validator@2.0.4", - "scopes": [ - "development" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/emoji-regex@7.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "emoji-regex", - "package_ref": "pkg:npm/emoji-regex@7.0.3", - "purl": "pkg:npm/emoji-regex@7.0.3", - "scopes": [ - "runtime" - ], - "version": "7.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/emoji-regex@8.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "emoji-regex", - "package_ref": "pkg:npm/emoji-regex@8.0.0", - "purl": "pkg:npm/emoji-regex@8.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "8.0.0" - }, - { - "depends_on": [ - "pkg:npm/once@1.4.0" - ], - "id": "pkg:npm/end-of-stream@1.4.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "end-of-stream", - "package_ref": "pkg:npm/end-of-stream@1.4.4", - "purl": "pkg:npm/end-of-stream@1.4.4", - "scopes": [ - "development" - ], - "version": "1.4.4" - }, - { - "depends_on": [ - "pkg:npm/is-arrayish@0.2.1" - ], - "id": "pkg:npm/error-ex@1.3.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "error-ex", - 
"package_ref": "pkg:npm/error-ex@1.3.1", - "purl": "pkg:npm/error-ex@1.3.1", - "scopes": [ - "runtime" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/accepts@1.1.4", - "pkg:npm/escape-html@1.0.1" - ], - "id": "pkg:npm/errorhandler@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "errorhandler", - "package_ref": "pkg:npm/errorhandler@1.2.0", - "purl": "pkg:npm/errorhandler@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/es6-promise@2.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "es6-promise", - "package_ref": "pkg:npm/es6-promise@2.1.1", - "purl": "pkg:npm/es6-promise@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/es6-promise@4.2.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "es6-promise", - "package_ref": "pkg:npm/es6-promise@4.2.8", - "purl": "pkg:npm/es6-promise@4.2.8", - "scopes": [ - "development" - ], - "version": "4.2.8" - }, - { - "depends_on": [ - "pkg:npm/es6-promise@4.2.8" - ], - "id": "pkg:npm/es6-promisify@5.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "es6-promisify", - "package_ref": "pkg:npm/es6-promisify@5.0.0", - "purl": "pkg:npm/es6-promisify@5.0.0", - "scopes": [ - "development" - ], - "version": "5.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/escape-goat@2.1.1", - "licenses": [], - "locations": [ - { 
- "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "escape-goat", - "package_ref": "pkg:npm/escape-goat@2.1.1", - "purl": "pkg:npm/escape-goat@2.1.1", - "scopes": [ - "development" - ], - "version": "2.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/escape-html@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "escape-html", - "package_ref": "pkg:npm/escape-html@1.0.1", - "purl": "pkg:npm/escape-html@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/escape-string-regexp@1.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "escape-string-regexp", - "package_ref": "pkg:npm/escape-string-regexp@1.0.5", - "purl": "pkg:npm/escape-string-regexp@1.0.5", - "scopes": [ - "runtime" - ], - "version": "1.0.5" - }, - { - "depends_on": [ - "pkg:npm/esprima@3.1.3", - "pkg:npm/estraverse@4.3.0", - "pkg:npm/esutils@2.0.3", - "pkg:npm/optionator@0.8.3", - "pkg:npm/source-map@0.6.1" - ], - "id": "pkg:npm/escodegen@1.12.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "escodegen", - "package_ref": "pkg:npm/escodegen@1.12.1", - "purl": "pkg:npm/escodegen@1.12.1", - "scopes": [ - "development" - ], - "version": "1.12.1" - }, - { - "depends_on": [], - "id": "pkg:npm/esprima@3.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": 
"esprima", - "package_ref": "pkg:npm/esprima@3.1.3", - "purl": "pkg:npm/esprima@3.1.3", - "scopes": [ - "development" - ], - "version": "3.1.3" - }, - { - "depends_on": [], - "id": "pkg:npm/esprima@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "esprima", - "package_ref": "pkg:npm/esprima@4.0.1", - "purl": "pkg:npm/esprima@4.0.1", - "scopes": [ - "runtime" - ], - "version": "4.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/estraverse@4.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "estraverse", - "package_ref": "pkg:npm/estraverse@4.3.0", - "purl": "pkg:npm/estraverse@4.3.0", - "scopes": [ - "development" - ], - "version": "4.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/esutils@2.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "esutils", - "package_ref": "pkg:npm/esutils@2.0.2", - "purl": "pkg:npm/esutils@2.0.2", - "scopes": [ - "runtime" - ], - "version": "2.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/esutils@2.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "esutils", - "package_ref": "pkg:npm/esutils@2.0.3", - "purl": "pkg:npm/esutils@2.0.3", - "scopes": [ - "development" - ], - "version": "2.0.3" - }, - { - "depends_on": [ - "pkg:npm/crc@3.2.1" - ], - "id": "pkg:npm/etag@1.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": 
"package-lock.json" - } - ], - "name": "etag", - "package_ref": "pkg:npm/etag@1.6.0", - "purl": "pkg:npm/etag@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/events-to-array@1.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "events-to-array", - "package_ref": "pkg:npm/events-to-array@1.1.2", - "purl": "pkg:npm/events-to-array@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/events@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "events", - "package_ref": "pkg:npm/events@1.1.1", - "purl": "pkg:npm/events@1.1.1", - "scopes": [ - "development" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/md5.js@1.3.5", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/evp_bytestokey@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "evp_bytestokey", - "package_ref": "pkg:npm/evp_bytestokey@1.0.3", - "purl": "pkg:npm/evp_bytestokey@1.0.3", - "scopes": [ - "development" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/cross-spawn@5.1.0", - "pkg:npm/get-stream@3.0.0", - "pkg:npm/is-stream@1.1.0", - "pkg:npm/npm-run-path@2.0.2", - "pkg:npm/p-finally@1.0.0", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/strip-eof@1.0.0" - ], - "id": "pkg:npm/execa@0.7.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "execa", - "package_ref": "pkg:npm/execa@0.7.0", - "purl": "pkg:npm/execa@0.7.0", - "scopes": [ - "development", - "runtime" - ], - "version": "0.7.0" - }, - { - "depends_on": [ - "pkg:npm/cross-spawn@6.0.5", - "pkg:npm/get-stream@4.1.0", - "pkg:npm/is-stream@1.1.0", - "pkg:npm/npm-run-path@2.0.2", - "pkg:npm/p-finally@1.0.0", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/strip-eof@1.0.0" - ], - "id": "pkg:npm/execa@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "execa", - "package_ref": "pkg:npm/execa@1.0.0", - "purl": "pkg:npm/execa@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/debug@2.6.9", - "pkg:npm/define-property@0.2.5", - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/posix-character-classes@0.1.1", - "pkg:npm/regex-not@1.0.2", - "pkg:npm/snapdragon@0.8.2", - "pkg:npm/to-regex@3.0.2" - ], - "id": "pkg:npm/expand-brackets@2.1.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "expand-brackets", - "package_ref": "pkg:npm/expand-brackets@2.1.4", - "purl": "pkg:npm/expand-brackets@2.1.4", - "scopes": [ - "runtime" - ], - "version": "2.1.4" - }, - { - "depends_on": [ - "pkg:npm/connect-busboy@0.0.2", - "pkg:npm/fs-extra@0.22.1", - "pkg:npm/streamifier@0.1.1" - ], - "id": "pkg:npm/express-fileupload@0.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "express-fileupload", - "package_ref": "pkg:npm/express-fileupload@0.0.5", - "purl": "pkg:npm/express-fileupload@0.0.5", - "scopes": [ - "runtime" - ], - "version": "0.0.5" - }, - { - "depends_on": [ - "pkg:npm/cookie-signature@1.0.6", - "pkg:npm/cookie@0.4.1", - "pkg:npm/debug@2.6.9", - "pkg:npm/depd@2.0.0", - 
"pkg:npm/on-headers@1.0.2", - "pkg:npm/parseurl@1.3.3", - "pkg:npm/safe-buffer@5.2.1", - "pkg:npm/uid-safe@2.1.5" - ], - "id": "pkg:npm/express-session@1.17.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "express-session", - "package_ref": "pkg:npm/express-session@1.17.2", - "purl": "pkg:npm/express-session@1.17.2", - "scopes": [ - "runtime" - ], - "version": "1.17.2" - }, - { - "depends_on": [ - "pkg:npm/accepts@1.2.13", - "pkg:npm/content-disposition@0.5.0", - "pkg:npm/content-type@1.0.4", - "pkg:npm/cookie-signature@1.0.6", - "pkg:npm/cookie@0.1.2", - "pkg:npm/debug@2.2.0", - "pkg:npm/depd@1.0.1", - "pkg:npm/escape-html@1.0.1", - "pkg:npm/etag@1.6.0", - "pkg:npm/finalhandler@0.3.6", - "pkg:npm/fresh@0.2.4", - "pkg:npm/merge-descriptors@1.0.0", - "pkg:npm/methods@1.1.2", - "pkg:npm/on-finished@2.2.1", - "pkg:npm/parseurl@1.3.3", - "pkg:npm/path-to-regexp@0.1.3", - "pkg:npm/proxy-addr@1.0.10", - "pkg:npm/qs@2.4.2", - "pkg:npm/range-parser@1.0.3", - "pkg:npm/send@0.12.3", - "pkg:npm/serve-static@1.9.3", - "pkg:npm/type-is@1.6.16", - "pkg:npm/utils-merge@1.0.0", - "pkg:npm/vary@1.0.1" - ], - "id": "pkg:npm/express@4.12.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "express", - "package_ref": "pkg:npm/express@4.12.4", - "purl": "pkg:npm/express@4.12.4", - "scopes": [ - "runtime" - ], - "version": "4.12.4" - }, - { - "depends_on": [ - "pkg:npm/is-extendable@0.1.1" - ], - "id": "pkg:npm/extend-shallow@2.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extend-shallow", - "package_ref": "pkg:npm/extend-shallow@2.0.1", - "purl": "pkg:npm/extend-shallow@2.0.1", - "scopes": [ - "runtime" - ], - "version": "2.0.1" - }, - 
{ - "depends_on": [ - "pkg:npm/assign-symbols@1.0.0", - "pkg:npm/is-extendable@1.0.1" - ], - "id": "pkg:npm/extend-shallow@3.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extend-shallow", - "package_ref": "pkg:npm/extend-shallow@3.0.2", - "purl": "pkg:npm/extend-shallow@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/extend@3.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "extend", - "package_ref": "pkg:npm/extend@3.0.2", - "purl": "pkg:npm/extend@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [ - "pkg:npm/chardet@0.7.0", - "pkg:npm/iconv-lite@0.4.24", - "pkg:npm/tmp@0.0.33" - ], - "id": "pkg:npm/external-editor@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "external-editor", - "package_ref": "pkg:npm/external-editor@3.1.0", - "purl": "pkg:npm/external-editor@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/array-unique@0.3.2", - "pkg:npm/define-property@1.0.0", - "pkg:npm/expand-brackets@2.1.4", - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/fragment-cache@0.2.1", - "pkg:npm/regex-not@1.0.2", - "pkg:npm/snapdragon@0.8.2", - "pkg:npm/to-regex@3.0.2" - ], - "id": "pkg:npm/extglob@2.0.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extglob", - "package_ref": "pkg:npm/extglob@2.0.4", - "purl": "pkg:npm/extglob@2.0.4", - "scopes": [ - "runtime" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/extsprintf@1.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "extsprintf", - "package_ref": "pkg:npm/extsprintf@1.3.0", - "purl": "pkg:npm/extsprintf@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/fast-deep-equal@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fast-deep-equal", - "package_ref": "pkg:npm/fast-deep-equal@2.0.1", - "purl": "pkg:npm/fast-deep-equal@2.0.1", - "scopes": [ - "runtime" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/fast-json-stable-stringify@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fast-json-stable-stringify", - "package_ref": "pkg:npm/fast-json-stable-stringify@2.1.0", - "purl": "pkg:npm/fast-json-stable-stringify@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/fast-levenshtein@2.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fast-levenshtein", - "package_ref": "pkg:npm/fast-levenshtein@2.0.6", - "purl": "pkg:npm/fast-levenshtein@2.0.6", - "scopes": [ - "development" - ], - "version": "2.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/fd@0.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fd", - "package_ref": "pkg:npm/fd@0.0.3", - "purl": "pkg:npm/fd@0.0.3", - "scopes": [ - "runtime" - ], - "version": "0.0.3" - }, - { - "depends_on": [], - "id": 
"pkg:npm/figlet@1.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "figlet", - "package_ref": "pkg:npm/figlet@1.5.0", - "purl": "pkg:npm/figlet@1.5.0", - "scopes": [ - "runtime" - ], - "version": "1.5.0" - }, - { - "depends_on": [ - "pkg:npm/escape-string-regexp@1.0.5" - ], - "id": "pkg:npm/figures@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "figures", - "package_ref": "pkg:npm/figures@2.0.0", - "purl": "pkg:npm/figures@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/file-type@8.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "file-type", - "package_ref": "pkg:npm/file-type@8.1.0", - "purl": "pkg:npm/file-type@8.1.0", - "scopes": [ - "runtime" - ], - "version": "8.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/file-uri-to-path@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "file-uri-to-path", - "package_ref": "pkg:npm/file-uri-to-path@1.0.0", - "purl": "pkg:npm/file-uri-to-path@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/is-number@3.0.0", - "pkg:npm/repeat-string@1.6.1", - "pkg:npm/to-regex-range@2.1.1" - ], - "id": "pkg:npm/fill-range@4.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fill-range", - "package_ref": "pkg:npm/fill-range@4.0.0", - "purl": "pkg:npm/fill-range@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - "pkg:npm/to-regex-range@5.0.1" - ], - "id": "pkg:npm/fill-range@7.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fill-range", - "package_ref": "pkg:npm/fill-range@7.0.1", - "purl": "pkg:npm/fill-range@7.0.1", - "scopes": [ - "development" - ], - "version": "7.0.1" - }, - { - "depends_on": [ - "pkg:npm/debug@2.2.0", - "pkg:npm/escape-html@1.0.1", - "pkg:npm/on-finished@2.2.1" - ], - "id": "pkg:npm/finalhandler@0.3.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "finalhandler", - "package_ref": "pkg:npm/finalhandler@0.3.6", - "purl": "pkg:npm/finalhandler@0.3.6", - "scopes": [ - "runtime" - ], - "version": "0.3.6" - }, - { - "depends_on": [ - "pkg:npm/commondir@1.0.1", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/pkg-dir@1.0.0" - ], - "id": "pkg:npm/find-cache-dir@0.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "find-cache-dir", - "package_ref": "pkg:npm/find-cache-dir@0.1.1", - "purl": "pkg:npm/find-cache-dir@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [ - "pkg:npm/path-exists@2.1.0", - "pkg:npm/pinkie-promise@2.0.1" - ], - "id": "pkg:npm/find-up@1.1.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "find-up", - "package_ref": 
"pkg:npm/find-up@1.1.2", - "purl": "pkg:npm/find-up@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [ - "pkg:npm/locate-path@2.0.0" - ], - "id": "pkg:npm/find-up@2.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "find-up", - "package_ref": "pkg:npm/find-up@2.1.0", - "purl": "pkg:npm/find-up@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/locate-path@3.0.0" - ], - "id": "pkg:npm/find-up@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "find-up", - "package_ref": "pkg:npm/find-up@3.0.0", - "purl": "pkg:npm/find-up@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/locate-path@5.0.0", - "pkg:npm/path-exists@4.0.0" - ], - "id": "pkg:npm/find-up@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "find-up", - "package_ref": "pkg:npm/find-up@4.1.0", - "purl": "pkg:npm/find-up@4.1.0", - "scopes": [ - "runtime" - ], - "version": "4.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/for-in@0.1.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "for-in", - "package_ref": "pkg:npm/for-in@0.1.8", - "purl": "pkg:npm/for-in@0.1.8", - "scopes": [ - "development" - ], - "version": "0.1.8" - }, - { - "depends_on": [], - "id": "pkg:npm/for-in@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "for-in", - "package_ref": "pkg:npm/for-in@1.0.2", - "purl": "pkg:npm/for-in@1.0.2", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/for-in@1.0.2" - ], - "id": "pkg:npm/for-own@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "for-own", - "package_ref": "pkg:npm/for-own@1.0.0", - "purl": "pkg:npm/for-own@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/foreachasync@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "foreachasync", - "package_ref": "pkg:npm/foreachasync@3.0.0", - "purl": "pkg:npm/foreachasync@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/cross-spawn@4.0.2", - "pkg:npm/signal-exit@3.0.2" - ], - "id": "pkg:npm/foreground-child@1.5.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "foreground-child", - "package_ref": "pkg:npm/foreground-child@1.5.6", - "purl": "pkg:npm/foreground-child@1.5.6", - "scopes": [ - "runtime" - ], - "version": "1.5.6" - }, - { - "depends_on": [], - "id": "pkg:npm/forever-agent@0.6.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "forever-agent", - "package_ref": "pkg:npm/forever-agent@0.6.1", - "purl": 
"pkg:npm/forever-agent@0.6.1", - "scopes": [ - "runtime" - ], - "version": "0.6.1" - }, - { - "depends_on": [ - "pkg:npm/asynckit@0.4.0", - "pkg:npm/combined-stream@1.0.8", - "pkg:npm/mime-types@2.1.26" - ], - "id": "pkg:npm/form-data@2.3.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "form-data", - "package_ref": "pkg:npm/form-data@2.3.3", - "purl": "pkg:npm/form-data@2.3.3", - "scopes": [ - "runtime" - ], - "version": "2.3.3" - }, - { - "depends_on": [], - "id": "pkg:npm/forwarded@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "forwarded", - "package_ref": "pkg:npm/forwarded@0.1.2", - "purl": "pkg:npm/forwarded@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [ - "pkg:npm/map-cache@0.2.2" - ], - "id": "pkg:npm/fragment-cache@0.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "fragment-cache", - "package_ref": "pkg:npm/fragment-cache@0.2.1", - "purl": "pkg:npm/fragment-cache@0.2.1", - "scopes": [ - "runtime" - ], - "version": "0.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/fresh@0.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "fresh", - "package_ref": "pkg:npm/fresh@0.2.4", - "purl": "pkg:npm/fresh@0.2.4", - "scopes": [ - "runtime" - ], - "version": "0.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/fs-constants@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - 
} - ], - "name": "fs-constants", - "package_ref": "pkg:npm/fs-constants@1.0.0", - "purl": "pkg:npm/fs-constants@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/fs-exists-cached@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fs-exists-cached", - "package_ref": "pkg:npm/fs-exists-cached@1.0.0", - "purl": "pkg:npm/fs-exists-cached@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.15", - "pkg:npm/jsonfile@2.4.0", - "pkg:npm/rimraf@2.6.3" - ], - "id": "pkg:npm/fs-extra@0.22.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fs-extra", - "package_ref": "pkg:npm/fs-extra@0.22.1", - "purl": "pkg:npm/fs-extra@0.22.1", - "scopes": [ - "runtime" - ], - "version": "0.22.1" - }, - { - "depends_on": [], - "id": "pkg:npm/fs.realpath@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fs.realpath", - "package_ref": "pkg:npm/fs.realpath@1.0.0", - "purl": "pkg:npm/fs.realpath@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/fsevents@2.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "fsevents", - "package_ref": "pkg:npm/fsevents@2.3.2", - "purl": "pkg:npm/fsevents@2.3.2", - "scopes": [ - "development" - ], - "version": "2.3.2" - }, - { - "depends_on": [ - "pkg:npm/readable-stream@1.1.14", - 
"pkg:npm/xregexp@2.0.0" - ], - "id": "pkg:npm/ftp@0.3.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ftp", - "package_ref": "pkg:npm/ftp@0.3.10", - "purl": "pkg:npm/ftp@0.3.10", - "scopes": [ - "development" - ], - "version": "0.3.10" - }, - { - "depends_on": [], - "id": "pkg:npm/function-bind@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "function-bind", - "package_ref": "pkg:npm/function-bind@1.1.1", - "purl": "pkg:npm/function-bind@1.1.1", - "scopes": [ - "development" - ], - "version": "1.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/function-loop@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "function-loop", - "package_ref": "pkg:npm/function-loop@1.0.2", - "purl": "pkg:npm/function-loop@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/get-assigned-identifiers@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-assigned-identifiers", - "package_ref": "pkg:npm/get-assigned-identifiers@1.2.0", - "purl": "pkg:npm/get-assigned-identifiers@1.2.0", - "scopes": [ - "development" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/get-caller-file@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" 
- } - ], - "name": "get-caller-file", - "package_ref": "pkg:npm/get-caller-file@1.0.2", - "purl": "pkg:npm/get-caller-file@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/get-caller-file@2.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-caller-file", - "package_ref": "pkg:npm/get-caller-file@2.0.5", - "purl": "pkg:npm/get-caller-file@2.0.5", - "scopes": [ - "runtime" - ], - "version": "2.0.5" - }, - { - "depends_on": [], - "id": "pkg:npm/get-stream@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-stream", - "package_ref": "pkg:npm/get-stream@3.0.0", - "purl": "pkg:npm/get-stream@3.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/pump@3.0.0" - ], - "id": "pkg:npm/get-stream@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-stream", - "package_ref": "pkg:npm/get-stream@4.1.0", - "purl": "pkg:npm/get-stream@4.1.0", - "scopes": [ - "development" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:npm/pump@3.0.0" - ], - "id": "pkg:npm/get-stream@5.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-stream", - "package_ref": "pkg:npm/get-stream@5.2.0", - "purl": "pkg:npm/get-stream@5.2.0", - "scopes": [ - "development" - ], - "version": "5.2.0" - }, - { - "depends_on": [ - "pkg:npm/data-uri-to-buffer@1.2.0", - 
"pkg:npm/debug@2.6.9", - "pkg:npm/extend@3.0.2", - "pkg:npm/file-uri-to-path@1.0.0", - "pkg:npm/ftp@0.3.10", - "pkg:npm/readable-stream@2.3.7" - ], - "id": "pkg:npm/get-uri@2.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "get-uri", - "package_ref": "pkg:npm/get-uri@2.0.4", - "purl": "pkg:npm/get-uri@2.0.4", - "scopes": [ - "development" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/get-value@2.0.6", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "get-value", - "package_ref": "pkg:npm/get-value@2.0.6", - "purl": "pkg:npm/get-value@2.0.6", - "scopes": [ - "runtime" - ], - "version": "2.0.6" - }, - { - "depends_on": [ - "pkg:npm/assert-plus@1.0.0" - ], - "id": "pkg:npm/getpass@0.1.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "getpass", - "package_ref": "pkg:npm/getpass@0.1.7", - "purl": "pkg:npm/getpass@0.1.7", - "scopes": [ - "runtime" - ], - "version": "0.1.7" - }, - { - "depends_on": [ - "pkg:npm/is-ssh@1.3.1", - "pkg:npm/parse-url@5.0.1" - ], - "id": "pkg:npm/git-up@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "git-up", - "package_ref": "pkg:npm/git-up@4.0.1", - "purl": "pkg:npm/git-up@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [ - "pkg:npm/git-up@4.0.1" - ], - "id": "pkg:npm/git-url-parse@11.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": 
"git-url-parse", - "package_ref": "pkg:npm/git-url-parse@11.1.2", - "purl": "pkg:npm/git-url-parse@11.1.2", - "scopes": [ - "development" - ], - "version": "11.1.2" - }, - { - "depends_on": [ - "pkg:npm/is-glob@4.0.1" - ], - "id": "pkg:npm/glob-parent@5.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "glob-parent", - "package_ref": "pkg:npm/glob-parent@5.1.2", - "purl": "pkg:npm/glob-parent@5.1.2", - "scopes": [ - "development" - ], - "version": "5.1.2" - }, - { - "depends_on": [ - "pkg:npm/fs.realpath@1.0.0", - "pkg:npm/inflight@1.0.6", - "pkg:npm/inherits@2.0.3", - "pkg:npm/minimatch@3.0.4", - "pkg:npm/once@1.4.0", - "pkg:npm/path-is-absolute@1.0.1" - ], - "id": "pkg:npm/glob@7.1.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "glob", - "package_ref": "pkg:npm/glob@7.1.2", - "purl": "pkg:npm/glob@7.1.2", - "scopes": [ - "runtime" - ], - "version": "7.1.2" - }, - { - "depends_on": [ - "pkg:npm/fs.realpath@1.0.0", - "pkg:npm/inflight@1.0.6", - "pkg:npm/inherits@2.0.3", - "pkg:npm/minimatch@3.0.4", - "pkg:npm/once@1.4.0", - "pkg:npm/path-is-absolute@1.0.1" - ], - "id": "pkg:npm/glob@7.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "glob", - "package_ref": "pkg:npm/glob@7.1.3", - "purl": "pkg:npm/glob@7.1.3", - "scopes": [ - "development", - "runtime" - ], - "version": "7.1.3" - }, - { - "depends_on": [ - "pkg:npm/ini@1.3.5" - ], - "id": "pkg:npm/global-dirs@0.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "global-dirs", - "package_ref": "pkg:npm/global-dirs@0.1.1", - "purl": "pkg:npm/global-dirs@0.1.1", - "scopes": [ - "development" - ], - "version": "0.1.1" - }, - { - "depends_on": [ - "pkg:npm/ini@1.3.7" - ], - "id": "pkg:npm/global-dirs@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "global-dirs", - "package_ref": "pkg:npm/global-dirs@2.1.0", - "purl": "pkg:npm/global-dirs@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/globals@9.18.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "globals", - "package_ref": "pkg:npm/globals@9.18.0", - "purl": "pkg:npm/globals@9.18.0", - "scopes": [ - "runtime" - ], - "version": "9.18.0" - }, - { - "depends_on": [ - "pkg:npm/adm-zip@0.4.7", - "pkg:npm/body-parser@1.9.0", - "pkg:npm/browserify@13.3.0", - "pkg:npm/cfenv@1.2.2", - "pkg:npm/consolidate@0.14.5", - "pkg:npm/dustjs-helpers@1.5.0", - "pkg:npm/dustjs-linkedin@2.5.0", - "pkg:npm/ejs-locals@1.0.2", - "pkg:npm/ejs@1.0.0", - "pkg:npm/errorhandler@1.2.0", - "pkg:npm/express-fileupload@0.0.5", - "pkg:npm/express-session@1.17.2", - "pkg:npm/express@4.12.4", - "pkg:npm/file-type@8.1.0", - "pkg:npm/hbs@4.0.4", - "pkg:npm/humanize-ms@1.0.1", - "pkg:npm/jquery@2.2.4", - "pkg:npm/lodash@4.17.4", - "pkg:npm/marked@0.3.5", - "pkg:npm/method-override@3.0.0", - "pkg:npm/moment@2.15.1", - "pkg:npm/mongodb@3.5.9", - "pkg:npm/mongoose@4.2.4", - "pkg:npm/morgan@1.10.0", - "pkg:npm/ms@0.7.3", - "pkg:npm/mysql@2.18.1", - "pkg:npm/nodemon@2.0.7", - "pkg:npm/npmconf@0.0.24", - "pkg:npm/optional@0.1.4", - "pkg:npm/snyk@1.278.1", - "pkg:npm/st@0.2.4", - "pkg:npm/stream-buffers@3.0.2", - "pkg:npm/tap@11.1.5", - "pkg:npm/typeorm@0.2.24", - 
"pkg:npm/validator@13.5.2" - ], - "id": "pkg:npm/goof@1.0.1", - "licenses": [], - "name": "goof", - "package_ref": "pkg:npm/goof@1.0.1", - "purl": "pkg:npm/goof@1.0.1", - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/create-error-class@3.0.2", - "pkg:npm/duplexer3@0.1.4", - "pkg:npm/get-stream@3.0.0", - "pkg:npm/is-redirect@1.0.0", - "pkg:npm/is-retry-allowed@1.2.0", - "pkg:npm/is-stream@1.1.0", - "pkg:npm/lowercase-keys@1.0.1", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/timed-out@4.0.1", - "pkg:npm/unzip-response@2.0.1", - "pkg:npm/url-parse-lax@1.0.0" - ], - "id": "pkg:npm/got@6.7.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "got", - "package_ref": "pkg:npm/got@6.7.1", - "purl": "pkg:npm/got@6.7.1", - "scopes": [ - "development" - ], - "version": "6.7.1" - }, - { - "depends_on": [ - "pkg:npm/%40sindresorhus/is@0.14.0", - "pkg:npm/%40szmarczak/http-timer@1.1.2", - "pkg:npm/cacheable-request@6.1.0", - "pkg:npm/decompress-response@3.3.0", - "pkg:npm/duplexer3@0.1.4", - "pkg:npm/get-stream@4.1.0", - "pkg:npm/lowercase-keys@1.0.1", - "pkg:npm/mimic-response@1.0.1", - "pkg:npm/p-cancelable@1.1.0", - "pkg:npm/to-readable-stream@1.0.0", - "pkg:npm/url-parse-lax@3.0.0" - ], - "id": "pkg:npm/got@9.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "got", - "package_ref": "pkg:npm/got@9.6.0", - "purl": "pkg:npm/got@9.6.0", - "scopes": [ - "development" - ], - "version": "9.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/graceful-fs@1.2.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "graceful-fs", - "package_ref": "pkg:npm/graceful-fs@1.2.3", - "purl": "pkg:npm/graceful-fs@1.2.3", - "scopes": [ - "runtime" - ], - "version": "1.2.3" - }, - { - "depends_on": [], - "id": "pkg:npm/graceful-fs@4.1.11", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "graceful-fs", - "package_ref": "pkg:npm/graceful-fs@4.1.11", - "purl": "pkg:npm/graceful-fs@4.1.11", - "scopes": [ - "runtime" - ], - "version": "4.1.11" - }, - { - "depends_on": [], - "id": "pkg:npm/graceful-fs@4.1.15", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "graceful-fs", - "package_ref": "pkg:npm/graceful-fs@4.1.15", - "purl": "pkg:npm/graceful-fs@4.1.15", - "scopes": [ - "runtime" - ], - "version": "4.1.15" - }, - { - "depends_on": [ - "pkg:npm/lodash@4.17.15" - ], - "id": "pkg:npm/graphlib@2.1.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "graphlib", - "package_ref": "pkg:npm/graphlib@2.1.8", - "purl": "pkg:npm/graphlib@2.1.8", - "scopes": [ - "development" - ], - "version": "2.1.8" - }, - { - "depends_on": [ - "pkg:npm/async@1.5.2", - "pkg:npm/optimist@0.6.1", - "pkg:npm/source-map@0.4.4", - "pkg:npm/uglify-js@2.8.29" - ], - "id": "pkg:npm/handlebars@4.0.11", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "handlebars", - "package_ref": "pkg:npm/handlebars@4.0.11", - "purl": 
"pkg:npm/handlebars@4.0.11", - "scopes": [ - "runtime" - ], - "version": "4.0.11" - }, - { - "depends_on": [ - "pkg:npm/async@2.6.3", - "pkg:npm/optimist@0.6.1", - "pkg:npm/source-map@0.6.1", - "pkg:npm/uglify-js@3.13.9" - ], - "id": "pkg:npm/handlebars@4.0.14", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "handlebars", - "package_ref": "pkg:npm/handlebars@4.0.14", - "purl": "pkg:npm/handlebars@4.0.14", - "scopes": [ - "runtime" - ], - "version": "4.0.14" - }, - { - "depends_on": [], - "id": "pkg:npm/har-schema@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "har-schema", - "package_ref": "pkg:npm/har-schema@2.0.0", - "purl": "pkg:npm/har-schema@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/ajv@6.10.2", - "pkg:npm/har-schema@2.0.0" - ], - "id": "pkg:npm/har-validator@5.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "har-validator", - "package_ref": "pkg:npm/har-validator@5.1.3", - "purl": "pkg:npm/har-validator@5.1.3", - "scopes": [ - "runtime" - ], - "version": "5.1.3" - }, - { - "depends_on": [ - "pkg:npm/ansi-regex@2.1.1" - ], - "id": "pkg:npm/has-ansi@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has-ansi", - "package_ref": "pkg:npm/has-ansi@2.0.0", - "purl": "pkg:npm/has-ansi@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": 
"pkg:npm/has-flag@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has-flag", - "package_ref": "pkg:npm/has-flag@1.0.0", - "purl": "pkg:npm/has-flag@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/has-flag@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has-flag", - "package_ref": "pkg:npm/has-flag@3.0.0", - "purl": "pkg:npm/has-flag@3.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/has-flag@4.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has-flag", - "package_ref": "pkg:npm/has-flag@4.0.0", - "purl": "pkg:npm/has-flag@4.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - "pkg:npm/get-value@2.0.6", - "pkg:npm/has-values@0.1.4", - "pkg:npm/isobject@2.1.0" - ], - "id": "pkg:npm/has-value@0.3.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-value", - "package_ref": "pkg:npm/has-value@0.3.1", - "purl": "pkg:npm/has-value@0.3.1", - "scopes": [ - "runtime" - ], - "version": "0.3.1" - }, - { - "depends_on": [ - "pkg:npm/get-value@2.0.6", - "pkg:npm/has-values@1.0.0", - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/has-value@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-value", - "package_ref": "pkg:npm/has-value@1.0.0", - "purl": "pkg:npm/has-value@1.0.0", - "scopes": [ - "runtime" - ], - "version": 
"1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/has-values@0.1.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-values", - "package_ref": "pkg:npm/has-values@0.1.4", - "purl": "pkg:npm/has-values@0.1.4", - "scopes": [ - "runtime" - ], - "version": "0.1.4" - }, - { - "depends_on": [ - "pkg:npm/is-number@3.0.0", - "pkg:npm/kind-of@4.0.0" - ], - "id": "pkg:npm/has-values@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-values", - "package_ref": "pkg:npm/has-values@1.0.0", - "purl": "pkg:npm/has-values@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/has-yarn@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has-yarn", - "package_ref": "pkg:npm/has-yarn@2.1.0", - "purl": "pkg:npm/has-yarn@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/function-bind@1.1.1" - ], - "id": "pkg:npm/has@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "has", - "package_ref": "pkg:npm/has@1.0.3", - "purl": "pkg:npm/has@1.0.3", - "scopes": [ - "development" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/hash-base@3.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "hash-base", - "package_ref": "pkg:npm/hash-base@3.0.4", - "purl": "pkg:npm/hash-base@3.0.4", - "scopes": [ - "development" - ], - "version": "3.0.4" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", 
- "pkg:npm/minimalistic-assert@1.0.1" - ], - "id": "pkg:npm/hash.js@1.1.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "hash.js", - "package_ref": "pkg:npm/hash.js@1.1.7", - "purl": "pkg:npm/hash.js@1.1.7", - "scopes": [ - "development" - ], - "version": "1.1.7" - }, - { - "depends_on": [ - "pkg:npm/handlebars@4.0.14", - "pkg:npm/walk@2.3.9" - ], - "id": "pkg:npm/hbs@4.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "hbs", - "package_ref": "pkg:npm/hbs@4.0.4", - "purl": "pkg:npm/hbs@4.0.4", - "scopes": [ - "runtime" - ], - "version": "4.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/highlight.js@9.18.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "highlight.js", - "package_ref": "pkg:npm/highlight.js@9.18.1", - "purl": "pkg:npm/highlight.js@9.18.1", - "scopes": [ - "runtime" - ], - "version": "9.18.1" - }, - { - "depends_on": [ - "pkg:npm/hash.js@1.1.7", - "pkg:npm/minimalistic-assert@1.0.1", - "pkg:npm/minimalistic-crypto-utils@1.0.1" - ], - "id": "pkg:npm/hmac-drbg@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "hmac-drbg", - "package_ref": "pkg:npm/hmac-drbg@1.0.1", - "purl": "pkg:npm/hmac-drbg@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/hooks-fixed@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - 
"file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "hooks-fixed", - "package_ref": "pkg:npm/hooks-fixed@1.1.0", - "purl": "pkg:npm/hooks-fixed@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/hosted-git-info@2.6.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "hosted-git-info", - "package_ref": "pkg:npm/hosted-git-info@2.6.0", - "purl": "pkg:npm/hosted-git-info@2.6.0", - "scopes": [ - "runtime" - ], - "version": "2.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/hosted-git-info@2.8.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "hosted-git-info", - "package_ref": "pkg:npm/hosted-git-info@2.8.5", - "purl": "pkg:npm/hosted-git-info@2.8.5", - "scopes": [ - "development" - ], - "version": "2.8.5" - }, - { - "depends_on": [], - "id": "pkg:npm/htmlescape@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "htmlescape", - "package_ref": "pkg:npm/htmlescape@1.1.1", - "purl": "pkg:npm/htmlescape@1.1.1", - "scopes": [ - "development" - ], - "version": "1.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/http-cache-semantics@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "http-cache-semantics", - "package_ref": "pkg:npm/http-cache-semantics@4.1.0", - "purl": 
"pkg:npm/http-cache-semantics@4.1.0", - "scopes": [ - "development" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:npm/depd@1.1.2", - "pkg:npm/inherits@2.0.4", - "pkg:npm/setprototypeof@1.1.1", - "pkg:npm/statuses@1.5.0", - "pkg:npm/toidentifier@1.0.0" - ], - "id": "pkg:npm/http-errors@1.7.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "http-errors", - "package_ref": "pkg:npm/http-errors@1.7.3", - "purl": "pkg:npm/http-errors@1.7.3", - "scopes": [ - "development" - ], - "version": "1.7.3" - }, - { - "depends_on": [ - "pkg:npm/agent-base@4.3.0", - "pkg:npm/debug@3.1.0" - ], - "id": "pkg:npm/http-proxy-agent@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "http-proxy-agent", - "package_ref": "pkg:npm/http-proxy-agent@2.1.0", - "purl": "pkg:npm/http-proxy-agent@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/assert-plus@1.0.0", - "pkg:npm/jsprim@1.4.1", - "pkg:npm/sshpk@1.16.1" - ], - "id": "pkg:npm/http-signature@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "http-signature", - "package_ref": "pkg:npm/http-signature@1.2.0", - "purl": "pkg:npm/http-signature@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/https-browserify@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "https-browserify", - "package_ref": "pkg:npm/https-browserify@0.0.1", 
- "purl": "pkg:npm/https-browserify@0.0.1", - "scopes": [ - "development" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - "pkg:npm/agent-base@4.3.0", - "pkg:npm/debug@3.2.6" - ], - "id": "pkg:npm/https-proxy-agent@3.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "https-proxy-agent", - "package_ref": "pkg:npm/https-proxy-agent@3.0.1", - "purl": "pkg:npm/https-proxy-agent@3.0.1", - "scopes": [ - "development" - ], - "version": "3.0.1" - }, - { - "depends_on": [ - "pkg:npm/ms@0.6.2" - ], - "id": "pkg:npm/humanize-ms@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "humanize-ms", - "package_ref": "pkg:npm/humanize-ms@1.0.1", - "purl": "pkg:npm/humanize-ms@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/safer-buffer@2.1.2" - ], - "id": "pkg:npm/iconv-lite@0.4.24", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "iconv-lite", - "package_ref": "pkg:npm/iconv-lite@0.4.24", - "purl": "pkg:npm/iconv-lite@0.4.24", - "scopes": [ - "development" - ], - "version": "0.4.24" - }, - { - "depends_on": [], - "id": "pkg:npm/iconv-lite@0.4.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "iconv-lite", - "package_ref": "pkg:npm/iconv-lite@0.4.4", - "purl": "pkg:npm/iconv-lite@0.4.4", - "scopes": [ - "runtime" - ], - "version": "0.4.4" - }, - { - "depends_on": [], - "id": "pkg:npm/ieee754@1.1.13", - "licenses": [], - "locations": [ - { - 
"access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ieee754", - "package_ref": "pkg:npm/ieee754@1.1.13", - "purl": "pkg:npm/ieee754@1.1.13", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.13" - }, - { - "depends_on": [], - "id": "pkg:npm/ignore-by-default@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ignore-by-default", - "package_ref": "pkg:npm/ignore-by-default@1.0.1", - "purl": "pkg:npm/ignore-by-default@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/immediate@3.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "immediate", - "package_ref": "pkg:npm/immediate@3.0.6", - "purl": "pkg:npm/immediate@3.0.6", - "scopes": [ - "development" - ], - "version": "3.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/import-lazy@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "import-lazy", - "package_ref": "pkg:npm/import-lazy@2.1.0", - "purl": "pkg:npm/import-lazy@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/imurmurhash@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "imurmurhash", - "package_ref": "pkg:npm/imurmurhash@0.1.4", - "purl": "pkg:npm/imurmurhash@0.1.4", - "scopes": [ - "runtime" - ], - "version": "0.1.4" - }, 
- { - "depends_on": [], - "id": "pkg:npm/indexof@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "indexof", - "package_ref": "pkg:npm/indexof@0.0.1", - "purl": "pkg:npm/indexof@0.0.1", - "scopes": [ - "development" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - "pkg:npm/once@1.4.0", - "pkg:npm/wrappy@1.0.2" - ], - "id": "pkg:npm/inflight@1.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inflight", - "package_ref": "pkg:npm/inflight@1.0.6", - "purl": "pkg:npm/inflight@1.0.6", - "scopes": [ - "runtime" - ], - "version": "1.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/inherits@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inherits", - "package_ref": "pkg:npm/inherits@1.0.2", - "purl": "pkg:npm/inherits@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/inherits@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inherits", - "package_ref": "pkg:npm/inherits@2.0.1", - "purl": "pkg:npm/inherits@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/inherits@2.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inherits", - "package_ref": "pkg:npm/inherits@2.0.3", - "purl": 
"pkg:npm/inherits@2.0.3", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/inherits@2.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inherits", - "package_ref": "pkg:npm/inherits@2.0.4", - "purl": "pkg:npm/inherits@2.0.4", - "scopes": [ - "development" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/ini@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ini", - "package_ref": "pkg:npm/ini@1.1.0", - "purl": "pkg:npm/ini@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ini@1.3.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ini", - "package_ref": "pkg:npm/ini@1.3.5", - "purl": "pkg:npm/ini@1.3.5", - "scopes": [ - "development", - "runtime" - ], - "version": "1.3.5" - }, - { - "depends_on": [], - "id": "pkg:npm/ini@1.3.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ini", - "package_ref": "pkg:npm/ini@1.3.7", - "purl": "pkg:npm/ini@1.3.7", - "scopes": [ - "development" - ], - "version": "1.3.7" - }, - { - "depends_on": [ - "pkg:npm/source-map@0.5.7" - ], - "id": "pkg:npm/inline-source-map@0.6.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "inline-source-map", - "package_ref": "pkg:npm/inline-source-map@0.6.2", - "purl": "pkg:npm/inline-source-map@0.6.2", - "scopes": [ - "development" - ], - "version": "0.6.2" - }, - { - "depends_on": [ - "pkg:npm/ansi-escapes@3.2.0", - "pkg:npm/chalk@2.4.2", - "pkg:npm/cli-cursor@2.1.0", - "pkg:npm/cli-width@2.2.0", - "pkg:npm/external-editor@3.1.0", - "pkg:npm/figures@2.0.0", - "pkg:npm/lodash@4.17.15", - "pkg:npm/mute-stream@0.0.7", - "pkg:npm/run-async@2.3.0", - "pkg:npm/rxjs@6.5.4", - "pkg:npm/string-width@2.1.1", - "pkg:npm/strip-ansi@5.2.0", - "pkg:npm/through@2.3.8" - ], - "id": "pkg:npm/inquirer@6.5.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "inquirer", - "package_ref": "pkg:npm/inquirer@6.5.2", - "purl": "pkg:npm/inquirer@6.5.2", - "scopes": [ - "development" - ], - "version": "6.5.2" - }, - { - "depends_on": [ - "pkg:npm/acorn-node@1.6.2", - "pkg:npm/combine-source-map@0.8.0", - "pkg:npm/concat-stream@1.6.2", - "pkg:npm/is-buffer@1.1.6", - "pkg:npm/jsonstream@1.3.5", - "pkg:npm/path-is-absolute@1.0.1", - "pkg:npm/process@0.11.10", - "pkg:npm/through2@2.0.5", - "pkg:npm/undeclared-identifiers@1.1.3", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/insert-module-globals@7.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "insert-module-globals", - "package_ref": "pkg:npm/insert-module-globals@7.2.0", - "purl": "pkg:npm/insert-module-globals@7.2.0", - "scopes": [ - "development" - ], - "version": "7.2.0" - }, - { - "depends_on": [ - "pkg:npm/loose-envify@1.3.1" - ], - "id": "pkg:npm/invariant@2.2.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "invariant", - "package_ref": "pkg:npm/invariant@2.2.4", - "purl": 
"pkg:npm/invariant@2.2.4", - "scopes": [ - "runtime" - ], - "version": "2.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/invert-kv@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "invert-kv", - "package_ref": "pkg:npm/invert-kv@1.0.0", - "purl": "pkg:npm/invert-kv@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ip@1.1.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ip", - "package_ref": "pkg:npm/ip@1.1.5", - "purl": "pkg:npm/ip@1.1.5", - "scopes": [ - "development" - ], - "version": "1.1.5" - }, - { - "depends_on": [], - "id": "pkg:npm/ipaddr.js@1.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ipaddr.js", - "package_ref": "pkg:npm/ipaddr.js@1.0.5", - "purl": "pkg:npm/ipaddr.js@1.0.5", - "scopes": [ - "runtime" - ], - "version": "1.0.5" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/is-accessor-descriptor@0.1.6", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-accessor-descriptor", - "package_ref": "pkg:npm/is-accessor-descriptor@0.1.6", - "purl": "pkg:npm/is-accessor-descriptor@0.1.6", - "scopes": [ - "runtime" - ], - "version": "0.1.6" - }, - { - "depends_on": [ - "pkg:npm/kind-of@6.0.2" - ], - "id": "pkg:npm/is-accessor-descriptor@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-accessor-descriptor", - "package_ref": "pkg:npm/is-accessor-descriptor@1.0.0", - "purl": "pkg:npm/is-accessor-descriptor@1.0.0", - 
"scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-arrayish@0.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-arrayish", - "package_ref": "pkg:npm/is-arrayish@0.2.1", - "purl": "pkg:npm/is-arrayish@0.2.1", - "scopes": [ - "runtime" - ], - "version": "0.2.1" - }, - { - "depends_on": [ - "pkg:npm/binary-extensions@2.2.0" - ], - "id": "pkg:npm/is-binary-path@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-binary-path", - "package_ref": "pkg:npm/is-binary-path@2.1.0", - "purl": "pkg:npm/is-binary-path@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-buffer@1.1.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-buffer", - "package_ref": "pkg:npm/is-buffer@1.1.6", - "purl": "pkg:npm/is-buffer@1.1.6", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.6" - }, - { - "depends_on": [ - "pkg:npm/builtin-modules@1.1.1" - ], - "id": "pkg:npm/is-builtin-module@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-builtin-module", - "package_ref": "pkg:npm/is-builtin-module@1.0.0", - "purl": "pkg:npm/is-builtin-module@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/ci-info@1.6.0" - ], - "id": "pkg:npm/is-ci@1.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-ci", - "package_ref": "pkg:npm/is-ci@1.2.1", - "purl": "pkg:npm/is-ci@1.2.1", - "scopes": [ - "development" - ], - 
"version": "1.2.1" - }, - { - "depends_on": [ - "pkg:npm/ci-info@2.0.0" - ], - "id": "pkg:npm/is-ci@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-ci", - "package_ref": "pkg:npm/is-ci@2.0.0", - "purl": "pkg:npm/is-ci@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/is-data-descriptor@0.1.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-data-descriptor", - "package_ref": "pkg:npm/is-data-descriptor@0.1.4", - "purl": "pkg:npm/is-data-descriptor@0.1.4", - "scopes": [ - "runtime" - ], - "version": "0.1.4" - }, - { - "depends_on": [ - "pkg:npm/kind-of@6.0.2" - ], - "id": "pkg:npm/is-data-descriptor@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-data-descriptor", - "package_ref": "pkg:npm/is-data-descriptor@1.0.0", - "purl": "pkg:npm/is-data-descriptor@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-accessor-descriptor@0.1.6", - "pkg:npm/is-data-descriptor@0.1.4", - "pkg:npm/kind-of@5.1.0" - ], - "id": "pkg:npm/is-descriptor@0.1.6", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-descriptor", - "package_ref": "pkg:npm/is-descriptor@0.1.6", - "purl": "pkg:npm/is-descriptor@0.1.6", - "scopes": [ - "runtime" - ], - "version": "0.1.6" - }, - { - "depends_on": [ - "pkg:npm/is-accessor-descriptor@1.0.0", - "pkg:npm/is-data-descriptor@1.0.0", - "pkg:npm/kind-of@6.0.2" - ], - "id": "pkg:npm/is-descriptor@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-descriptor", - "package_ref": "pkg:npm/is-descriptor@1.0.2", - "purl": "pkg:npm/is-descriptor@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": 
[], - "id": "pkg:npm/is-extendable@0.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-extendable", - "package_ref": "pkg:npm/is-extendable@0.1.1", - "purl": "pkg:npm/is-extendable@0.1.1", - "scopes": [ - "development", - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [ - "pkg:npm/is-plain-object@2.0.4" - ], - "id": "pkg:npm/is-extendable@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-extendable", - "package_ref": "pkg:npm/is-extendable@1.0.1", - "purl": "pkg:npm/is-extendable@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/is-extglob@2.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-extglob", - "package_ref": "pkg:npm/is-extglob@2.1.1", - "purl": "pkg:npm/is-extglob@2.1.1", - "scopes": [ - "development" - ], - "version": "2.1.1" - }, - { - "depends_on": [ - "pkg:npm/number-is-nan@1.0.1" - ], - "id": "pkg:npm/is-finite@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-finite", - "package_ref": "pkg:npm/is-finite@1.0.2", - "purl": "pkg:npm/is-finite@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/number-is-nan@1.0.1" - ], - "id": "pkg:npm/is-fullwidth-code-point@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-fullwidth-code-point", - 
"package_ref": "pkg:npm/is-fullwidth-code-point@1.0.0", - "purl": "pkg:npm/is-fullwidth-code-point@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-fullwidth-code-point@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-fullwidth-code-point", - "package_ref": "pkg:npm/is-fullwidth-code-point@2.0.0", - "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-fullwidth-code-point@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-fullwidth-code-point", - "package_ref": "pkg:npm/is-fullwidth-code-point@3.0.0", - "purl": "pkg:npm/is-fullwidth-code-point@3.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-extglob@2.1.1" - ], - "id": "pkg:npm/is-glob@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-glob", - "package_ref": "pkg:npm/is-glob@4.0.1", - "purl": "pkg:npm/is-glob@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [ - "pkg:npm/global-dirs@0.1.1", - "pkg:npm/is-path-inside@1.0.1" - ], - "id": "pkg:npm/is-installed-globally@0.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-installed-globally", - "package_ref": "pkg:npm/is-installed-globally@0.1.0", - "purl": 
"pkg:npm/is-installed-globally@0.1.0", - "scopes": [ - "development" - ], - "version": "0.1.0" - }, - { - "depends_on": [ - "pkg:npm/global-dirs@2.1.0", - "pkg:npm/is-path-inside@3.0.3" - ], - "id": "pkg:npm/is-installed-globally@0.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-installed-globally", - "package_ref": "pkg:npm/is-installed-globally@0.3.2", - "purl": "pkg:npm/is-installed-globally@0.3.2", - "scopes": [ - "development" - ], - "version": "0.3.2" - }, - { - "depends_on": [], - "id": "pkg:npm/is-npm@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-npm", - "package_ref": "pkg:npm/is-npm@1.0.0", - "purl": "pkg:npm/is-npm@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-npm@4.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-npm", - "package_ref": "pkg:npm/is-npm@4.0.0", - "purl": "pkg:npm/is-npm@4.0.0", - "scopes": [ - "development" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/is-number@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-number", - "package_ref": "pkg:npm/is-number@3.0.0", - "purl": "pkg:npm/is-number@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-number@4.0.0", - "licenses": [ - { - "type": 
"declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-number", - "package_ref": "pkg:npm/is-number@4.0.0", - "purl": "pkg:npm/is-number@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-number@7.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-number", - "package_ref": "pkg:npm/is-number@7.0.0", - "purl": "pkg:npm/is-number@7.0.0", - "scopes": [ - "development" - ], - "version": "7.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-obj@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-obj", - "package_ref": "pkg:npm/is-obj@1.0.1", - "purl": "pkg:npm/is-obj@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/is-obj@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-obj", - "package_ref": "pkg:npm/is-obj@2.0.0", - "purl": "pkg:npm/is-obj@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-number@4.0.0" - ], - "id": "pkg:npm/is-odd@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-odd", - "package_ref": "pkg:npm/is-odd@2.0.0", - "purl": "pkg:npm/is-odd@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/path-is-inside@1.0.2" - ], - "id": "pkg:npm/is-path-inside@1.0.1", - "licenses": [], - 
"locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-path-inside", - "package_ref": "pkg:npm/is-path-inside@1.0.1", - "purl": "pkg:npm/is-path-inside@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/is-path-inside@3.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-path-inside", - "package_ref": "pkg:npm/is-path-inside@3.0.3", - "purl": "pkg:npm/is-path-inside@3.0.3", - "scopes": [ - "development" - ], - "version": "3.0.3" - }, - { - "depends_on": [ - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/is-plain-object@2.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-plain-object", - "package_ref": "pkg:npm/is-plain-object@2.0.4", - "purl": "pkg:npm/is-plain-object@2.0.4", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/is-promise@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-promise", - "package_ref": "pkg:npm/is-promise@2.1.0", - "purl": "pkg:npm/is-promise@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-redirect@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-redirect", - "package_ref": "pkg:npm/is-redirect@1.0.0", - "purl": 
"pkg:npm/is-redirect@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-retry-allowed@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-retry-allowed", - "package_ref": "pkg:npm/is-retry-allowed@1.2.0", - "purl": "pkg:npm/is-retry-allowed@1.2.0", - "scopes": [ - "development" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:npm/protocols@1.4.7" - ], - "id": "pkg:npm/is-ssh@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-ssh", - "package_ref": "pkg:npm/is-ssh@1.3.1", - "purl": "pkg:npm/is-ssh@1.3.1", - "scopes": [ - "development" - ], - "version": "1.3.1" - }, - { - "depends_on": [], - "id": "pkg:npm/is-stream@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-stream", - "package_ref": "pkg:npm/is-stream@1.1.0", - "purl": "pkg:npm/is-stream@1.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-typedarray@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-typedarray", - "package_ref": "pkg:npm/is-typedarray@1.0.0", - "purl": "pkg:npm/is-typedarray@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-utf8@0.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-utf8", - "package_ref": "pkg:npm/is-utf8@0.2.1", - "purl": 
"pkg:npm/is-utf8@0.2.1", - "scopes": [ - "runtime" - ], - "version": "0.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/is-windows@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-windows", - "package_ref": "pkg:npm/is-windows@1.0.2", - "purl": "pkg:npm/is-windows@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/is-wsl@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-wsl", - "package_ref": "pkg:npm/is-wsl@1.1.0", - "purl": "pkg:npm/is-wsl@1.1.0", - "scopes": [ - "development" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/is-yarn-global@0.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "is-yarn-global", - "package_ref": "pkg:npm/is-yarn-global@0.3.0", - "purl": "pkg:npm/is-yarn-global@0.3.0", - "scopes": [ - "development" - ], - "version": "0.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/isarray@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isarray", - "package_ref": "pkg:npm/isarray@0.0.1", - "purl": "pkg:npm/isarray@0.0.1", - "scopes": [ - "runtime" - ], - "version": "0.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/isarray@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isarray", - "package_ref": "pkg:npm/isarray@1.0.0", - "purl": "pkg:npm/isarray@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": 
"1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/isarray@2.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isarray", - "package_ref": "pkg:npm/isarray@2.0.4", - "purl": "pkg:npm/isarray@2.0.4", - "scopes": [ - "development" - ], - "version": "2.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/isexe@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isexe", - "package_ref": "pkg:npm/isexe@2.0.0", - "purl": "pkg:npm/isexe@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/isarray@1.0.0" - ], - "id": "pkg:npm/isobject@2.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isobject", - "package_ref": "pkg:npm/isobject@2.1.0", - "purl": "pkg:npm/isobject@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/isobject@3.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isobject", - "package_ref": "pkg:npm/isobject@3.0.1", - "purl": "pkg:npm/isobject@3.0.1", - "scopes": [ - "development", - "runtime" - ], - "version": "3.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/isstream@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "isstream", - "package_ref": 
"pkg:npm/isstream@0.1.2", - "purl": "pkg:npm/isstream@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/istanbul-lib-coverage@1.2.0", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-coverage", - "package_ref": "pkg:npm/istanbul-lib-coverage@1.2.0", - "purl": "pkg:npm/istanbul-lib-coverage@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:npm/append-transform@0.4.0" - ], - "id": "pkg:npm/istanbul-lib-hook@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-hook", - "package_ref": "pkg:npm/istanbul-lib-hook@1.1.0", - "purl": "pkg:npm/istanbul-lib-hook@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/babel-generator@6.26.1", - "pkg:npm/babel-template@6.26.0", - "pkg:npm/babel-traverse@6.26.0", - "pkg:npm/babel-types@6.26.0", - "pkg:npm/babylon@6.18.0", - "pkg:npm/istanbul-lib-coverage@1.2.0", - "pkg:npm/semver@5.5.0" - ], - "id": "pkg:npm/istanbul-lib-instrument@1.10.1", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-instrument", - "package_ref": "pkg:npm/istanbul-lib-instrument@1.10.1", - "purl": "pkg:npm/istanbul-lib-instrument@1.10.1", - "scopes": [ - "runtime" - ], - "version": "1.10.1" - }, - { - "depends_on": [ - "pkg:npm/istanbul-lib-coverage@1.2.0", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/path-parse@1.0.5", - "pkg:npm/supports-color@3.2.3" - ], - "id": "pkg:npm/istanbul-lib-report@1.1.3", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-report", - "package_ref": "pkg:npm/istanbul-lib-report@1.1.3", - "purl": "pkg:npm/istanbul-lib-report@1.1.3", - "scopes": [ - "runtime" - ], - "version": "1.1.3" - }, - { - "depends_on": [ - "pkg:npm/debug@3.1.0", - "pkg:npm/istanbul-lib-coverage@1.2.0", - 
"pkg:npm/mkdirp@0.5.1", - "pkg:npm/rimraf@2.6.2", - "pkg:npm/source-map@0.5.7" - ], - "id": "pkg:npm/istanbul-lib-source-maps@1.2.3", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-source-maps", - "package_ref": "pkg:npm/istanbul-lib-source-maps@1.2.3", - "purl": "pkg:npm/istanbul-lib-source-maps@1.2.3", - "scopes": [ - "runtime" - ], - "version": "1.2.3" - }, - { - "depends_on": [ - "pkg:npm/handlebars@4.0.11" - ], - "id": "pkg:npm/istanbul-reports@1.4.0", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-reports", - "package_ref": "pkg:npm/istanbul-reports@1.4.0", - "purl": "pkg:npm/istanbul-reports@1.4.0", - "scopes": [ - "runtime" - ], - "version": "1.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/jquery@2.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "jquery", - "package_ref": "pkg:npm/jquery@2.2.4", - "purl": "pkg:npm/jquery@2.2.4", - "scopes": [ - "runtime" - ], - "version": "2.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/js-tokens@3.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "js-tokens", - "package_ref": "pkg:npm/js-tokens@3.0.2", - "purl": "pkg:npm/js-tokens@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [ - "pkg:npm/argparse@1.0.10", - "pkg:npm/esprima@4.0.1" - ], - "id": "pkg:npm/js-yaml@3.13.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "js-yaml", - "package_ref": "pkg:npm/js-yaml@3.13.1", - "purl": "pkg:npm/js-yaml@3.13.1", - "scopes": [ - "runtime" - ], - "version": "3.13.1" - }, - { - "depends_on": [], - "id": 
"pkg:npm/jsbn@0.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsbn", - "package_ref": "pkg:npm/jsbn@0.1.1", - "purl": "pkg:npm/jsbn@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/jsesc@1.3.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "jsesc", - "package_ref": "pkg:npm/jsesc@1.3.0", - "purl": "pkg:npm/jsesc@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/json-buffer@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "json-buffer", - "package_ref": "pkg:npm/json-buffer@3.0.0", - "purl": "pkg:npm/json-buffer@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/json-schema-traverse@0.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "json-schema-traverse", - "package_ref": "pkg:npm/json-schema-traverse@0.4.1", - "purl": "pkg:npm/json-schema-traverse@0.4.1", - "scopes": [ - "runtime" - ], - "version": "0.4.1" - }, - { - "depends_on": [], - "id": "pkg:npm/json-schema@0.2.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "json-schema", - "package_ref": "pkg:npm/json-schema@0.2.3", - "purl": "pkg:npm/json-schema@0.2.3", - "scopes": [ - "runtime" - ], - "version": "0.2.3" - }, - { - "depends_on": [ - "pkg:npm/jsonify@0.0.0" - ], - "id": 
"pkg:npm/json-stable-stringify@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "json-stable-stringify", - "package_ref": "pkg:npm/json-stable-stringify@0.0.1", - "purl": "pkg:npm/json-stable-stringify@0.0.1", - "scopes": [ - "development" - ], - "version": "0.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/json-stringify-safe@5.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "json-stringify-safe", - "package_ref": "pkg:npm/json-stringify-safe@5.0.1", - "purl": "pkg:npm/json-stringify-safe@5.0.1", - "scopes": [ - "runtime" - ], - "version": "5.0.1" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.15" - ], - "id": "pkg:npm/jsonfile@2.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsonfile", - "package_ref": "pkg:npm/jsonfile@2.4.0", - "purl": "pkg:npm/jsonfile@2.4.0", - "scopes": [ - "runtime" - ], - "version": "2.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/jsonify@0.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsonify", - "package_ref": "pkg:npm/jsonify@0.0.0", - "purl": "pkg:npm/jsonify@0.0.0", - "scopes": [ - "development" - ], - "version": "0.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/jsonparse@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsonparse", - "package_ref": 
"pkg:npm/jsonparse@1.3.1", - "purl": "pkg:npm/jsonparse@1.3.1", - "scopes": [ - "development" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/jsonparse@1.3.1", - "pkg:npm/through@2.3.8" - ], - "id": "pkg:npm/jsonstream@1.3.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsonstream", - "package_ref": "pkg:npm/jsonstream@1.3.5", - "purl": "pkg:npm/jsonstream@1.3.5", - "scopes": [ - "development" - ], - "version": "1.3.5" - }, - { - "depends_on": [ - "pkg:npm/assert-plus@1.0.0", - "pkg:npm/extsprintf@1.3.0", - "pkg:npm/json-schema@0.2.3", - "pkg:npm/verror@1.10.0" - ], - "id": "pkg:npm/jsprim@1.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "jsprim", - "package_ref": "pkg:npm/jsprim@1.4.1", - "purl": "pkg:npm/jsprim@1.4.1", - "scopes": [ - "runtime" - ], - "version": "1.4.1" - }, - { - "depends_on": [ - "pkg:npm/lie@3.3.0", - "pkg:npm/pako@1.0.10", - "pkg:npm/readable-stream@2.3.7", - "pkg:npm/set-immediate-shim@1.0.1" - ], - "id": "pkg:npm/jszip@3.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "jszip", - "package_ref": "pkg:npm/jszip@3.2.2", - "purl": "pkg:npm/jszip@3.2.2", - "scopes": [ - "development" - ], - "version": "3.2.2" - }, - { - "depends_on": [], - "id": "pkg:npm/kareem@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "kareem", - "package_ref": "pkg:npm/kareem@1.0.1", - "purl": "pkg:npm/kareem@1.0.1", - "scopes": [ - 
"runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/nan@2.10.0" - ], - "id": "pkg:npm/kerberos@0.0.24", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "kerberos", - "package_ref": "pkg:npm/kerberos@0.0.24", - "purl": "pkg:npm/kerberos@0.0.24", - "scopes": [ - "runtime" - ], - "version": "0.0.24" - }, - { - "depends_on": [ - "pkg:npm/json-buffer@3.0.0" - ], - "id": "pkg:npm/keyv@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "keyv", - "package_ref": "pkg:npm/keyv@3.1.0", - "purl": "pkg:npm/keyv@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/is-buffer@1.1.6" - ], - "id": "pkg:npm/kind-of@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "kind-of", - "package_ref": "pkg:npm/kind-of@2.0.1", - "purl": "pkg:npm/kind-of@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/is-buffer@1.1.6" - ], - "id": "pkg:npm/kind-of@3.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "kind-of", - "package_ref": "pkg:npm/kind-of@3.2.2", - "purl": "pkg:npm/kind-of@3.2.2", - "scopes": [ - "development", - "runtime" - ], - "version": "3.2.2" - }, - { - "depends_on": [ - "pkg:npm/is-buffer@1.1.6" - ], - "id": "pkg:npm/kind-of@4.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "kind-of", - "package_ref": "pkg:npm/kind-of@4.0.0", - "purl": "pkg:npm/kind-of@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/kind-of@5.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "kind-of", - "package_ref": "pkg:npm/kind-of@5.1.0", - "purl": "pkg:npm/kind-of@5.1.0", - "scopes": [ - "runtime" - ], - "version": "5.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/kind-of@6.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "kind-of", - "package_ref": "pkg:npm/kind-of@6.0.2", - "purl": "pkg:npm/kind-of@6.0.2", - "scopes": [ - "runtime" - ], - "version": "6.0.2" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@2.0.4", - "pkg:npm/stream-splicer@2.0.0" - ], - "id": "pkg:npm/labeled-stream-splicer@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "labeled-stream-splicer", - "package_ref": "pkg:npm/labeled-stream-splicer@2.0.1", - "purl": "pkg:npm/labeled-stream-splicer@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/package-json@4.0.1" - ], - "id": "pkg:npm/latest-version@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "name": "latest-version", - "package_ref": "pkg:npm/latest-version@3.1.0", - "purl": "pkg:npm/latest-version@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/package-json@6.5.0" - ], - "id": "pkg:npm/latest-version@5.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "latest-version", - "package_ref": "pkg:npm/latest-version@5.1.0", - "purl": "pkg:npm/latest-version@5.1.0", - "scopes": [ - "development" - ], - "version": "5.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lazy-cache@0.2.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lazy-cache", - "package_ref": "pkg:npm/lazy-cache@0.2.7", - "purl": "pkg:npm/lazy-cache@0.2.7", - "scopes": [ - "development" - ], - "version": "0.2.7" - }, - { - "depends_on": [], - "id": "pkg:npm/lazy-cache@1.0.4", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lazy-cache", - "package_ref": "pkg:npm/lazy-cache@1.0.4", - "purl": "pkg:npm/lazy-cache@1.0.4", - "scopes": [ - "runtime" - ], - "version": "1.0.4" - }, - { - "depends_on": [ - "pkg:npm/invert-kv@1.0.0" - ], - "id": "pkg:npm/lcid@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lcid", - "package_ref": "pkg:npm/lcid@1.0.0", - "purl": "pkg:npm/lcid@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - 
"depends_on": [], - "id": "pkg:npm/lcov-parse@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lcov-parse", - "package_ref": "pkg:npm/lcov-parse@1.0.0", - "purl": "pkg:npm/lcov-parse@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/prelude-ls@1.1.2", - "pkg:npm/type-check@0.3.2" - ], - "id": "pkg:npm/levn@0.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "levn", - "package_ref": "pkg:npm/levn@0.3.0", - "purl": "pkg:npm/levn@0.3.0", - "scopes": [ - "development" - ], - "version": "0.3.0" - }, - { - "depends_on": [ - "pkg:npm/immediate@3.0.6" - ], - "id": "pkg:npm/lie@3.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lie", - "package_ref": "pkg:npm/lie@3.3.0", - "purl": "pkg:npm/lie@3.3.0", - "scopes": [ - "development" - ], - "version": "3.3.0" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.11", - "pkg:npm/parse-json@2.2.0", - "pkg:npm/pify@2.3.0", - "pkg:npm/pinkie-promise@2.0.1", - "pkg:npm/strip-bom@2.0.0" - ], - "id": "pkg:npm/load-json-file@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "load-json-file", - "package_ref": "pkg:npm/load-json-file@1.1.0", - "purl": "pkg:npm/load-json-file@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/p-locate@2.0.0", - "pkg:npm/path-exists@3.0.0" - ], - "id": "pkg:npm/locate-path@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - 
"file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "locate-path", - "package_ref": "pkg:npm/locate-path@2.0.0", - "purl": "pkg:npm/locate-path@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/p-locate@3.0.0", - "pkg:npm/path-exists@3.0.0" - ], - "id": "pkg:npm/locate-path@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "locate-path", - "package_ref": "pkg:npm/locate-path@3.0.0", - "purl": "pkg:npm/locate-path@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/p-locate@4.1.0" - ], - "id": "pkg:npm/locate-path@5.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "locate-path", - "package_ref": "pkg:npm/locate-path@5.0.0", - "purl": "pkg:npm/locate-path@5.0.0", - "scopes": [ - "runtime" - ], - "version": "5.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.assign@4.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.assign", - "package_ref": "pkg:npm/lodash.assign@4.2.0", - "purl": "pkg:npm/lodash.assign@4.2.0", - "scopes": [ - "development" - ], - "version": "4.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.assignin@4.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.assignin", - "package_ref": "pkg:npm/lodash.assignin@4.2.0", - "purl": "pkg:npm/lodash.assignin@4.2.0", - "scopes": [ - 
"development" - ], - "version": "4.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.clone@4.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.clone", - "package_ref": "pkg:npm/lodash.clone@4.5.0", - "purl": "pkg:npm/lodash.clone@4.5.0", - "scopes": [ - "development" - ], - "version": "4.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.clonedeep@4.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.clonedeep", - "package_ref": "pkg:npm/lodash.clonedeep@4.5.0", - "purl": "pkg:npm/lodash.clonedeep@4.5.0", - "scopes": [ - "development" - ], - "version": "4.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.flatten@4.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.flatten", - "package_ref": "pkg:npm/lodash.flatten@4.4.0", - "purl": "pkg:npm/lodash.flatten@4.4.0", - "scopes": [ - "development" - ], - "version": "4.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.get@4.4.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lodash.get", - "package_ref": "pkg:npm/lodash.get@4.4.2", - "purl": "pkg:npm/lodash.get@4.4.2", - "scopes": [ - "development" - ], - "version": "4.4.2" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.memoize@3.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "lodash.memoize", - "package_ref": "pkg:npm/lodash.memoize@3.0.4", - "purl": "pkg:npm/lodash.memoize@3.0.4", - "scopes": [ - "development" - ], - "version": "3.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash.set@4.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "lodash.set", - "package_ref": "pkg:npm/lodash.set@4.3.2", - "purl": "pkg:npm/lodash.set@4.3.2", - "scopes": [ - "development" - ], - "version": "4.3.2" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash@4.17.10", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "lodash", - "package_ref": "pkg:npm/lodash@4.17.10", - "purl": "pkg:npm/lodash@4.17.10", - "scopes": [ - "runtime" - ], - "version": "4.17.10" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash@4.17.15", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "lodash", - "package_ref": "pkg:npm/lodash@4.17.15", - "purl": "pkg:npm/lodash@4.17.15", - "scopes": [ - "development" - ], - "version": "4.17.15" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash@4.17.21", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "lodash", - "package_ref": "pkg:npm/lodash@4.17.21", - "purl": "pkg:npm/lodash@4.17.21", - "scopes": [ - "runtime" - ], - "version": "4.17.21" - }, - { - "depends_on": [], - "id": "pkg:npm/lodash@4.17.4", - "licenses": [], 
- "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "lodash", - "package_ref": "pkg:npm/lodash@4.17.4", - "purl": "pkg:npm/lodash@4.17.4", - "scopes": [ - "runtime" - ], - "version": "4.17.4" - }, - { - "depends_on": [], - "id": "pkg:npm/log-driver@1.2.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "log-driver", - "package_ref": "pkg:npm/log-driver@1.2.7", - "purl": "pkg:npm/log-driver@1.2.7", - "scopes": [ - "runtime" - ], - "version": "1.2.7" - }, - { - "depends_on": [], - "id": "pkg:npm/longest@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "longest", - "package_ref": "pkg:npm/longest@1.0.1", - "purl": "pkg:npm/longest@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/js-tokens@3.0.2" - ], - "id": "pkg:npm/loose-envify@1.3.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "loose-envify", - "package_ref": "pkg:npm/loose-envify@1.3.1", - "purl": "pkg:npm/loose-envify@1.3.1", - "scopes": [ - "runtime" - ], - "version": "1.3.1" - }, - { - "depends_on": [], - "id": "pkg:npm/lowercase-keys@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lowercase-keys", - "package_ref": "pkg:npm/lowercase-keys@1.0.1", - "purl": "pkg:npm/lowercase-keys@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/lowercase-keys@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "name": "lowercase-keys", - "package_ref": "pkg:npm/lowercase-keys@2.0.0", - "purl": "pkg:npm/lowercase-keys@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/lru-cache@2.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lru-cache", - "package_ref": "pkg:npm/lru-cache@2.3.1", - "purl": "pkg:npm/lru-cache@2.3.1", - "scopes": [ - "runtime" - ], - "version": "2.3.1" - }, - { - "depends_on": [ - "pkg:npm/pseudomap@1.0.2", - "pkg:npm/yallist@2.1.2" - ], - "id": "pkg:npm/lru-cache@4.1.3", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lru-cache", - "package_ref": "pkg:npm/lru-cache@4.1.3", - "purl": "pkg:npm/lru-cache@4.1.3", - "scopes": [ - "runtime" - ], - "version": "4.1.3" - }, - { - "depends_on": [ - "pkg:npm/pseudomap@1.0.2", - "pkg:npm/yallist@2.1.2" - ], - "id": "pkg:npm/lru-cache@4.1.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lru-cache", - "package_ref": "pkg:npm/lru-cache@4.1.5", - "purl": "pkg:npm/lru-cache@4.1.5", - "scopes": [ - "development", - "runtime" - ], - "version": "4.1.5" - }, - { - "depends_on": [ - "pkg:npm/yallist@3.1.1" - ], - "id": "pkg:npm/lru-cache@5.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "lru-cache", - "package_ref": "pkg:npm/lru-cache@5.1.1", - "purl": "pkg:npm/lru-cache@5.1.1", - 
"scopes": [ - "development" - ], - "version": "5.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/macos-release@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "macos-release", - "package_ref": "pkg:npm/macos-release@2.3.0", - "purl": "pkg:npm/macos-release@2.3.0", - "scopes": [ - "development" - ], - "version": "2.3.0" - }, - { - "depends_on": [ - "pkg:npm/pify@3.0.0" - ], - "id": "pkg:npm/make-dir@1.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "make-dir", - "package_ref": "pkg:npm/make-dir@1.3.0", - "purl": "pkg:npm/make-dir@1.3.0", - "scopes": [ - "development" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/semver@6.3.0" - ], - "id": "pkg:npm/make-dir@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "make-dir", - "package_ref": "pkg:npm/make-dir@3.1.0", - "purl": "pkg:npm/make-dir@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/map-cache@0.2.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "map-cache", - "package_ref": "pkg:npm/map-cache@0.2.2", - "purl": "pkg:npm/map-cache@0.2.2", - "scopes": [ - "runtime" - ], - "version": "0.2.2" - }, - { - "depends_on": [ - "pkg:npm/object-visit@1.0.1" - ], - "id": "pkg:npm/map-visit@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "map-visit", - "package_ref": "pkg:npm/map-visit@1.0.0", - "purl": "pkg:npm/map-visit@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": 
"pkg:npm/marked@0.3.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "marked", - "package_ref": "pkg:npm/marked@0.3.5", - "purl": "pkg:npm/marked@0.3.5", - "scopes": [ - "runtime" - ], - "version": "0.3.5" - }, - { - "depends_on": [ - "pkg:npm/md5-o-matic@0.1.1" - ], - "id": "pkg:npm/md5-hex@1.3.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "md5-hex", - "package_ref": "pkg:npm/md5-hex@1.3.0", - "purl": "pkg:npm/md5-hex@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/md5-o-matic@0.1.1", - "licenses": [], - "name": "md5-o-matic", - "package_ref": "pkg:npm/md5-o-matic@0.1.1", - "purl": "pkg:npm/md5-o-matic@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [ - "pkg:npm/hash-base@3.0.4", - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/md5.js@1.3.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "md5.js", - "package_ref": "pkg:npm/md5.js@1.3.5", - "purl": "pkg:npm/md5.js@1.3.5", - "scopes": [ - "development" - ], - "version": "1.3.5" - }, - { - "depends_on": [], - "id": "pkg:npm/media-typer@0.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "media-typer", - "package_ref": "pkg:npm/media-typer@0.3.0", - "purl": "pkg:npm/media-typer@0.3.0", - "scopes": [ - "runtime" - ], - "version": "0.3.0" - }, - { - "depends_on": [ - "pkg:npm/mimic-fn@1.2.0" - ], - "id": "pkg:npm/mem@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - 
"matched": true, - "name": "mem", - "package_ref": "pkg:npm/mem@1.1.0", - "purl": "pkg:npm/mem@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/memory-pager@1.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "memory-pager", - "package_ref": "pkg:npm/memory-pager@1.5.0", - "purl": "pkg:npm/memory-pager@1.5.0", - "scopes": [ - "runtime" - ], - "version": "1.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/merge-descriptors@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "merge-descriptors", - "package_ref": "pkg:npm/merge-descriptors@1.0.0", - "purl": "pkg:npm/merge-descriptors@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/source-map@0.6.1" - ], - "id": "pkg:npm/merge-source-map@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "merge-source-map", - "package_ref": "pkg:npm/merge-source-map@1.1.0", - "purl": "pkg:npm/merge-source-map@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.1.0", - "pkg:npm/methods@1.1.2", - "pkg:npm/parseurl@1.3.3", - "pkg:npm/vary@1.1.2" - ], - "id": "pkg:npm/method-override@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "method-override", - "package_ref": "pkg:npm/method-override@3.0.0", - "purl": "pkg:npm/method-override@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/methods@1.1.2", - "licenses": [], - "locations": [ - { - 
"access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "methods", - "package_ref": "pkg:npm/methods@1.1.2", - "purl": "pkg:npm/methods@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [ - "pkg:npm/arr-diff@4.0.0", - "pkg:npm/array-unique@0.3.2", - "pkg:npm/braces@2.3.2", - "pkg:npm/define-property@2.0.2", - "pkg:npm/extend-shallow@3.0.2", - "pkg:npm/extglob@2.0.4", - "pkg:npm/fragment-cache@0.2.1", - "pkg:npm/kind-of@6.0.2", - "pkg:npm/nanomatch@1.2.9", - "pkg:npm/object.pick@1.3.0", - "pkg:npm/regex-not@1.0.2", - "pkg:npm/snapdragon@0.8.2", - "pkg:npm/to-regex@3.0.2" - ], - "id": "pkg:npm/micromatch@3.1.10", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "micromatch", - "package_ref": "pkg:npm/micromatch@3.1.10", - "purl": "pkg:npm/micromatch@3.1.10", - "scopes": [ - "runtime" - ], - "version": "3.1.10" - }, - { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/brorand@1.1.0" - ], - "id": "pkg:npm/miller-rabin@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "miller-rabin", - "package_ref": "pkg:npm/miller-rabin@4.0.1", - "purl": "pkg:npm/miller-rabin@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/mime-db@1.12.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-db", - "package_ref": "pkg:npm/mime-db@1.12.0", - "purl": "pkg:npm/mime-db@1.12.0", - "scopes": [ - "runtime" - ], - "version": "1.12.0" - }, - { - "depends_on": [], - "id": "pkg:npm/mime-db@1.39.0", - "licenses": [], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-db", - "package_ref": "pkg:npm/mime-db@1.39.0", - "purl": "pkg:npm/mime-db@1.39.0", - "scopes": [ - "runtime" - ], - "version": "1.39.0" - }, - { - "depends_on": [], - "id": "pkg:npm/mime-db@1.43.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-db", - "package_ref": "pkg:npm/mime-db@1.43.0", - "purl": "pkg:npm/mime-db@1.43.0", - "scopes": [ - "runtime" - ], - "version": "1.43.0" - }, - { - "depends_on": [ - "pkg:npm/mime-db@1.12.0" - ], - "id": "pkg:npm/mime-types@2.0.14", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-types", - "package_ref": "pkg:npm/mime-types@2.0.14", - "purl": "pkg:npm/mime-types@2.0.14", - "scopes": [ - "runtime" - ], - "version": "2.0.14" - }, - { - "depends_on": [ - "pkg:npm/mime-db@1.39.0" - ], - "id": "pkg:npm/mime-types@2.1.23", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-types", - "package_ref": "pkg:npm/mime-types@2.1.23", - "purl": "pkg:npm/mime-types@2.1.23", - "scopes": [ - "runtime" - ], - "version": "2.1.23" - }, - { - "depends_on": [ - "pkg:npm/mime-db@1.43.0" - ], - "id": "pkg:npm/mime-types@2.1.26", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mime-types", - "package_ref": "pkg:npm/mime-types@2.1.26", - "purl": "pkg:npm/mime-types@2.1.26", - "scopes": [ - "runtime" - ], - 
"version": "2.1.26" - }, - { - "depends_on": [], - "id": "pkg:npm/mime@1.2.11", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mime", - "package_ref": "pkg:npm/mime@1.2.11", - "purl": "pkg:npm/mime@1.2.11", - "scopes": [ - "runtime" - ], - "version": "1.2.11" - }, - { - "depends_on": [], - "id": "pkg:npm/mime@1.3.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mime", - "package_ref": "pkg:npm/mime@1.3.4", - "purl": "pkg:npm/mime@1.3.4", - "scopes": [ - "runtime" - ], - "version": "1.3.4" - }, - { - "depends_on": [], - "id": "pkg:npm/mimic-fn@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mimic-fn", - "package_ref": "pkg:npm/mimic-fn@1.2.0", - "purl": "pkg:npm/mimic-fn@1.2.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/mimic-response@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mimic-response", - "package_ref": "pkg:npm/mimic-response@1.0.1", - "purl": "pkg:npm/mimic-response@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/minimalistic-assert@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "minimalistic-assert", - "package_ref": 
"pkg:npm/minimalistic-assert@1.0.1", - "purl": "pkg:npm/minimalistic-assert@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/minimalistic-crypto-utils@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "minimalistic-crypto-utils", - "package_ref": "pkg:npm/minimalistic-crypto-utils@1.0.1", - "purl": "pkg:npm/minimalistic-crypto-utils@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/brace-expansion@1.1.11" - ], - "id": "pkg:npm/minimatch@3.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "minimatch", - "package_ref": "pkg:npm/minimatch@3.0.4", - "purl": "pkg:npm/minimatch@3.0.4", - "scopes": [ - "development", - "runtime" - ], - "version": "3.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/minimist@0.0.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "minimist", - "package_ref": "pkg:npm/minimist@0.0.10", - "purl": "pkg:npm/minimist@0.0.10", - "scopes": [ - "runtime" - ], - "version": "0.0.10" - }, - { - "depends_on": [], - "id": "pkg:npm/minimist@0.0.8", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "minimist", - "package_ref": "pkg:npm/minimist@0.0.8", - "purl": "pkg:npm/minimist@0.0.8", - "scopes": [ - "runtime" - ], - "version": "0.0.8" - }, - { - 
"depends_on": [], - "id": "pkg:npm/minimist@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "minimist", - "package_ref": "pkg:npm/minimist@1.2.0", - "purl": "pkg:npm/minimist@1.2.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/minimist@1.2.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "minimist", - "package_ref": "pkg:npm/minimist@1.2.5", - "purl": "pkg:npm/minimist@1.2.5", - "scopes": [ - "runtime" - ], - "version": "1.2.5" - }, - { - "depends_on": [ - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/yallist@3.1.1" - ], - "id": "pkg:npm/minipass@2.9.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "minipass", - "package_ref": "pkg:npm/minipass@2.9.0", - "purl": "pkg:npm/minipass@2.9.0", - "scopes": [ - "runtime" - ], - "version": "2.9.0" - }, - { - "depends_on": [ - "pkg:npm/for-in@1.0.2", - "pkg:npm/is-extendable@1.0.1" - ], - "id": "pkg:npm/mixin-deep@1.3.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "mixin-deep", - "package_ref": "pkg:npm/mixin-deep@1.3.1", - "purl": "pkg:npm/mixin-deep@1.3.1", - "scopes": [ - "runtime" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/for-in@0.1.8", - "pkg:npm/is-extendable@0.1.1" - ], - "id": "pkg:npm/mixin-object@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "mixin-object", - "package_ref": "pkg:npm/mixin-object@2.0.1", - "purl": "pkg:npm/mixin-object@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/mkdirp@0.3.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mkdirp", - "package_ref": "pkg:npm/mkdirp@0.3.5", - "purl": "pkg:npm/mkdirp@0.3.5", - "scopes": [ - "runtime" - ], - "version": "0.3.5" - }, - { - "depends_on": [ - "pkg:npm/minimist@0.0.8" - ], - "id": "pkg:npm/mkdirp@0.5.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mkdirp", - "package_ref": "pkg:npm/mkdirp@0.5.1", - "purl": "pkg:npm/mkdirp@0.5.1", - "scopes": [ - "runtime" - ], - "version": "0.5.1" - }, - { - "depends_on": [ - "pkg:npm/minimist@1.2.5" - ], - "id": "pkg:npm/mkdirp@0.5.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mkdirp", - "package_ref": "pkg:npm/mkdirp@0.5.5", - "purl": "pkg:npm/mkdirp@0.5.5", - "scopes": [ - "runtime" - ], - "version": "0.5.5" - }, - { - "depends_on": [ - "pkg:npm/browser-resolve@1.11.3", - "pkg:npm/cached-path-relative@1.0.2", - "pkg:npm/concat-stream@1.5.2", - "pkg:npm/defined@1.0.0", - "pkg:npm/detective@4.7.1", - "pkg:npm/duplexer2@0.1.4", - "pkg:npm/inherits@2.0.3", - "pkg:npm/jsonstream@1.3.5", - "pkg:npm/parents@1.0.1", - "pkg:npm/readable-stream@2.3.6", - "pkg:npm/resolve@1.10.0", - "pkg:npm/stream-combiner2@1.1.1", - "pkg:npm/subarg@1.0.0", - "pkg:npm/through2@2.0.5", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/module-deps@4.1.1", - "licenses": [], 
- "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "module-deps", - "package_ref": "pkg:npm/module-deps@4.1.1", - "purl": "pkg:npm/module-deps@4.1.1", - "scopes": [ - "development" - ], - "version": "4.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/moment@2.15.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "moment", - "package_ref": "pkg:npm/moment@2.15.1", - "purl": "pkg:npm/moment@2.15.1", - "scopes": [ - "runtime" - ], - "version": "2.15.1" - }, - { - "depends_on": [ - "pkg:npm/bson@0.4.23", - "pkg:npm/kerberos@0.0.24" - ], - "id": "pkg:npm/mongodb-core@1.2.19", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mongodb-core", - "package_ref": "pkg:npm/mongodb-core@1.2.19", - "purl": "pkg:npm/mongodb-core@1.2.19", - "scopes": [ - "runtime" - ], - "version": "1.2.19" - }, - { - "depends_on": [ - "pkg:npm/es6-promise@2.1.1", - "pkg:npm/mongodb-core@1.2.19", - "pkg:npm/readable-stream@1.0.31" - ], - "id": "pkg:npm/mongodb@2.0.46", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mongodb", - "package_ref": "pkg:npm/mongodb@2.0.46", - "purl": "pkg:npm/mongodb@2.0.46", - "scopes": [ - "runtime" - ], - "version": "2.0.46" - }, - { - "depends_on": [ - "pkg:npm/bl@2.2.0", - "pkg:npm/bson@1.1.4", - "pkg:npm/denque@1.4.1", - "pkg:npm/require_optional@1.0.1", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/saslprep@1.0.3" - ], - "id": "pkg:npm/mongodb@3.5.9", - "licenses": [], - 
"locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mongodb", - "package_ref": "pkg:npm/mongodb@3.5.9", - "purl": "pkg:npm/mongodb@3.5.9", - "scopes": [ - "runtime" - ], - "version": "3.5.9" - }, - { - "depends_on": [ - "pkg:npm/async@0.9.0", - "pkg:npm/bson@0.4.23", - "pkg:npm/hooks-fixed@1.1.0", - "pkg:npm/kareem@1.0.1", - "pkg:npm/mongodb@2.0.46", - "pkg:npm/mpath@0.1.1", - "pkg:npm/mpromise@0.5.4", - "pkg:npm/mquery@1.6.3", - "pkg:npm/ms@0.7.1", - "pkg:npm/muri@1.0.0", - "pkg:npm/regexp-clone@0.0.1", - "pkg:npm/sliced@0.0.5" - ], - "id": "pkg:npm/mongoose@4.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mongoose", - "package_ref": "pkg:npm/mongoose@4.2.4", - "purl": "pkg:npm/mongoose@4.2.4", - "scopes": [ - "runtime" - ], - "version": "4.2.4" - }, - { - "depends_on": [ - "pkg:npm/basic-auth@2.0.1", - "pkg:npm/debug@2.6.9", - "pkg:npm/depd@2.0.0", - "pkg:npm/on-finished@2.3.0", - "pkg:npm/on-headers@1.0.2" - ], - "id": "pkg:npm/morgan@1.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "morgan", - "package_ref": "pkg:npm/morgan@1.10.0", - "purl": "pkg:npm/morgan@1.10.0", - "scopes": [ - "runtime" - ], - "version": "1.10.0" - }, - { - "depends_on": [], - "id": "pkg:npm/mpath@0.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mpath", - "package_ref": "pkg:npm/mpath@0.1.1", - "purl": "pkg:npm/mpath@0.1.1", - "scopes": [ - "runtime" - ], - "version": 
"0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/mpromise@0.5.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mpromise", - "package_ref": "pkg:npm/mpromise@0.5.4", - "purl": "pkg:npm/mpromise@0.5.4", - "scopes": [ - "runtime" - ], - "version": "0.5.4" - }, - { - "depends_on": [ - "pkg:npm/bluebird@2.9.26", - "pkg:npm/debug@2.2.0", - "pkg:npm/regexp-clone@0.0.1", - "pkg:npm/sliced@0.0.5" - ], - "id": "pkg:npm/mquery@1.6.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "mquery", - "package_ref": "pkg:npm/mquery@1.6.3", - "purl": "pkg:npm/mquery@1.6.3", - "scopes": [ - "runtime" - ], - "version": "1.6.3" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@0.6.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ms", - "package_ref": "pkg:npm/ms@0.6.2", - "purl": "pkg:npm/ms@0.6.2", - "scopes": [ - "runtime" - ], - "version": "0.6.2" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@0.7.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "ms", - "package_ref": "pkg:npm/ms@0.7.1", - "purl": "pkg:npm/ms@0.7.1", - "scopes": [ - "runtime" - ], - "version": "0.7.1" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@0.7.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": 
"ms", - "package_ref": "pkg:npm/ms@0.7.3", - "purl": "pkg:npm/ms@0.7.3", - "scopes": [ - "runtime" - ], - "version": "0.7.3" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ms", - "package_ref": "pkg:npm/ms@2.0.0", - "purl": "pkg:npm/ms@2.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@2.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ms", - "package_ref": "pkg:npm/ms@2.1.1", - "purl": "pkg:npm/ms@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@2.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ms", - "package_ref": "pkg:npm/ms@2.1.2", - "purl": "pkg:npm/ms@2.1.2", - "scopes": [ - "development" - ], - "version": "2.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/ms@2.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ms", - "package_ref": "pkg:npm/ms@2.1.3", - "purl": "pkg:npm/ms@2.1.3", - "scopes": [ - "development" - ], - "version": "2.1.3" - }, - { - "depends_on": [], - "id": "pkg:npm/muri@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "muri", - "package_ref": "pkg:npm/muri@1.0.0", - "purl": "pkg:npm/muri@1.0.0", - 
"scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/mute-stream@0.0.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mute-stream", - "package_ref": "pkg:npm/mute-stream@0.0.7", - "purl": "pkg:npm/mute-stream@0.0.7", - "scopes": [ - "development" - ], - "version": "0.0.7" - }, - { - "depends_on": [ - "pkg:npm/bignumber.js@9.0.0", - "pkg:npm/readable-stream@2.3.7", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/sqlstring@2.3.1" - ], - "id": "pkg:npm/mysql@2.18.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mysql", - "package_ref": "pkg:npm/mysql@2.18.1", - "purl": "pkg:npm/mysql@2.18.1", - "scopes": [ - "runtime" - ], - "version": "2.18.1" - }, - { - "depends_on": [ - "pkg:npm/any-promise@1.3.0", - "pkg:npm/object-assign@4.1.1", - "pkg:npm/thenify-all@1.6.0" - ], - "id": "pkg:npm/mz@2.7.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "mz", - "package_ref": "pkg:npm/mz@2.7.0", - "purl": "pkg:npm/mz@2.7.0", - "scopes": [ - "runtime" - ], - "version": "2.7.0" - }, - { - "depends_on": [], - "id": "pkg:npm/nan@2.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nan", - "package_ref": "pkg:npm/nan@2.10.0", - "purl": "pkg:npm/nan@2.10.0", - "scopes": [ - "runtime" - ], - "version": "2.10.0" - }, - { - "depends_on": [ - "pkg:npm/arr-diff@4.0.0", - "pkg:npm/array-unique@0.3.2", - "pkg:npm/define-property@2.0.2", - 
"pkg:npm/extend-shallow@3.0.2", - "pkg:npm/fragment-cache@0.2.1", - "pkg:npm/is-odd@2.0.0", - "pkg:npm/is-windows@1.0.2", - "pkg:npm/kind-of@6.0.2", - "pkg:npm/object.pick@1.3.0", - "pkg:npm/regex-not@1.0.2", - "pkg:npm/snapdragon@0.8.2", - "pkg:npm/to-regex@3.0.2" - ], - "id": "pkg:npm/nanomatch@1.2.9", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "nanomatch", - "package_ref": "pkg:npm/nanomatch@1.2.9", - "purl": "pkg:npm/nanomatch@1.2.9", - "scopes": [ - "runtime" - ], - "version": "1.2.9" - }, - { - "depends_on": [ - "pkg:npm/async@1.5.2", - "pkg:npm/ini@1.3.5", - "pkg:npm/secure-keys@1.0.0", - "pkg:npm/yargs@3.32.0" - ], - "id": "pkg:npm/nconf@0.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "nconf", - "package_ref": "pkg:npm/nconf@0.10.0", - "purl": "pkg:npm/nconf@0.10.0", - "scopes": [ - "development" - ], - "version": "0.10.0" - }, - { - "depends_on": [ - "pkg:npm/debug@4.1.1", - "pkg:npm/iconv-lite@0.4.24", - "pkg:npm/sax@1.2.4" - ], - "id": "pkg:npm/needle@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "needle", - "package_ref": "pkg:npm/needle@2.3.0", - "purl": "pkg:npm/needle@2.3.0", - "scopes": [ - "development" - ], - "version": "2.3.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/iconv-lite@0.4.24", - "pkg:npm/sax@1.2.4" - ], - "id": "pkg:npm/needle@2.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "needle", - "package_ref": "pkg:npm/needle@2.4.0", - "purl": "pkg:npm/needle@2.4.0", - "scopes": [ - "development" - ], - 
"version": "2.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/negotiator@0.2.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "negotiator", - "package_ref": "pkg:npm/negotiator@0.2.8", - "purl": "pkg:npm/negotiator@0.2.8", - "scopes": [ - "runtime" - ], - "version": "0.2.8" - }, - { - "depends_on": [], - "id": "pkg:npm/negotiator@0.4.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "negotiator", - "package_ref": "pkg:npm/negotiator@0.4.9", - "purl": "pkg:npm/negotiator@0.4.9", - "scopes": [ - "runtime" - ], - "version": "0.4.9" - }, - { - "depends_on": [], - "id": "pkg:npm/negotiator@0.5.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "negotiator", - "package_ref": "pkg:npm/negotiator@0.5.3", - "purl": "pkg:npm/negotiator@0.5.3", - "scopes": [ - "runtime" - ], - "version": "0.5.3" - }, - { - "depends_on": [], - "id": "pkg:npm/netmask@1.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "netmask", - "package_ref": "pkg:npm/netmask@1.0.6", - "purl": "pkg:npm/netmask@1.0.6", - "scopes": [ - "development" - ], - "version": "1.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/nice-try@1.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nice-try", - 
"package_ref": "pkg:npm/nice-try@1.0.5", - "purl": "pkg:npm/nice-try@1.0.5", - "scopes": [ - "development" - ], - "version": "1.0.5" - }, - { - "depends_on": [ - "pkg:npm/chokidar@3.5.1", - "pkg:npm/debug@3.2.7", - "pkg:npm/ignore-by-default@1.0.1", - "pkg:npm/minimatch@3.0.4", - "pkg:npm/pstree.remy@1.1.8", - "pkg:npm/semver@5.7.1", - "pkg:npm/supports-color@5.5.0", - "pkg:npm/touch@3.1.0", - "pkg:npm/undefsafe@2.0.3", - "pkg:npm/update-notifier@4.1.3" - ], - "id": "pkg:npm/nodemon@2.0.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nodemon", - "package_ref": "pkg:npm/nodemon@2.0.7", - "purl": "pkg:npm/nodemon@2.0.7", - "scopes": [ - "development" - ], - "version": "2.0.7" - }, - { - "depends_on": [ - "pkg:npm/abbrev@1.1.1" - ], - "id": "pkg:npm/nopt@1.0.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nopt", - "package_ref": "pkg:npm/nopt@1.0.10", - "purl": "pkg:npm/nopt@1.0.10", - "scopes": [ - "development" - ], - "version": "1.0.10" - }, - { - "depends_on": [ - "pkg:npm/abbrev@1.1.1" - ], - "id": "pkg:npm/nopt@2.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nopt", - "package_ref": "pkg:npm/nopt@2.2.1", - "purl": "pkg:npm/nopt@2.2.1", - "scopes": [ - "runtime" - ], - "version": "2.2.1" - }, - { - "depends_on": [ - "pkg:npm/hosted-git-info@2.6.0", - "pkg:npm/is-builtin-module@1.0.0", - "pkg:npm/semver@5.5.0", - "pkg:npm/validate-npm-package-license@3.0.3" - ], - "id": "pkg:npm/normalize-package-data@2.4.0", - "licenses": [ - { - "type": "declared", - "value": "BSD-2-Clause" - } - ], - "name": 
"normalize-package-data", - "package_ref": "pkg:npm/normalize-package-data@2.4.0", - "purl": "pkg:npm/normalize-package-data@2.4.0", - "scopes": [ - "runtime" - ], - "version": "2.4.0" - }, - { - "depends_on": [], - "id": "pkg:npm/normalize-path@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "normalize-path", - "package_ref": "pkg:npm/normalize-path@3.0.0", - "purl": "pkg:npm/normalize-path@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/normalize-url@3.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "normalize-url", - "package_ref": "pkg:npm/normalize-url@3.3.0", - "purl": "pkg:npm/normalize-url@3.3.0", - "scopes": [ - "development" - ], - "version": "3.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/normalize-url@4.5.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "normalize-url", - "package_ref": "pkg:npm/normalize-url@4.5.1", - "purl": "pkg:npm/normalize-url@4.5.1", - "scopes": [ - "development" - ], - "version": "4.5.1" - }, - { - "depends_on": [ - "pkg:npm/path-key@2.0.1" - ], - "id": "pkg:npm/npm-run-path@2.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "npm-run-path", - "package_ref": "pkg:npm/npm-run-path@2.0.2", - "purl": "pkg:npm/npm-run-path@2.0.2", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.2" - }, - { - "depends_on": [ - "pkg:npm/config-chain@1.1.12", - 
"pkg:npm/inherits@1.0.2", - "pkg:npm/ini@1.1.0", - "pkg:npm/mkdirp@0.3.5", - "pkg:npm/nopt@2.2.1", - "pkg:npm/once@1.1.1", - "pkg:npm/osenv@0.0.3", - "pkg:npm/semver@1.1.4" - ], - "id": "pkg:npm/npmconf@0.0.24", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "npmconf", - "package_ref": "pkg:npm/npmconf@0.0.24", - "purl": "pkg:npm/npmconf@0.0.24", - "scopes": [ - "runtime" - ], - "version": "0.0.24" - }, - { - "depends_on": [], - "id": "pkg:npm/number-is-nan@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "number-is-nan", - "package_ref": "pkg:npm/number-is-nan@1.0.1", - "purl": "pkg:npm/number-is-nan@1.0.1", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/archy@1.0.0", - "pkg:npm/arrify@1.0.1", - "pkg:npm/caching-transform@1.0.1", - "pkg:npm/convert-source-map@1.5.1", - "pkg:npm/debug-log@1.0.1", - "pkg:npm/default-require-extensions@1.0.0", - "pkg:npm/find-cache-dir@0.1.1", - "pkg:npm/find-up@2.1.0", - "pkg:npm/foreground-child@1.5.6", - "pkg:npm/glob@7.1.2", - "pkg:npm/istanbul-lib-coverage@1.2.0", - "pkg:npm/istanbul-lib-hook@1.1.0", - "pkg:npm/istanbul-lib-instrument@1.10.1", - "pkg:npm/istanbul-lib-report@1.1.3", - "pkg:npm/istanbul-lib-source-maps@1.2.3", - "pkg:npm/istanbul-reports@1.4.0", - "pkg:npm/md5-hex@1.3.0", - "pkg:npm/merge-source-map@1.1.0", - "pkg:npm/micromatch@3.1.10", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/resolve-from@2.0.0", - "pkg:npm/rimraf@2.6.2", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/spawn-wrap@1.4.2", - "pkg:npm/test-exclude@4.2.1", - "pkg:npm/yargs-parser@8.1.0", - "pkg:npm/yargs@11.1.0" - ], - "id": "pkg:npm/nyc@11.9.0", - "licenses": [], - "locations": [ - { 
- "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "nyc", - "package_ref": "pkg:npm/nyc@11.9.0", - "purl": "pkg:npm/nyc@11.9.0", - "scopes": [ - "runtime" - ], - "version": "11.9.0" - }, - { - "depends_on": [], - "id": "pkg:npm/oauth-sign@0.9.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "oauth-sign", - "package_ref": "pkg:npm/oauth-sign@0.9.0", - "purl": "pkg:npm/oauth-sign@0.9.0", - "scopes": [ - "runtime" - ], - "version": "0.9.0" - }, - { - "depends_on": [], - "id": "pkg:npm/object-assign@4.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "object-assign", - "package_ref": "pkg:npm/object-assign@4.1.1", - "purl": "pkg:npm/object-assign@4.1.1", - "scopes": [ - "runtime" - ], - "version": "4.1.1" - }, - { - "depends_on": [ - "pkg:npm/copy-descriptor@0.1.1", - "pkg:npm/define-property@0.2.5", - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/object-copy@0.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object-copy", - "package_ref": "pkg:npm/object-copy@0.1.0", - "purl": "pkg:npm/object-copy@0.1.0", - "scopes": [ - "runtime" - ], - "version": "0.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/object-hash@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "object-hash", - "package_ref": "pkg:npm/object-hash@1.3.1", - "purl": "pkg:npm/object-hash@1.3.1", - "scopes": [ - "development" - ], - "version": "1.3.1" - }, - { - 
"depends_on": [ - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/object-visit@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object-visit", - "package_ref": "pkg:npm/object-visit@1.0.1", - "purl": "pkg:npm/object-visit@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/object.pick@1.3.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object.pick", - "package_ref": "pkg:npm/object.pick@1.3.0", - "purl": "pkg:npm/object.pick@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/ee-first@1.0.5" - ], - "id": "pkg:npm/on-finished@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "on-finished", - "package_ref": "pkg:npm/on-finished@2.1.0", - "purl": "pkg:npm/on-finished@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/ee-first@1.1.0" - ], - "id": "pkg:npm/on-finished@2.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "on-finished", - "package_ref": "pkg:npm/on-finished@2.2.1", - "purl": "pkg:npm/on-finished@2.2.1", - "scopes": [ - "runtime" - ], - "version": "2.2.1" - }, - { - "depends_on": [ - "pkg:npm/ee-first@1.1.1" - ], - "id": "pkg:npm/on-finished@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "on-finished", - "package_ref": "pkg:npm/on-finished@2.3.0", - "purl": "pkg:npm/on-finished@2.3.0", - "scopes": [ - "runtime" - ], - "version": "2.3.0" - }, - { - "depends_on": 
[], - "id": "pkg:npm/on-headers@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "on-headers", - "package_ref": "pkg:npm/on-headers@1.0.2", - "purl": "pkg:npm/on-headers@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/once@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "once", - "package_ref": "pkg:npm/once@1.1.1", - "purl": "pkg:npm/once@1.1.1", - "scopes": [ - "runtime" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/wrappy@1.0.2" - ], - "id": "pkg:npm/once@1.4.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "once", - "package_ref": "pkg:npm/once@1.4.0", - "purl": "pkg:npm/once@1.4.0", - "scopes": [ - "runtime" - ], - "version": "1.4.0" - }, - { - "depends_on": [ - "pkg:npm/mimic-fn@1.2.0" - ], - "id": "pkg:npm/onetime@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "onetime", - "package_ref": "pkg:npm/onetime@2.0.1", - "purl": "pkg:npm/onetime@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/opener@1.5.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "opener", - "package_ref": "pkg:npm/opener@1.5.1", - "purl": 
"pkg:npm/opener@1.5.1", - "scopes": [ - "runtime" - ], - "version": "1.5.1" - }, - { - "depends_on": [ - "pkg:npm/is-wsl@1.1.0" - ], - "id": "pkg:npm/opn@5.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "opn", - "package_ref": "pkg:npm/opn@5.5.0", - "purl": "pkg:npm/opn@5.5.0", - "scopes": [ - "development" - ], - "version": "5.5.0" - }, - { - "depends_on": [ - "pkg:npm/minimist@0.0.10", - "pkg:npm/minimist@0.0.8", - "pkg:npm/wordwrap@0.0.3" - ], - "id": "pkg:npm/optimist@0.6.1", - "licenses": [ - { - "type": "declared", - "value": "MIT/X11" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "optimist", - "package_ref": "pkg:npm/optimist@0.6.1", - "purl": "pkg:npm/optimist@0.6.1", - "scopes": [ - "runtime" - ], - "version": "0.6.1" - }, - { - "depends_on": [], - "id": "pkg:npm/optional@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "optional", - "package_ref": "pkg:npm/optional@0.1.4", - "purl": "pkg:npm/optional@0.1.4", - "scopes": [ - "runtime" - ], - "version": "0.1.4" - }, - { - "depends_on": [ - "pkg:npm/deep-is@0.1.3", - "pkg:npm/fast-levenshtein@2.0.6", - "pkg:npm/levn@0.3.0", - "pkg:npm/prelude-ls@1.1.2", - "pkg:npm/type-check@0.3.2", - "pkg:npm/word-wrap@1.2.3" - ], - "id": "pkg:npm/optionator@0.8.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "optionator", - "package_ref": "pkg:npm/optionator@0.8.3", - "purl": "pkg:npm/optionator@0.8.3", - "scopes": [ - "development" - 
], - "version": "0.8.3" - }, - { - "depends_on": [], - "id": "pkg:npm/os-browserify@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-browserify", - "package_ref": "pkg:npm/os-browserify@0.1.2", - "purl": "pkg:npm/os-browserify@0.1.2", - "scopes": [ - "development" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/os-homedir@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-homedir", - "package_ref": "pkg:npm/os-homedir@1.0.2", - "purl": "pkg:npm/os-homedir@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/lcid@1.0.0" - ], - "id": "pkg:npm/os-locale@1.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-locale", - "package_ref": "pkg:npm/os-locale@1.4.0", - "purl": "pkg:npm/os-locale@1.4.0", - "scopes": [ - "development" - ], - "version": "1.4.0" - }, - { - "depends_on": [ - "pkg:npm/execa@0.7.0", - "pkg:npm/lcid@1.0.0", - "pkg:npm/mem@1.1.0" - ], - "id": "pkg:npm/os-locale@2.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-locale", - "package_ref": "pkg:npm/os-locale@2.1.0", - "purl": "pkg:npm/os-locale@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/macos-release@2.3.0", - "pkg:npm/windows-release@3.2.0" - ], - "id": 
"pkg:npm/os-name@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-name", - "package_ref": "pkg:npm/os-name@3.1.0", - "purl": "pkg:npm/os-name@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/os-tmpdir@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "os-tmpdir", - "package_ref": "pkg:npm/os-tmpdir@1.0.2", - "purl": "pkg:npm/os-tmpdir@1.0.2", - "scopes": [ - "development" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/osenv@0.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "osenv", - "package_ref": "pkg:npm/osenv@0.0.3", - "purl": "pkg:npm/osenv@0.0.3", - "scopes": [ - "runtime" - ], - "version": "0.0.3" - }, - { - "depends_on": [ - "pkg:npm/own-or@1.0.0" - ], - "id": "pkg:npm/own-or-env@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "own-or-env", - "package_ref": "pkg:npm/own-or-env@1.0.1", - "purl": "pkg:npm/own-or-env@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/own-or@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "own-or", - "package_ref": "pkg:npm/own-or@1.0.0", - "purl": "pkg:npm/own-or@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - 
{ - "depends_on": [], - "id": "pkg:npm/p-cancelable@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-cancelable", - "package_ref": "pkg:npm/p-cancelable@1.1.0", - "purl": "pkg:npm/p-cancelable@1.1.0", - "scopes": [ - "development" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/p-finally@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-finally", - "package_ref": "pkg:npm/p-finally@1.0.0", - "purl": "pkg:npm/p-finally@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/p-try@1.0.0" - ], - "id": "pkg:npm/p-limit@1.2.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-limit", - "package_ref": "pkg:npm/p-limit@1.2.0", - "purl": "pkg:npm/p-limit@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:npm/p-try@2.2.0" - ], - "id": "pkg:npm/p-limit@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-limit", - "package_ref": "pkg:npm/p-limit@2.3.0", - "purl": "pkg:npm/p-limit@2.3.0", - "scopes": [ - "runtime" - ], - "version": "2.3.0" - }, - { - "depends_on": [ - "pkg:npm/p-limit@1.2.0" - ], - "id": "pkg:npm/p-locate@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-locate", - "package_ref": "pkg:npm/p-locate@2.0.0", - "purl": "pkg:npm/p-locate@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/p-limit@2.3.0" - ], - "id": "pkg:npm/p-locate@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-locate", - "package_ref": "pkg:npm/p-locate@3.0.0", - "purl": "pkg:npm/p-locate@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/p-limit@2.3.0" - ], - "id": "pkg:npm/p-locate@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-locate", - "package_ref": "pkg:npm/p-locate@4.1.0", - "purl": "pkg:npm/p-locate@4.1.0", - "scopes": [ - "runtime" - ], - "version": "4.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/p-map@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-map", - "package_ref": "pkg:npm/p-map@2.1.0", - "purl": "pkg:npm/p-map@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/p-try@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-try", - "package_ref": "pkg:npm/p-try@1.0.0", - "purl": "pkg:npm/p-try@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": 
[], - "id": "pkg:npm/p-try@2.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "p-try", - "package_ref": "pkg:npm/p-try@2.2.0", - "purl": "pkg:npm/p-try@2.2.0", - "scopes": [ - "runtime" - ], - "version": "2.2.0" - }, - { - "depends_on": [ - "pkg:npm/agent-base@4.3.0", - "pkg:npm/debug@4.1.1", - "pkg:npm/get-uri@2.0.4", - "pkg:npm/http-proxy-agent@2.1.0", - "pkg:npm/https-proxy-agent@3.0.1", - "pkg:npm/pac-resolver@3.0.0", - "pkg:npm/raw-body@2.4.1", - "pkg:npm/socks-proxy-agent@4.0.2" - ], - "id": "pkg:npm/pac-proxy-agent@3.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pac-proxy-agent", - "package_ref": "pkg:npm/pac-proxy-agent@3.0.1", - "purl": "pkg:npm/pac-proxy-agent@3.0.1", - "scopes": [ - "development" - ], - "version": "3.0.1" - }, - { - "depends_on": [ - "pkg:npm/co@4.6.0", - "pkg:npm/degenerator@1.0.4", - "pkg:npm/ip@1.1.5", - "pkg:npm/netmask@1.0.6", - "pkg:npm/thunkify@2.1.2" - ], - "id": "pkg:npm/pac-resolver@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "pac-resolver", - "package_ref": "pkg:npm/pac-resolver@3.0.0", - "purl": "pkg:npm/pac-resolver@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/got@6.7.1", - "pkg:npm/registry-auth-token@3.4.0", - "pkg:npm/registry-url@3.1.0", - "pkg:npm/semver@5.7.0" - ], - "id": "pkg:npm/package-json@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "package-json", - "package_ref": "pkg:npm/package-json@4.0.1", - "purl": "pkg:npm/package-json@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [ - "pkg:npm/got@9.6.0", - "pkg:npm/registry-auth-token@4.2.1", - "pkg:npm/registry-url@5.1.0", - "pkg:npm/semver@6.3.0" - ], - "id": "pkg:npm/package-json@6.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "package-json", - "package_ref": "pkg:npm/package-json@6.5.0", - "purl": "pkg:npm/package-json@6.5.0", - "scopes": [ - "development" - ], - "version": "6.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/pako@0.2.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pako", - "package_ref": "pkg:npm/pako@0.2.9", - "purl": "pkg:npm/pako@0.2.9", - "scopes": [ - "development" - ], - "version": "0.2.9" - }, - { - "depends_on": [], - "id": "pkg:npm/pako@1.0.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pako", - "package_ref": "pkg:npm/pako@1.0.10", - "purl": "pkg:npm/pako@1.0.10", - "scopes": [ - "development" - ], - "version": "1.0.10" - }, - { - "depends_on": [], - "id": "pkg:npm/parent-require@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parent-require", - "package_ref": "pkg:npm/parent-require@1.0.0", - "purl": "pkg:npm/parent-require@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/path-platform@0.11.15" - ], - "id": 
"pkg:npm/parents@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parents", - "package_ref": "pkg:npm/parents@1.0.1", - "purl": "pkg:npm/parents@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/asn1.js@4.10.1", - "pkg:npm/browserify-aes@1.2.0", - "pkg:npm/create-hash@1.2.0", - "pkg:npm/evp_bytestokey@1.0.3", - "pkg:npm/pbkdf2@3.0.17", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/parse-asn1@5.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parse-asn1", - "package_ref": "pkg:npm/parse-asn1@5.1.4", - "purl": "pkg:npm/parse-asn1@5.1.4", - "scopes": [ - "development" - ], - "version": "5.1.4" - }, - { - "depends_on": [ - "pkg:npm/error-ex@1.3.1" - ], - "id": "pkg:npm/parse-json@2.2.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "parse-json", - "package_ref": "pkg:npm/parse-json@2.2.0", - "purl": "pkg:npm/parse-json@2.2.0", - "scopes": [ - "runtime" - ], - "version": "2.2.0" - }, - { - "depends_on": [ - "pkg:npm/is-ssh@1.3.1", - "pkg:npm/protocols@1.4.7" - ], - "id": "pkg:npm/parse-path@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "parse-path", - "package_ref": "pkg:npm/parse-path@4.0.1", - "purl": "pkg:npm/parse-path@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [ - "pkg:npm/is-ssh@1.3.1", - "pkg:npm/normalize-url@3.3.0", - "pkg:npm/parse-path@4.0.1", - "pkg:npm/protocols@1.4.7" - ], - "id": "pkg:npm/parse-url@5.0.1", - "licenses": [], - "locations": [ - { - 
"access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "parse-url", - "package_ref": "pkg:npm/parse-url@5.0.1", - "purl": "pkg:npm/parse-url@5.0.1", - "scopes": [ - "development" - ], - "version": "5.0.1" - }, - { - "depends_on": [ - "pkg:npm/parse5@5.1.1" - ], - "id": "pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parse5-htmlparser2-tree-adapter", - "package_ref": "pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1", - "purl": "pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1", - "scopes": [ - "runtime" - ], - "version": "5.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/parse5@5.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parse5", - "package_ref": "pkg:npm/parse5@5.1.1", - "purl": "pkg:npm/parse5@5.1.1", - "scopes": [ - "runtime" - ], - "version": "5.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/parseurl@1.3.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "parseurl", - "package_ref": "pkg:npm/parseurl@1.3.3", - "purl": "pkg:npm/parseurl@1.3.3", - "scopes": [ - "runtime" - ], - "version": "1.3.3" - }, - { - "depends_on": [], - "id": "pkg:npm/pascalcase@0.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pascalcase", - "package_ref": "pkg:npm/pascalcase@0.1.1", - "purl": "pkg:npm/pascalcase@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/path-browserify@0.0.1", 
- "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-browserify", - "package_ref": "pkg:npm/path-browserify@0.0.1", - "purl": "pkg:npm/path-browserify@0.0.1", - "scopes": [ - "development" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - "pkg:npm/pinkie-promise@2.0.1" - ], - "id": "pkg:npm/path-exists@2.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-exists", - "package_ref": "pkg:npm/path-exists@2.1.0", - "purl": "pkg:npm/path-exists@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/path-exists@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-exists", - "package_ref": "pkg:npm/path-exists@3.0.0", - "purl": "pkg:npm/path-exists@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/path-exists@4.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-exists", - "package_ref": "pkg:npm/path-exists@4.0.0", - "purl": "pkg:npm/path-exists@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/path-is-absolute@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, 
- "real_path": "package-lock.json" - } - ], - "name": "path-is-absolute", - "package_ref": "pkg:npm/path-is-absolute@1.0.1", - "purl": "pkg:npm/path-is-absolute@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/path-is-inside@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-is-inside", - "package_ref": "pkg:npm/path-is-inside@1.0.2", - "purl": "pkg:npm/path-is-inside@1.0.2", - "scopes": [ - "development" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/path-key@2.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-key", - "package_ref": "pkg:npm/path-key@2.0.1", - "purl": "pkg:npm/path-key@2.0.1", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/path-parse@1.0.5", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "path-parse", - "package_ref": "pkg:npm/path-parse@1.0.5", - "purl": "pkg:npm/path-parse@1.0.5", - "scopes": [ - "runtime" - ], - "version": "1.0.5" - }, - { - "depends_on": [], - "id": "pkg:npm/path-parse@1.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "path-parse", - "package_ref": "pkg:npm/path-parse@1.0.6", - "purl": "pkg:npm/path-parse@1.0.6", - "scopes": [ - 
"development" - ], - "version": "1.0.6" - }, - { - "depends_on": [], - "id": "pkg:npm/path-platform@0.11.15", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "path-platform", - "package_ref": "pkg:npm/path-platform@0.11.15", - "purl": "pkg:npm/path-platform@0.11.15", - "scopes": [ - "development" - ], - "version": "0.11.15" - }, - { - "depends_on": [], - "id": "pkg:npm/path-to-regexp@0.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "path-to-regexp", - "package_ref": "pkg:npm/path-to-regexp@0.1.3", - "purl": "pkg:npm/path-to-regexp@0.1.3", - "scopes": [ - "runtime" - ], - "version": "0.1.3" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.11", - "pkg:npm/pify@2.3.0", - "pkg:npm/pinkie-promise@2.0.1" - ], - "id": "pkg:npm/path-type@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-type", - "package_ref": "pkg:npm/path-type@1.1.0", - "purl": "pkg:npm/path-type@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/create-hash@1.2.0", - "pkg:npm/create-hmac@1.1.7", - "pkg:npm/ripemd160@2.0.2", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/sha.js@2.4.11" - ], - "id": "pkg:npm/pbkdf2@3.0.17", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "pbkdf2", - "package_ref": "pkg:npm/pbkdf2@3.0.17", - "purl": "pkg:npm/pbkdf2@3.0.17", - "scopes": [ - "development" - ], - "version": "3.0.17" - }, - { - "depends_on": [], - "id": "pkg:npm/performance-now@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "performance-now", - "package_ref": "pkg:npm/performance-now@2.1.0", - "purl": "pkg:npm/performance-now@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/picomatch@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "picomatch", - "package_ref": "pkg:npm/picomatch@2.3.0", - "purl": "pkg:npm/picomatch@2.3.0", - "scopes": [ - "development" - ], - "version": "2.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/pify@2.3.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pify", - "package_ref": "pkg:npm/pify@2.3.0", - "purl": "pkg:npm/pify@2.3.0", - "scopes": [ - "runtime" - ], - "version": "2.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/pify@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pify", - "package_ref": "pkg:npm/pify@3.0.0", - "purl": "pkg:npm/pify@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/pinkie@2.0.4" - ], - "id": "pkg:npm/pinkie-promise@2.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pinkie-promise", - "package_ref": "pkg:npm/pinkie-promise@2.0.1", - "purl": "pkg:npm/pinkie-promise@2.0.1", - "scopes": [ - "runtime" - ], - "version": "2.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/pinkie@2.0.4", - "licenses": [ - { - "type": "declared", - 
"value": "MIT" - } - ], - "name": "pinkie", - "package_ref": "pkg:npm/pinkie@2.0.4", - "purl": "pkg:npm/pinkie@2.0.4", - "scopes": [ - "runtime" - ], - "version": "2.0.4" - }, - { - "depends_on": [ - "pkg:npm/find-up@1.1.2" - ], - "id": "pkg:npm/pkg-dir@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pkg-dir", - "package_ref": "pkg:npm/pkg-dir@1.0.0", - "purl": "pkg:npm/pkg-dir@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ports@1.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ports", - "package_ref": "pkg:npm/ports@1.1.0", - "purl": "pkg:npm/ports@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/posix-character-classes@0.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "posix-character-classes", - "package_ref": "pkg:npm/posix-character-classes@0.1.1", - "purl": "pkg:npm/posix-character-classes@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/prelude-ls@1.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "prelude-ls", - "package_ref": "pkg:npm/prelude-ls@1.1.2", - "purl": "pkg:npm/prelude-ls@1.1.2", - "scopes": [ - "development" - ], - "version": "1.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/prepend-http@1.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "prepend-http", - "package_ref": "pkg:npm/prepend-http@1.0.4", - "purl": "pkg:npm/prepend-http@1.0.4", - 
"scopes": [ - "development" - ], - "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/prepend-http@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "prepend-http", - "package_ref": "pkg:npm/prepend-http@2.0.0", - "purl": "pkg:npm/prepend-http@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/process-nextick-args@1.0.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "process-nextick-args", - "package_ref": "pkg:npm/process-nextick-args@1.0.7", - "purl": "pkg:npm/process-nextick-args@1.0.7", - "scopes": [ - "development" - ], - "version": "1.0.7" - }, - { - "depends_on": [], - "id": "pkg:npm/process-nextick-args@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "process-nextick-args", - "package_ref": "pkg:npm/process-nextick-args@2.0.0", - "purl": "pkg:npm/process-nextick-args@2.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/process@0.11.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "process", - "package_ref": "pkg:npm/process@0.11.10", - "purl": "pkg:npm/process@0.11.10", - "scopes": [ - "development" - ], - "version": "0.11.10" - }, - { - "depends_on": [ - "pkg:npm/asap@2.0.6" - ], - "id": "pkg:npm/promise@7.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "promise", - "package_ref": "pkg:npm/promise@7.3.1", - "purl": "pkg:npm/promise@7.3.1", - "scopes": [ - "development" - ], - "version": "7.3.1" - }, - { - "depends_on": [], - "id": "pkg:npm/proto-list@1.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "proto-list", - "package_ref": "pkg:npm/proto-list@1.2.4", - "purl": "pkg:npm/proto-list@1.2.4", - "scopes": [ - "runtime" - ], - "version": "1.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/protocols@1.4.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "protocols", - "package_ref": "pkg:npm/protocols@1.4.7", - "purl": "pkg:npm/protocols@1.4.7", - "scopes": [ - "development" - ], - "version": "1.4.7" - }, - { - "depends_on": [ - "pkg:npm/forwarded@0.1.2", - "pkg:npm/ipaddr.js@1.0.5" - ], - "id": "pkg:npm/proxy-addr@1.0.10", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "proxy-addr", - "package_ref": "pkg:npm/proxy-addr@1.0.10", - "purl": "pkg:npm/proxy-addr@1.0.10", - "scopes": [ - "runtime" - ], - "version": "1.0.10" - }, - { - "depends_on": [ - "pkg:npm/agent-base@4.3.0", - "pkg:npm/debug@4.1.1", - "pkg:npm/http-proxy-agent@2.1.0", - "pkg:npm/https-proxy-agent@3.0.1", - "pkg:npm/lru-cache@5.1.1", - "pkg:npm/pac-proxy-agent@3.0.1", - "pkg:npm/proxy-from-env@1.0.0", - "pkg:npm/socks-proxy-agent@4.0.2" - ], - "id": "pkg:npm/proxy-agent@3.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, 
- "real_path": "package-lock.json" - } - ], - "name": "proxy-agent", - "package_ref": "pkg:npm/proxy-agent@3.1.1", - "purl": "pkg:npm/proxy-agent@3.1.1", - "scopes": [ - "development" - ], - "version": "3.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/proxy-from-env@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "proxy-from-env", - "package_ref": "pkg:npm/proxy-from-env@1.0.0", - "purl": "pkg:npm/proxy-from-env@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/pseudomap@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pseudomap", - "package_ref": "pkg:npm/pseudomap@1.0.2", - "purl": "pkg:npm/pseudomap@1.0.2", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/psl@1.7.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "psl", - "package_ref": "pkg:npm/psl@1.7.0", - "purl": "pkg:npm/psl@1.7.0", - "scopes": [ - "runtime" - ], - "version": "1.7.0" - }, - { - "depends_on": [], - "id": "pkg:npm/pstree.remy@1.1.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pstree.remy", - "package_ref": "pkg:npm/pstree.remy@1.1.8", - "purl": "pkg:npm/pstree.remy@1.1.8", - "scopes": [ - "development" - ], - "version": "1.1.8" - }, - { - "depends_on": [ - "pkg:npm/bn.js@4.11.8", - "pkg:npm/browserify-rsa@4.0.1", - 
"pkg:npm/create-hash@1.2.0", - "pkg:npm/parse-asn1@5.1.4", - "pkg:npm/randombytes@2.1.0", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/public-encrypt@4.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "public-encrypt", - "package_ref": "pkg:npm/public-encrypt@4.0.3", - "purl": "pkg:npm/public-encrypt@4.0.3", - "scopes": [ - "development" - ], - "version": "4.0.3" - }, - { - "depends_on": [ - "pkg:npm/end-of-stream@1.4.4", - "pkg:npm/once@1.4.0" - ], - "id": "pkg:npm/pump@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pump", - "package_ref": "pkg:npm/pump@3.0.0", - "purl": "pkg:npm/pump@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/punycode@1.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "punycode", - "package_ref": "pkg:npm/punycode@1.3.2", - "purl": "pkg:npm/punycode@1.3.2", - "scopes": [ - "development" - ], - "version": "1.3.2" - }, - { - "depends_on": [], - "id": "pkg:npm/punycode@1.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "punycode", - "package_ref": "pkg:npm/punycode@1.4.1", - "purl": "pkg:npm/punycode@1.4.1", - "scopes": [ - "development", - "runtime" - ], - "version": "1.4.1" - }, - { - "depends_on": [], - "id": "pkg:npm/punycode@2.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, 
- "real_path": "package-lock.json" - } - ], - "name": "punycode", - "package_ref": "pkg:npm/punycode@2.1.1", - "purl": "pkg:npm/punycode@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [ - "pkg:npm/escape-goat@2.1.1" - ], - "id": "pkg:npm/pupa@2.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "pupa", - "package_ref": "pkg:npm/pupa@2.1.1", - "purl": "pkg:npm/pupa@2.1.1", - "scopes": [ - "development" - ], - "version": "2.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/qs@2.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "qs", - "package_ref": "pkg:npm/qs@2.2.4", - "purl": "pkg:npm/qs@2.2.4", - "scopes": [ - "runtime" - ], - "version": "2.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/qs@2.4.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "qs", - "package_ref": "pkg:npm/qs@2.4.2", - "purl": "pkg:npm/qs@2.4.2", - "scopes": [ - "runtime" - ], - "version": "2.4.2" - }, - { - "depends_on": [], - "id": "pkg:npm/qs@6.5.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "qs", - "package_ref": "pkg:npm/qs@6.5.2", - "purl": "pkg:npm/qs@6.5.2", - "scopes": [ - "runtime" - ], - "version": "6.5.2" - }, - { - "depends_on": [], - "id": "pkg:npm/querystring-es3@0.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "querystring-es3", - "package_ref": "pkg:npm/querystring-es3@0.2.1", - "purl": "pkg:npm/querystring-es3@0.2.1", - "scopes": [ - "development" - ], - "version": "0.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/querystring@0.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "querystring", - "package_ref": "pkg:npm/querystring@0.2.0", - "purl": "pkg:npm/querystring@0.2.0", - "scopes": [ - "development" - ], - "version": "0.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/random-bytes@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "random-bytes", - "package_ref": "pkg:npm/random-bytes@1.0.0", - "purl": "pkg:npm/random-bytes@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/randombytes@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "randombytes", - "package_ref": "pkg:npm/randombytes@2.1.0", - "purl": "pkg:npm/randombytes@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/randombytes@2.1.0", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/randomfill@1.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "randomfill", - "package_ref": "pkg:npm/randomfill@1.0.4", - "purl": "pkg:npm/randomfill@1.0.4", - "scopes": [ - "development" - ], 
- "version": "1.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/range-parser@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "range-parser", - "package_ref": "pkg:npm/range-parser@1.0.3", - "purl": "pkg:npm/range-parser@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/bytes@1.0.0", - "pkg:npm/iconv-lite@0.4.4" - ], - "id": "pkg:npm/raw-body@1.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "raw-body", - "package_ref": "pkg:npm/raw-body@1.3.0", - "purl": "pkg:npm/raw-body@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/bytes@3.1.0", - "pkg:npm/http-errors@1.7.3", - "pkg:npm/iconv-lite@0.4.24", - "pkg:npm/unpipe@1.0.0" - ], - "id": "pkg:npm/raw-body@2.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "raw-body", - "package_ref": "pkg:npm/raw-body@2.4.1", - "purl": "pkg:npm/raw-body@2.4.1", - "scopes": [ - "development" - ], - "version": "2.4.1" - }, - { - "depends_on": [ - "pkg:npm/deep-extend@0.6.0", - "pkg:npm/ini@1.3.5", - "pkg:npm/minimist@1.2.0", - "pkg:npm/strip-json-comments@2.0.1" - ], - "id": "pkg:npm/rc@1.2.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "rc", - "package_ref": "pkg:npm/rc@1.2.8", - "purl": "pkg:npm/rc@1.2.8", - "scopes": [ - "development" - ], - "version": "1.2.8" - }, - { - "depends_on": [ - "pkg:npm/readable-stream@2.3.6" - ], - "id": 
"pkg:npm/read-only-stream@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "read-only-stream", - "package_ref": "pkg:npm/read-only-stream@2.0.0", - "purl": "pkg:npm/read-only-stream@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/find-up@1.1.2", - "pkg:npm/read-pkg@1.1.0" - ], - "id": "pkg:npm/read-pkg-up@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "read-pkg-up", - "package_ref": "pkg:npm/read-pkg-up@1.0.1", - "purl": "pkg:npm/read-pkg-up@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/load-json-file@1.1.0", - "pkg:npm/normalize-package-data@2.4.0", - "pkg:npm/path-type@1.1.0" - ], - "id": "pkg:npm/read-pkg@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "read-pkg", - "package_ref": "pkg:npm/read-pkg@1.1.0", - "purl": "pkg:npm/read-pkg@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [ - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@0.0.1", - "pkg:npm/string_decoder@0.10.31" - ], - "id": "pkg:npm/readable-stream@1.0.31", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@1.0.31", - "purl": "pkg:npm/readable-stream@1.0.31", - "scopes": [ - "runtime" - ], - "version": "1.0.31" - }, - { - "depends_on": [ - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@0.0.1", - "pkg:npm/string_decoder@0.10.31" - ], - "id": "pkg:npm/readable-stream@1.1.14", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - 
"file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@1.1.14", - "purl": "pkg:npm/readable-stream@1.1.14", - "scopes": [ - "development" - ], - "version": "1.1.14" - }, - { - "depends_on": [ - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@1.0.0", - "pkg:npm/process-nextick-args@1.0.7", - "pkg:npm/string_decoder@0.10.31", - "pkg:npm/util-deprecate@1.0.2" - ], - "id": "pkg:npm/readable-stream@2.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@2.0.6", - "purl": "pkg:npm/readable-stream@2.0.6", - "scopes": [ - "development" - ], - "version": "2.0.6" - }, - { - "depends_on": [ - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@1.0.0", - "pkg:npm/process-nextick-args@2.0.0", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/string_decoder@1.1.1", - "pkg:npm/util-deprecate@1.0.2" - ], - "id": "pkg:npm/readable-stream@2.3.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@2.3.6", - "purl": "pkg:npm/readable-stream@2.3.6", - "scopes": [ - "development" - ], - "version": "2.3.6" - }, - { - "depends_on": [ - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/inherits@2.0.3", - "pkg:npm/isarray@1.0.0", - "pkg:npm/process-nextick-args@2.0.0", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/string_decoder@1.1.1", - "pkg:npm/util-deprecate@1.0.2" - ], - "id": "pkg:npm/readable-stream@2.3.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - 
}, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@2.3.7", - "purl": "pkg:npm/readable-stream@2.3.7", - "scopes": [ - "development", - "runtime" - ], - "version": "2.3.7" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/string_decoder@1.3.0", - "pkg:npm/util-deprecate@1.0.2" - ], - "id": "pkg:npm/readable-stream@3.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readable-stream", - "package_ref": "pkg:npm/readable-stream@3.4.0", - "purl": "pkg:npm/readable-stream@3.4.0", - "scopes": [ - "development" - ], - "version": "3.4.0" - }, - { - "depends_on": [ - "pkg:npm/picomatch@2.3.0" - ], - "id": "pkg:npm/readdirp@3.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "readdirp", - "package_ref": "pkg:npm/readdirp@3.5.0", - "purl": "pkg:npm/readdirp@3.5.0", - "scopes": [ - "development" - ], - "version": "3.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/reflect-metadata@0.1.13", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "reflect-metadata", - "package_ref": "pkg:npm/reflect-metadata@0.1.13", - "purl": "pkg:npm/reflect-metadata@0.1.13", - "scopes": [ - "runtime" - ], - "version": "0.1.13" - }, - { - "depends_on": [], - "id": "pkg:npm/regenerator-runtime@0.11.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "regenerator-runtime", - "package_ref": "pkg:npm/regenerator-runtime@0.11.1", - "purl": "pkg:npm/regenerator-runtime@0.11.1", - "scopes": [ - "runtime" - ], - "version": "0.11.1" - }, - { - "depends_on": 
[ - "pkg:npm/extend-shallow@3.0.2", - "pkg:npm/safe-regex@1.1.0" - ], - "id": "pkg:npm/regex-not@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "regex-not", - "package_ref": "pkg:npm/regex-not@1.0.2", - "purl": "pkg:npm/regex-not@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/regexp-clone@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "regexp-clone", - "package_ref": "pkg:npm/regexp-clone@0.0.1", - "purl": "pkg:npm/regexp-clone@0.0.1", - "scopes": [ - "runtime" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - "pkg:npm/rc@1.2.8", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/registry-auth-token@3.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "registry-auth-token", - "package_ref": "pkg:npm/registry-auth-token@3.4.0", - "purl": "pkg:npm/registry-auth-token@3.4.0", - "scopes": [ - "development" - ], - "version": "3.4.0" - }, - { - "depends_on": [ - "pkg:npm/rc@1.2.8" - ], - "id": "pkg:npm/registry-auth-token@4.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "registry-auth-token", - "package_ref": "pkg:npm/registry-auth-token@4.2.1", - "purl": "pkg:npm/registry-auth-token@4.2.1", - "scopes": [ - "development" - ], - "version": "4.2.1" - }, - { - "depends_on": [ - "pkg:npm/rc@1.2.8" - ], - "id": "pkg:npm/registry-url@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], 
- "name": "registry-url", - "package_ref": "pkg:npm/registry-url@3.1.0", - "purl": "pkg:npm/registry-url@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/rc@1.2.8" - ], - "id": "pkg:npm/registry-url@5.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "registry-url", - "package_ref": "pkg:npm/registry-url@5.1.0", - "purl": "pkg:npm/registry-url@5.1.0", - "scopes": [ - "development" - ], - "version": "5.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/repeat-element@1.1.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "repeat-element", - "package_ref": "pkg:npm/repeat-element@1.1.2", - "purl": "pkg:npm/repeat-element@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/repeat-string@1.6.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "repeat-string", - "package_ref": "pkg:npm/repeat-string@1.6.1", - "purl": "pkg:npm/repeat-string@1.6.1", - "scopes": [ - "runtime" - ], - "version": "1.6.1" - }, - { - "depends_on": [ - "pkg:npm/is-finite@1.0.2" - ], - "id": "pkg:npm/repeating@2.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "repeating", - "package_ref": "pkg:npm/repeating@2.0.1", - "purl": "pkg:npm/repeating@2.0.1", - "scopes": [ - "runtime" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/aws-sign2@0.7.0", - "pkg:npm/aws4@1.9.1", - "pkg:npm/caseless@0.12.0", - "pkg:npm/combined-stream@1.0.8", - "pkg:npm/extend@3.0.2", - "pkg:npm/forever-agent@0.6.1", - "pkg:npm/form-data@2.3.3", - "pkg:npm/har-validator@5.1.3", - "pkg:npm/http-signature@1.2.0", - "pkg:npm/is-typedarray@1.0.0", - "pkg:npm/isstream@0.1.2", - "pkg:npm/json-stringify-safe@5.0.1", - "pkg:npm/mime-types@2.1.26", - 
"pkg:npm/oauth-sign@0.9.0", - "pkg:npm/performance-now@2.1.0", - "pkg:npm/qs@6.5.2", - "pkg:npm/safe-buffer@5.1.2", - "pkg:npm/tough-cookie@2.4.3", - "pkg:npm/tunnel-agent@0.6.0", - "pkg:npm/uuid@3.3.2" - ], - "id": "pkg:npm/request@2.88.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "request", - "package_ref": "pkg:npm/request@2.88.0", - "purl": "pkg:npm/request@2.88.0", - "scopes": [ - "runtime" - ], - "version": "2.88.0" - }, - { - "depends_on": [], - "id": "pkg:npm/require-directory@2.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "require-directory", - "package_ref": "pkg:npm/require-directory@2.1.1", - "purl": "pkg:npm/require-directory@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/require-main-filename@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "require-main-filename", - "package_ref": "pkg:npm/require-main-filename@1.0.1", - "purl": "pkg:npm/require-main-filename@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/require-main-filename@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "require-main-filename", - "package_ref": "pkg:npm/require-main-filename@2.0.0", - "purl": "pkg:npm/require-main-filename@2.0.0", - 
"scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/resolve-from@2.0.0", - "pkg:npm/semver@5.7.0" - ], - "id": "pkg:npm/require_optional@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "require_optional", - "package_ref": "pkg:npm/require_optional@1.0.1", - "purl": "pkg:npm/require_optional@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/resolve-from@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "resolve-from", - "package_ref": "pkg:npm/resolve-from@2.0.0", - "purl": "pkg:npm/resolve-from@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/resolve-url@0.2.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "resolve-url", - "package_ref": "pkg:npm/resolve-url@0.2.1", - "purl": "pkg:npm/resolve-url@0.2.1", - "scopes": [ - "runtime" - ], - "version": "0.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/resolve@1.1.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "resolve", - "package_ref": "pkg:npm/resolve@1.1.7", - "purl": "pkg:npm/resolve@1.1.7", - "scopes": [ - "development" - ], - "version": "1.1.7" - }, - { - "depends_on": [ - "pkg:npm/path-parse@1.0.6" - ], - "id": "pkg:npm/resolve@1.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": 
"resolve", - "package_ref": "pkg:npm/resolve@1.10.0", - "purl": "pkg:npm/resolve@1.10.0", - "scopes": [ - "development" - ], - "version": "1.10.0" - }, - { - "depends_on": [ - "pkg:npm/lowercase-keys@1.0.1" - ], - "id": "pkg:npm/responselike@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "responselike", - "package_ref": "pkg:npm/responselike@1.0.2", - "purl": "pkg:npm/responselike@1.0.2", - "scopes": [ - "development" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/onetime@2.0.1", - "pkg:npm/signal-exit@3.0.2" - ], - "id": "pkg:npm/restore-cursor@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "restore-cursor", - "package_ref": "pkg:npm/restore-cursor@2.0.0", - "purl": "pkg:npm/restore-cursor@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/ret@0.1.15", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "ret", - "package_ref": "pkg:npm/ret@0.1.15", - "purl": "pkg:npm/ret@0.1.15", - "scopes": [ - "runtime" - ], - "version": "0.1.15" - }, - { - "depends_on": [ - "pkg:npm/align-text@0.1.4" - ], - "id": "pkg:npm/right-align@0.1.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "right-align", - "package_ref": "pkg:npm/right-align@0.1.3", - "purl": "pkg:npm/right-align@0.1.3", - "scopes": [ - "runtime" - ], - "version": "0.1.3" - }, - { - "depends_on": [ - "pkg:npm/glob@7.1.2" - ], - "id": "pkg:npm/rimraf@2.6.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": 
"package-lock.json" - } - ], - "name": "rimraf", - "package_ref": "pkg:npm/rimraf@2.6.2", - "purl": "pkg:npm/rimraf@2.6.2", - "scopes": [ - "runtime" - ], - "version": "2.6.2" - }, - { - "depends_on": [ - "pkg:npm/glob@7.1.3" - ], - "id": "pkg:npm/rimraf@2.6.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "rimraf", - "package_ref": "pkg:npm/rimraf@2.6.3", - "purl": "pkg:npm/rimraf@2.6.3", - "scopes": [ - "runtime" - ], - "version": "2.6.3" - }, - { - "depends_on": [ - "pkg:npm/hash-base@3.0.4", - "pkg:npm/inherits@2.0.3" - ], - "id": "pkg:npm/ripemd160@2.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "ripemd160", - "package_ref": "pkg:npm/ripemd160@2.0.2", - "purl": "pkg:npm/ripemd160@2.0.2", - "scopes": [ - "development" - ], - "version": "2.0.2" - }, - { - "depends_on": [ - "pkg:npm/is-promise@2.1.0" - ], - "id": "pkg:npm/run-async@2.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "run-async", - "package_ref": "pkg:npm/run-async@2.3.0", - "purl": "pkg:npm/run-async@2.3.0", - "scopes": [ - "development" - ], - "version": "2.3.0" - }, - { - "depends_on": [ - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/rxjs@6.5.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "rxjs", - "package_ref": "pkg:npm/rxjs@6.5.4", - "purl": "pkg:npm/rxjs@6.5.4", - "scopes": [ - "development" - ], - "version": "6.5.4" - }, - { - "depends_on": [], - "id": "pkg:npm/safe-buffer@5.1.2", - 
"licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "safe-buffer", - "package_ref": "pkg:npm/safe-buffer@5.1.2", - "purl": "pkg:npm/safe-buffer@5.1.2", - "scopes": [ - "runtime" - ], - "version": "5.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/safe-buffer@5.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "safe-buffer", - "package_ref": "pkg:npm/safe-buffer@5.2.0", - "purl": "pkg:npm/safe-buffer@5.2.0", - "scopes": [ - "development" - ], - "version": "5.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/safe-buffer@5.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "safe-buffer", - "package_ref": "pkg:npm/safe-buffer@5.2.1", - "purl": "pkg:npm/safe-buffer@5.2.1", - "scopes": [ - "runtime" - ], - "version": "5.2.1" - }, - { - "depends_on": [ - "pkg:npm/ret@0.1.15" - ], - "id": "pkg:npm/safe-regex@1.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "safe-regex", - "package_ref": "pkg:npm/safe-regex@1.1.0", - "purl": "pkg:npm/safe-regex@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/safer-buffer@2.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "safer-buffer", - "package_ref": "pkg:npm/safer-buffer@2.1.2", - "purl": "pkg:npm/safer-buffer@2.1.2", - "scopes": [ - "development", - "runtime" - ], - "version": "2.1.2" - }, - { - "depends_on": [ - "pkg:npm/sparse-bitfield@3.0.3" - ], - 
"id": "pkg:npm/saslprep@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "saslprep", - "package_ref": "pkg:npm/saslprep@1.0.3", - "purl": "pkg:npm/saslprep@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/sax@1.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sax", - "package_ref": "pkg:npm/sax@1.2.4", - "purl": "pkg:npm/sax@1.2.4", - "scopes": [ - "development", - "runtime" - ], - "version": "1.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/secure-keys@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "secure-keys", - "package_ref": "pkg:npm/secure-keys@1.0.0", - "purl": "pkg:npm/secure-keys@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/semver@5.7.0" - ], - "id": "pkg:npm/semver-diff@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "semver-diff", - "package_ref": "pkg:npm/semver-diff@2.1.0", - "purl": "pkg:npm/semver-diff@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/semver@6.3.0" - ], - "id": "pkg:npm/semver-diff@3.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "semver-diff", - "package_ref": "pkg:npm/semver-diff@3.1.1", - "purl": 
"pkg:npm/semver-diff@3.1.1", - "scopes": [ - "development" - ], - "version": "3.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/semver@1.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "semver", - "package_ref": "pkg:npm/semver@1.1.4", - "purl": "pkg:npm/semver@1.1.4", - "scopes": [ - "runtime" - ], - "version": "1.1.4" - }, - { - "depends_on": [], - "id": "pkg:npm/semver@5.5.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "semver", - "package_ref": "pkg:npm/semver@5.5.0", - "purl": "pkg:npm/semver@5.5.0", - "scopes": [ - "runtime" - ], - "version": "5.5.0" - }, - { - "depends_on": [], - "id": "pkg:npm/semver@5.7.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "semver", - "package_ref": "pkg:npm/semver@5.7.0", - "purl": "pkg:npm/semver@5.7.0", - "scopes": [ - "runtime" - ], - "version": "5.7.0" - }, - { - "depends_on": [], - "id": "pkg:npm/semver@5.7.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "semver", - "package_ref": "pkg:npm/semver@5.7.1", - "purl": "pkg:npm/semver@5.7.1", - "scopes": [ - "development" - ], - "version": "5.7.1" - }, - { - "depends_on": [], - "id": "pkg:npm/semver@6.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - 
"real_path": "package-lock.json" - } - ], - "matched": true, - "name": "semver", - "package_ref": "pkg:npm/semver@6.3.0", - "purl": "pkg:npm/semver@6.3.0", - "scopes": [ - "development" - ], - "version": "6.3.0" - }, - { - "depends_on": [ - "pkg:npm/debug@2.2.0", - "pkg:npm/depd@1.0.1", - "pkg:npm/destroy@1.0.3", - "pkg:npm/escape-html@1.0.1", - "pkg:npm/etag@1.6.0", - "pkg:npm/fresh@0.2.4", - "pkg:npm/mime@1.3.4", - "pkg:npm/ms@0.7.1", - "pkg:npm/on-finished@2.2.1", - "pkg:npm/range-parser@1.0.3" - ], - "id": "pkg:npm/send@0.12.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "send", - "package_ref": "pkg:npm/send@0.12.3", - "purl": "pkg:npm/send@0.12.3", - "scopes": [ - "runtime" - ], - "version": "0.12.3" - }, - { - "depends_on": [ - "pkg:npm/escape-html@1.0.1", - "pkg:npm/parseurl@1.3.3", - "pkg:npm/send@0.12.3", - "pkg:npm/utils-merge@1.0.0" - ], - "id": "pkg:npm/serve-static@1.9.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "serve-static", - "package_ref": "pkg:npm/serve-static@1.9.3", - "purl": "pkg:npm/serve-static@1.9.3", - "scopes": [ - "runtime" - ], - "version": "1.9.3" - }, - { - "depends_on": [], - "id": "pkg:npm/set-blocking@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "set-blocking", - "package_ref": "pkg:npm/set-blocking@2.0.0", - "purl": "pkg:npm/set-blocking@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/set-immediate-shim@1.0.1", - "licenses": [], - 
"locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "set-immediate-shim", - "package_ref": "pkg:npm/set-immediate-shim@1.0.1", - "purl": "pkg:npm/set-immediate-shim@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/is-extendable@0.1.1", - "pkg:npm/is-plain-object@2.0.4", - "pkg:npm/to-object-path@0.3.0" - ], - "id": "pkg:npm/set-value@0.4.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "set-value", - "package_ref": "pkg:npm/set-value@0.4.3", - "purl": "pkg:npm/set-value@0.4.3", - "scopes": [ - "runtime" - ], - "version": "0.4.3" - }, - { - "depends_on": [ - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/is-extendable@0.1.1", - "pkg:npm/is-plain-object@2.0.4", - "pkg:npm/split-string@3.1.0" - ], - "id": "pkg:npm/set-value@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "set-value", - "package_ref": "pkg:npm/set-value@2.0.0", - "purl": "pkg:npm/set-value@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/setprototypeof@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "setprototypeof", - "package_ref": "pkg:npm/setprototypeof@1.1.1", - "purl": "pkg:npm/setprototypeof@1.1.1", - "scopes": [ - "development" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/sha.js@2.4.11", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - 
"name": "sha.js", - "package_ref": "pkg:npm/sha.js@2.4.11", - "purl": "pkg:npm/sha.js@2.4.11", - "scopes": [ - "runtime" - ], - "version": "2.4.11" - }, - { - "depends_on": [ - "pkg:npm/is-extendable@0.1.1", - "pkg:npm/kind-of@2.0.1", - "pkg:npm/lazy-cache@0.2.7", - "pkg:npm/mixin-object@2.0.1" - ], - "id": "pkg:npm/shallow-clone@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "shallow-clone", - "package_ref": "pkg:npm/shallow-clone@0.1.2", - "purl": "pkg:npm/shallow-clone@0.1.2", - "scopes": [ - "development" - ], - "version": "0.1.2" - }, - { - "depends_on": [ - "pkg:npm/json-stable-stringify@0.0.1", - "pkg:npm/sha.js@2.4.11" - ], - "id": "pkg:npm/shasum@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "shasum", - "package_ref": "pkg:npm/shasum@1.0.2", - "purl": "pkg:npm/shasum@1.0.2", - "scopes": [ - "development" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/shebang-regex@1.0.0" - ], - "id": "pkg:npm/shebang-command@1.2.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "shebang-command", - "package_ref": "pkg:npm/shebang-command@1.2.0", - "purl": "pkg:npm/shebang-command@1.2.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/shebang-regex@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "shebang-regex", - "package_ref": "pkg:npm/shebang-regex@1.0.0", - "purl": "pkg:npm/shebang-regex@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/array-filter@0.0.1", - "pkg:npm/array-map@0.0.0", - "pkg:npm/array-reduce@0.0.0", - "pkg:npm/jsonify@0.0.0" - ], - "id": "pkg:npm/shell-quote@1.6.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "shell-quote", - "package_ref": "pkg:npm/shell-quote@1.6.1", - "purl": "pkg:npm/shell-quote@1.6.1", - "scopes": [ - "development" - ], - "version": "1.6.1" - }, - { - "depends_on": [], - "id": "pkg:npm/signal-exit@3.0.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "signal-exit", - "package_ref": "pkg:npm/signal-exit@3.0.2", - "purl": "pkg:npm/signal-exit@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/simple-concat@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "simple-concat", - "package_ref": "pkg:npm/simple-concat@1.0.0", - "purl": "pkg:npm/simple-concat@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/sliced@0.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sliced", - "package_ref": "pkg:npm/sliced@0.0.5", - "purl": "pkg:npm/sliced@0.0.5", - "scopes": [ - "runtime" - 
], - "version": "0.0.5" - }, - { - "depends_on": [], - "id": "pkg:npm/slide@1.1.6", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "slide", - "package_ref": "pkg:npm/slide@1.1.6", - "purl": "pkg:npm/slide@1.1.6", - "scopes": [ - "runtime" - ], - "version": "1.1.6" - }, - { - "depends_on": [], - "id": "pkg:npm/smart-buffer@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "smart-buffer", - "package_ref": "pkg:npm/smart-buffer@4.1.0", - "purl": "pkg:npm/smart-buffer@4.1.0", - "scopes": [ - "development" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:npm/define-property@1.0.0", - "pkg:npm/isobject@3.0.1", - "pkg:npm/snapdragon-util@3.0.1" - ], - "id": "pkg:npm/snapdragon-node@2.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "snapdragon-node", - "package_ref": "pkg:npm/snapdragon-node@2.1.1", - "purl": "pkg:npm/snapdragon-node@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/snapdragon-util@3.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "snapdragon-util", - "package_ref": "pkg:npm/snapdragon-util@3.0.1", - "purl": "pkg:npm/snapdragon-util@3.0.1", - "scopes": [ - "runtime" - ], - "version": "3.0.1" - }, - { - "depends_on": [ - "pkg:npm/base@0.11.2", - "pkg:npm/debug@2.6.9", - "pkg:npm/define-property@0.2.5", - "pkg:npm/extend-shallow@2.0.1", - "pkg:npm/map-cache@0.2.2", - "pkg:npm/source-map-resolve@0.5.1", - "pkg:npm/source-map@0.5.7", - "pkg:npm/use@3.1.0" - ], - "id": "pkg:npm/snapdragon@0.8.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "snapdragon", - "package_ref": "pkg:npm/snapdragon@0.8.2", - "purl": "pkg:npm/snapdragon@0.8.2", - "scopes": [ - "runtime" - ], - "version": 
"0.8.2" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/lodash@4.17.15", - "pkg:npm/nconf@0.10.0" - ], - "id": "pkg:npm/snyk-config@2.2.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-config", - "package_ref": "pkg:npm/snyk-config@2.2.3", - "purl": "pkg:npm/snyk-config@2.2.3", - "scopes": [ - "development" - ], - "version": "2.2.3" - }, - { - "depends_on": [ - "pkg:npm/debug@4.1.1", - "pkg:npm/dockerfile-ast@0.0.16", - "pkg:npm/semver@6.3.0", - "pkg:npm/tar-stream@2.1.0", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-docker-plugin@1.33.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-docker-plugin", - "package_ref": "pkg:npm/snyk-docker-plugin@1.33.1", - "purl": "pkg:npm/snyk-docker-plugin@1.33.1", - "scopes": [ - "development" - ], - "version": "1.33.1" - }, - { - "depends_on": [ - "pkg:npm/toml@3.0.0", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-go-parser@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-go-parser", - "package_ref": "pkg:npm/snyk-go-parser@1.3.1", - "purl": "pkg:npm/snyk-go-parser@1.3.1", - "scopes": [ - "development" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/debug@4.1.1", - "pkg:npm/graphlib@2.1.8", - "pkg:npm/snyk-go-parser@1.3.1", - "pkg:npm/tmp@0.0.33", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-go-plugin@1.11.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"matched": true, - "name": "snyk-go-plugin", - "package_ref": "pkg:npm/snyk-go-plugin@1.11.1", - "purl": "pkg:npm/snyk-go-plugin@1.11.1", - "scopes": [ - "development" - ], - "version": "1.11.1" - }, - { - "depends_on": [ - "pkg:npm/%40snyk/cli-interface@2.2.0", - "pkg:npm/%40types/debug@4.1.5", - "pkg:npm/chalk@2.4.2", - "pkg:npm/clone-deep@0.3.0", - "pkg:npm/debug@4.1.1", - "pkg:npm/tmp@0.0.33", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-gradle-plugin@3.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-gradle-plugin", - "package_ref": "pkg:npm/snyk-gradle-plugin@3.2.2", - "purl": "pkg:npm/snyk-gradle-plugin@3.2.2", - "scopes": [ - "development" - ], - "version": "3.2.2" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/hosted-git-info@2.8.5" - ], - "id": "pkg:npm/snyk-module@1.9.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-module", - "package_ref": "pkg:npm/snyk-module@1.9.1", - "purl": "pkg:npm/snyk-module@1.9.1", - "scopes": [ - "development" - ], - "version": "1.9.1" - }, - { - "depends_on": [ - "pkg:npm/%40snyk/cli-interface@2.2.0", - "pkg:npm/debug@4.1.1", - "pkg:npm/lodash@4.17.15", - "pkg:npm/needle@2.4.0", - "pkg:npm/tmp@0.1.0", - "pkg:npm/tslib@1.9.3" - ], - "id": "pkg:npm/snyk-mvn-plugin@2.7.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-mvn-plugin", - "package_ref": "pkg:npm/snyk-mvn-plugin@2.7.0", - "purl": "pkg:npm/snyk-mvn-plugin@2.7.0", - "scopes": [ - "development" - ], - "version": "2.7.0" - }, - { - "depends_on": [ - 
"pkg:npm/%40yarnpkg/lockfile@1.1.0", - "pkg:npm/graphlib@2.1.8", - "pkg:npm/lodash@4.17.15", - "pkg:npm/p-map@2.1.0", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/tslib@1.10.0", - "pkg:npm/uuid@3.3.2" - ], - "id": "pkg:npm/snyk-nodejs-lockfile-parser@1.17.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-nodejs-lockfile-parser", - "package_ref": "pkg:npm/snyk-nodejs-lockfile-parser@1.17.0", - "purl": "pkg:npm/snyk-nodejs-lockfile-parser@1.17.0", - "scopes": [ - "development" - ], - "version": "1.17.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/dotnet-deps-parser@4.9.0", - "pkg:npm/jszip@3.2.2", - "pkg:npm/lodash@4.17.15", - "pkg:npm/snyk-paket-parser@1.5.0", - "pkg:npm/tslib@1.10.0", - "pkg:npm/xml2js@0.4.23" - ], - "id": "pkg:npm/snyk-nuget-plugin@1.16.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-nuget-plugin", - "package_ref": "pkg:npm/snyk-nuget-plugin@1.16.0", - "purl": "pkg:npm/snyk-nuget-plugin@1.16.0", - "scopes": [ - "development" - ], - "version": "1.16.0" - }, - { - "depends_on": [ - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-paket-parser@1.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-paket-parser", - "package_ref": "pkg:npm/snyk-paket-parser@1.5.0", - "purl": "pkg:npm/snyk-paket-parser@1.5.0", - "scopes": [ - "development" - ], - "version": "1.5.0" - }, - { - "depends_on": [ - "pkg:npm/%40snyk/cli-interface@2.2.0", - "pkg:npm/%40snyk/composer-lockfile-parser@1.2.0", - "pkg:npm/tslib@1.9.3" - ], - "id": "pkg:npm/snyk-php-plugin@1.7.0", - "licenses": [], - 
"locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-php-plugin", - "package_ref": "pkg:npm/snyk-php-plugin@1.7.0", - "purl": "pkg:npm/snyk-php-plugin@1.7.0", - "scopes": [ - "development" - ], - "version": "1.7.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/email-validator@2.0.4", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/lodash.clonedeep@4.5.0", - "pkg:npm/semver@6.3.0", - "pkg:npm/snyk-module@1.9.1", - "pkg:npm/snyk-resolve@1.0.1", - "pkg:npm/snyk-try-require@1.3.1", - "pkg:npm/then-fs@2.0.0" - ], - "id": "pkg:npm/snyk-policy@1.13.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-policy", - "package_ref": "pkg:npm/snyk-policy@1.13.5", - "purl": "pkg:npm/snyk-policy@1.13.5", - "scopes": [ - "development" - ], - "version": "1.13.5" - }, - { - "depends_on": [ - "pkg:npm/%40snyk/cli-interface@2.3.0", - "pkg:npm/tmp@0.0.33" - ], - "id": "pkg:npm/snyk-python-plugin@1.16.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-python-plugin", - "package_ref": "pkg:npm/snyk-python-plugin@1.16.0", - "purl": "pkg:npm/snyk-python-plugin@1.16.0", - "scopes": [ - "development" - ], - "version": "1.16.0" - }, - { - "depends_on": [ - "pkg:npm/%40types/node@6.14.9", - "pkg:npm/%40types/semver@5.5.0", - "pkg:npm/ansicolors@0.3.2", - "pkg:npm/debug@3.2.6", - "pkg:npm/lodash.assign@4.2.0", - "pkg:npm/lodash.assignin@4.2.0", - "pkg:npm/lodash.clone@4.5.0", - "pkg:npm/lodash.flatten@4.4.0", - "pkg:npm/lodash.get@4.4.2", - "pkg:npm/lodash.set@4.3.2", - "pkg:npm/lru-cache@4.1.5", - "pkg:npm/semver@5.7.0", - 
"pkg:npm/snyk-module@1.9.1", - "pkg:npm/snyk-resolve@1.0.1", - "pkg:npm/snyk-tree@1.0.0", - "pkg:npm/snyk-try-require@1.3.1", - "pkg:npm/then-fs@2.0.0" - ], - "id": "pkg:npm/snyk-resolve-deps@4.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-resolve-deps", - "package_ref": "pkg:npm/snyk-resolve-deps@4.4.0", - "purl": "pkg:npm/snyk-resolve-deps@4.4.0", - "scopes": [ - "development" - ], - "version": "4.4.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/then-fs@2.0.0" - ], - "id": "pkg:npm/snyk-resolve@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-resolve", - "package_ref": "pkg:npm/snyk-resolve@1.0.1", - "purl": "pkg:npm/snyk-resolve@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [ - "pkg:npm/debug@4.1.1", - "pkg:npm/semver@6.3.0", - "pkg:npm/tmp@0.1.0", - "pkg:npm/tree-kill@1.2.2", - "pkg:npm/tslib@1.10.0" - ], - "id": "pkg:npm/snyk-sbt-plugin@2.11.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk-sbt-plugin", - "package_ref": "pkg:npm/snyk-sbt-plugin@2.11.0", - "purl": "pkg:npm/snyk-sbt-plugin@2.11.0", - "scopes": [ - "development" - ], - "version": "2.11.0" - }, - { - "depends_on": [ - "pkg:npm/archy@1.0.0" - ], - "id": "pkg:npm/snyk-tree@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-tree", - "package_ref": "pkg:npm/snyk-tree@1.0.0", - "purl": 
"pkg:npm/snyk-tree@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/debug@3.2.6", - "pkg:npm/lodash.clonedeep@4.5.0", - "pkg:npm/lru-cache@4.1.5", - "pkg:npm/then-fs@2.0.0" - ], - "id": "pkg:npm/snyk-try-require@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "snyk-try-require", - "package_ref": "pkg:npm/snyk-try-require@1.3.1", - "purl": "pkg:npm/snyk-try-require@1.3.1", - "scopes": [ - "development" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/%40snyk/cli-interface@2.3.0", - "pkg:npm/%40snyk/dep-graph@1.13.1", - "pkg:npm/%40snyk/gemfile@1.2.0", - "pkg:npm/%40snyk/snyk-cocoapods-plugin@2.0.1", - "pkg:npm/%40types/agent-base@4.2.0", - "pkg:npm/%40types/restify@4.3.6", - "pkg:npm/abbrev@1.1.1", - "pkg:npm/ansi-escapes@3.2.0", - "pkg:npm/chalk@2.4.2", - "pkg:npm/cli-spinner@0.2.10", - "pkg:npm/configstore@3.1.2", - "pkg:npm/debug@3.2.6", - "pkg:npm/diff@4.0.2", - "pkg:npm/git-url-parse@11.1.2", - "pkg:npm/glob@7.1.3", - "pkg:npm/inquirer@6.5.2", - "pkg:npm/lodash@4.17.15", - "pkg:npm/needle@2.3.0", - "pkg:npm/opn@5.5.0", - "pkg:npm/os-name@3.1.0", - "pkg:npm/proxy-agent@3.1.1", - "pkg:npm/proxy-from-env@1.0.0", - "pkg:npm/semver@6.3.0", - "pkg:npm/snyk-config@2.2.3", - "pkg:npm/snyk-docker-plugin@1.33.1", - "pkg:npm/snyk-go-plugin@1.11.1", - "pkg:npm/snyk-gradle-plugin@3.2.2", - "pkg:npm/snyk-module@1.9.1", - "pkg:npm/snyk-mvn-plugin@2.7.0", - "pkg:npm/snyk-nodejs-lockfile-parser@1.17.0", - "pkg:npm/snyk-nuget-plugin@1.16.0", - "pkg:npm/snyk-php-plugin@1.7.0", - "pkg:npm/snyk-policy@1.13.5", - "pkg:npm/snyk-python-plugin@1.16.0", - "pkg:npm/snyk-resolve-deps@4.4.0", - "pkg:npm/snyk-resolve@1.0.1", - "pkg:npm/snyk-sbt-plugin@2.11.0", - "pkg:npm/snyk-tree@1.0.0", - "pkg:npm/snyk-try-require@1.3.1", - "pkg:npm/source-map-support@0.5.16", - 
"pkg:npm/strip-ansi@5.2.0", - "pkg:npm/tempfile@2.0.0", - "pkg:npm/then-fs@2.0.0", - "pkg:npm/update-notifier@2.5.0", - "pkg:npm/uuid@3.3.2", - "pkg:npm/wrap-ansi@5.1.0" - ], - "id": "pkg:npm/snyk@1.278.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "snyk", - "package_ref": "pkg:npm/snyk@1.278.1", - "purl": "pkg:npm/snyk@1.278.1", - "scopes": [ - "development" - ], - "version": "1.278.1" - }, - { - "depends_on": [ - "pkg:npm/agent-base@4.2.1", - "pkg:npm/socks@2.3.3" - ], - "id": "pkg:npm/socks-proxy-agent@4.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "socks-proxy-agent", - "package_ref": "pkg:npm/socks-proxy-agent@4.0.2", - "purl": "pkg:npm/socks-proxy-agent@4.0.2", - "scopes": [ - "development" - ], - "version": "4.0.2" - }, - { - "depends_on": [ - "pkg:npm/ip@1.1.5", - "pkg:npm/smart-buffer@4.1.0" - ], - "id": "pkg:npm/socks@2.3.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "socks", - "package_ref": "pkg:npm/socks@2.3.3", - "purl": "pkg:npm/socks@2.3.3", - "scopes": [ - "development" - ], - "version": "2.3.3" - }, - { - "depends_on": [ - "pkg:npm/atob@2.1.1", - "pkg:npm/decode-uri-component@0.2.0", - "pkg:npm/resolve-url@0.2.1", - "pkg:npm/source-map-url@0.4.0", - "pkg:npm/urix@0.1.0" - ], - "id": "pkg:npm/source-map-resolve@0.5.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "source-map-resolve", - "package_ref": "pkg:npm/source-map-resolve@0.5.1", - "purl": "pkg:npm/source-map-resolve@0.5.1", - "scopes": [ - "runtime" - ], - "version": "0.5.1" - }, - { - 
"depends_on": [ - "pkg:npm/buffer-from@1.1.1", - "pkg:npm/source-map@0.6.1" - ], - "id": "pkg:npm/source-map-support@0.5.16", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "source-map-support", - "package_ref": "pkg:npm/source-map-support@0.5.16", - "purl": "pkg:npm/source-map-support@0.5.16", - "scopes": [ - "development", - "runtime" - ], - "version": "0.5.16" - }, - { - "depends_on": [], - "id": "pkg:npm/source-map-url@0.4.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "source-map-url", - "package_ref": "pkg:npm/source-map-url@0.4.0", - "purl": "pkg:npm/source-map-url@0.4.0", - "scopes": [ - "runtime" - ], - "version": "0.4.0" - }, - { - "depends_on": [ - "pkg:npm/amdefine@1.0.1" - ], - "id": "pkg:npm/source-map@0.4.4", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "source-map", - "package_ref": "pkg:npm/source-map@0.4.4", - "purl": "pkg:npm/source-map@0.4.4", - "scopes": [ - "runtime" - ], - "version": "0.4.4" - }, - { - "depends_on": [], - "id": "pkg:npm/source-map@0.5.7", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "source-map", - "package_ref": "pkg:npm/source-map@0.5.7", - "purl": "pkg:npm/source-map@0.5.7", - "scopes": [ - "development", - "runtime" - ], - "version": "0.5.7" - }, - { - "depends_on": [], - "id": "pkg:npm/source-map@0.6.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - 
"line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "source-map", - "package_ref": "pkg:npm/source-map@0.6.1", - "purl": "pkg:npm/source-map@0.6.1", - "scopes": [ - "development", - "runtime" - ], - "version": "0.6.1" - }, - { - "depends_on": [ - "pkg:npm/memory-pager@1.5.0" - ], - "id": "pkg:npm/sparse-bitfield@3.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sparse-bitfield", - "package_ref": "pkg:npm/sparse-bitfield@3.0.3", - "purl": "pkg:npm/sparse-bitfield@3.0.3", - "scopes": [ - "runtime" - ], - "version": "3.0.3" - }, - { - "depends_on": [ - "pkg:npm/foreground-child@1.5.6", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/os-homedir@1.0.2", - "pkg:npm/rimraf@2.6.2", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/which@1.3.0" - ], - "id": "pkg:npm/spawn-wrap@1.4.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "spawn-wrap", - "package_ref": "pkg:npm/spawn-wrap@1.4.2", - "purl": "pkg:npm/spawn-wrap@1.4.2", - "scopes": [ - "runtime" - ], - "version": "1.4.2" - }, - { - "depends_on": [ - "pkg:npm/spdx-expression-parse@3.0.0", - "pkg:npm/spdx-license-ids@3.0.0" - ], - "id": "pkg:npm/spdx-correct@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "Apache-2.0" - } - ], - "name": "spdx-correct", - "package_ref": "pkg:npm/spdx-correct@3.0.0", - "purl": "pkg:npm/spdx-correct@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/spdx-exceptions@2.1.0", - "licenses": [ - { - "type": "declared", - "value": "CC-BY-3.0" - } - ], - "name": "spdx-exceptions", - "package_ref": "pkg:npm/spdx-exceptions@2.1.0", - "purl": "pkg:npm/spdx-exceptions@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - "pkg:npm/spdx-exceptions@2.1.0", - "pkg:npm/spdx-license-ids@3.0.0" - ], - "id": 
"pkg:npm/spdx-expression-parse@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "spdx-expression-parse", - "package_ref": "pkg:npm/spdx-expression-parse@3.0.0", - "purl": "pkg:npm/spdx-expression-parse@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/spdx-license-ids@3.0.0", - "licenses": [ - { - "type": "declared", - "value": "CC0-1.0" - } - ], - "name": "spdx-license-ids", - "package_ref": "pkg:npm/spdx-license-ids@3.0.0", - "purl": "pkg:npm/spdx-license-ids@3.0.0", - "scopes": [ - "runtime" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/extend-shallow@3.0.2" - ], - "id": "pkg:npm/split-string@3.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "split-string", - "package_ref": "pkg:npm/split-string@3.1.0", - "purl": "pkg:npm/split-string@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/sprintf-js@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sprintf-js", - "package_ref": "pkg:npm/sprintf-js@1.0.3", - "purl": "pkg:npm/sprintf-js@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/sqlstring@2.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sqlstring", - "package_ref": "pkg:npm/sqlstring@2.3.1", - "purl": "pkg:npm/sqlstring@2.3.1", - "scopes": [ - "runtime" - ], - "version": "2.3.1" - }, - { - "depends_on": [ - "pkg:npm/asn1@0.2.4", - "pkg:npm/assert-plus@1.0.0", - "pkg:npm/bcrypt-pbkdf@1.0.2", - "pkg:npm/dashdash@1.14.1", - "pkg:npm/ecc-jsbn@0.1.2", - "pkg:npm/getpass@0.1.7", - "pkg:npm/jsbn@0.1.1", - 
"pkg:npm/safer-buffer@2.1.2", - "pkg:npm/tweetnacl@0.14.5" - ], - "id": "pkg:npm/sshpk@1.16.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "sshpk", - "package_ref": "pkg:npm/sshpk@1.16.1", - "purl": "pkg:npm/sshpk@1.16.1", - "scopes": [ - "runtime" - ], - "version": "1.16.1" - }, - { - "depends_on": [ - "pkg:npm/async-cache@0.1.5", - "pkg:npm/fd@0.0.3", - "pkg:npm/graceful-fs@1.2.3", - "pkg:npm/mime@1.2.11", - "pkg:npm/negotiator@0.2.8" - ], - "id": "pkg:npm/st@0.2.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "st", - "package_ref": "pkg:npm/st@0.2.4", - "purl": "pkg:npm/st@0.2.4", - "scopes": [ - "runtime" - ], - "version": "0.2.4" - }, - { - "depends_on": [], - "id": "pkg:npm/stack-utils@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "stack-utils", - "package_ref": "pkg:npm/stack-utils@1.0.2", - "purl": "pkg:npm/stack-utils@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/define-property@0.2.5", - "pkg:npm/object-copy@0.1.0" - ], - "id": "pkg:npm/static-extend@0.1.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "static-extend", - "package_ref": "pkg:npm/static-extend@0.1.2", - "purl": "pkg:npm/static-extend@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/statuses@1.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "statuses", - "package_ref": "pkg:npm/statuses@1.5.0", - "purl": "pkg:npm/statuses@1.5.0", - "scopes": [ - "development" - ], - "version": "1.5.0" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@2.3.6" - ], - "id": "pkg:npm/stream-browserify@2.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "stream-browserify", - "package_ref": "pkg:npm/stream-browserify@2.0.2", - "purl": "pkg:npm/stream-browserify@2.0.2", - "scopes": [ - "development" - ], - "version": "2.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/stream-buffers@3.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "stream-buffers", - "package_ref": "pkg:npm/stream-buffers@3.0.2", - "purl": "pkg:npm/stream-buffers@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [ - "pkg:npm/duplexer2@0.1.4", - "pkg:npm/readable-stream@2.3.6" - ], - "id": "pkg:npm/stream-combiner2@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "stream-combiner2", - "package_ref": "pkg:npm/stream-combiner2@1.1.1", - "purl": "pkg:npm/stream-combiner2@1.1.1", - "scopes": [ - "development" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/builtin-status-codes@3.0.0", - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@2.3.6", - "pkg:npm/to-arraybuffer@1.0.1", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/stream-http@2.8.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } 
- ], - "name": "stream-http", - "package_ref": "pkg:npm/stream-http@2.8.3", - "purl": "pkg:npm/stream-http@2.8.3", - "scopes": [ - "development" - ], - "version": "2.8.3" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@2.3.6" - ], - "id": "pkg:npm/stream-splicer@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "stream-splicer", - "package_ref": "pkg:npm/stream-splicer@2.0.0", - "purl": "pkg:npm/stream-splicer@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/streamifier@0.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "streamifier", - "package_ref": "pkg:npm/streamifier@0.1.1", - "purl": "pkg:npm/streamifier@0.1.1", - "scopes": [ - "runtime" - ], - "version": "0.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/streamsearch@0.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "streamsearch", - "package_ref": "pkg:npm/streamsearch@0.1.2", - "purl": "pkg:npm/streamsearch@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [ - "pkg:npm/code-point-at@1.1.0", - "pkg:npm/is-fullwidth-code-point@1.0.0", - "pkg:npm/strip-ansi@3.0.1" - ], - "id": "pkg:npm/string-width@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string-width", - "package_ref": "pkg:npm/string-width@1.0.2", - "purl": "pkg:npm/string-width@1.0.2", - "scopes": [ - "development", 
- "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/is-fullwidth-code-point@2.0.0", - "pkg:npm/strip-ansi@4.0.0" - ], - "id": "pkg:npm/string-width@2.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string-width", - "package_ref": "pkg:npm/string-width@2.1.1", - "purl": "pkg:npm/string-width@2.1.1", - "scopes": [ - "development", - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [ - "pkg:npm/emoji-regex@7.0.3", - "pkg:npm/is-fullwidth-code-point@2.0.0", - "pkg:npm/strip-ansi@5.2.0" - ], - "id": "pkg:npm/string-width@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string-width", - "package_ref": "pkg:npm/string-width@3.1.0", - "purl": "pkg:npm/string-width@3.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/emoji-regex@8.0.0", - "pkg:npm/is-fullwidth-code-point@3.0.0", - "pkg:npm/strip-ansi@6.0.0" - ], - "id": "pkg:npm/string-width@4.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string-width", - "package_ref": "pkg:npm/string-width@4.2.0", - "purl": "pkg:npm/string-width@4.2.0", - "scopes": [ - "runtime" - ], - "version": "4.2.0" - }, - { - "depends_on": [ - "pkg:npm/emoji-regex@8.0.0", - "pkg:npm/is-fullwidth-code-point@3.0.0", - "pkg:npm/strip-ansi@6.0.0" - ], - "id": "pkg:npm/string-width@4.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": 
"package-lock.json" - } - ], - "name": "string-width", - "package_ref": "pkg:npm/string-width@4.2.2", - "purl": "pkg:npm/string-width@4.2.2", - "scopes": [ - "development" - ], - "version": "4.2.2" - }, - { - "depends_on": [], - "id": "pkg:npm/string_decoder@0.10.31", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string_decoder", - "package_ref": "pkg:npm/string_decoder@0.10.31", - "purl": "pkg:npm/string_decoder@0.10.31", - "scopes": [ - "development", - "runtime" - ], - "version": "0.10.31" - }, - { - "depends_on": [ - "pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/string_decoder@1.1.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string_decoder", - "package_ref": "pkg:npm/string_decoder@1.1.1", - "purl": "pkg:npm/string_decoder@1.1.1", - "scopes": [ - "development", - "runtime" - ], - "version": "1.1.1" - }, - { - "depends_on": [ - "pkg:npm/safe-buffer@5.2.0" - ], - "id": "pkg:npm/string_decoder@1.3.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "string_decoder", - "package_ref": "pkg:npm/string_decoder@1.3.0", - "purl": "pkg:npm/string_decoder@1.3.0", - "scopes": [ - "development" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/ansi-regex@2.1.1" - ], - "id": "pkg:npm/strip-ansi@3.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-ansi", - "package_ref": "pkg:npm/strip-ansi@3.0.1", - "purl": 
"pkg:npm/strip-ansi@3.0.1", - "scopes": [ - "runtime" - ], - "version": "3.0.1" - }, - { - "depends_on": [ - "pkg:npm/ansi-regex@3.0.0" - ], - "id": "pkg:npm/strip-ansi@4.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-ansi", - "package_ref": "pkg:npm/strip-ansi@4.0.0", - "purl": "pkg:npm/strip-ansi@4.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - "pkg:npm/ansi-regex@4.1.0" - ], - "id": "pkg:npm/strip-ansi@5.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-ansi", - "package_ref": "pkg:npm/strip-ansi@5.2.0", - "purl": "pkg:npm/strip-ansi@5.2.0", - "scopes": [ - "development", - "runtime" - ], - "version": "5.2.0" - }, - { - "depends_on": [ - "pkg:npm/ansi-regex@5.0.0" - ], - "id": "pkg:npm/strip-ansi@6.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-ansi", - "package_ref": "pkg:npm/strip-ansi@6.0.0", - "purl": "pkg:npm/strip-ansi@6.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "6.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-utf8@0.2.1" - ], - "id": "pkg:npm/strip-bom@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "strip-bom", - "package_ref": "pkg:npm/strip-bom@2.0.0", - "purl": "pkg:npm/strip-bom@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/strip-eof@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": 
"package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-eof", - "package_ref": "pkg:npm/strip-eof@1.0.0", - "purl": "pkg:npm/strip-eof@1.0.0", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/strip-json-comments@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "strip-json-comments", - "package_ref": "pkg:npm/strip-json-comments@2.0.1", - "purl": "pkg:npm/strip-json-comments@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/minimist@1.2.0" - ], - "id": "pkg:npm/subarg@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "subarg", - "package_ref": "pkg:npm/subarg@1.0.0", - "purl": "pkg:npm/subarg@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/supports-color@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "supports-color", - "package_ref": "pkg:npm/supports-color@2.0.0", - "purl": "pkg:npm/supports-color@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/has-flag@1.0.0" - ], - "id": "pkg:npm/supports-color@3.2.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": 
"supports-color", - "package_ref": "pkg:npm/supports-color@3.2.3", - "purl": "pkg:npm/supports-color@3.2.3", - "scopes": [ - "runtime" - ], - "version": "3.2.3" - }, - { - "depends_on": [ - "pkg:npm/has-flag@3.0.0" - ], - "id": "pkg:npm/supports-color@5.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "supports-color", - "package_ref": "pkg:npm/supports-color@5.5.0", - "purl": "pkg:npm/supports-color@5.5.0", - "scopes": [ - "development", - "runtime" - ], - "version": "5.5.0" - }, - { - "depends_on": [ - "pkg:npm/has-flag@4.0.0" - ], - "id": "pkg:npm/supports-color@7.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "supports-color", - "package_ref": "pkg:npm/supports-color@7.1.0", - "purl": "pkg:npm/supports-color@7.1.0", - "scopes": [ - "runtime" - ], - "version": "7.1.0" - }, - { - "depends_on": [ - "pkg:npm/has-flag@4.0.0" - ], - "id": "pkg:npm/supports-color@7.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "supports-color", - "package_ref": "pkg:npm/supports-color@7.2.0", - "purl": "pkg:npm/supports-color@7.2.0", - "scopes": [ - "development", - "runtime" - ], - "version": "7.2.0" - }, - { - "depends_on": [ - "pkg:npm/acorn-node@1.6.2" - ], - "id": "pkg:npm/syntax-error@1.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "syntax-error", - "package_ref": "pkg:npm/syntax-error@1.4.0", - "purl": "pkg:npm/syntax-error@1.4.0", - "scopes": [ - "development" - ], - 
"version": "1.4.0" - }, - { - "depends_on": [ - "pkg:npm/color-support@1.1.3", - "pkg:npm/debug@2.6.9", - "pkg:npm/diff@1.4.0", - "pkg:npm/escape-string-regexp@1.0.5", - "pkg:npm/glob@7.1.3", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/readable-stream@2.3.7", - "pkg:npm/tap-parser@5.4.0", - "pkg:npm/unicode-length@1.0.3" - ], - "id": "pkg:npm/tap-mocha-reporter@3.0.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tap-mocha-reporter", - "package_ref": "pkg:npm/tap-mocha-reporter@3.0.9", - "purl": "pkg:npm/tap-mocha-reporter@3.0.9", - "scopes": [ - "runtime" - ], - "version": "3.0.9" - }, - { - "depends_on": [ - "pkg:npm/events-to-array@1.1.2", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/readable-stream@2.3.7" - ], - "id": "pkg:npm/tap-parser@5.4.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tap-parser", - "package_ref": "pkg:npm/tap-parser@5.4.0", - "purl": "pkg:npm/tap-parser@5.4.0", - "scopes": [ - "runtime" - ], - "version": "5.4.0" - }, - { - "depends_on": [ - "pkg:npm/events-to-array@1.1.2", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/minipass@2.9.0" - ], - "id": "pkg:npm/tap-parser@7.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tap-parser", - "package_ref": "pkg:npm/tap-parser@7.0.0", - "purl": "pkg:npm/tap-parser@7.0.0", - "scopes": [ - "runtime" - ], - "version": "7.0.0" - }, - { - "depends_on": [ - "pkg:npm/bind-obj-methods@2.0.0", - "pkg:npm/bluebird@3.5.4", - "pkg:npm/clean-yaml-object@0.1.0", - "pkg:npm/color-support@1.1.3", - "pkg:npm/coveralls@3.0.9", - "pkg:npm/foreground-child@1.5.6", - 
"pkg:npm/fs-exists-cached@1.0.0", - "pkg:npm/function-loop@1.0.2", - "pkg:npm/glob@7.1.3", - "pkg:npm/isexe@2.0.0", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/minipass@2.9.0", - "pkg:npm/mkdirp@0.5.1", - "pkg:npm/nyc@11.9.0", - "pkg:npm/opener@1.5.1", - "pkg:npm/os-homedir@1.0.2", - "pkg:npm/own-or-env@1.0.1", - "pkg:npm/own-or@1.0.0", - "pkg:npm/rimraf@2.6.3", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/source-map-support@0.5.16", - "pkg:npm/stack-utils@1.0.2", - "pkg:npm/tap-mocha-reporter@3.0.9", - "pkg:npm/tap-parser@7.0.0", - "pkg:npm/tmatch@3.1.0", - "pkg:npm/trivial-deferred@1.0.1", - "pkg:npm/tsame@1.1.2", - "pkg:npm/write-file-atomic@2.4.3", - "pkg:npm/yapool@1.0.0" - ], - "id": "pkg:npm/tap@11.1.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tap", - "package_ref": "pkg:npm/tap@11.1.5", - "purl": "pkg:npm/tap@11.1.5", - "scopes": [ - "runtime" - ], - "version": "11.1.5" - }, - { - "depends_on": [ - "pkg:npm/bl@3.0.0", - "pkg:npm/end-of-stream@1.4.4", - "pkg:npm/fs-constants@1.0.0", - "pkg:npm/inherits@2.0.3", - "pkg:npm/readable-stream@3.4.0" - ], - "id": "pkg:npm/tar-stream@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tar-stream", - "package_ref": "pkg:npm/tar-stream@2.1.0", - "purl": "pkg:npm/tar-stream@2.1.0", - "scopes": [ - "development" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/temp-dir@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "temp-dir", - "package_ref": "pkg:npm/temp-dir@1.0.0", - "purl": "pkg:npm/temp-dir@1.0.0", - "scopes": [ - "development" - ], - 
"version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/temp-dir@1.0.0", - "pkg:npm/uuid@3.3.2" - ], - "id": "pkg:npm/tempfile@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tempfile", - "package_ref": "pkg:npm/tempfile@2.0.0", - "purl": "pkg:npm/tempfile@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/execa@0.7.0" - ], - "id": "pkg:npm/term-size@1.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "term-size", - "package_ref": "pkg:npm/term-size@1.2.0", - "purl": "pkg:npm/term-size@1.2.0", - "scopes": [ - "development" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/term-size@2.2.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "term-size", - "package_ref": "pkg:npm/term-size@2.2.1", - "purl": "pkg:npm/term-size@2.2.1", - "scopes": [ - "development" - ], - "version": "2.2.1" - }, - { - "depends_on": [ - "pkg:npm/arrify@1.0.1", - "pkg:npm/micromatch@3.1.10", - "pkg:npm/object-assign@4.1.1", - "pkg:npm/read-pkg-up@1.0.1", - "pkg:npm/require-main-filename@1.0.1" - ], - "id": "pkg:npm/test-exclude@4.2.1", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "test-exclude", - "package_ref": "pkg:npm/test-exclude@4.2.1", - "purl": "pkg:npm/test-exclude@4.2.1", - "scopes": [ - "runtime" - ], - "version": "4.2.1" - }, - { - "depends_on": [ - "pkg:npm/promise@7.3.1" - ], - "id": "pkg:npm/then-fs@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "then-fs", - "package_ref": "pkg:npm/then-fs@2.0.0", - "purl": "pkg:npm/then-fs@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/thenify@3.3.1" - ], - "id": "pkg:npm/thenify-all@1.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "thenify-all", - "package_ref": "pkg:npm/thenify-all@1.6.0", - "purl": "pkg:npm/thenify-all@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [ - "pkg:npm/any-promise@1.3.0" - ], - "id": "pkg:npm/thenify@3.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "thenify", - "package_ref": "pkg:npm/thenify@3.3.1", - "purl": "pkg:npm/thenify@3.3.1", - "scopes": [ - "runtime" - ], - "version": "3.3.1" - }, - { - "depends_on": [ - "pkg:npm/readable-stream@2.3.6", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/through2@2.0.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "through2", - "package_ref": "pkg:npm/through2@2.0.5", - "purl": "pkg:npm/through2@2.0.5", - "scopes": [ - "development" - ], - "version": "2.0.5" - }, - { - "depends_on": [], - "id": "pkg:npm/through@2.3.8", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "through", - "package_ref": "pkg:npm/through@2.3.8", - "purl": "pkg:npm/through@2.3.8", - "scopes": [ - "development" - ], - "version": "2.3.8" - }, - { - 
"depends_on": [], - "id": "pkg:npm/thunkify@2.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "thunkify", - "package_ref": "pkg:npm/thunkify@2.1.2", - "purl": "pkg:npm/thunkify@2.1.2", - "scopes": [ - "development" - ], - "version": "2.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/timed-out@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "timed-out", - "package_ref": "pkg:npm/timed-out@4.0.1", - "purl": "pkg:npm/timed-out@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [ - "pkg:npm/process@0.11.10" - ], - "id": "pkg:npm/timers-browserify@1.4.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "timers-browserify", - "package_ref": "pkg:npm/timers-browserify@1.4.2", - "purl": "pkg:npm/timers-browserify@1.4.2", - "scopes": [ - "development" - ], - "version": "1.4.2" - }, - { - "depends_on": [], - "id": "pkg:npm/tmatch@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tmatch", - "package_ref": "pkg:npm/tmatch@3.1.0", - "purl": "pkg:npm/tmatch@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/os-tmpdir@1.0.2" - ], - "id": "pkg:npm/tmp@0.0.33", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "tmp", - "package_ref": 
"pkg:npm/tmp@0.0.33", - "purl": "pkg:npm/tmp@0.0.33", - "scopes": [ - "development" - ], - "version": "0.0.33" - }, - { - "depends_on": [ - "pkg:npm/rimraf@2.6.3" - ], - "id": "pkg:npm/tmp@0.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "tmp", - "package_ref": "pkg:npm/tmp@0.1.0", - "purl": "pkg:npm/tmp@0.1.0", - "scopes": [ - "development" - ], - "version": "0.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/to-arraybuffer@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "to-arraybuffer", - "package_ref": "pkg:npm/to-arraybuffer@1.0.1", - "purl": "pkg:npm/to-arraybuffer@1.0.1", - "scopes": [ - "development" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/to-fast-properties@1.0.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-fast-properties", - "package_ref": "pkg:npm/to-fast-properties@1.0.3", - "purl": "pkg:npm/to-fast-properties@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/kind-of@3.2.2" - ], - "id": "pkg:npm/to-object-path@0.3.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-object-path", - "package_ref": "pkg:npm/to-object-path@0.3.0", - "purl": "pkg:npm/to-object-path@0.3.0", - "scopes": [ - "runtime" - ], - "version": "0.3.0" - }, - { - "depends_on": [], - "id": "pkg:npm/to-readable-stream@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "to-readable-stream", - "package_ref": "pkg:npm/to-readable-stream@1.0.0", - "purl": 
"pkg:npm/to-readable-stream@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/is-number@3.0.0", - "pkg:npm/repeat-string@1.6.1" - ], - "id": "pkg:npm/to-regex-range@2.1.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "to-regex-range", - "package_ref": "pkg:npm/to-regex-range@2.1.1", - "purl": "pkg:npm/to-regex-range@2.1.1", - "scopes": [ - "runtime" - ], - "version": "2.1.1" - }, - { - "depends_on": [ - "pkg:npm/is-number@7.0.0" - ], - "id": "pkg:npm/to-regex-range@5.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "to-regex-range", - "package_ref": "pkg:npm/to-regex-range@5.0.1", - "purl": "pkg:npm/to-regex-range@5.0.1", - "scopes": [ - "development" - ], - "version": "5.0.1" - }, - { - "depends_on": [ - "pkg:npm/define-property@2.0.2", - "pkg:npm/extend-shallow@3.0.2", - "pkg:npm/regex-not@1.0.2", - "pkg:npm/safe-regex@1.1.0" - ], - "id": "pkg:npm/to-regex@3.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-regex", - "package_ref": "pkg:npm/to-regex@3.0.2", - "purl": "pkg:npm/to-regex@3.0.2", - "scopes": [ - "runtime" - ], - "version": "3.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/toidentifier@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "toidentifier", - "package_ref": "pkg:npm/toidentifier@1.0.0", - "purl": "pkg:npm/toidentifier@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/toml@3.0.0", - "licenses": 
[], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "toml", - "package_ref": "pkg:npm/toml@3.0.0", - "purl": "pkg:npm/toml@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/nopt@1.0.10" - ], - "id": "pkg:npm/touch@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "touch", - "package_ref": "pkg:npm/touch@3.1.0", - "purl": "pkg:npm/touch@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [ - "pkg:npm/psl@1.7.0", - "pkg:npm/punycode@1.4.1" - ], - "id": "pkg:npm/tough-cookie@2.4.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "tough-cookie", - "package_ref": "pkg:npm/tough-cookie@2.4.3", - "purl": "pkg:npm/tough-cookie@2.4.3", - "scopes": [ - "runtime" - ], - "version": "2.4.3" - }, - { - "depends_on": [], - "id": "pkg:npm/tree-kill@1.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tree-kill", - "package_ref": "pkg:npm/tree-kill@1.2.2", - "purl": "pkg:npm/tree-kill@1.2.2", - "scopes": [ - "development" - ], - "version": "1.2.2" - }, - { - "depends_on": [], - "id": "pkg:npm/trim-right@1.0.1", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "trim-right", - "package_ref": "pkg:npm/trim-right@1.0.1", - "purl": "pkg:npm/trim-right@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/trivial-deferred@1.0.1", - 
"licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "trivial-deferred", - "package_ref": "pkg:npm/trivial-deferred@1.0.1", - "purl": "pkg:npm/trivial-deferred@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/tsame@1.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tsame", - "package_ref": "pkg:npm/tsame@1.1.2", - "purl": "pkg:npm/tsame@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/tslib@1.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tslib", - "package_ref": "pkg:npm/tslib@1.10.0", - "purl": "pkg:npm/tslib@1.10.0", - "scopes": [ - "runtime" - ], - "version": "1.10.0" - }, - { - "depends_on": [], - "id": "pkg:npm/tslib@1.9.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tslib", - "package_ref": "pkg:npm/tslib@1.9.3", - "purl": "pkg:npm/tslib@1.9.3", - "scopes": [ - "development" - ], - "version": "1.9.3" - }, - { - "depends_on": [], - "id": "pkg:npm/tty-browserify@0.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tty-browserify", - "package_ref": "pkg:npm/tty-browserify@0.0.1", - "purl": "pkg:npm/tty-browserify@0.0.1", - "scopes": [ - "development" - ], - "version": "0.0.1" - }, - { - "depends_on": [ - 
"pkg:npm/safe-buffer@5.1.2" - ], - "id": "pkg:npm/tunnel-agent@0.6.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tunnel-agent", - "package_ref": "pkg:npm/tunnel-agent@0.6.0", - "purl": "pkg:npm/tunnel-agent@0.6.0", - "scopes": [ - "runtime" - ], - "version": "0.6.0" - }, - { - "depends_on": [], - "id": "pkg:npm/tweetnacl@0.14.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "tweetnacl", - "package_ref": "pkg:npm/tweetnacl@0.14.5", - "purl": "pkg:npm/tweetnacl@0.14.5", - "scopes": [ - "runtime" - ], - "version": "0.14.5" - }, - { - "depends_on": [ - "pkg:npm/prelude-ls@1.1.2" - ], - "id": "pkg:npm/type-check@0.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "type-check", - "package_ref": "pkg:npm/type-check@0.3.2", - "purl": "pkg:npm/type-check@0.3.2", - "scopes": [ - "development" - ], - "version": "0.3.2" - }, - { - "depends_on": [], - "id": "pkg:npm/type-fest@0.8.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "type-fest", - "package_ref": "pkg:npm/type-fest@0.8.1", - "purl": "pkg:npm/type-fest@0.8.1", - "scopes": [ - "development" - ], - "version": "0.8.1" - }, - { - "depends_on": [ - "pkg:npm/media-typer@0.3.0", - "pkg:npm/mime-types@2.0.14" - ], - "id": "pkg:npm/type-is@1.5.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "type-is", - "package_ref": "pkg:npm/type-is@1.5.7", - "purl": "pkg:npm/type-is@1.5.7", - "scopes": [ - "runtime" - ], - "version": "1.5.7" - }, - { - "depends_on": [ - "pkg:npm/media-typer@0.3.0", - "pkg:npm/mime-types@2.1.23" - ], - "id": "pkg:npm/type-is@1.6.16", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "type-is", - "package_ref": "pkg:npm/type-is@1.6.16", - "purl": "pkg:npm/type-is@1.6.16", - "scopes": [ - "runtime" - ], - "version": "1.6.16" - }, - { - "depends_on": [ - "pkg:npm/is-typedarray@1.0.0" - ], - "id": "pkg:npm/typedarray-to-buffer@3.1.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "typedarray-to-buffer", - "package_ref": "pkg:npm/typedarray-to-buffer@3.1.5", - "purl": "pkg:npm/typedarray-to-buffer@3.1.5", - "scopes": [ - "development" - ], - "version": "3.1.5" - }, - { - "depends_on": [], - "id": "pkg:npm/typedarray@0.0.6", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "typedarray", - "package_ref": "pkg:npm/typedarray@0.0.6", - "purl": "pkg:npm/typedarray@0.0.6", - "scopes": [ - "development" - ], - "version": "0.0.6" - }, - { - "depends_on": [ - "pkg:npm/app-root-path@3.0.0", - "pkg:npm/buffer@5.6.0", - "pkg:npm/chalk@2.4.2", - "pkg:npm/cli-highlight@2.1.4", - "pkg:npm/debug@4.1.1", - "pkg:npm/dotenv@6.2.0", - "pkg:npm/glob@7.1.3", - "pkg:npm/js-yaml@3.13.1", - "pkg:npm/mkdirp@0.5.5", - "pkg:npm/reflect-metadata@0.1.13", - "pkg:npm/sha.js@2.4.11", - "pkg:npm/tslib@1.10.0", - "pkg:npm/xml2js@0.4.23", - "pkg:npm/yargonaut@1.1.4", - "pkg:npm/yargs@13.3.2" - ], - "id": "pkg:npm/typeorm@0.2.24", - 
"licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "typeorm", - "package_ref": "pkg:npm/typeorm@0.2.24", - "purl": "pkg:npm/typeorm@0.2.24", - "scopes": [ - "runtime" - ], - "version": "0.2.24" - }, - { - "depends_on": [ - "pkg:npm/source-map@0.5.7", - "pkg:npm/uglify-to-browserify@1.0.2", - "pkg:npm/yargs@3.10.0" - ], - "id": "pkg:npm/uglify-js@2.8.29", - "licenses": [ - { - "type": "declared", - "value": "BSD-2-Clause" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "uglify-js", - "package_ref": "pkg:npm/uglify-js@2.8.29", - "purl": "pkg:npm/uglify-js@2.8.29", - "scopes": [ - "runtime" - ], - "version": "2.8.29" - }, - { - "depends_on": [], - "id": "pkg:npm/uglify-js@3.13.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "uglify-js", - "package_ref": "pkg:npm/uglify-js@3.13.9", - "purl": "pkg:npm/uglify-js@3.13.9", - "scopes": [ - "runtime" - ], - "version": "3.13.9" - }, - { - "depends_on": [], - "id": "pkg:npm/uglify-to-browserify@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "uglify-to-browserify", - "package_ref": "pkg:npm/uglify-to-browserify@1.0.2", - "purl": "pkg:npm/uglify-to-browserify@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/random-bytes@1.0.0" - ], - "id": "pkg:npm/uid-safe@2.1.5", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "uid-safe", - "package_ref": 
"pkg:npm/uid-safe@2.1.5", - "purl": "pkg:npm/uid-safe@2.1.5", - "scopes": [ - "runtime" - ], - "version": "2.1.5" - }, - { - "depends_on": [], - "id": "pkg:npm/umd@3.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "umd", - "package_ref": "pkg:npm/umd@3.0.3", - "purl": "pkg:npm/umd@3.0.3", - "scopes": [ - "development" - ], - "version": "3.0.3" - }, - { - "depends_on": [ - "pkg:npm/acorn-node@1.6.2", - "pkg:npm/dash-ast@1.0.0", - "pkg:npm/get-assigned-identifiers@1.2.0", - "pkg:npm/simple-concat@1.0.0", - "pkg:npm/xtend@4.0.1" - ], - "id": "pkg:npm/undeclared-identifiers@1.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "undeclared-identifiers", - "package_ref": "pkg:npm/undeclared-identifiers@1.1.3", - "purl": "pkg:npm/undeclared-identifiers@1.1.3", - "scopes": [ - "development" - ], - "version": "1.1.3" - }, - { - "depends_on": [ - "pkg:npm/debug@2.6.9" - ], - "id": "pkg:npm/undefsafe@2.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "undefsafe", - "package_ref": "pkg:npm/undefsafe@2.0.3", - "purl": "pkg:npm/undefsafe@2.0.3", - "scopes": [ - "development" - ], - "version": "2.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/underscore@1.9.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "underscore", - "package_ref": "pkg:npm/underscore@1.9.1", - "purl": "pkg:npm/underscore@1.9.1", - "scopes": [ - "runtime" - ], - "version": "1.9.1" - }, - { - 
"depends_on": [ - "pkg:npm/punycode@1.4.1", - "pkg:npm/strip-ansi@3.0.1" - ], - "id": "pkg:npm/unicode-length@1.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "unicode-length", - "package_ref": "pkg:npm/unicode-length@1.0.3", - "purl": "pkg:npm/unicode-length@1.0.3", - "scopes": [ - "runtime" - ], - "version": "1.0.3" - }, - { - "depends_on": [ - "pkg:npm/arr-union@3.1.0", - "pkg:npm/get-value@2.0.6", - "pkg:npm/is-extendable@0.1.1", - "pkg:npm/set-value@0.4.3" - ], - "id": "pkg:npm/union-value@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "union-value", - "package_ref": "pkg:npm/union-value@1.0.0", - "purl": "pkg:npm/union-value@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/crypto-random-string@1.0.0" - ], - "id": "pkg:npm/unique-string@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "unique-string", - "package_ref": "pkg:npm/unique-string@1.0.0", - "purl": "pkg:npm/unique-string@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/crypto-random-string@2.0.0" - ], - "id": "pkg:npm/unique-string@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "unique-string", - "package_ref": "pkg:npm/unique-string@2.0.0", - "purl": "pkg:npm/unique-string@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/unpipe@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": 
"package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "unpipe", - "package_ref": "pkg:npm/unpipe@1.0.0", - "purl": "pkg:npm/unpipe@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/has-value@0.3.1", - "pkg:npm/isobject@3.0.1" - ], - "id": "pkg:npm/unset-value@1.0.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "unset-value", - "package_ref": "pkg:npm/unset-value@1.0.0", - "purl": "pkg:npm/unset-value@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/unzip-response@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "unzip-response", - "package_ref": "pkg:npm/unzip-response@2.0.1", - "purl": "pkg:npm/unzip-response@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/boxen@1.3.0", - "pkg:npm/chalk@2.4.2", - "pkg:npm/configstore@3.1.2", - "pkg:npm/import-lazy@2.1.0", - "pkg:npm/is-ci@1.2.1", - "pkg:npm/is-installed-globally@0.1.0", - "pkg:npm/is-npm@1.0.0", - "pkg:npm/latest-version@3.1.0", - "pkg:npm/semver-diff@2.1.0", - "pkg:npm/xdg-basedir@3.0.0" - ], - "id": "pkg:npm/update-notifier@2.5.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "update-notifier", - "package_ref": "pkg:npm/update-notifier@2.5.0", - "purl": "pkg:npm/update-notifier@2.5.0", - "scopes": [ - "development" - ], - "version": "2.5.0" - }, - { - "depends_on": [ - "pkg:npm/boxen@4.2.0", - "pkg:npm/chalk@3.0.0", - "pkg:npm/configstore@5.0.1", - "pkg:npm/has-yarn@2.1.0", - "pkg:npm/import-lazy@2.1.0", - "pkg:npm/is-ci@2.0.0", - "pkg:npm/is-installed-globally@0.3.2", - 
"pkg:npm/is-npm@4.0.0", - "pkg:npm/is-yarn-global@0.3.0", - "pkg:npm/latest-version@5.1.0", - "pkg:npm/pupa@2.1.1", - "pkg:npm/semver-diff@3.1.1", - "pkg:npm/xdg-basedir@4.0.0" - ], - "id": "pkg:npm/update-notifier@4.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "update-notifier", - "package_ref": "pkg:npm/update-notifier@4.1.3", - "purl": "pkg:npm/update-notifier@4.1.3", - "scopes": [ - "development" - ], - "version": "4.1.3" - }, - { - "depends_on": [ - "pkg:npm/punycode@2.1.1" - ], - "id": "pkg:npm/uri-js@4.2.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "uri-js", - "package_ref": "pkg:npm/uri-js@4.2.2", - "purl": "pkg:npm/uri-js@4.2.2", - "scopes": [ - "runtime" - ], - "version": "4.2.2" - }, - { - "depends_on": [], - "id": "pkg:npm/urix@0.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "urix", - "package_ref": "pkg:npm/urix@0.1.0", - "purl": "pkg:npm/urix@0.1.0", - "scopes": [ - "runtime" - ], - "version": "0.1.0" - }, - { - "depends_on": [ - "pkg:npm/prepend-http@1.0.4" - ], - "id": "pkg:npm/url-parse-lax@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "url-parse-lax", - "package_ref": "pkg:npm/url-parse-lax@1.0.0", - "purl": "pkg:npm/url-parse-lax@1.0.0", - "scopes": [ - "development" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/prepend-http@2.0.0" - ], - "id": "pkg:npm/url-parse-lax@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": 
"package-lock.json" - } - ], - "name": "url-parse-lax", - "package_ref": "pkg:npm/url-parse-lax@3.0.0", - "purl": "pkg:npm/url-parse-lax@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [ - "pkg:npm/punycode@1.3.2", - "pkg:npm/querystring@0.2.0" - ], - "id": "pkg:npm/url@0.11.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "url", - "package_ref": "pkg:npm/url@0.11.0", - "purl": "pkg:npm/url@0.11.0", - "scopes": [ - "development" - ], - "version": "0.11.0" - }, - { - "depends_on": [ - "pkg:npm/kind-of@6.0.2" - ], - "id": "pkg:npm/use@3.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "use", - "package_ref": "pkg:npm/use@3.1.0", - "purl": "pkg:npm/use@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/util-deprecate@1.0.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "util-deprecate", - "package_ref": "pkg:npm/util-deprecate@1.0.2", - "purl": "pkg:npm/util-deprecate@1.0.2", - "scopes": [ - "development", - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.1" - ], - "id": "pkg:npm/util@0.10.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "util", - "package_ref": "pkg:npm/util@0.10.3", - "purl": "pkg:npm/util@0.10.3", - "scopes": [ - "development" - ], - "version": "0.10.3" - }, - { - "depends_on": [ - "pkg:npm/inherits@2.0.3" - ], - "id": "pkg:npm/util@0.10.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - 
"file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "util", - "package_ref": "pkg:npm/util@0.10.4", - "purl": "pkg:npm/util@0.10.4", - "scopes": [ - "development" - ], - "version": "0.10.4" - }, - { - "depends_on": [], - "id": "pkg:npm/utils-merge@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "utils-merge", - "package_ref": "pkg:npm/utils-merge@1.0.0", - "purl": "pkg:npm/utils-merge@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/uuid@3.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "uuid", - "package_ref": "pkg:npm/uuid@3.3.2", - "purl": "pkg:npm/uuid@3.3.2", - "scopes": [ - "development", - "runtime" - ], - "version": "3.3.2" - }, - { - "depends_on": [ - "pkg:npm/spdx-correct@3.0.0", - "pkg:npm/spdx-expression-parse@3.0.0" - ], - "id": "pkg:npm/validate-npm-package-license@3.0.3", - "licenses": [ - { - "type": "declared", - "value": "Apache-2.0" - } - ], - "name": "validate-npm-package-license", - "package_ref": "pkg:npm/validate-npm-package-license@3.0.3", - "purl": "pkg:npm/validate-npm-package-license@3.0.3", - "scopes": [ - "runtime" - ], - "version": "3.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/validator@13.5.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "validator", - "package_ref": "pkg:npm/validator@13.5.2", - "purl": "pkg:npm/validator@13.5.2", - "scopes": [ - "runtime" - ], - "version": "13.5.2" - }, - { - "depends_on": [], - "id": 
"pkg:npm/vary@1.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "vary", - "package_ref": "pkg:npm/vary@1.0.1", - "purl": "pkg:npm/vary@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/vary@1.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "vary", - "package_ref": "pkg:npm/vary@1.1.2", - "purl": "pkg:npm/vary@1.1.2", - "scopes": [ - "runtime" - ], - "version": "1.1.2" - }, - { - "depends_on": [ - "pkg:npm/assert-plus@1.0.0", - "pkg:npm/core-util-is@1.0.2", - "pkg:npm/extsprintf@1.3.0" - ], - "id": "pkg:npm/verror@1.10.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "verror", - "package_ref": "pkg:npm/verror@1.10.0", - "purl": "pkg:npm/verror@1.10.0", - "scopes": [ - "runtime" - ], - "version": "1.10.0" - }, - { - "depends_on": [ - "pkg:npm/indexof@0.0.1" - ], - "id": "pkg:npm/vm-browserify@0.0.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "vm-browserify", - "package_ref": "pkg:npm/vm-browserify@0.0.4", - "purl": "pkg:npm/vm-browserify@0.0.4", - "scopes": [ - "development" - ], - "version": "0.0.4" - }, - { - "depends_on": [], - "id": "pkg:npm/vscode-languageserver-types@3.15.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "vscode-languageserver-types", - 
"package_ref": "pkg:npm/vscode-languageserver-types@3.15.0", - "purl": "pkg:npm/vscode-languageserver-types@3.15.0", - "scopes": [ - "development" - ], - "version": "3.15.0" - }, - { - "depends_on": [ - "pkg:npm/foreachasync@3.0.0" - ], - "id": "pkg:npm/walk@2.3.9", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "walk", - "package_ref": "pkg:npm/walk@2.3.9", - "purl": "pkg:npm/walk@2.3.9", - "scopes": [ - "runtime" - ], - "version": "2.3.9" - }, - { - "depends_on": [], - "id": "pkg:npm/which-module@2.0.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "which-module", - "package_ref": "pkg:npm/which-module@2.0.0", - "purl": "pkg:npm/which-module@2.0.0", - "scopes": [ - "runtime" - ], - "version": "2.0.0" - }, - { - "depends_on": [ - "pkg:npm/isexe@2.0.0" - ], - "id": "pkg:npm/which@1.3.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "which", - "package_ref": "pkg:npm/which@1.3.0", - "purl": "pkg:npm/which@1.3.0", - "scopes": [ - "runtime" - ], - "version": "1.3.0" - }, - { - "depends_on": [ - "pkg:npm/isexe@2.0.0" - ], - "id": "pkg:npm/which@1.3.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "which", - "package_ref": "pkg:npm/which@1.3.1", - "purl": "pkg:npm/which@1.3.1", - "scopes": [ - "runtime" - ], - "version": "1.3.1" - }, - { - "depends_on": [ - "pkg:npm/string-width@2.1.1" 
- ], - "id": "pkg:npm/widest-line@2.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "widest-line", - "package_ref": "pkg:npm/widest-line@2.0.1", - "purl": "pkg:npm/widest-line@2.0.1", - "scopes": [ - "development" - ], - "version": "2.0.1" - }, - { - "depends_on": [ - "pkg:npm/string-width@4.2.2" - ], - "id": "pkg:npm/widest-line@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "widest-line", - "package_ref": "pkg:npm/widest-line@3.1.0", - "purl": "pkg:npm/widest-line@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/window-size@0.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "window-size", - "package_ref": "pkg:npm/window-size@0.1.0", - "purl": "pkg:npm/window-size@0.1.0", - "scopes": [ - "runtime" - ], - "version": "0.1.0" - }, - { - "depends_on": [], - "id": "pkg:npm/window-size@0.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "window-size", - "package_ref": "pkg:npm/window-size@0.1.4", - "purl": "pkg:npm/window-size@0.1.4", - "scopes": [ - "development" - ], - "version": "0.1.4" - }, - { - "depends_on": [ - "pkg:npm/execa@1.0.0" - ], - "id": "pkg:npm/windows-release@3.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "windows-release", - 
"package_ref": "pkg:npm/windows-release@3.2.0", - "purl": "pkg:npm/windows-release@3.2.0", - "scopes": [ - "development" - ], - "version": "3.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/word-wrap@1.2.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "word-wrap", - "package_ref": "pkg:npm/word-wrap@1.2.3", - "purl": "pkg:npm/word-wrap@1.2.3", - "scopes": [ - "development" - ], - "version": "1.2.3" - }, - { - "depends_on": [], - "id": "pkg:npm/wordwrap@0.0.2", - "licenses": [ - { - "type": "declared", - "value": "MIT/X11" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wordwrap", - "package_ref": "pkg:npm/wordwrap@0.0.2", - "purl": "pkg:npm/wordwrap@0.0.2", - "scopes": [ - "runtime" - ], - "version": "0.0.2" - }, - { - "depends_on": [], - "id": "pkg:npm/wordwrap@0.0.3", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wordwrap", - "package_ref": "pkg:npm/wordwrap@0.0.3", - "purl": "pkg:npm/wordwrap@0.0.3", - "scopes": [ - "runtime" - ], - "version": "0.0.3" - }, - { - "depends_on": [ - "pkg:npm/string-width@1.0.2", - "pkg:npm/strip-ansi@3.0.1" - ], - "id": "pkg:npm/wrap-ansi@2.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wrap-ansi", - "package_ref": "pkg:npm/wrap-ansi@2.1.0", - "purl": "pkg:npm/wrap-ansi@2.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [ - 
"pkg:npm/ansi-styles@3.2.1", - "pkg:npm/string-width@3.1.0", - "pkg:npm/strip-ansi@5.2.0" - ], - "id": "pkg:npm/wrap-ansi@5.1.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wrap-ansi", - "package_ref": "pkg:npm/wrap-ansi@5.1.0", - "purl": "pkg:npm/wrap-ansi@5.1.0", - "scopes": [ - "development", - "runtime" - ], - "version": "5.1.0" - }, - { - "depends_on": [ - "pkg:npm/ansi-styles@4.2.1", - "pkg:npm/string-width@4.2.0", - "pkg:npm/strip-ansi@6.0.0" - ], - "id": "pkg:npm/wrap-ansi@6.2.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wrap-ansi", - "package_ref": "pkg:npm/wrap-ansi@6.2.0", - "purl": "pkg:npm/wrap-ansi@6.2.0", - "scopes": [ - "runtime" - ], - "version": "6.2.0" - }, - { - "depends_on": [], - "id": "pkg:npm/wrappy@1.0.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "wrappy", - "package_ref": "pkg:npm/wrappy@1.0.2", - "purl": "pkg:npm/wrappy@1.0.2", - "scopes": [ - "runtime" - ], - "version": "1.0.2" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.11", - "pkg:npm/imurmurhash@0.1.4", - "pkg:npm/slide@1.1.6" - ], - "id": "pkg:npm/write-file-atomic@1.3.4", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "write-file-atomic", - "package_ref": "pkg:npm/write-file-atomic@1.3.4", - "purl": "pkg:npm/write-file-atomic@1.3.4", - "scopes": [ - "runtime" - ], - "version": 
"1.3.4" - }, - { - "depends_on": [ - "pkg:npm/graceful-fs@4.1.15", - "pkg:npm/imurmurhash@0.1.4", - "pkg:npm/signal-exit@3.0.2" - ], - "id": "pkg:npm/write-file-atomic@2.4.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "write-file-atomic", - "package_ref": "pkg:npm/write-file-atomic@2.4.3", - "purl": "pkg:npm/write-file-atomic@2.4.3", - "scopes": [ - "runtime" - ], - "version": "2.4.3" - }, - { - "depends_on": [ - "pkg:npm/imurmurhash@0.1.4", - "pkg:npm/is-typedarray@1.0.0", - "pkg:npm/signal-exit@3.0.2", - "pkg:npm/typedarray-to-buffer@3.1.5" - ], - "id": "pkg:npm/write-file-atomic@3.0.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "write-file-atomic", - "package_ref": "pkg:npm/write-file-atomic@3.0.3", - "purl": "pkg:npm/write-file-atomic@3.0.3", - "scopes": [ - "development" - ], - "version": "3.0.3" - }, - { - "depends_on": [], - "id": "pkg:npm/xdg-basedir@3.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "xdg-basedir", - "package_ref": "pkg:npm/xdg-basedir@3.0.0", - "purl": "pkg:npm/xdg-basedir@3.0.0", - "scopes": [ - "development" - ], - "version": "3.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/xdg-basedir@4.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "xdg-basedir", - "package_ref": "pkg:npm/xdg-basedir@4.0.0", - "purl": "pkg:npm/xdg-basedir@4.0.0", - "scopes": [ - "development" - ], - "version": "4.0.0" - }, - { - "depends_on": [ - 
"pkg:npm/sax@1.2.4", - "pkg:npm/xmlbuilder@9.0.7" - ], - "id": "pkg:npm/xml2js@0.4.19", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "xml2js", - "package_ref": "pkg:npm/xml2js@0.4.19", - "purl": "pkg:npm/xml2js@0.4.19", - "scopes": [ - "development" - ], - "version": "0.4.19" - }, - { - "depends_on": [ - "pkg:npm/sax@1.2.4", - "pkg:npm/xmlbuilder@11.0.1" - ], - "id": "pkg:npm/xml2js@0.4.23", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "xml2js", - "package_ref": "pkg:npm/xml2js@0.4.23", - "purl": "pkg:npm/xml2js@0.4.23", - "scopes": [ - "runtime" - ], - "version": "0.4.23" - }, - { - "depends_on": [], - "id": "pkg:npm/xmlbuilder@11.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "xmlbuilder", - "package_ref": "pkg:npm/xmlbuilder@11.0.1", - "purl": "pkg:npm/xmlbuilder@11.0.1", - "scopes": [ - "runtime" - ], - "version": "11.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/xmlbuilder@9.0.7", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "xmlbuilder", - "package_ref": "pkg:npm/xmlbuilder@9.0.7", - "purl": "pkg:npm/xmlbuilder@9.0.7", - "scopes": [ - "development" - ], - "version": "9.0.7" - }, - { - "depends_on": [], - "id": "pkg:npm/xregexp@2.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "xregexp", - "package_ref": "pkg:npm/xregexp@2.0.0", - "purl": "pkg:npm/xregexp@2.0.0", - "scopes": [ - "development" - ], - "version": "2.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/xtend@4.0.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "xtend", - "package_ref": "pkg:npm/xtend@4.0.1", - "purl": "pkg:npm/xtend@4.0.1", - "scopes": [ - "development" - ], - "version": "4.0.1" - }, - { - "depends_on": [], - "id": "pkg:npm/y18n@3.2.1", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "y18n", - "package_ref": "pkg:npm/y18n@3.2.1", - "purl": "pkg:npm/y18n@3.2.1", - "scopes": [ - "development", - "runtime" - ], - "version": "3.2.1" - }, - { - "depends_on": [], - "id": "pkg:npm/y18n@4.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "y18n", - "package_ref": "pkg:npm/y18n@4.0.0", - "purl": "pkg:npm/y18n@4.0.0", - "scopes": [ - "runtime" - ], - "version": "4.0.0" - }, - { - "depends_on": [], - "id": "pkg:npm/yallist@2.1.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yallist", - "package_ref": "pkg:npm/yallist@2.1.2", - "purl": "pkg:npm/yallist@2.1.2", - "scopes": [ - "development", - "runtime" - ], - "version": "2.1.2" - }, - { - "depends_on": [], - "id": "pkg:npm/yallist@3.1.1", - "licenses": [], - "locations": [ - { - 
"access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yallist", - "package_ref": "pkg:npm/yallist@3.1.1", - "purl": "pkg:npm/yallist@3.1.1", - "scopes": [ - "development", - "runtime" - ], - "version": "3.1.1" - }, - { - "depends_on": [], - "id": "pkg:npm/yapool@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yapool", - "package_ref": "pkg:npm/yapool@1.0.0", - "purl": "pkg:npm/yapool@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:npm/chalk@1.1.3", - "pkg:npm/figlet@1.5.0", - "pkg:npm/parent-require@1.0.0" - ], - "id": "pkg:npm/yargonaut@1.1.4", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargonaut", - "package_ref": "pkg:npm/yargonaut@1.1.4", - "purl": "pkg:npm/yargonaut@1.1.4", - "scopes": [ - "runtime" - ], - "version": "1.1.4" - }, - { - "depends_on": [ - "pkg:npm/camelcase@5.3.1", - "pkg:npm/decamelize@1.2.0" - ], - "id": "pkg:npm/yargs-parser@13.1.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs-parser", - "package_ref": "pkg:npm/yargs-parser@13.1.2", - "purl": "pkg:npm/yargs-parser@13.1.2", - "scopes": [ - "runtime" - ], - "version": "13.1.2" - }, - { - "depends_on": [ - "pkg:npm/camelcase@5.3.1", - "pkg:npm/decamelize@1.2.0" - ], - "id": "pkg:npm/yargs-parser@18.1.3", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - 
"name": "yargs-parser", - "package_ref": "pkg:npm/yargs-parser@18.1.3", - "purl": "pkg:npm/yargs-parser@18.1.3", - "scopes": [ - "runtime" - ], - "version": "18.1.3" - }, - { - "depends_on": [ - "pkg:npm/camelcase@4.1.0" - ], - "id": "pkg:npm/yargs-parser@8.1.0", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "yargs-parser", - "package_ref": "pkg:npm/yargs-parser@8.1.0", - "purl": "pkg:npm/yargs-parser@8.1.0", - "scopes": [ - "runtime" - ], - "version": "8.1.0" - }, - { - "depends_on": [ - "pkg:npm/camelcase@4.1.0" - ], - "id": "pkg:npm/yargs-parser@9.0.2", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "matched": true, - "name": "yargs-parser", - "package_ref": "pkg:npm/yargs-parser@9.0.2", - "purl": "pkg:npm/yargs-parser@9.0.2", - "scopes": [ - "runtime" - ], - "version": "9.0.2" - }, - { - "depends_on": [ - "pkg:npm/cliui@4.1.0", - "pkg:npm/decamelize@1.2.0", - "pkg:npm/find-up@2.1.0", - "pkg:npm/get-caller-file@1.0.2", - "pkg:npm/os-locale@2.1.0", - "pkg:npm/require-directory@2.1.1", - "pkg:npm/require-main-filename@1.0.1", - "pkg:npm/set-blocking@2.0.0", - "pkg:npm/string-width@2.1.1", - "pkg:npm/which-module@2.0.0", - "pkg:npm/y18n@3.2.1", - "pkg:npm/yargs-parser@9.0.2" - ], - "id": "pkg:npm/yargs@11.1.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs", - "package_ref": "pkg:npm/yargs@11.1.0", - "purl": "pkg:npm/yargs@11.1.0", - "scopes": [ - "runtime" - ], 
- "version": "11.1.0" - }, - { - "depends_on": [ - "pkg:npm/cliui@5.0.0", - "pkg:npm/find-up@3.0.0", - "pkg:npm/get-caller-file@2.0.5", - "pkg:npm/require-directory@2.1.1", - "pkg:npm/require-main-filename@2.0.0", - "pkg:npm/set-blocking@2.0.0", - "pkg:npm/string-width@3.1.0", - "pkg:npm/which-module@2.0.0", - "pkg:npm/y18n@4.0.0", - "pkg:npm/yargs-parser@13.1.2" - ], - "id": "pkg:npm/yargs@13.3.2", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs", - "package_ref": "pkg:npm/yargs@13.3.2", - "purl": "pkg:npm/yargs@13.3.2", - "scopes": [ - "runtime" - ], - "version": "13.3.2" - }, - { - "depends_on": [ - "pkg:npm/cliui@6.0.0", - "pkg:npm/decamelize@1.2.0", - "pkg:npm/find-up@4.1.0", - "pkg:npm/get-caller-file@2.0.5", - "pkg:npm/require-directory@2.1.1", - "pkg:npm/require-main-filename@2.0.0", - "pkg:npm/set-blocking@2.0.0", - "pkg:npm/string-width@4.2.0", - "pkg:npm/which-module@2.0.0", - "pkg:npm/y18n@4.0.0", - "pkg:npm/yargs-parser@18.1.3" - ], - "id": "pkg:npm/yargs@15.4.1", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs", - "package_ref": "pkg:npm/yargs@15.4.1", - "purl": "pkg:npm/yargs@15.4.1", - "scopes": [ - "runtime" - ], - "version": "15.4.1" - }, - { - "depends_on": [ - "pkg:npm/camelcase@1.2.1", - "pkg:npm/cliui@2.1.0", - "pkg:npm/decamelize@1.2.0", - "pkg:npm/window-size@0.1.0" - ], - "id": "pkg:npm/yargs@3.10.0", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs", - "package_ref": "pkg:npm/yargs@3.10.0", - "purl": "pkg:npm/yargs@3.10.0", - "scopes": [ 
- "runtime" - ], - "version": "3.10.0" - }, - { - "depends_on": [ - "pkg:npm/camelcase@2.1.1", - "pkg:npm/cliui@3.2.0", - "pkg:npm/decamelize@1.2.0", - "pkg:npm/os-locale@1.4.0", - "pkg:npm/string-width@1.0.2", - "pkg:npm/window-size@0.1.4", - "pkg:npm/y18n@3.2.1" - ], - "id": "pkg:npm/yargs@3.32.0", - "licenses": [], - "locations": [ - { - "access_path": "package-lock.json", - "position": { - "file": "package-lock.json", - "line": 0 - }, - "real_path": "package-lock.json" - } - ], - "name": "yargs", - "package_ref": "pkg:npm/yargs@3.32.0", - "purl": "pkg:npm/yargs@3.32.0", - "scopes": [ - "development" - ], - "version": "3.32.0" - } - ], - "detector": "npm-detector", - "ecosystem": "npm", - "kind": "package-lock.json", - "package_manager": "npm", - "path": "package-lock.json", - "subproject": "." - } - ], - "metadata": { - "analyzer_runs": [ - "JavaScript Reachability" - ], - "analyzer_stats": { - "jsreach": { - "reachable": 140, - "unreachable": 137 - } - }, - "duration_ms": 0, - "reachability_enabled": true - }, - "packages": [ - { - "ecosystem": "github-actions", - "licenses": [], - "name": ".github/workflows/codeql-analysis.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fcodeql-analysis.yml@local", - "version": "local", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": ".github/workflows/snyk-code-manual.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code-manual.yml@local", - "version": "local", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": ".github/workflows/snyk-code.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-code.yml@local", - "version": "local", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": ".github/workflows/snyk-test-sarif.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fsnyk-test-sarif.yml@local", - "version": "local", - "vulnerabilities": [] - }, - { - "ecosystem": 
"github-actions", - "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": "codeql-action/analyze", - "purl": "pkg:githubactions/github/codeql-action%2Fanalyze@v1", - "version": "v1", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": "codeql-action/autobuild", - "purl": "pkg:githubactions/github/codeql-action%2Fautobuild@v1", - "version": "v1", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": "codeql-action/init", - "purl": "pkg:githubactions/github/codeql-action%2Finit@v1", - "version": "v1", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": "codeql-action/upload-sarif", - "purl": "pkg:githubactions/github/codeql-action%2Fupload-sarif@v2", - "version": "v2", - "vulnerabilities": [] - }, - { - "ecosystem": "github-actions", - "licenses": [], - "name": "actions/setup", - "purl": "pkg:githubactions/snyk/actions%2Fsetup@master", - "version": "master", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "is", - "purl": "pkg:npm/%40sindresorhus/is@0.14.0", - "version": "0.14.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "cli-interface", - "purl": "pkg:npm/%40snyk/cli-interface@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "cli-interface", - "purl": "pkg:npm/%40snyk/cli-interface@2.2.0", - "version": "2.2.0", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "cli-interface", - "purl": "pkg:npm/%40snyk/cli-interface@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "cocoapods-lockfile-parser", - "purl": "pkg:npm/%40snyk/cocoapods-lockfile-parser@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "composer-lockfile-parser", - "purl": "pkg:npm/%40snyk/composer-lockfile-parser@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "dep-graph", - "purl": "pkg:npm/%40snyk/dep-graph@1.13.1", - "version": "1.13.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "gemfile", - "purl": "pkg:npm/%40snyk/gemfile@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "ruby-semver", - "purl": "pkg:npm/%40snyk/ruby-semver@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "snyk-cocoapods-plugin", - "purl": 
"pkg:npm/%40snyk/snyk-cocoapods-plugin@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "http-timer", - "purl": "pkg:npm/%40szmarczak/http-timer@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "agent-base", - "purl": "pkg:npm/%40types/agent-base@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bunyan", - "purl": "pkg:npm/%40types/bunyan@1.8.6", - "version": "1.8.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "color-name", - "purl": "pkg:npm/%40types/color-name@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "debug", - "purl": "pkg:npm/%40types/debug@4.1.5", - "version": "4.1.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.3.1 (semantic)", - "aliases": [ - "CVE-2017-16137" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", - "description": "Regular Expression 
Denial of Service in debug", - "epss": [ - { - "cve": "CVE-2017-16137", - "date": "2026-06-14", - "epss": 0.00102, - "percentile": 0.2768 - } - ], - "fix_available": [ - { - "date": "2023-10-03", - "kind": "first-observed", - "version": "4.3.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.1", - "fixed_versions": [ - "4.3.1" - ], - "id": "GHSA-gxpj-cx7g-858c", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16137", - "Fix available: upgrade to 4.3.1", - "Fix state: fixed", - "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", - "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", - "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", - "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", - "https://github.com/debug-js/debug/issues/797", - "https://github.com/visionmedia/debug/issues/501", - "https://github.com/visionmedia/debug/pull/504", - "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", - "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - }, - { - "type": "advisory", - "url": "https://github.com/visionmedia/debug/issues/501" - }, - { - "type": "advisory", - "url": "https://github.com/visionmedia/debug/pull/504" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/issues/797" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" - } - ], - "risk_score": 0.03417, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in debug" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "events", - "purl": "pkg:npm/%40types/events@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "js-yaml", - "purl": "pkg:npm/%40types/js-yaml@3.12.1", - "version": "3.12.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.13.0 (semantic)", - "cvss": [ - { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-2pr6-76vf-7546", - "description": "Denial of Service in js-yaml", - "fix_available": [ - { - "date": "2020-09-12", - "kind": "first-observed", - "version": 
"3.13.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.13.0", - "fixed_versions": [ - "3.13.0" - ], - "id": "GHSA-2pr6-76vf-7546", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 3.13.0", - "Fix state: fixed", - "https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235", - "https://github.com/nodeca/js-yaml/issues/475", - "https://snyk.io/vuln/SNYK-JS-JSYAML-173999", - "https://www.npmjs.com/advisories/788", - "https://www.npmjs.com/advisories/788/versions" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2pr6-76vf-7546" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/issues/475" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/commit/a567ef3c6e61eb319f0bfc2671d91061afb01235" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/788" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/788/versions" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-JSYAML-173999" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Denial of Service in js-yaml" - }, - { - "affected_version_range": "\u003c3.13.1 (semantic)", - "data_source": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx", - "description": "Code Injection in js-yaml", - "fix_available": [ - { - "date": "2020-09-12", - "kind": "first-observed", - "version": "3.13.1" - } - ], - "fix_state": "fixed", - "fixed_in": "3.13.1", - "fixed_versions": [ - "3.13.1" - ], - "id": "GHSA-8j8c-7jfh-h6hx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": 
"package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 3.13.1", - "Fix state: fixed", - "https://github.com/nodeca/js-yaml/pull/480", - "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61", - "https://www.npmjs.com/advisories/813" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/pull/480" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/813" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Code Injection in js-yaml" - }, - { - "affected_version_range": "\u003c3.14.2 (semantic)", - "aliases": [ - "CVE-2025-64718" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-64718", - "id": "CWE-1321", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", - "description": "js-yaml has prototype pollution in merge (\u003c\u003c)", - "epss": [ - { - "cve": "CVE-2025-64718", - "date": "2026-06-14", - "epss": 0.00025, - "percentile": 0.07522 - } - ], - "fix_available": [ - { - "date": "2025-11-18", - "kind": "first-observed", - "version": "3.14.2" - } - ], - "fix_state": "fixed", - "fixed_in": "3.14.2", - "fixed_versions": [ - "3.14.2" - ], - "id": "GHSA-mh29-5h37-fv8m", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: 
CVE-2025-64718", - "Fix available: upgrade to 3.14.2", - "Fix state: fixed", - "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879", - "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266", - "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876", - "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m", - "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876" - } - ], - "risk_score": 0.012875000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "js-yaml has prototype pollution in merge (\u003c\u003c)" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "node", - "purl": "pkg:npm/%40types/node@13.1.7", - "version": "13.1.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "node", - "purl": "pkg:npm/%40types/node@6.14.9", - "version": "6.14.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" 
- } - ], - "matched": true, - "name": "restify", - "purl": "pkg:npm/%40types/restify@4.3.6", - "version": "4.3.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "semver", - "purl": "pkg:npm/%40types/semver@5.5.0", - "version": "5.5.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.0.0-alpha,\u003c5.7.2 (semantic)", - "aliases": [ - "CVE-2022-25883" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", - "description": "semver vulnerable to Regular Expression Denial of Service", - "epss": [ - { - "cve": "CVE-2022-25883", - "date": "2026-06-14", - "epss": 0.00581, - "percentile": 0.69508 - } - ], - "fix_available": [ - { - "date": "2023-07-11", - "kind": "first-observed", - "version": "5.7.2" - } - ], - "fix_state": "fixed", - "fixed_in": "5.7.2", - "fixed_versions": [ - "5.7.2" - ], - "id": "GHSA-c2qf-rxjj-qqgw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-25883", - "Fix available: upgrade to 5.7.2", - "Fix state: fixed", - "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", - "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", - 
"https://github.com/npm/node-semver/blob/main/internal/re.js#L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", - "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", - "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", - "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", - "https://github.com/npm/node-semver/pull/564", - "https://github.com/npm/node-semver/pull/585", - "https://github.com/npm/node-semver/pull/593", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", - "https://security.netapp.com/advisory/ntap-20241025-0004", - "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/564" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/585" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/593" - 
}, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241025-0004" - } - ], - "risk_score": 0.43575, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "semver vulnerable to Regular Expression Denial of Service" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "xml2js", - "purl": "pkg:npm/%40types/xml2js@0.4.3", - "version": "0.4.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.5.0 (semantic)", - "aliases": [ - "CVE-2023-0842" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-0842", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2023-0842", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-776f-qx25-q3cc", - "description": "xml2js is vulnerable to prototype pollution", - "epss": [ - { - "cve": "CVE-2023-0842", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.53005 - } - ], - "fix_available": [ - { - "date": "2023-04-11", - "kind": "first-observed", - "version": "0.5.0" - } - ], - "fix_state": "fixed", - "fixed_in": "0.5.0", - "fixed_versions": [ - "0.5.0" - ], - "id": "GHSA-776f-qx25-q3cc", - "namespace": 
"github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-0842", - "Fix available: upgrade to 0.5.0", - "Fix state: fixed", - "https://fluidattacks.com/advisories/myers", - "https://github.com/Leonidas-from-XIV/node-xml2js", - "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663", - "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-776f-qx25-q3cc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" - }, - { - "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663" - }, - { - "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5" - }, - { - "type": "advisory", - "url": "https://fluidattacks.com/advisories/myers" - }, - { - "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html" - } - ], - "risk_score": 0.149865, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "xml2js is vulnerable to prototype pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "BSD-2-Clause", - "type": "external-depsdev", - "value": "BSD-2-Clause" - } - ], - "matched": true, - "name": "lockfile", - "purl": "pkg:npm/%40yarnpkg/lockfile@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - 
"spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "abbrev", - "purl": "pkg:npm/abbrev@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "accepts", - "purl": "pkg:npm/accepts@1.1.4", - "version": "1.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "accepts", - "purl": "pkg:npm/accepts@1.2.13", - "version": "1.2.13", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "acorn-dynamic-import", - "purl": "pkg:npm/acorn-dynamic-import@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "acorn-node", - "purl": "pkg:npm/acorn-node@1.6.2", - "version": "1.6.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "acorn-walk", - "purl": "pkg:npm/acorn-walk@6.1.1", - "version": "6.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "acorn", - "purl": "pkg:npm/acorn@5.7.4", - "version": "5.7.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "acorn", - "purl": "pkg:npm/acorn@6.4.2", - "version": 
"6.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "adm-zip", - "purl": "pkg:npm/adm-zip@0.4.7", - "version": "0.4.7", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.4.11 (semantic)", - "aliases": [ - "CVE-2018-1002204" - ], - "cvss": [ - { - "score": 5.5, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2018-1002204", - "id": "CWE-22", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2018-1002204", - "id": "CWE-22", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3v6h-hqm4-2rg6", - "description": "Arbitrary File Write in adm-zip", - "epss": [ - { - "cve": "CVE-2018-1002204", - "date": "2026-06-14", - "epss": 0.17577, - "percentile": 0.95262 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.4.11" - } - ], - "fix_state": "fixed", - "fixed_in": "0.4.11", - "fixed_versions": [ - "0.4.11" - ], - "id": "GHSA-3v6h-hqm4-2rg6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-1002204", - "Fix available: upgrade to 0.4.11", - "Fix state: fixed", - "http://www.securityfocus.com/bid/107001", - "https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25", - "https://github.com/cthackers/adm-zip/pull/212", - "https://github.com/snyk/zip-slip-vulnerability", - "https://hackerone.com/reports/362118", - "https://nvd.nist.gov/vuln/detail/CVE-2018-1002204", - "https://snyk.io/research/zip-slip-vulnerability", - "https://snyk.io/vuln/npm:adm-zip:20180415", - 
"https://www.npmjs.com/advisories/681", - "https://www.npmjs.com/advisories/994" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3v6h-hqm4-2rg6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1002204" - }, - { - "type": "advisory", - "url": "https://github.com/cthackers/adm-zip/pull/212" - }, - { - "type": "advisory", - "url": "https://snyk.io/research/zip-slip-vulnerability" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/681" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/362118" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/994" - }, - { - "type": "advisory", - "url": "https://github.com/cthackers/adm-zip/commit/62f64004fefb894c523a7143e8a88ebe6c84df25" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/zip-slip-vulnerability" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:adm-zip:20180415" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/107001" - } - ], - "risk_score": 9.227925, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary File Write in adm-zip" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "agent-base", - "purl": "pkg:npm/agent-base@4.2.1", - "version": "4.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "agent-base", - "purl": "pkg:npm/agent-base@4.3.0", - "version": "4.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ajv", - "purl": "pkg:npm/ajv@6.10.2", - 
"version": "6.10.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.14.0 (semantic)", - "aliases": [ - "CVE-2025-69873" - ], - "cvss": [ - { - "score": 5.5, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-69873", - "id": "CWE-1333", - "source": "cve@mitre.org", - "type": "Secondary" - }, - { - "cve": "CVE-2025-69873", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6", - "description": "ajv has ReDoS when using `$data` option", - "epss": [ - { - "cve": "CVE-2025-69873", - "date": "2026-06-14", - "epss": 0.00017, - "percentile": 0.04549 - } - ], - "fix_available": [ - { - "date": "2026-03-04", - "kind": "first-observed", - "version": "6.14.0" - } - ], - "fix_state": "fixed", - "fixed_in": "6.14.0", - "fixed_versions": [ - "6.14.0" - ], - "id": "GHSA-2g4f-4pwh-qvx6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-69873", - "Fix available: upgrade to 6.14.0", - "Fix state: fixed", - "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md", - "https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5", - "https://github.com/ajv-validator/ajv/pull/2586", - "https://github.com/ajv-validator/ajv/pull/2588", - "https://github.com/ajv-validator/ajv/pull/2590", - "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0", - "https://github.com/ajv-validator/ajv/releases/tag/v8.18.0", - "https://github.com/github/advisory-database/pull/6991", - "https://nvd.nist.gov/vuln/detail/CVE-2025-69873" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-2g4f-4pwh-qvx6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873" - }, - { - "type": "advisory", - "url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/pull/2586" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/releases/tag/v8.18.0" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/pull/2588" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/pull/2590" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6991" - } - ], - "risk_score": 0.008925, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ajv has ReDoS when using `$data` option" - }, - { - "affected_version_range": "\u003c6.12.3 (semantic)", - "aliases": [ - "CVE-2020-15366" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-15366", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw", - "description": "Prototype Pollution in Ajv", - "epss": [ - { - "cve": "CVE-2020-15366", - "date": "2026-06-14", - "epss": 0.00331, - "percentile": 0.56546 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "6.12.3" - } - ], - "fix_state": "fixed", - "fixed_in": "6.12.3", - "fixed_versions": [ - "6.12.3" - ], - "id": "GHSA-v88g-cgmw-v5xw", - "namespace": "github:language:javascript", - 
"reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-15366", - "Fix available: upgrade to 6.12.3", - "Fix state: fixed", - "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f", - "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3", - "https://github.com/ajv-validator/ajv/tags", - "https://hackerone.com/bugs?subject=user\u0026report_id=894259", - "https://nvd.nist.gov/vuln/detail/CVE-2020-15366", - "https://security.netapp.com/advisory/ntap-20240621-0007" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15366" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.12.3" - }, - { - "type": "advisory", - "url": "https://hackerone.com/bugs?subject=user\u0026report_id=894259" - }, - { - "type": "advisory", - "url": "https://github.com/ajv-validator/ajv/tags" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0007" - } - ], - "risk_score": 0.17543, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in Ajv" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "align-text", - "purl": "pkg:npm/align-text@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause OR MIT" - } - ], - "name": "amdefine", - "purl": "pkg:npm/amdefine@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - 
"ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "ansi-align", - "purl": "pkg:npm/ansi-align@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "ansi-align", - "purl": "pkg:npm/ansi-align@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-escapes", - "purl": "pkg:npm/ansi-escapes@3.2.0", - "version": "3.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-regex", - "purl": "pkg:npm/ansi-regex@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-regex", - "purl": "pkg:npm/ansi-regex@3.0.0", - "version": "3.0.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=3.0.0,\u003c3.0.1 (semantic)", - "aliases": [ - "CVE-2021-3807" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "description": "Inefficient Regular Expression Complexity in chalk/ansi-regex", - "epss": [ - { - "cve": "CVE-2021-3807", - "date": "2026-06-14", - "epss": 0.00215, - "percentile": 0.44305 - } - ], - 
"fix_available": [ - { - "date": "2022-03-29", - "kind": "first-observed", - "version": "3.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.1", - "fixed_versions": [ - "3.0.1" - ], - "id": "GHSA-93q8-gq69-wqmw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-3807", - "Fix available: upgrade to 3.0.1", - "Fix state: fixed", - "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", - "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", - "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", - "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - "https://security.netapp.com/advisory/ntap-20221014-0002/", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" - }, - { - "type": "advisory", - "url": 
"https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20221014-0002/" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" - } - ], - "risk_score": 0.16125, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-regex", - "purl": "pkg:npm/ansi-regex@4.1.0", - "version": "4.1.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.1.1 (semantic)", - "aliases": [ - "CVE-2021-3807" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "description": "Inefficient Regular Expression Complexity in chalk/ansi-regex", - "epss": [ - { - "cve": "CVE-2021-3807", - "date": "2026-06-14", - "epss": 
0.00215, - "percentile": 0.44305 - } - ], - "fix_available": [ - { - "date": "2022-03-26", - "kind": "first-observed", - "version": "4.1.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.1.1", - "fixed_versions": [ - "4.1.1" - ], - "id": "GHSA-93q8-gq69-wqmw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "low", - "hops": 4, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-3807", - "Fix available: upgrade to 4.1.1", - "Fix state: fixed", - "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", - "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", - "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", - "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - "https://security.netapp.com/advisory/ntap-20221014-0002/", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" - 
}, - { - "type": "advisory", - "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20221014-0002/" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" - } - ], - "risk_score": 0.16125, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-regex", - "purl": "pkg:npm/ansi-regex@5.0.0", - "version": "5.0.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=5.0.0,\u003c5.0.1 (semantic)", - "aliases": [ - "CVE-2021-3807" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3807", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", - "description": "Inefficient Regular Expression Complexity in chalk/ansi-regex", - "epss": [ - { - "cve": "CVE-2021-3807", - 
"date": "2026-06-14", - "epss": 0.00215, - "percentile": 0.44305 - } - ], - "fix_available": [ - { - "date": "2021-09-23", - "kind": "first-observed", - "version": "5.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "5.0.1", - "fixed_versions": [ - "5.0.1" - ], - "id": "GHSA-93q8-gq69-wqmw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "low", - "hops": 5, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-3807", - "Fix available: upgrade to 5.0.1", - "Fix state: fixed", - "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", - "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", - "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", - "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", - "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", - "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", - "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", - "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", - "https://security.netapp.com/advisory/ntap-20221014-0002/", - "https://www.oracle.com/security-alerts/cpuapr2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" - }, - { - "type": "advisory", - "url": 
"https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" - }, - { - "type": "advisory", - "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20221014-0002/" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" - }, - { - "type": "advisory", - "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" - } - ], - "risk_score": 0.16125, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "ansi-styles", - "purl": "pkg:npm/ansi-styles@2.2.1", - "version": "2.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-styles", - "purl": "pkg:npm/ansi-styles@3.2.1", - "version": "3.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-styles", - "purl": "pkg:npm/ansi-styles@4.2.1", - "version": "4.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": 
"external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansi-styles", - "purl": "pkg:npm/ansi-styles@4.3.0", - "version": "4.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ansicolors", - "purl": "pkg:npm/ansicolors@0.3.2", - "version": "0.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "any-promise", - "purl": "pkg:npm/any-promise@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "anymatch", - "purl": "pkg:npm/anymatch@3.1.2", - "version": "3.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "app-root-path", - "purl": "pkg:npm/app-root-path@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "append-transform", - "purl": "pkg:npm/append-transform@0.4.0", - "version": "0.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "archy", - "purl": "pkg:npm/archy@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "argparse", - "purl": "pkg:npm/argparse@1.0.10", - "version": "1.0.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ 
- { - "type": "declared", - "value": "MIT" - } - ], - "name": "arr-diff", - "purl": "pkg:npm/arr-diff@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "arr-flatten", - "purl": "pkg:npm/arr-flatten@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "arr-union", - "purl": "pkg:npm/arr-union@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "array-filter", - "purl": "pkg:npm/array-filter@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "array-map", - "purl": "pkg:npm/array-map@0.0.0", - "version": "0.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "array-reduce", - "purl": "pkg:npm/array-reduce@0.0.0", - "version": "0.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "array-unique", - "purl": "pkg:npm/array-unique@0.3.2", - "version": "0.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "arrify", - "purl": "pkg:npm/arrify@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "asap", - "purl": "pkg:npm/asap@2.0.6", - "version": "2.0.6", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "asn1.js", - "purl": "pkg:npm/asn1.js@4.10.1", - "version": "4.10.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "asn1", - "purl": "pkg:npm/asn1@0.2.4", - "version": "0.2.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "assert-plus", - "purl": "pkg:npm/assert-plus@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "assert", - "purl": "pkg:npm/assert@1.4.1", - "version": "1.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "assign-symbols", - "purl": "pkg:npm/assign-symbols@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "ast-types", - "purl": "pkg:npm/ast-types@0.13.2", - "version": "0.13.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "async-cache", - "purl": "pkg:npm/async-cache@0.1.5", - "version": "0.1.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "async", - "purl": "pkg:npm/async@0.9.0", - 
"version": "0.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "async", - "purl": "pkg:npm/async@1.5.2", - "version": "1.5.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "async", - "purl": "pkg:npm/async@2.6.3", - "version": "2.6.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.0.0,\u003c2.6.4 (semantic)", - "aliases": [ - "CVE-2021-43138" - ], - "cvss": [ - { - "score": 7.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-43138", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", - "description": "Prototype Pollution in async", - "epss": [ - { - "cve": "CVE-2021-43138", - "date": "2026-06-14", - "epss": 0.00657, - "percentile": 0.71614 - } - ], - "fix_available": [ - { - "date": "2022-04-15", - "kind": "first-observed", - "version": "2.6.4" - } - ], - "fix_state": "fixed", - "fixed_in": "2.6.4", - "fixed_versions": [ - "2.6.4" - ], - "id": "GHSA-fwr7-v2mv-hh25", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-43138", - "Fix available: upgrade to 2.6.4", - "Fix state: fixed", - "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", - "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", - "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", - "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", - 
"https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", - "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", - "https://github.com/caolan/async/pull/1828", - "https://jsfiddle.net/oz5twjd9", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", - "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", - "https://security.netapp.com/advisory/ntap-20240621-0006" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/pull/1828" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" - }, - { - "type": "advisory", - "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" - }, - { - "type": "advisory", - "url": "https://jsfiddle.net/oz5twjd9" - }, - { - "type": "advisory", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" - } - ], - "risk_score": 0.5026050000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in async" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "asynckit", - "purl": "pkg:npm/asynckit@0.4.0", - "version": "0.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "(MIT OR Apache-2.0)" - } - ], - "name": "atob", - "purl": "pkg:npm/atob@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "aws-sign2", - "purl": "pkg:npm/aws-sign2@0.7.0", - "version": "0.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "aws4", - "purl": "pkg:npm/aws4@1.9.1", - "version": "1.9.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - 
"value": "MIT" - } - ], - "name": "babel-code-frame", - "purl": "pkg:npm/babel-code-frame@6.26.0", - "version": "6.26.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-generator", - "purl": "pkg:npm/babel-generator@6.26.1", - "version": "6.26.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-messages", - "purl": "pkg:npm/babel-messages@6.23.0", - "version": "6.23.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-runtime", - "purl": "pkg:npm/babel-runtime@6.26.0", - "version": "6.26.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-template", - "purl": "pkg:npm/babel-template@6.26.0", - "version": "6.26.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "babel-traverse", - "purl": "pkg:npm/babel-traverse@6.26.0", - "version": "6.26.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c7.23.2 (semantic)", - "aliases": [ - "CVE-2023-45133" - ], - "cvss": [ - { - "score": 9.3, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-45133", - "id": "CWE-184", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2023-45133", - "id": "CWE-697", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-67hx-6x53-jw92", - "description": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code", - "epss": [ - { - "cve": "CVE-2023-45133", - "date": "2026-06-14", - "epss": 0.00093, - "percentile": 
0.26225 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-67hx-6x53-jw92", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-45133", - "Fix state: not-fixed", - "https://babeljs.io/blog/2023/10/16/cve-2023-45133", - "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82", - "https://github.com/babel/babel/pull/16033", - "https://github.com/babel/babel/releases/tag/v7.23.2", - "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4", - "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-45133", - "https://www.debian.org/security/2023/dsa-5528" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-67hx-6x53-jw92" - }, - { - "type": "advisory", - "url": "https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-45133" - }, - { - "type": "advisory", - "url": "https://github.com/babel/babel/pull/16033" - }, - { - "type": "advisory", - "url": "https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82" - }, - { - "type": "advisory", - "url": "https://github.com/babel/babel/releases/tag/v7.23.2" - }, - { - "type": "advisory", - "url": "https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5528" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html" - }, - { - "type": "advisory", - "url": "https://babeljs.io/blog/2023/10/16/cve-2023-45133" - } - ], - "risk_score": 0.085095, - "severity": "critical", - 
"severity_source": "github:language:javascript", - "source": "grype", - "title": "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babel-types", - "purl": "pkg:npm/babel-types@6.26.0", - "version": "6.26.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "babylon", - "purl": "pkg:npm/babylon@6.18.0", - "version": "6.18.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "balanced-match", - "purl": "pkg:npm/balanced-match@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "base64-js", - "purl": "pkg:npm/base64-js@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "base", - "purl": "pkg:npm/base@0.11.2", - "version": "0.11.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "basic-auth", - "purl": "pkg:npm/basic-auth@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "bcrypt-pbkdf", - "purl": "pkg:npm/bcrypt-pbkdf@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } 
- ], - "matched": true, - "name": "bignumber.js", - "purl": "pkg:npm/bignumber.js@9.0.0", - "version": "9.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "binary-extensions", - "purl": "pkg:npm/binary-extensions@2.2.0", - "version": "2.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "bind-obj-methods", - "purl": "pkg:npm/bind-obj-methods@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bl", - "purl": "pkg:npm/bl@2.2.0", - "version": "2.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.0.0,\u003c2.2.1 (semantic)", - "aliases": [ - "CVE-2020-8244" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8244", - "id": "CWE-126", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8244", - "id": "CWE-125", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "description": "Remote Memory Exposure in bl", - "epss": [ - { - "cve": "CVE-2020-8244", - "date": "2026-06-14", - "epss": 0.0114, - "percentile": 0.78905 - } - ], - "fix_available": [ - { - "date": "2020-09-04", - "kind": "first-observed", - "version": "2.2.1" - } - ], - "fix_state": "fixed", - "fixed_in": "2.2.1", - "fixed_versions": [ - "2.2.1" - ], - "id": "GHSA-pp7h-53gx-mx7r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": 
"package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8244", - "Fix available: upgrade to 2.2.1", - "Fix state: fixed", - "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", - "https://hackerone.com/reports/966347", - "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/966347" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html" - } - ], - "risk_score": 0.6555, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Remote Memory Exposure in bl" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bl", - "purl": "pkg:npm/bl@3.0.0", - "version": "3.0.0", - "vulnerabilities": [ - { - "affected_version_range": "=3.0.0 (semantic)", - "aliases": [ - "CVE-2020-8244" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": 
"CVE-2020-8244", - "id": "CWE-126", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8244", - "id": "CWE-125", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r", - "description": "Remote Memory Exposure in bl", - "epss": [ - { - "cve": "CVE-2020-8244", - "date": "2026-06-14", - "epss": 0.0114, - "percentile": 0.78905 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "3.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.1", - "fixed_versions": [ - "3.0.1" - ], - "id": "GHSA-pp7h-53gx-mx7r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8244", - "Fix available: upgrade to 3.0.1", - "Fix state: fixed", - "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e", - "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190", - "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466", - "https://hackerone.com/reports/966347", - "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8244" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8244" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190" - }, - { - "type": "advisory", - "url": "https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466" - }, - { - "type": "advisory", - "url": 
"https://hackerone.com/reports/966347" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00028.html" - } - ], - "risk_score": 0.6555, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Remote Memory Exposure in bl" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bluebird", - "purl": "pkg:npm/bluebird@2.9.26", - "version": "2.9.26", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bluebird", - "purl": "pkg:npm/bluebird@3.5.4", - "version": "3.5.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "bn.js", - "purl": "pkg:npm/bn.js@4.11.8", - "version": "4.11.8", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.12.3 (semantic)", - "aliases": [ - "CVE-2026-2739" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 5.5, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-2739", - "id": "CWE-835", - "source": "report@snyk.io", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-378v-28hj-76wf", - "description": "bn.js affected by an infinite loop", - "epss": [ - { - "cve": "CVE-2026-2739", - "date": "2026-06-14", - "epss": 0.00022, - "percentile": 0.06534 - } - ], - "fix_available": [ - { - "date": "2026-03-04", - "kind": "first-observed", - "version": "4.12.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.12.3", - "fixed_versions": [ - "4.12.3" - ], - 
"id": "GHSA-378v-28hj-76wf", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-2739", - "Fix available: upgrade to 4.12.3", - "Fix state: fixed", - "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91", - "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b", - "https://github.com/indutny/bn.js/issues/186", - "https://github.com/indutny/bn.js/issues/316", - "https://github.com/indutny/bn.js/issues/316#issuecomment-3924217358", - "https://github.com/indutny/bn.js/pull/317", - "https://github.com/indutny/bn.js/releases/tag/v5.2.3", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2739", - "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-378v-28hj-76wf" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2739" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/issues/186" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/issues/316" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/pull/317" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b" - }, - { - "type": "advisory", - "url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/releases/tag/v5.2.3" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/bn.js/issues/316#issuecomment-3924217358" - } - ], - "risk_score": 0.01144, - "severity": "medium", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "bn.js affected by an infinite loop" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "body-parser", - "purl": "pkg:npm/body-parser@1.9.0", - "version": "1.9.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.20.3 (semantic)", - "aliases": [ - "CVE-2024-45590" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 8.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-45590", - "id": "CWE-405", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", - "description": "body-parser vulnerable to denial of service when url encoding is enabled", - "epss": [ - { - "cve": "CVE-2024-45590", - "date": "2026-06-14", - "epss": 0.01535, - "percentile": 0.81801 - } - ], - "fix_available": [ - { - "date": "2024-09-11", - "kind": "first-observed", - "version": "1.20.3" - } - ], - "fix_state": "fixed", - "fixed_in": "1.20.3", - "fixed_versions": [ - "1.20.3" - ], - "id": "GHSA-qwcr-r2fm-qrc7", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-45590", - "Fix available: upgrade to 1.20.3", - "Fix state: fixed", - "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce", - "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7", - "https://nvd.nist.gov/vuln/detail/CVE-2024-45590" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7" - 
}, - { - "type": "advisory", - "url": "https://github.com/expressjs/body-parser/security/advisories/GHSA-qwcr-r2fm-qrc7" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/body-parser/commit/b2695c4450f06ba3b0ccf48d872a229bb41c9bce" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45590" - } - ], - "risk_score": 1.1973, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "body-parser vulnerable to denial of service when url encoding is enabled" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "boxen", - "purl": "pkg:npm/boxen@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "boxen", - "purl": "pkg:npm/boxen@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "brace-expansion", - "purl": "pkg:npm/brace-expansion@1.1.11", - "version": "1.1.11", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.13 (semantic)", - "aliases": [ - "CVE-2026-33750" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33750", - "id": "CWE-400", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", - "description": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", - "epss": [ - { - "cve": "CVE-2026-33750", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08361 - } - ], - "fix_available": [ 
- { - "date": "2026-03-27", - "kind": "first-observed", - "version": "1.1.13" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.13", - "fixed_versions": [ - "1.1.13" - ], - "id": "GHSA-f886-m6hf-6m8v", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33750", - "Fix available: upgrade to 1.1.13", - "Fix state: fixed", - "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113", - "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184", - "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5", - "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2", - "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a", - "https://github.com/juliangruber/brace-expansion/issues/98", - "https://github.com/juliangruber/brace-expansion/pull/95", - "https://github.com/juliangruber/brace-expansion/pull/96", - "https://github.com/juliangruber/brace-expansion/pull/97", - "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33750" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113" - }, - { - "type": "advisory", - "url": 
"https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/issues/98" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/pull/95" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/pull/96" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/pull/97" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750" - } - ], - "risk_score": 0.0161, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion" - }, - { - "affected_version_range": "\u003e=1.0.0,\u003c=1.1.11 (semantic)", - "aliases": [ - "CVE-2025-5889" - ], - "cvss": [ - { - "score": 3.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 1.3, - "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-5889", - "id": "CWE-400", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2025-5889", - "id": "CWE-1333", - "source": "cna@vuldb.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", 
- "description": "brace-expansion Regular Expression Denial of Service vulnerability", - "epss": [ - { - "cve": "CVE-2025-5889", - "date": "2026-06-14", - "epss": 0.00092, - "percentile": 0.26014 - } - ], - "fix_available": [ - { - "date": "2025-06-12", - "kind": "first-observed", - "version": "1.1.12" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.12", - "fixed_versions": [ - "1.1.12" - ], - "id": "GHSA-v6h2-p8h4-qcjw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-5889", - "Fix available: upgrade to 1.1.12", - "Fix state: fixed", - "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466", - "https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2", - "https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f", - "https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e", - "https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217", - "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5", - "https://nvd.nist.gov/vuln/detail/CVE-2025-5889", - "https://vuldb.com/?ctiid.311660", - "https://vuldb.com/?id.311660", - "https://vuldb.com/?submit.585717" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5889" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5" - }, - { - "type": "advisory", - "url": "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466" - }, - { - "type": 
"advisory", - "url": "https://vuldb.com/?ctiid.311660" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.311660" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?submit.585717" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e" - }, - { - "type": "advisory", - "url": "https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217" - } - ], - "risk_score": 0.02392, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "brace-expansion Regular Expression Denial of Service vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "braces", - "purl": "pkg:npm/braces@2.3.2", - "version": "2.3.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.0.3 (semantic)", - "aliases": [ - "CVE-2024-4068" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-4068", - "id": "CWE-1050", - "source": "596c5446-0ce5-4ba2-aa66-48b3b757a647", - "type": "Secondary" - }, - { - "cve": "CVE-2024-4068", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", - "description": "Uncontrolled resource consumption in braces", - "epss": [ - { - "cve": "CVE-2024-4068", - "date": "2026-06-14", - "epss": 0.00305, - "percentile": 0.54261 - } - ], - "fix_available": [ - { - "date": "2024-06-11", - "kind": 
"first-observed", - "version": "3.0.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.3", - "fixed_versions": [ - "3.0.3" - ], - "id": "GHSA-grv7-fg5c-xmjg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-4068", - "Fix available: upgrade to 3.0.3", - "Fix state: fixed", - "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", - "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", - "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", - "https://github.com/micromatch/braces/issues/35", - "https://github.com/micromatch/braces/pull/37", - "https://github.com/micromatch/braces/pull/40", - "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/issues/35" - }, - { - "type": "advisory", - "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/pull/37" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/pull/40" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff" - } - ], - "risk_score": 0.22875, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Uncontrolled resource consumption in braces" - } - ] - }, - { - "ecosystem": 
"npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "braces", - "purl": "pkg:npm/braces@3.0.2", - "version": "3.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.0.3 (semantic)", - "aliases": [ - "CVE-2024-4068" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-4068", - "id": "CWE-1050", - "source": "596c5446-0ce5-4ba2-aa66-48b3b757a647", - "type": "Secondary" - }, - { - "cve": "CVE-2024-4068", - "id": "CWE-400", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", - "description": "Uncontrolled resource consumption in braces", - "epss": [ - { - "cve": "CVE-2024-4068", - "date": "2026-06-14", - "epss": 0.00305, - "percentile": 0.54261 - } - ], - "fix_available": [ - { - "date": "2024-06-11", - "kind": "first-observed", - "version": "3.0.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.3", - "fixed_versions": [ - "3.0.3" - ], - "id": "GHSA-grv7-fg5c-xmjg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-4068", - "Fix available: upgrade to 3.0.3", - "Fix state: fixed", - "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", - "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", - "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", - "https://github.com/micromatch/braces/issues/35", - "https://github.com/micromatch/braces/pull/37", - "https://github.com/micromatch/braces/pull/40", - "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" - ], - "references": 
[ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/issues/35" - }, - { - "type": "advisory", - "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/pull/37" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/pull/40" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff" - } - ], - "risk_score": 0.22875, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Uncontrolled resource consumption in braces" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "brorand", - "purl": "pkg:npm/brorand@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browser-pack", - "purl": "pkg:npm/browser-pack@6.1.0", - "version": "6.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browser-resolve", - "purl": "pkg:npm/browser-resolve@1.11.3", - "version": "1.11.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify-aes", - "purl": 
"pkg:npm/browserify-aes@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify-cipher", - "purl": "pkg:npm/browserify-cipher@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify-des", - "purl": "pkg:npm/browserify-des@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify-rsa", - "purl": "pkg:npm/browserify-rsa@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "ISC", - "type": "external-depsdev", - "value": "ISC" - } - ], - "matched": true, - "name": "browserify-sign", - "purl": "pkg:npm/browserify-sign@4.0.4", - "version": "4.0.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=2.6.0,\u003c=4.2.1 (semantic)", - "aliases": [ - "CVE-2023-46234" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-46234", - "id": "CWE-347", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2023-46234", - "id": "CWE-347", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw", - "description": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack", - "epss": [ - { - "cve": "CVE-2023-46234", - "date": "2026-06-14", - "epss": 0.00433, - "percentile": 0.63287 - } - ], - "fix_available": [ - { - "date": "2023-10-27", - "kind": 
"first-observed", - "version": "4.2.2" - } - ], - "fix_state": "fixed", - "fixed_in": "4.2.2", - "fixed_versions": [ - "4.2.2" - ], - "id": "GHSA-x9w5-v3q2-3rhw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-46234", - "Fix available: upgrade to 4.2.2", - "Fix state: fixed", - "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30", - "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw", - "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", - "https://nvd.nist.gov/vuln/detail/CVE-2023-46234", - "https://www.debian.org/security/2023/dsa-5539" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-x9w5-v3q2-3rhw" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-46234" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/10/msg00040.html" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2" - }, - { - "type": "advisory", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2023/dsa-5539" - } - ], - "risk_score": 0.3247499999999999, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify-zlib", - "purl": "pkg:npm/browserify-zlib@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "browserify", - "purl": "pkg:npm/browserify@13.3.0", - "version": "13.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "bson", - "purl": "pkg:npm/bson@0.4.23", - "version": "0.4.23", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.4 (semantic)", - "aliases": [ - "CVE-2019-2391" - ], - "cvss": [ - { - "score": 5.4, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-2391", - "id": "CWE-502", - "source": "cna@mongodb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2019-2391", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4jwp-vfvf-657p", - "description": "Deserialization of Untrusted Data in bson", - "epss": [ - { - "cve": "CVE-2019-2391", - "date": "2026-06-14", - "epss": 0.00379, - "percentile": 0.59937 - } - ], - "fix_available": [ - { - "date": 
"2022-02-11", - "kind": "first-observed", - "version": "1.1.4" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.4", - "fixed_versions": [ - "1.1.4" - ], - "id": "GHSA-4jwp-vfvf-657p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-2391", - "Fix available: upgrade to 1.1.4", - "Fix state: fixed", - "https://github.com/mongodb/js-bson/releases/tag/v1.1.4", - "https://nvd.nist.gov/vuln/detail/CVE-2019-2391" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4jwp-vfvf-657p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-2391" - }, - { - "type": "advisory", - "url": "https://github.com/mongodb/js-bson/releases/tag/v1.1.4" - } - ], - "risk_score": 0.19708, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Deserialization of Untrusted Data in bson" - }, - { - "affected_version_range": "\u003c1.1.4 (semantic)", - "aliases": [ - "CVE-2020-7610" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7610", - "id": "CWE-502", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-v8w9-2789-6hhr", - "description": "Deserialization of Untrusted Data in bson", - "epss": [ - { - "cve": "CVE-2020-7610", - "date": "2026-06-14", - "epss": 0.00541, - "percentile": 0.68216 - } - ], - "fix_available": [ - { - "date": "2021-05-08", - "kind": "first-observed", - "version": "1.1.4" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.4", - "fixed_versions": [ - "1.1.4" - ], - "id": "GHSA-v8w9-2789-6hhr", - "namespace": "github:language:javascript", - "reachability": { - 
"analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7610", - "Fix available: upgrade to 1.1.4", - "Fix state: fixed", - "https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7610", - "https://snyk.io/vuln/SNYK-JS-BSON-561052" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-v8w9-2789-6hhr" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7610" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-BSON-561052" - }, - { - "type": "advisory", - "url": "https://github.com/mongodb/js-bson/commit/3809c1313a7b2a8001065f0271199df9fa3d16a8" - } - ], - "risk_score": 0.50854, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Deserialization of Untrusted Data in bson" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "bson", - "purl": "pkg:npm/bson@1.1.4", - "version": "1.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "buffer-from", - "purl": "pkg:npm/buffer-from@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "buffer-xor", - "purl": "pkg:npm/buffer-xor@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - 
"name": "buffer", - "purl": "pkg:npm/buffer@4.9.1", - "version": "4.9.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "buffer", - "purl": "pkg:npm/buffer@5.6.0", - "version": "5.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "builtin-modules", - "purl": "pkg:npm/builtin-modules@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "builtin-status-codes", - "purl": "pkg:npm/builtin-status-codes@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "busboy", - "purl": "pkg:npm/busboy@0.3.1", - "version": "0.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "bytes", - "purl": "pkg:npm/bytes@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "bytes", - "purl": "pkg:npm/bytes@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "cache-base", - "purl": "pkg:npm/cache-base@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cacheable-request", - "purl": "pkg:npm/cacheable-request@6.1.0", - "version": "6.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cached-path-relative", - "purl": "pkg:npm/cached-path-relative@1.0.2", - "version": "1.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.0 (semantic)", - "aliases": [ - "CVE-2021-23518" - ], - "cvss": [ - { - "score": 7.3, - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23518", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wg6g-ppvx-927h", - "description": "Prototype Pollution in cached-path-relative", - "epss": [ - { - "cve": "CVE-2021-23518", - "date": "2026-06-14", - "epss": 0.00648, - "percentile": 0.71367 - } - ], - "fix_available": [ - { - "date": "2022-01-28", - "kind": "first-observed", - "version": "1.1.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.0", - "fixed_versions": [ - "1.1.0" - ], - "id": "GHSA-wg6g-ppvx-927h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23518", - "Fix available: upgrade to 1.1.0", - "Fix state: fixed", - "https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760", - "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23518", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246", - "https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wg6g-ppvx-927h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23518" - }, - { - "type": "advisory", - "url": "https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-2342653" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00006.html" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2348246" 
- } - ], - "risk_score": 0.47951999999999995, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in cached-path-relative" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "caching-transform", - "purl": "pkg:npm/caching-transform@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "camelcase", - "purl": "pkg:npm/camelcase@1.2.1", - "version": "1.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "camelcase", - "purl": "pkg:npm/camelcase@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "camelcase", - "purl": "pkg:npm/camelcase@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "camelcase", - "purl": "pkg:npm/camelcase@5.3.1", - "version": "5.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "capture-stack-trace", - "purl": "pkg:npm/capture-stack-trace@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "caseless", - "purl": "pkg:npm/caseless@0.12.0", - "version": "0.12.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "center-align", - "purl": "pkg:npm/center-align@0.1.3", - "version": "0.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cfenv", - "purl": "pkg:npm/cfenv@1.2.2", - "version": "1.2.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "chalk", - "purl": "pkg:npm/chalk@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - 
"ecosystem": "npm", - "licenses": [], - "name": "chalk", - "purl": "pkg:npm/chalk@2.4.2", - "version": "2.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "chalk", - "purl": "pkg:npm/chalk@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "chardet", - "purl": "pkg:npm/chardet@0.7.0", - "version": "0.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "chokidar", - "purl": "pkg:npm/chokidar@3.5.1", - "version": "3.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ci-info", - "purl": "pkg:npm/ci-info@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ci-info", - "purl": "pkg:npm/ci-info@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cipher-base", - "purl": "pkg:npm/cipher-base@1.0.4", - "version": "1.0.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=1.0.4 (semantic)", - "aliases": [ - "CVE-2025-9287" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - }, - { - "score": 9.1, - "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-9287", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc", - "description": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data", - "epss": [ - { - "cve": "CVE-2025-9287", - "date": "2026-06-14", - "epss": 0.00142, - "percentile": 0.34335 - } - ], - "fix_available": [ - { - "date": "2025-08-22", - "kind": "first-observed", - "version": "1.0.5" - } - ], - "fix_state": "fixed", - "fixed_in": "1.0.5", - 
"fixed_versions": [ - "1.0.5" - ], - "id": "GHSA-cpq7-6gpm-g9rc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-9287", - "Fix available: upgrade to 1.0.5", - "Fix state: fixed", - "https://github.com/browserify/cipher-base/commit/8fd136432ca298a664f5637629cf2b42a6c7f294", - "https://github.com/browserify/cipher-base/pull/23", - "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc", - "https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-9287" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-cpq7-6gpm-g9rc" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/cipher-base/security/advisories/GHSA-cpq7-6gpm-g9rc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9287" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/cipher-base/pull/23" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/cipher-base/commit/8fd136432ca298a664f5637629cf2b42a6c7f294" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00005.html" - } - ], - "risk_score": 0.12851, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "cipher-base is missing type checks, leading to hash rewind and passing on crafted data" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "class-utils", - "purl": "pkg:npm/class-utils@0.3.6", - "version": "0.3.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "clean-yaml-object", - "purl": "pkg:npm/clean-yaml-object@0.1.0", - "version": 
"0.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-boxes", - "purl": "pkg:npm/cli-boxes@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-boxes", - "purl": "pkg:npm/cli-boxes@2.2.1", - "version": "2.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-cursor", - "purl": "pkg:npm/cli-cursor@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-highlight", - "purl": "pkg:npm/cli-highlight@2.1.4", - "version": "2.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-spinner", - "purl": "pkg:npm/cli-spinner@0.2.10", - "version": "0.2.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cli-width", - "purl": "pkg:npm/cli-width@2.2.0", - "version": "2.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "cliui", - "purl": "pkg:npm/cliui@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cliui", - "purl": "pkg:npm/cliui@3.2.0", - "version": "3.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "cliui", - "purl": "pkg:npm/cliui@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cliui", - "purl": "pkg:npm/cliui@5.0.0", - "version": "5.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cliui", - "purl": "pkg:npm/cliui@6.0.0", - "version": "6.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "clone-deep", - "purl": "pkg:npm/clone-deep@0.3.0", - "version": "0.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": 
"npm", - "licenses": [], - "name": "clone-response", - "purl": "pkg:npm/clone-response@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "co", - "purl": "pkg:npm/co@4.6.0", - "version": "4.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "code-point-at", - "purl": "pkg:npm/code-point-at@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "collection-visit", - "purl": "pkg:npm/collection-visit@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "color-convert", - "purl": "pkg:npm/color-convert@1.9.3", - "version": "1.9.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "color-convert", - "purl": "pkg:npm/color-convert@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "color-name", - "purl": "pkg:npm/color-name@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "color-name", - "purl": "pkg:npm/color-name@1.1.4", - "version": "1.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "color-support", - "purl": "pkg:npm/color-support@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "combine-source-map", - "purl": "pkg:npm/combine-source-map@0.8.0", - "version": "0.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "combined-stream", - "purl": "pkg:npm/combined-stream@1.0.8", - "version": "1.0.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "commondir", - "purl": "pkg:npm/commondir@1.0.1", - "version": "1.0.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "component-emitter", - "purl": "pkg:npm/component-emitter@1.2.1", - "version": "1.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "concat-map", - "purl": "pkg:npm/concat-map@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "concat-stream", - "purl": "pkg:npm/concat-stream@1.5.2", - "version": "1.5.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "concat-stream", - "purl": "pkg:npm/concat-stream@1.6.2", - "version": "1.6.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "config-chain", - "purl": "pkg:npm/config-chain@1.1.12", - "version": "1.1.12", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "configstore", - "purl": "pkg:npm/configstore@3.1.2", - "version": "3.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "configstore", - "purl": "pkg:npm/configstore@5.0.1", - "version": "5.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "connect-busboy", - "purl": "pkg:npm/connect-busboy@0.0.2", - "version": "0.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "console-browserify", - "purl": "pkg:npm/console-browserify@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "consolidate", - "purl": "pkg:npm/consolidate@0.14.5", - "version": "0.14.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "constants-browserify", - "purl": "pkg:npm/constants-browserify@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "content-disposition", - "purl": 
"pkg:npm/content-disposition@0.5.0", - "version": "0.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "content-type", - "purl": "pkg:npm/content-type@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "convert-source-map", - "purl": "pkg:npm/convert-source-map@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "convert-source-map", - "purl": "pkg:npm/convert-source-map@1.5.1", - "version": "1.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "cookie-signature", - "purl": "pkg:npm/cookie-signature@1.0.6", - "version": "1.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cookie", - "purl": "pkg:npm/cookie@0.1.2", - "version": "0.1.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.7.0 (semantic)", - "aliases": [ - "CVE-2024-47764" - ], - "cwes": [ - { - "cve": "CVE-2024-47764", - "id": "CWE-74", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", - "description": "cookie accepts cookie name, path, and domain with out of bounds characters", - "epss": [ - { - "cve": "CVE-2024-47764", - "date": "2026-06-14", - "epss": 0.00205, - "percentile": 0.42873 - } - ], - "fix_available": [ - { - "date": "2024-10-05", - "kind": "first-observed", - "version": "0.7.0" - } - ], - "fix_state": "fixed", - "fixed_in": "0.7.0", - "fixed_versions": [ - "0.7.0" - ], - "id": "GHSA-pxg6-pf52-xh8x", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-47764", - "Fix 
available: upgrade to 0.7.0", - "Fix state: fixed", - "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", - "https://github.com/jshttp/cookie/pull/167", - "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/pull/167" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c" - } - ], - "risk_score": 0.0615, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "cookie accepts cookie name, path, and domain with out of bounds characters" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cookie", - "purl": "pkg:npm/cookie@0.4.1", - "version": "0.4.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.7.0 (semantic)", - "aliases": [ - "CVE-2024-47764" - ], - "cwes": [ - { - "cve": "CVE-2024-47764", - "id": "CWE-74", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x", - "description": "cookie accepts cookie name, path, and domain with out of bounds characters", - "epss": [ - { - "cve": "CVE-2024-47764", - "date": "2026-06-14", - "epss": 0.00205, - "percentile": 0.42873 - } - ], - "fix_available": [ - { - "date": "2024-10-05", - "kind": "first-observed", - "version": "0.7.0" - } - ], - "fix_state": "fixed", - "fixed_in": "0.7.0", - "fixed_versions": [ - "0.7.0" - ], - "id": "GHSA-pxg6-pf52-xh8x", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - 
"status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-47764", - "Fix available: upgrade to 0.7.0", - "Fix state: fixed", - "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c", - "https://github.com/jshttp/cookie/pull/167", - "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/pull/167" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c" - } - ], - "risk_score": 0.0615, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "cookie accepts cookie name, path, and domain with out of bounds characters" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "copy-descriptor", - "purl": "pkg:npm/copy-descriptor@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "core-js", - "purl": "pkg:npm/core-js@2.5.6", - "version": "2.5.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "core-js", - "purl": "pkg:npm/core-js@3.6.4", - "version": "3.6.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "core-util-is", - "purl": "pkg:npm/core-util-is@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "coveralls", - "purl": "pkg:npm/coveralls@3.0.9", - "version": "3.0.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "crc", - "purl": 
"pkg:npm/crc@3.2.1", - "version": "3.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "create-ecdh", - "purl": "pkg:npm/create-ecdh@4.0.3", - "version": "4.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "create-error-class", - "purl": "pkg:npm/create-error-class@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "create-hash", - "purl": "pkg:npm/create-hash@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "create-hmac", - "purl": "pkg:npm/create-hmac@1.1.7", - "version": "1.1.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cross-spawn", - "purl": "pkg:npm/cross-spawn@4.0.2", - "version": "4.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.0.6 (semantic)", - "aliases": [ - "CVE-2024-21538" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3xgq-45jj-v275", - "description": "Regular Expression Denial of Service (ReDoS) in cross-spawn", - "epss": [ - { - "cve": "CVE-2024-21538", - "date": "2026-06-14", - "epss": 0.00067, - "percentile": 0.21094 - } - ], - "fix_available": [ - { - "date": "2024-11-19", - "kind": "first-observed", - "version": "6.0.6" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.6", - "fixed_versions": [ - "6.0.6" - ], - "id": "GHSA-3xgq-45jj-v275", - "namespace": 
"github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-21538", - "Fix available: upgrade to 6.0.6", - "Fix state: fixed", - "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff", - "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f", - "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd", - "https://github.com/moxystudio/node-cross-spawn/issues/165", - "https://github.com/moxystudio/node-cross-spawn/pull/160", - "https://nvd.nist.gov/vuln/detail/CVE-2024-21538", - "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349", - "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/pull/160" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/issues/165" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349" - } - ], - "risk_score": 0.050585000000000005, - "severity": 
"high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "cross-spawn", - "purl": "pkg:npm/cross-spawn@5.1.0", - "version": "5.1.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.0.6 (semantic)", - "aliases": [ - "CVE-2024-21538" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3xgq-45jj-v275", - "description": "Regular Expression Denial of Service (ReDoS) in cross-spawn", - "epss": [ - { - "cve": "CVE-2024-21538", - "date": "2026-06-14", - "epss": 0.00067, - "percentile": 0.21094 - } - ], - "fix_available": [ - { - "date": "2024-11-19", - "kind": "first-observed", - "version": "6.0.6" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.6", - "fixed_versions": [ - "6.0.6" - ], - "id": "GHSA-3xgq-45jj-v275", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-21538", - "Fix available: upgrade to 6.0.6", - "Fix state: fixed", - "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff", - 
"https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f", - "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd", - "https://github.com/moxystudio/node-cross-spawn/issues/165", - "https://github.com/moxystudio/node-cross-spawn/pull/160", - "https://nvd.nist.gov/vuln/detail/CVE-2024-21538", - "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349", - "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/pull/160" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/issues/165" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349" - } - ], - "risk_score": 0.050585000000000005, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "cross-spawn", - "purl": "pkg:npm/cross-spawn@6.0.5", - "version": "6.0.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.0.6 (semantic)", - "aliases": [ - 
"CVE-2024-21538" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-21538", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3xgq-45jj-v275", - "description": "Regular Expression Denial of Service (ReDoS) in cross-spawn", - "epss": [ - { - "cve": "CVE-2024-21538", - "date": "2026-06-14", - "epss": 0.00067, - "percentile": 0.21094 - } - ], - "fix_available": [ - { - "date": "2024-11-19", - "kind": "first-observed", - "version": "6.0.6" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.6", - "fixed_versions": [ - "6.0.6" - ], - "id": "GHSA-3xgq-45jj-v275", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-21538", - "Fix available: upgrade to 6.0.6", - "Fix state: fixed", - "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff", - "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f", - "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd", - "https://github.com/moxystudio/node-cross-spawn/issues/165", - "https://github.com/moxystudio/node-cross-spawn/pull/160", - "https://nvd.nist.gov/vuln/detail/CVE-2024-21538", - "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349", - "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - ], - "references": [ - { - "type": "data_source", 
- "url": "https://github.com/advisories/GHSA-3xgq-45jj-v275" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21538" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/pull/160" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/5ff3a07d9add449021d806e45c4168203aa833ff" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/640d391fde65388548601d95abedccc12943374f" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/issues/165" - }, - { - "type": "advisory", - "url": "https://github.com/moxystudio/node-cross-spawn/commit/d35c865b877d2f9ded7c1ed87521c2fdb689c8dd" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8366349" - } - ], - "risk_score": 0.050585000000000005, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in cross-spawn" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "crypto-browserify", - "purl": "pkg:npm/crypto-browserify@3.12.0", - "version": "3.12.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "crypto-random-string", - "purl": "pkg:npm/crypto-random-string@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "crypto-random-string", - "purl": "pkg:npm/crypto-random-string@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dash-ast", - "purl": "pkg:npm/dash-ast@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dashdash", - "purl": "pkg:npm/dashdash@1.14.1", - "version": "1.14.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "data-uri-to-buffer", - "purl": "pkg:npm/data-uri-to-buffer@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "date-now", - "purl": "pkg:npm/date-now@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "debug-log", - "purl": "pkg:npm/debug-log@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "debug", - "purl": "pkg:npm/debug@2.2.0", - "version": "2.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.6.9 (semantic)", - "aliases": [ - "CVE-2017-20165" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-20165", - "id": "CWE-1333", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-20165", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9vvw-cc9w-f27h", - "description": "debug Inefficient Regular Expression Complexity vulnerability", - "epss": [ - { - "cve": "CVE-2017-20165", - "date": "2026-06-14", - "epss": 0.01578, - "percentile": 0.82046 - } - ], - "fix_available": [ - { - "date": "2023-01-13", - "kind": "first-observed", - "version": "2.6.9" - } - ], - "fix_state": "fixed", - "fixed_in": "2.6.9", - "fixed_versions": [ - "2.6.9" - ], - "id": "GHSA-9vvw-cc9w-f27h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-20165", - "Fix available: upgrade to 2.6.9", - "Fix state: fixed", - 
"https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685", - "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", - "https://github.com/debug-js/debug/pull/504", - "https://github.com/debug-js/debug/releases/tag/2.6.9", - "https://github.com/debug-js/debug/releases/tag/3.1.0", - "https://nvd.nist.gov/vuln/detail/CVE-2017-20165", - "https://vuldb.com/?ctiid.217665", - "https://vuldb.com/?id.217665" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9vvw-cc9w-f27h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20165" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/pull/504" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/c38a0166c266a679c8de012d4eaccec3f944e685" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/releases/tag/3.1.0" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.217665" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/releases/tag/2.6.9" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?ctiid.217665" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" - } - ], - "risk_score": 1.1834999999999998, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "debug Inefficient Regular Expression Complexity vulnerability" - }, - { - "affected_version_range": "\u003c2.6.9 (semantic)", - "aliases": [ - "CVE-2017-16137" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], 
- "data_source": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", - "description": "Regular Expression Denial of Service in debug", - "epss": [ - { - "cve": "CVE-2017-16137", - "date": "2026-06-14", - "epss": 0.00102, - "percentile": 0.2768 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.6.9" - } - ], - "fix_state": "fixed", - "fixed_in": "2.6.9", - "fixed_versions": [ - "2.6.9" - ], - "id": "GHSA-gxpj-cx7g-858c", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16137", - "Fix available: upgrade to 2.6.9", - "Fix state: fixed", - "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", - "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", - "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", - "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", - "https://github.com/debug-js/debug/issues/797", - "https://github.com/visionmedia/debug/issues/501", - "https://github.com/visionmedia/debug/pull/504", - "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", - "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - }, - { - "type": "advisory", - "url": "https://github.com/visionmedia/debug/issues/501" - }, - { - "type": "advisory", - "url": 
"https://github.com/visionmedia/debug/pull/504" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/issues/797" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" - } - ], - "risk_score": 0.03417, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in debug" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "debug", - "purl": "pkg:npm/debug@2.6.9", - "version": "2.6.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "debug", - "purl": "pkg:npm/debug@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "debug", - "purl": "pkg:npm/debug@3.2.6", - "version": "3.2.6", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=3.2.0,\u003c3.2.7 (semantic)", - "aliases": [ - "CVE-2017-16137" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - 
"cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", - "description": "Regular Expression Denial of Service in debug", - "epss": [ - { - "cve": "CVE-2017-16137", - "date": "2026-06-14", - "epss": 0.00102, - "percentile": 0.2768 - } - ], - "fix_available": [ - { - "date": "2023-10-03", - "kind": "first-observed", - "version": "3.2.7" - } - ], - "fix_state": "fixed", - "fixed_in": "3.2.7", - "fixed_versions": [ - "3.2.7" - ], - "id": "GHSA-gxpj-cx7g-858c", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16137", - "Fix available: upgrade to 3.2.7", - "Fix state: fixed", - "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", - "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", - "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", - "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", - "https://github.com/debug-js/debug/issues/797", - "https://github.com/visionmedia/debug/issues/501", - "https://github.com/visionmedia/debug/pull/504", - "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", - "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - }, - { - "type": "advisory", - "url": 
"https://github.com/visionmedia/debug/issues/501" - }, - { - "type": "advisory", - "url": "https://github.com/visionmedia/debug/pull/504" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/issues/797" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" - } - ], - "risk_score": 0.03417, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in debug" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "debug", - "purl": "pkg:npm/debug@3.2.7", - "version": "3.2.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "debug", - "purl": "pkg:npm/debug@4.1.1", - "version": "4.1.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.3.1 (semantic)", - "aliases": [ - "CVE-2017-16137" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16137", - "id": "CWE-400", - "source": 
"nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", - "description": "Regular Expression Denial of Service in debug", - "epss": [ - { - "cve": "CVE-2017-16137", - "date": "2026-06-14", - "epss": 0.00102, - "percentile": 0.2768 - } - ], - "fix_available": [ - { - "date": "2023-10-03", - "kind": "first-observed", - "version": "4.3.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.1", - "fixed_versions": [ - "4.3.1" - ], - "id": "GHSA-gxpj-cx7g-858c", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16137", - "Fix available: upgrade to 4.3.1", - "Fix state: fixed", - "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", - "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", - "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", - "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", - "https://github.com/debug-js/debug/issues/797", - "https://github.com/visionmedia/debug/issues/501", - "https://github.com/visionmedia/debug/pull/504", - "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", - "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" - }, - { - "type": "advisory", - "url": "https://github.com/visionmedia/debug/issues/501" - }, - { - "type": 
"advisory", - "url": "https://github.com/visionmedia/debug/pull/504" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/issues/797" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" - }, - { - "type": "advisory", - "url": "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" - } - ], - "risk_score": 0.03417, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in debug" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "decamelize", - "purl": "pkg:npm/decamelize@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "decode-uri-component", - "purl": "pkg:npm/decode-uri-component@0.2.0", - "version": "0.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.2.1 (semantic)", - "aliases": [ - "CVE-2022-38900" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-38900", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-38900", - "id": "CWE-20", - "source": 
"134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w573-4hg7-7wgq", - "description": "decode-uri-component vulnerable to Denial of Service (DoS)", - "epss": [ - { - "cve": "CVE-2022-38900", - "date": "2026-06-14", - "epss": 0.00429, - "percentile": 0.63055 - } - ], - "fix_available": [ - { - "date": "2022-12-02", - "kind": "first-observed", - "version": "0.2.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.2.1", - "fixed_versions": [ - "0.2.1" - ], - "id": "GHSA-w573-4hg7-7wgq", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-38900", - "Fix available: upgrade to 0.2.1", - "Fix state: fixed", - "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9", - "https://github.com/SamVerschueren/decode-uri-component/issues/5", - "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1", - "https://github.com/sindresorhus/query-string/issues/345", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-38900" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-w573-4hg7-7wgq" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-38900" - }, - { - "type": "advisory", - "url": "https://github.com/SamVerschueren/decode-uri-component/issues/5" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/query-string/issues/345" - }, - { - "type": "advisory", - "url": "https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9" - }, - { - "type": "advisory", - "url": "https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/" - } - ], - "risk_score": 0.32175000000000004, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "decode-uri-component vulnerable to Denial of Service (DoS)" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "decompress-response", - "purl": "pkg:npm/decompress-response@3.3.0", - "version": "3.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "deep-extend", - "purl": "pkg:npm/deep-extend@0.6.0", - "version": "0.6.0", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "deep-is", - "purl": "pkg:npm/deep-is@0.1.3", - "version": "0.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "default-require-extensions", - "purl": "pkg:npm/default-require-extensions@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "defer-to-connect", - "purl": "pkg:npm/defer-to-connect@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "purl": "pkg:npm/define-property@0.2.5", - "version": "0.2.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "purl": "pkg:npm/define-property@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "define-property", - "purl": "pkg:npm/define-property@2.0.2", - "version": "2.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "defined", - "purl": "pkg:npm/defined@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "degenerator", - "purl": "pkg:npm/degenerator@1.0.4", - "version": "1.0.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.0.1 (semantic)", - "aliases": [ - "CVE-2021-23406" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm", - "description": "Code Injection in pac-resolver", - "epss": [ - { - "cve": "CVE-2021-23406", - "date": "2026-06-14", - "epss": 0.00999, - "percentile": 
0.77481 - } - ], - "fix_available": [ - { - "date": "2022-09-27", - "kind": "first-observed", - "version": "3.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.1", - "fixed_versions": [ - "3.0.1" - ], - "id": "GHSA-9j49-mfvp-vmhm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23406", - "Fix available: upgrade to 3.0.1", - "Fix state: fixed", - "https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e", - "https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5", - "https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23406", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506", - "https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23406" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857" - } - ], - "risk_score": 0.7792200000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Code Injection in pac-resolver" - } - ] - }, - { - "ecosystem": 
"npm", - "licenses": [], - "name": "delayed-stream", - "purl": "pkg:npm/delayed-stream@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "denque", - "purl": "pkg:npm/denque@1.4.1", - "version": "1.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "depd", - "purl": "pkg:npm/depd@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "depd", - "purl": "pkg:npm/depd@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "depd", - "purl": "pkg:npm/depd@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "deps-sort", - "purl": "pkg:npm/deps-sort@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "des.js", - "purl": "pkg:npm/des.js@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "destroy", - "purl": "pkg:npm/destroy@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "detect-indent", - "purl": "pkg:npm/detect-indent@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "detective", - "purl": "pkg:npm/detective@4.7.1", - "version": "4.7.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "dicer", - "purl": "pkg:npm/dicer@0.3.0", - "version": "0.3.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=0.3.1 (semantic)", - "aliases": [ - "CVE-2022-24434" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-wm7h-9275-46v2", - "description": "Crash in HeaderParser in dicer", - "epss": [ - { - "cve": "CVE-2022-24434", - "date": "2026-06-14", - "epss": 0.01989, - "percentile": 0.84037 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-wm7h-9275-46v2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24434", - "Fix state: not-fixed", - "https://github.com/mscdex/busboy/issues/250", - "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", - "https://github.com/mscdex/dicer/pull/22", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", - "https://snyk.io/vuln/SNYK-JS-DICER-2311764" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434" - }, - { - "type": "advisory", - "url": "https://github.com/mscdex/busboy/issues/250" - }, - { - "type": "advisory", - "url": "https://github.com/mscdex/dicer/pull/22" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865" - }, - { - "type": "advisory", - "url": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac" - } - ], - "risk_score": 1.4917500000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Crash in HeaderParser in dicer" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "diff", - "purl": "pkg:npm/diff@1.4.0", - "version": "1.4.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.5.1 
(semantic)", - "aliases": [ - "CVE-2026-24001" - ], - "cvss": [ - { - "score": 2.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-24001", - "id": "CWE-400", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2026-24001", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", - "description": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", - "epss": [ - { - "cve": "CVE-2026-24001", - "date": "2026-06-14", - "epss": 0.00023, - "percentile": 0.06707 - } - ], - "fix_available": [ - { - "date": "2026-01-31", - "kind": "first-observed", - "version": "3.5.1" - } - ], - "fix_state": "fixed", - "fixed_in": "3.5.1", - "fixed_versions": [ - "3.5.1" - ], - "id": "GHSA-73rr-hh4g-fpgx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-24001", - "Fix available: upgrade to 3.5.1", - "Fix state: fixed", - "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", - "https://github.com/kpdecker/jsdiff/issues/653", - "https://github.com/kpdecker/jsdiff/pull/649", - "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", - "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/pull/649" - }, - { - "type": "advisory", - "url": 
"https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/issues/653" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" - } - ], - "risk_score": 0.006555000000000001, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch" - }, - { - "affected_version_range": "\u003c3.5.0 (semantic)", - "data_source": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9", - "description": "Regular Expression Denial of Service (ReDoS)", - "fix_available": [ - { - "date": "2021-02-25", - "kind": "first-observed", - "version": "3.5.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.5.0", - "fixed_versions": [ - "3.5.0" - ], - "id": "GHSA-h6ch-v84p-w6p9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 3.5.0", - "Fix state: fixed", - "https://bugzilla.redhat.com/show_bug.cgi?id=1552148", - "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0", - "https://snyk.io/vuln/npm:diff:20180305", - "https://www.npmjs.com/advisories/1631", - "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-h6ch-v84p-w6p9" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/commit/2aec4298639bf30fb88a00b356bf404d3551b8c0" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1552148" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:diff:20180305" - }, - { - "type": "advisory", - "url": 
"https://www.npmjs.com/advisories/1631" - }, - { - "type": "advisory", - "url": "https://www.whitesourcesoftware.com/vulnerability-database/WS-2018-0590" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS)" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "diff", - "purl": "pkg:npm/diff@4.0.2", - "version": "4.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.0.4 (semantic)", - "aliases": [ - "CVE-2026-24001" - ], - "cvss": [ - { - "score": 2.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-24001", - "id": "CWE-400", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2026-24001", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", - "description": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", - "epss": [ - { - "cve": "CVE-2026-24001", - "date": "2026-06-14", - "epss": 0.00023, - "percentile": 0.06707 - } - ], - "fix_available": [ - { - "date": "2026-01-21", - "kind": "first-observed", - "version": "4.0.4" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.4", - "fixed_versions": [ - "4.0.4" - ], - "id": "GHSA-73rr-hh4g-fpgx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-24001", - "Fix available: upgrade to 4.0.4", - "Fix state: fixed", - "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", - "https://github.com/kpdecker/jsdiff/issues/653", - 
"https://github.com/kpdecker/jsdiff/pull/649", - "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", - "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/pull/649" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5" - }, - { - "type": "advisory", - "url": "https://github.com/kpdecker/jsdiff/issues/653" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" - } - ], - "risk_score": 0.006555000000000001, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "diffie-hellman", - "purl": "pkg:npm/diffie-hellman@5.0.3", - "version": "5.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dockerfile-ast", - "purl": "pkg:npm/dockerfile-ast@0.0.16", - "version": "0.0.16", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "domain-browser", - "purl": "pkg:npm/domain-browser@1.1.7", - "version": "1.1.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "dot-prop", - "purl": "pkg:npm/dot-prop@4.2.0", - "version": "4.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.2.1 (semantic)", - "aliases": [ - "CVE-2020-8116" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8116", - "id": "CWE-471", - "source": 
"support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8116", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm", - "description": "dot-prop Prototype Pollution vulnerability", - "epss": [ - { - "cve": "CVE-2020-8116", - "date": "2026-06-14", - "epss": 0.00764, - "percentile": 0.7397 - } - ], - "fix_available": [ - { - "date": "2020-08-19", - "kind": "first-observed", - "version": "4.2.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.2.1", - "fixed_versions": [ - "4.2.1" - ], - "id": "GHSA-ff7x-qrg7-qggm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8116", - "Fix available: upgrade to 4.2.1", - "Fix state: fixed", - "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2", - "https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587", - "https://github.com/sindresorhus/dot-prop/issues/63", - "https://github.com/sindresorhus/dot-prop/tree/v4", - "https://hackerone.com/reports/719856", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8116" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-ff7x-qrg7-qggm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8116" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/719856" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/dot-prop/issues/63" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/dot-prop/tree/v4" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/dot-prop/commit/3039c8c07f6fdaa8b595ec869ae0895686a7a0f2" - }, - { - "type": "advisory", - "url": 
"https://github.com/sindresorhus/dot-prop/commit/c914124f418f55edea27928e89c94d931babe587" - } - ], - "risk_score": 0.56536, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "dot-prop Prototype Pollution vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dot-prop", - "purl": "pkg:npm/dot-prop@5.3.0", - "version": "5.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dotenv", - "purl": "pkg:npm/dotenv@6.2.0", - "version": "6.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dotnet-deps-parser", - "purl": "pkg:npm/dotnet-deps-parser@4.9.0", - "version": "4.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "duplexer2", - "purl": "pkg:npm/duplexer2@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "duplexer3", - "purl": "pkg:npm/duplexer3@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "dustjs-helpers", - "purl": "pkg:npm/dustjs-helpers@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "dustjs-linkedin", - "purl": "pkg:npm/dustjs-linkedin@2.5.0", - "version": "2.5.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.0.0 (semantic)", - "aliases": [ - "CVE-2021-4264" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-4264", - "id": "CWE-1321", - "source": "cna@vuldb.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-c6rp-wrp9-qr4q", - "description": "dustjs-linkedin vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2021-4264", - "date": "2026-06-14", - "epss": 0.00697, - "percentile": 
0.72496 - } - ], - "fix_available": [ - { - "date": "2022-12-23", - "kind": "first-observed", - "version": "3.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.0", - "fixed_versions": [ - "3.0.0" - ], - "id": "GHSA-c6rp-wrp9-qr4q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-4264", - "Fix available: upgrade to 3.0.0", - "Fix state: fixed", - "https://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3", - "https://github.com/linkedin/dustjs/issues/804", - "https://github.com/linkedin/dustjs/pull/805", - "https://github.com/linkedin/dustjs/releases/tag/v3.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2021-4264", - "https://vuldb.com/?ctiid.216464", - "https://vuldb.com/?id.216464" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-c6rp-wrp9-qr4q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4264" - }, - { - "type": "advisory", - "url": "https://github.com/linkedin/dustjs/issues/804" - }, - { - "type": "advisory", - "url": "https://github.com/linkedin/dustjs/pull/805" - }, - { - "type": "advisory", - "url": "https://github.com/linkedin/dustjs/commit/ddb6523832465d38c9d80189e9de60519ac307c3" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.216464" - }, - { - "type": "advisory", - "url": "https://github.com/linkedin/dustjs/releases/tag/v3.0.0" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?ctiid.216464" - } - ], - "risk_score": 0.5680550000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "dustjs-linkedin vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ecc-jsbn", - "purl": "pkg:npm/ecc-jsbn@0.1.2", - 
"version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ee-first", - "purl": "pkg:npm/ee-first@1.0.5", - "version": "1.0.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ee-first", - "purl": "pkg:npm/ee-first@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ee-first", - "purl": "pkg:npm/ee-first@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ejs-locals", - "purl": "pkg:npm/ejs-locals@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ejs", - "purl": "pkg:npm/ejs@0.8.8", - "version": "0.8.8", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.5.3 (semantic)", - "aliases": [ - "CVE-2017-1000228" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000228", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3w5v-p54c-f74x", - "description": "ejs is vulnerable to remote code execution due to weak input validation", - "epss": [ - { - "cve": "CVE-2017-1000228", - "date": "2026-06-14", - "epss": 0.0718, - "percentile": 0.91805 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-3w5v-p54c-f74x", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000228", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - 
"https://nvd.nist.gov/vuln/detail/CVE-2017-1000228", - "https://snyk.io/vuln/npm:ejs:20161128", - "https://web.archive.org/web/20171123041219/http://www.securityfocus.com/bid/101897" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3w5v-p54c-f74x" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000228" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:ejs:20161128" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20171123041219/http://www.securityfocus.com/bid/101897" - } - ], - "risk_score": 6.749200000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs is vulnerable to remote code execution due to weak input validation" - }, - { - "affected_version_range": "\u003c2.5.5 (semantic)", - "aliases": [ - "CVE-2017-1000189" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000189", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6x77-rpqf-j6mw", - "description": "ejs vulnerable to DoS due to weak input validation", - "epss": [ - { - "cve": "CVE-2017-1000189", - "date": "2026-06-14", - "epss": 0.00913, - "percentile": 0.76405 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-6x77-rpqf-j6mw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000189", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - 
"https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000189", - "https://web.archive.org/web/20171123041449/http://www.securityfocus.com/bid/101893" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6x77-rpqf-j6mw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000189" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20171123041449/http://www.securityfocus.com/bid/101893" - } - ], - "risk_score": 0.68475, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs vulnerable to DoS due to weak input validation" - }, - { - "affected_version_range": "\u003c3.1.10 (semantic)", - "aliases": [ - "CVE-2024-33883" - ], - "cvss": [ - { - "score": 4, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-33883", - "id": "CWE-693", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", - "description": "ejs lacks certain pollution protection", - "epss": [ - { - "cve": "CVE-2024-33883", - "date": "2026-06-14", - "epss": 0.01499, - "percentile": 0.81593 - } - ], - "fix_available": [ - { - "date": "2024-05-02", - "kind": "first-observed", - "version": "3.1.10" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.10", - "fixed_versions": [ - "3.1.10" - ], - "id": "GHSA-ghr5-ch3p-vcr6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - 
"status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-33883", - "Fix available: upgrade to 3.1.10", - "Fix state: fixed", - "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5", - "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33883", - "https://security.netapp.com/advisory/ntap-20240605-0003" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33883" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240605-0003" - } - ], - "risk_score": 0.7832275, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs lacks certain pollution protection" - }, - { - "affected_version_range": "\u003c2.5.5 (semantic)", - "aliases": [ - "CVE-2017-1000188" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000188", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hwcf-pp87-7x6p", - "description": "mde ejs vulnerable to XSS", - "epss": [ - { - "cve": "CVE-2017-1000188", - "date": "2026-06-14", - "epss": 0.00234, - "percentile": 0.46598 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-hwcf-pp87-7x6p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000188", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000188", - "https://web.archive.org/web/20200227134555/http://www.securityfocus.com/bid/101889" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hwcf-pp87-7x6p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000188" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200227134555/http://www.securityfocus.com/bid/101889" - } - ], - "risk_score": 0.12986999999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "mde ejs vulnerable to XSS" - }, - { - "affected_version_range": "\u003c3.1.7 (semantic)", - "aliases": [ - "CVE-2022-29078" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-29078", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-phwq-j96m-2c2q", - "description": "ejs template injection vulnerability", - "epss": [ - { - "cve": "CVE-2022-29078", - "date": "2026-06-14", - "epss": 0.93462, - "percentile": 0.99831 - } - ], - "fix_available": [ - { - "date": "2022-04-28", - "kind": "first-observed", - "version": "3.1.7" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.7", - "fixed_versions": [ - "3.1.7" - ], - "id": "GHSA-phwq-j96m-2c2q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-29078", - "Fix available: upgrade to 3.1.7", - "Fix state: fixed", - "https://eslam.io/posts/ejs-server-side-template-injection-rce/", - "https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf", - "https://github.com/mde/ejs/releases", - "https://nvd.nist.gov/vuln/detail/CVE-2022-29078", - "https://security.netapp.com/advisory/ntap-20220804-0001/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29078" - }, - { - "type": "advisory", - "url": "https://eslam.io/posts/ejs-server-side-template-injection-rce/" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/releases" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220804-0001/" - } - ], - "risk_score": 87.85428, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs template injection vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ejs", - "purl": "pkg:npm/ejs@1.0.0", - "version": "1.0.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.5.3 (semantic)", - "aliases": [ - "CVE-2017-1000228" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000228", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3w5v-p54c-f74x", - "description": "ejs is vulnerable to remote code execution due to weak input 
validation", - "epss": [ - { - "cve": "CVE-2017-1000228", - "date": "2026-06-14", - "epss": 0.0718, - "percentile": 0.91805 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-3w5v-p54c-f74x", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000228", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000228", - "https://snyk.io/vuln/npm:ejs:20161128", - "https://web.archive.org/web/20171123041219/http://www.securityfocus.com/bid/101897" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3w5v-p54c-f74x" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000228" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:ejs:20161128" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20171123041219/http://www.securityfocus.com/bid/101897" - } - ], - "risk_score": 6.749200000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs is vulnerable to remote code execution due to weak input validation" - }, - { - "affected_version_range": "\u003c2.5.5 (semantic)", - "aliases": [ - "CVE-2017-1000189" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000189", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6x77-rpqf-j6mw", - "description": "ejs vulnerable to DoS due to weak input validation", - 
"epss": [ - { - "cve": "CVE-2017-1000189", - "date": "2026-06-14", - "epss": 0.00913, - "percentile": 0.76405 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-6x77-rpqf-j6mw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000189", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000189", - "https://web.archive.org/web/20171123041449/http://www.securityfocus.com/bid/101893" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6x77-rpqf-j6mw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000189" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20171123041449/http://www.securityfocus.com/bid/101893" - } - ], - "risk_score": 0.68475, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs vulnerable to DoS due to weak input validation" - }, - { - "affected_version_range": "\u003c3.1.10 (semantic)", - "aliases": [ - "CVE-2024-33883" - ], - "cvss": [ - { - "score": 4, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-33883", - "id": "CWE-693", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - 
"type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6", - "description": "ejs lacks certain pollution protection", - "epss": [ - { - "cve": "CVE-2024-33883", - "date": "2026-06-14", - "epss": 0.01499, - "percentile": 0.81593 - } - ], - "fix_available": [ - { - "date": "2024-05-02", - "kind": "first-observed", - "version": "3.1.10" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.10", - "fixed_versions": [ - "3.1.10" - ], - "id": "GHSA-ghr5-ch3p-vcr6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-33883", - "Fix available: upgrade to 3.1.10", - "Fix state: fixed", - "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5", - "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10", - "https://nvd.nist.gov/vuln/detail/CVE-2024-33883", - "https://security.netapp.com/advisory/ntap-20240605-0003" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-ghr5-ch3p-vcr6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33883" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/compare/v3.1.9...v3.1.10" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240605-0003" - } - ], - "risk_score": 0.7832275, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs lacks certain pollution protection" - }, - { - "affected_version_range": "\u003c2.5.5 (semantic)", - "aliases": [ - "CVE-2017-1000188" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - 
], - "cwes": [ - { - "cve": "CVE-2017-1000188", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hwcf-pp87-7x6p", - "description": "mde ejs vulnerable to XSS", - "epss": [ - { - "cve": "CVE-2017-1000188", - "date": "2026-06-14", - "epss": 0.00234, - "percentile": 0.46598 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.5.5" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.5", - "fixed_versions": [ - "2.5.5" - ], - "id": "GHSA-hwcf-pp87-7x6p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000188", - "Fix available: upgrade to 2.5.5", - "Fix state: fixed", - "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000188", - "https://web.archive.org/web/20200227134555/http://www.securityfocus.com/bid/101889" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hwcf-pp87-7x6p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000188" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/49264e0037e313a0a3e033450b5c184112516d8f" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200227134555/http://www.securityfocus.com/bid/101889" - } - ], - "risk_score": 0.12986999999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "mde ejs vulnerable to XSS" - }, - { - "affected_version_range": "\u003c3.1.7 (semantic)", - "aliases": [ - "CVE-2022-29078" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - 
{ - "cve": "CVE-2022-29078", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-phwq-j96m-2c2q", - "description": "ejs template injection vulnerability", - "epss": [ - { - "cve": "CVE-2022-29078", - "date": "2026-06-14", - "epss": 0.93462, - "percentile": 0.99831 - } - ], - "fix_available": [ - { - "date": "2022-04-28", - "kind": "first-observed", - "version": "3.1.7" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.7", - "fixed_versions": [ - "3.1.7" - ], - "id": "GHSA-phwq-j96m-2c2q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-29078", - "Fix available: upgrade to 3.1.7", - "Fix state: fixed", - "https://eslam.io/posts/ejs-server-side-template-injection-rce/", - "https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf", - "https://github.com/mde/ejs/releases", - "https://nvd.nist.gov/vuln/detail/CVE-2022-29078", - "https://security.netapp.com/advisory/ntap-20220804-0001/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-phwq-j96m-2c2q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-29078" - }, - { - "type": "advisory", - "url": "https://eslam.io/posts/ejs-server-side-template-injection-rce/" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf" - }, - { - "type": "advisory", - "url": "https://github.com/mde/ejs/releases" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220804-0001/" - } - ], - "risk_score": 87.85428, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ejs template injection vulnerability" - } - ] - 
}, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "elliptic", - "purl": "pkg:npm/elliptic@6.4.1", - "version": "6.4.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.5.6 (semantic)", - "aliases": [ - "CVE-2024-48949" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - }, - { - "score": 2.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-48949", - "id": "CWE-347", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2024-48949", - "id": "CWE-347", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-434g-2637-qmqr", - "description": "Elliptic's verify function omits uniqueness validation", - "epss": [ - { - "cve": "CVE-2024-48949", - "date": "2026-06-14", - "epss": 0.00292, - "percentile": 0.53099 - } - ], - "fix_available": [ - { - "date": "2024-10-11", - "kind": "first-observed", - "version": "6.5.6" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.6", - "fixed_versions": [ - "6.5.6" - ], - "id": "GHSA-434g-2637-qmqr", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-48949", - "Fix available: upgrade to 6.5.6", - "Fix state: fixed", - "https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof", - "https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281", - "https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6", - "https://nvd.nist.gov/vuln/detail/CVE-2024-48949", - "https://security.netapp.com/advisory/ntap-20241227-0003" - ], - "references": [ - { - "type": 
"data_source", - "url": "https://github.com/advisories/GHSA-434g-2637-qmqr" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48949" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/7ac5360118f74eb02da73bdf9f24fd0c72ff5281" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/compare/v6.5.5...v6.5.6" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241227-0003" - }, - { - "type": "advisory", - "url": "https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof" - } - ], - "risk_score": 0.10219999999999999, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic's verify function omits uniqueness validation" - }, - { - "affected_version_range": "\u003e=5.2.1,\u003c=6.5.6 (semantic)", - "aliases": [ - "CVE-2024-42461" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - }, - { - "score": 2.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-42461", - "id": "CWE-347", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2024-42461", - "id": "CWE-347", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m", - "description": "Elliptic allows BER-encoded signatures", - "epss": [ - { - "cve": "CVE-2024-42461", - "date": "2026-06-14", - "epss": 0.02898, - "percentile": 0.86704 - } - ], - "fix_available": [ - { - "date": "2024-08-16", - "kind": "first-observed", - "version": "6.5.7" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.7", - "fixed_versions": [ - "6.5.7" - ], - "id": "GHSA-49q7-c7j4-3p7m", - "namespace": "github:language:javascript", - "reachability": { - 
"analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-42461", - "Fix available: upgrade to 6.5.7", - "Fix state: fixed", - "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11", - "https://github.com/indutny/elliptic/pull/317", - "https://nvd.nist.gov/vuln/detail/CVE-2024-42461", - "https://security.netapp.com/advisory/ntap-20241004-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-49q7-c7j4-3p7m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42461" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/pull/317" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241004-0005" - } - ], - "risk_score": 1.0143, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic allows BER-encoded signatures" - }, - { - "affected_version_range": "\u003c=6.6.1 (semantic)", - "aliases": [ - "CVE-2025-14505" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - }, - { - "score": 2.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-14505", - "id": "CWE-1240", - "source": "36c7be3b-2937-45df-85ea-ca7133ea542c", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-848j-6mx2-7j84", - "description": "Elliptic Uses a Cryptographic Primitive with a Risky Implementation", - "epss": [ - { - "cve": "CVE-2025-14505", - "date": "2026-06-14", - "epss": 0.00009, - "percentile": 0.01063 - } - ], - "fix_state": 
"not-fixed", - "id": "GHSA-848j-6mx2-7j84", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-14505", - "Fix state: not-fixed", - "https://github.com/indutny/elliptic/issues/321", - "https://nvd.nist.gov/vuln/detail/CVE-2025-14505", - "https://www.herodevs.com/vulnerability-directory/cve-2025-14505" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-848j-6mx2-7j84" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14505" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/issues/321" - }, - { - "type": "advisory", - "url": "https://www.herodevs.com/vulnerability-directory/cve-2025-14505" - } - ], - "risk_score": 0.0032625, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic Uses a Cryptographic Primitive with a Risky Implementation" - }, - { - "affected_version_range": "\u003e=2.0.0,\u003c=6.5.6 (semantic)", - "aliases": [ - "CVE-2024-42460" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - }, - { - "score": 2.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-42460", - "id": "CWE-130", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-977x-g7h5-7qgw", - "description": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero", - "epss": [ - { - "cve": "CVE-2024-42460", - "date": "2026-06-14", - "epss": 0.00241, - "percentile": 0.47763 - } - ], - "fix_available": [ - { - "date": "2024-08-16", - "kind": "first-observed", - 
"version": "6.5.7" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.7", - "fixed_versions": [ - "6.5.7" - ], - "id": "GHSA-977x-g7h5-7qgw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-42460", - "Fix available: upgrade to 6.5.7", - "Fix state: fixed", - "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11", - "https://github.com/indutny/elliptic/commit/b6ff1758d9a6d1a7aec177ff6df9f586492a6315", - "https://github.com/indutny/elliptic/pull/317", - "https://nvd.nist.gov/vuln/detail/CVE-2024-42460", - "https://security.netapp.com/advisory/ntap-20241004-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-977x-g7h5-7qgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42460" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/pull/317" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/b6ff1758d9a6d1a7aec177ff6df9f586492a6315" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241004-0005" - } - ], - "risk_score": 0.08434999999999998, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic's ECDSA missing check for whether leading bit of r and s is zero" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=6.5.6 (semantic)", - "aliases": [ - "CVE-2024-42459" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - }, - { - "score": 2.7, - "vector": 
"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-42459", - "id": "CWE-347", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p", - "description": "Elliptic's EDDSA missing signature length check", - "epss": [ - { - "cve": "CVE-2024-42459", - "date": "2026-06-14", - "epss": 0.00131, - "percentile": 0.32391 - } - ], - "fix_available": [ - { - "date": "2024-08-16", - "kind": "first-observed", - "version": "6.5.7" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.7", - "fixed_versions": [ - "6.5.7" - ], - "id": "GHSA-f7q4-pwc6-w24p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-42459", - "Fix available: upgrade to 6.5.7", - "Fix state: fixed", - "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11", - "https://github.com/indutny/elliptic/commit/c0690b36be043ee73c1780ae4b7df48632b11cf9", - "https://github.com/indutny/elliptic/pull/317", - "https://nvd.nist.gov/vuln/detail/CVE-2024-42459", - "https://security.netapp.com/advisory/ntap-20241004-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f7q4-pwc6-w24p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-42459" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/pull/317" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/c0690b36be043ee73c1780ae4b7df48632b11cf9" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/accb61e9c1a005e5c8ff96a8b33893100bb42d11" - }, - { - "type": "advisory", - "url": 
"https://security.netapp.com/advisory/ntap-20241004-0005" - } - ], - "risk_score": 0.045849999999999995, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic's EDDSA missing signature length check" - }, - { - "affected_version_range": "\u003c6.6.0 (semantic)", - "aliases": [ - "CVE-2024-48948" - ], - "cvss": [ - { - "score": 4.8, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - }, - { - "score": 2.3, - "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-48948", - "id": "CWE-347", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fc9h-whq2-v747", - "description": "Valid ECDSA signatures erroneously rejected in Elliptic", - "epss": [ - { - "cve": "CVE-2024-48948", - "date": "2026-06-14", - "epss": 0.00162, - "percentile": 0.37099 - } - ], - "fix_available": [ - { - "date": "2024-10-29", - "kind": "first-observed", - "version": "6.6.0" - } - ], - "fix_state": "fixed", - "fixed_in": "6.6.0", - "fixed_versions": [ - "6.6.0" - ], - "id": "GHSA-fc9h-whq2-v747", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-48948", - "Fix available: upgrade to 6.6.0", - "Fix state: fixed", - "https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof", - "https://github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf", - "https://github.com/indutny/elliptic/issues/321", - "https://github.com/indutny/elliptic/pull/322", - "https://nvd.nist.gov/vuln/detail/CVE-2024-48948", - "https://security.netapp.com/advisory/ntap-20241220-0004" - ], - 
"references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fc9h-whq2-v747" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48948" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/issues/321" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/pull/322" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/34c853478cec1be4e37260ed2cb12cdbdc6402cf" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241220-0004" - }, - { - "type": "advisory", - "url": "https://blog.trailofbits.com/2025/11/18/we-found-cryptography-bugs-in-the-elliptic-library-using-wycheproof" - } - ], - "risk_score": 0.053055, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Valid ECDSA signatures erroneously rejected in Elliptic" - }, - { - "affected_version_range": "\u003c6.5.4 (semantic)", - "aliases": [ - "CVE-2020-28498" - ], - "cvss": [ - { - "score": 6.8, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-28498", - "id": "CWE-327", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r9p9-mrjm-926w", - "description": "Elliptic Uses a Broken or Risky Cryptographic Algorithm", - "epss": [ - { - "cve": "CVE-2020-28498", - "date": "2026-06-14", - "epss": 0.03935, - "percentile": 0.88643 - } - ], - "fix_available": [ - { - "date": "2021-03-09", - "kind": "first-observed", - "version": "6.5.4" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.4", - "fixed_versions": [ - "6.5.4" - ], - "id": "GHSA-r9p9-mrjm-926w", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - 
"reasons": [ - "Also known as: CVE-2020-28498", - "Fix available: upgrade to 6.5.4", - "Fix state: fixed", - "https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md", - "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f", - "https://github.com/indutny/elliptic/pull/244/commits", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28498", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836", - "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899", - "https://www.npmjs.com/package/elliptic" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r9p9-mrjm-926w" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28498" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/pull/244/commits" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f" - }, - { - "type": "advisory", - "url": "https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1069836" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-ELLIPTIC-1064899" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/elliptic" - } - ], - "risk_score": 2.32165, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic Uses a Broken or Risky Cryptographic Algorithm" - }, - { - "affected_version_range": "\u003c6.5.3 (semantic)", - "aliases": [ - "CVE-2020-13822" - ], - "cvss": [ - { - "score": 7.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-13822", - "id": "CWE-190", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-vh7m-p724-62c2", - "description": "Signature Malleabillity in elliptic", - "epss": [ - { - "cve": "CVE-2020-13822", - "date": "2026-06-14", - "epss": 0.00411, - "percentile": 0.61923 - } - ], - "fix_available": [ - { - "date": "2020-07-30", - "kind": "first-observed", - "version": "6.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.3", - "fixed_versions": [ - "6.5.3" - ], - "id": "GHSA-vh7m-p724-62c2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-13822", - "Fix available: upgrade to 6.5.3", - "Fix state: fixed", - "https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec", - "https://github.com/indutny/elliptic/issues/226", - "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4", - "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4", - "https://nvd.nist.gov/vuln/detail/CVE-2020-13822", - "https://www.npmjs.com/package/elliptic", - "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vh7m-p724-62c2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13822" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/issues/226" - }, - { - "type": "advisory", - "url": "https://medium.com/@herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/elliptic" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/856fe4d99fe7b6200556e6400b3bf585b1721bec" - }, - { - "type": "advisory", - "url": "https://medium.com/%40herman_10687/malleability-attack-why-it-matters-7b5f59fb99a4" - }, 
- { - "type": "advisory", - "url": "https://yondon.blog/2019/01/01/how-not-to-use-ecdsa" - } - ], - "risk_score": 0.31235999999999997, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Signature Malleabillity in elliptic" - }, - { - "affected_version_range": "\u003c=6.6.0 (semantic)", - "cvss": [ - { - "score": 9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N", - "version": "4.0" - } - ], - "data_source": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh", - "description": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)", - "fix_available": [ - { - "date": "2025-02-13", - "kind": "first-observed", - "version": "6.6.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.6.1", - "fixed_versions": [ - "6.6.1" - ], - "id": "GHSA-vjh7-7g9h-fjfh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 6.6.1", - "Fix state: fixed", - "https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e", - "https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vjh7-7g9h-fjfh" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/security/advisories/GHSA-vjh7-7g9h-fjfh" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/elliptic/commit/04cb6f54ce552b3ebde6be06d6050419e1c7333e" - } - ], - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. 
a string)" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "email-validator", - "purl": "pkg:npm/email-validator@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "emoji-regex", - "purl": "pkg:npm/emoji-regex@7.0.3", - "version": "7.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "emoji-regex", - "purl": "pkg:npm/emoji-regex@8.0.0", - "version": "8.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "end-of-stream", - "purl": "pkg:npm/end-of-stream@1.4.4", - "version": "1.4.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "error-ex", - "purl": "pkg:npm/error-ex@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "errorhandler", - "purl": "pkg:npm/errorhandler@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "es6-promise", - "purl": "pkg:npm/es6-promise@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "es6-promise", - "purl": "pkg:npm/es6-promise@4.2.8", - "version": "4.2.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "es6-promisify", - "purl": "pkg:npm/es6-promisify@5.0.0", - "version": "5.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "escape-goat", - "purl": "pkg:npm/escape-goat@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "escape-html", - "purl": "pkg:npm/escape-html@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "escape-string-regexp", - "purl": "pkg:npm/escape-string-regexp@1.0.5", - "version": "1.0.5", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "escodegen", - "purl": "pkg:npm/escodegen@1.12.1", - "version": "1.12.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "esprima", - "purl": "pkg:npm/esprima@3.1.3", - "version": "3.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "esprima", - "purl": "pkg:npm/esprima@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "estraverse", - "purl": "pkg:npm/estraverse@4.3.0", - "version": "4.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "esutils", - "purl": "pkg:npm/esutils@2.0.2", - "version": "2.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "esutils", - "purl": "pkg:npm/esutils@2.0.3", - "version": "2.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "etag", - "purl": "pkg:npm/etag@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "events-to-array", - "purl": "pkg:npm/events-to-array@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "events", - "purl": "pkg:npm/events@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "evp_bytestokey", - "purl": "pkg:npm/evp_bytestokey@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "execa", - "purl": "pkg:npm/execa@0.7.0", - "version": "0.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "execa", - "purl": "pkg:npm/execa@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" 
- } - ], - "name": "expand-brackets", - "purl": "pkg:npm/expand-brackets@2.1.4", - "version": "2.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "express-fileupload", - "purl": "pkg:npm/express-fileupload@0.0.5", - "version": "0.0.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.9 (semantic)", - "aliases": [ - "CVE-2020-7699" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7699", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9wcg-jrwf-8gg7", - "description": "Prototype Pollution in express-fileupload", - "epss": [ - { - "cve": "CVE-2020-7699", - "date": "2026-06-14", - "epss": 0.02269, - "percentile": 0.85053 - } - ], - "fix_available": [ - { - "date": "2020-08-06", - "kind": "first-observed", - "version": "1.1.9" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.9", - "fixed_versions": [ - "1.1.9" - ], - "id": "GHSA-9wcg-jrwf-8gg7", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7699", - "Fix available: upgrade to 1.1.9", - "Fix state: fixed", - "https://github.com/richardgirges/express-fileupload/commit/db495357d7557ceb5c034de91a7a574bd12f9b9f", - "https://github.com/richardgirges/express-fileupload/issues/236", - "https://github.com/richardgirges/express-fileupload/pull/237", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7699", - "https://security.netapp.com/advisory/ntap-20200821-0003/", - "https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9wcg-jrwf-8gg7" - }, - { - "type": 
"advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7699" - }, - { - "type": "advisory", - "url": "https://github.com/richardgirges/express-fileupload/issues/236" - }, - { - "type": "advisory", - "url": "https://github.com/richardgirges/express-fileupload/pull/237" - }, - { - "type": "advisory", - "url": "https://github.com/richardgirges/express-fileupload/commit/db495357d7557ceb5c034de91a7a574bd12f9b9f" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-EXPRESSFILEUPLOAD-595969" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200821-0003/" - } - ], - "risk_score": 2.13286, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in express-fileupload" - }, - { - "affected_version_range": "\u003c1.1.6-alpha.6 (semantic)", - "data_source": "https://github.com/advisories/GHSA-q3w9-g74q-vp5f", - "description": "Denial of Service in express-fileupload", - "fix_available": [ - { - "date": "2020-09-04", - "kind": "first-observed", - "version": "1.1.6-alpha.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.6-alpha.6", - "fixed_versions": [ - "1.1.6-alpha.6" - ], - "id": "GHSA-q3w9-g74q-vp5f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 1.1.6-alpha.6", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1216" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-q3w9-g74q-vp5f" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1216" - } - ], - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Denial of Service in express-fileupload" - }, - { - "affected_version_range": "\u003c=1.3.1 
(semantic)", - "aliases": [ - "CVE-2022-27261" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-27261", - "id": "CWE-434", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w4m6-x6c2-j5c9", - "description": "Express-FileUpload Arbitrary File Overwrite", - "epss": [ - { - "cve": "CVE-2022-27261", - "date": "2026-06-14", - "epss": 0.00377, - "percentile": 0.59769 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-w4m6-x6c2-j5c9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-27261", - "Fix state: not-fixed", - "https://github.com/richardgirges/express-fileupload/issues/312", - "https://github.com/richardgirges/express-fileupload/issues/316", - "https://nvd.nist.gov/vuln/detail/CVE-2022-27261", - "https://www.npmjs.com/package/express-fileupload", - "https://www.youtube.com/watch?v=3ROHB3ck4tA" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w4m6-x6c2-j5c9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-27261" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/express-fileupload" - }, - { - "type": "advisory", - "url": "https://www.youtube.com/watch?v=3ROHB3ck4tA" - }, - { - "type": "advisory", - "url": "https://github.com/richardgirges/express-fileupload/issues/312" - }, - { - "type": "advisory", - "url": "https://github.com/richardgirges/express-fileupload/issues/316" - } - ], - "risk_score": 0.28275, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Express-FileUpload Arbitrary File Overwrite" - } - ] - }, - { - "ecosystem": 
"npm", - "licenses": [], - "name": "express-session", - "purl": "pkg:npm/express-session@1.17.2", - "version": "1.17.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "express", - "purl": "pkg:npm/express@4.12.4", - "version": "4.12.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.20.0 (semantic)", - "aliases": [ - "CVE-2024-43796" - ], - "cvss": [ - { - "score": 5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", - "version": "3.1" - }, - { - "score": 2.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-43796", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx", - "description": "express vulnerable to XSS via response.redirect()", - "epss": [ - { - "cve": "CVE-2024-43796", - "date": "2026-06-14", - "epss": 0.0012, - "percentile": 0.30687 - } - ], - "fix_available": [ - { - "date": "2024-09-11", - "kind": "first-observed", - "version": "4.20.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.20.0", - "fixed_versions": [ - "4.20.0" - ], - "id": "GHSA-qw6h-vgh9-j6wx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-43796", - "Fix available: upgrade to 4.20.0", - "Fix state: fixed", - "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553", - "https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx", - "https://nvd.nist.gov/vuln/detail/CVE-2024-43796" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qw6h-vgh9-j6wx" - }, - { - "type": "advisory", - "url": 
"https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43796" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553" - } - ], - "risk_score": 0.0399, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "express vulnerable to XSS via response.redirect()" - }, - { - "affected_version_range": "\u003c4.19.2 (semantic)", - "aliases": [ - "CVE-2024-29041" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-29041", - "id": "CWE-601", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2024-29041", - "id": "CWE-1286", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rv95-896h-c2vc", - "description": "Express.js Open Redirect in malformed URLs", - "epss": [ - { - "cve": "CVE-2024-29041", - "date": "2026-06-14", - "epss": 0.00154, - "percentile": 0.36128 - } - ], - "fix_available": [ - { - "date": "2024-03-26", - "kind": "first-observed", - "version": "4.19.2" - } - ], - "fix_state": "fixed", - "fixed_in": "4.19.2", - "fixed_versions": [ - "4.19.2" - ], - "id": "GHSA-rv95-896h-c2vc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-29041", - "Fix available: upgrade to 4.19.2", - "Fix state: fixed", - "https://expressjs.com/en/4x/api.html#res.location", - "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd", - 
"https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94", - "https://github.com/expressjs/express/pull/5539", - "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc", - "https://github.com/koajs/koa/issues/1800", - "https://nvd.nist.gov/vuln/detail/CVE-2024-29041" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rv95-896h-c2vc" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc" - }, - { - "type": "advisory", - "url": "https://github.com/koajs/koa/issues/1800" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/pull/5539" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94" - }, - { - "type": "advisory", - "url": "https://expressjs.com/en/4x/api.html#res.location" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29041" - } - ], - "risk_score": 0.08546999999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Express.js Open Redirect in malformed URLs" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extend-shallow", - "purl": "pkg:npm/extend-shallow@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extend-shallow", - "purl": "pkg:npm/extend-shallow@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "extend", - "purl": "pkg:npm/extend@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - 
"name": "external-editor", - "purl": "pkg:npm/external-editor@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "extglob", - "purl": "pkg:npm/extglob@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "extsprintf", - "purl": "pkg:npm/extsprintf@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fast-deep-equal", - "purl": "pkg:npm/fast-deep-equal@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fast-json-stable-stringify", - "purl": "pkg:npm/fast-json-stable-stringify@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fast-levenshtein", - "purl": "pkg:npm/fast-levenshtein@2.0.6", - "version": "2.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fd", - "purl": "pkg:npm/fd@0.0.3", - "version": "0.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "figlet", - "purl": "pkg:npm/figlet@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "figures", - "purl": "pkg:npm/figures@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "file-type", - "purl": "pkg:npm/file-type@8.1.0", - "version": "8.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "file-uri-to-path", - "purl": "pkg:npm/file-uri-to-path@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "fill-range", - "purl": "pkg:npm/fill-range@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": 
"npm", - "licenses": [], - "name": "fill-range", - "purl": "pkg:npm/fill-range@7.0.1", - "version": "7.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "finalhandler", - "purl": "pkg:npm/finalhandler@0.3.6", - "version": "0.3.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "find-cache-dir", - "purl": "pkg:npm/find-cache-dir@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "find-up", - "purl": "pkg:npm/find-up@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "find-up", - "purl": "pkg:npm/find-up@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "find-up", - "purl": "pkg:npm/find-up@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "find-up", - "purl": "pkg:npm/find-up@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "for-in", - "purl": "pkg:npm/for-in@0.1.8", - "version": "0.1.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "for-in", - "purl": "pkg:npm/for-in@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "for-own", - "purl": "pkg:npm/for-own@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "foreachasync", - "purl": "pkg:npm/foreachasync@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "foreground-child", - "purl": "pkg:npm/foreground-child@1.5.6", - "version": "1.5.6", - "vulnerabilities": [] - }, - 
{ - "ecosystem": "npm", - "licenses": [], - "name": "forever-agent", - "purl": "pkg:npm/forever-agent@0.6.1", - "version": "0.6.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "form-data", - "purl": "pkg:npm/form-data@2.3.3", - "version": "2.3.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.5.4 (semantic)", - "aliases": [ - "CVE-2025-7783" - ], - "cvss": [ - { - "score": 9.4, - "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-7783", - "id": "CWE-330", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fjxv-7rqg-78g4", - "description": "form-data uses unsafe random function in form-data for choosing boundary", - "epss": [ - { - "cve": "CVE-2025-7783", - "date": "2026-06-14", - "epss": 0.01319, - "percentile": 0.80357 - } - ], - "fix_available": [ - { - "date": "2025-07-22", - "kind": "first-observed", - "version": "2.5.4" - } - ], - "fix_state": "fixed", - "fixed_in": "2.5.4", - "fixed_versions": [ - "2.5.4" - ], - "id": "GHSA-fjxv-7rqg-78g4", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-7783", - "Fix available: upgrade to 2.5.4", - "Fix state: fixed", - "https://github.com/benweissmann/CVE-2025-7783-poc", - "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0", - "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4", - "https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-7783" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-fjxv-7rqg-78g4" - }, - { - "type": "advisory", - "url": "https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7783" - }, - { - "type": "advisory", - "url": "https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0" - }, - { - "type": "advisory", - "url": "https://github.com/benweissmann/CVE-2025-7783-poc" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/07/msg00023.html" - } - ], - "risk_score": 1.2134800000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "form-data uses unsafe random function in form-data for choosing boundary" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "forwarded", - "purl": "pkg:npm/forwarded@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "fragment-cache", - "purl": "pkg:npm/fragment-cache@0.2.1", - "version": "0.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "fresh", - "purl": "pkg:npm/fresh@0.2.4", - "version": "0.2.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.5.2 (semantic)", - "aliases": [ - "CVE-2017-16119" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16119", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16119", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9qj9-36jm-prpv", - "description": "Regular Expression Denial of Service in fresh", - "epss": [ - { - "cve": "CVE-2017-16119", - 
"date": "2026-06-14", - "epss": 0.00328, - "percentile": 0.56221 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.5.2" - } - ], - "fix_state": "fixed", - "fixed_in": "0.5.2", - "fixed_versions": [ - "0.5.2" - ], - "id": "GHSA-9qj9-36jm-prpv", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16119", - "Fix available: upgrade to 0.5.2", - "Fix state: fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16119", - "https://www.npmjs.com/advisories/526" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9qj9-36jm-prpv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16119" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/526" - } - ], - "risk_score": 0.246, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in fresh" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fs-constants", - "purl": "pkg:npm/fs-constants@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fs-exists-cached", - "purl": "pkg:npm/fs-exists-cached@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fs-extra", - "purl": "pkg:npm/fs-extra@0.22.1", - "version": "0.22.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fs.realpath", - "purl": "pkg:npm/fs.realpath@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "fsevents", - "purl": "pkg:npm/fsevents@2.3.2", - "version": "2.3.2", - "vulnerabilities": [] - }, - 
{ - "ecosystem": "npm", - "licenses": [], - "name": "ftp", - "purl": "pkg:npm/ftp@0.3.10", - "version": "0.3.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "function-bind", - "purl": "pkg:npm/function-bind@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "function-loop", - "purl": "pkg:npm/function-loop@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-assigned-identifiers", - "purl": "pkg:npm/get-assigned-identifiers@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "get-caller-file", - "purl": "pkg:npm/get-caller-file@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-caller-file", - "purl": "pkg:npm/get-caller-file@2.0.5", - "version": "2.0.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-stream", - "purl": "pkg:npm/get-stream@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-stream", - "purl": "pkg:npm/get-stream@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-stream", - "purl": "pkg:npm/get-stream@5.2.0", - "version": "5.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "get-uri", - "purl": "pkg:npm/get-uri@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "get-value", - "purl": "pkg:npm/get-value@2.0.6", - "version": "2.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "getpass", - "purl": "pkg:npm/getpass@0.1.7", - "version": "0.1.7", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "git-up", - "purl": "pkg:npm/git-up@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "git-url-parse", - "purl": "pkg:npm/git-url-parse@11.1.2", - "version": "11.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "glob-parent", - "purl": "pkg:npm/glob-parent@5.1.2", - "version": "5.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "glob", - "purl": "pkg:npm/glob@7.1.2", - "version": "7.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "glob", - "purl": "pkg:npm/glob@7.1.3", - "version": "7.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "global-dirs", - "purl": "pkg:npm/global-dirs@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "global-dirs", - "purl": "pkg:npm/global-dirs@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "globals", - "purl": "pkg:npm/globals@9.18.0", - "version": "9.18.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "goof", - "purl": "pkg:npm/goof@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "got", - "purl": "pkg:npm/got@6.7.1", - "version": "6.7.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c11.8.5 (semantic)", - "aliases": [ - "CVE-2022-33987" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", - "description": "Got allows a redirect to a UNIX 
socket", - "epss": [ - { - "cve": "CVE-2022-33987", - "date": "2026-06-14", - "epss": 0.00847, - "percentile": 0.75361 - } - ], - "fix_available": [ - { - "date": "2022-06-22", - "kind": "first-observed", - "version": "11.8.5" - } - ], - "fix_state": "fixed", - "fixed_in": "11.8.5", - "fixed_versions": [ - "11.8.5" - ], - "id": "GHSA-pfrx-2q88-qq97", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-33987", - "Fix available: upgrade to 11.8.5", - "Fix state: fixed", - "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", - "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", - "https://github.com/sindresorhus/got/pull/2047", - "https://github.com/sindresorhus/got/releases/tag/v11.8.5", - "https://github.com/sindresorhus/got/releases/tag/v12.1.0", - "https://nvd.nist.gov/vuln/detail/CVE-2022-33987" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/pull/2047" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/releases/tag/v11.8.5" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/releases/tag/v12.1.0" - } - ], - "risk_score": 0.436205, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Got allows a redirect to a UNIX socket" - } - ] - }, - { - "ecosystem": 
"npm", - "licenses": [], - "matched": true, - "name": "got", - "purl": "pkg:npm/got@9.6.0", - "version": "9.6.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c11.8.5 (semantic)", - "aliases": [ - "CVE-2022-33987" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-pfrx-2q88-qq97", - "description": "Got allows a redirect to a UNIX socket", - "epss": [ - { - "cve": "CVE-2022-33987", - "date": "2026-06-14", - "epss": 0.00847, - "percentile": 0.75361 - } - ], - "fix_available": [ - { - "date": "2022-06-22", - "kind": "first-observed", - "version": "11.8.5" - } - ], - "fix_state": "fixed", - "fixed_in": "11.8.5", - "fixed_versions": [ - "11.8.5" - ], - "id": "GHSA-pfrx-2q88-qq97", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-33987", - "Fix available: upgrade to 11.8.5", - "Fix state: fixed", - "https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc", - "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0", - "https://github.com/sindresorhus/got/pull/2047", - "https://github.com/sindresorhus/got/releases/tag/v11.8.5", - "https://github.com/sindresorhus/got/releases/tag/v12.1.0", - "https://nvd.nist.gov/vuln/detail/CVE-2022-33987" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pfrx-2q88-qq97" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/pull/2047" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0" - }, - { - "type": "advisory", - "url": 
"https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/releases/tag/v11.8.5" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/got/releases/tag/v12.1.0" - } - ], - "risk_score": 0.436205, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Got allows a redirect to a UNIX socket" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "graceful-fs", - "purl": "pkg:npm/graceful-fs@1.2.3", - "version": "1.2.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "graceful-fs", - "purl": "pkg:npm/graceful-fs@4.1.11", - "version": "4.1.11", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "graceful-fs", - "purl": "pkg:npm/graceful-fs@4.1.15", - "version": "4.1.15", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "graphlib", - "purl": "pkg:npm/graphlib@2.1.8", - "version": "2.1.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "handlebars", - "purl": "pkg:npm/handlebars@4.0.11", - "version": "4.0.11", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.2 (semantic)", - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv", - "description": "Arbitrary Code Execution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.2" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.2", - "fixed_versions": [ - "4.5.2" - ], - "id": "GHSA-2cf5-4w76-r9qv", - "namespace": "github:language:javascript", - "reachability": { - 
"analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.2", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1316" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1316" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.7.9 (semantic)", - "aliases": [ - "CVE-2026-33916" - ], - "cvss": [ - { - "score": 4.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33916", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33916", - "id": "CWE-1321", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9", - "description": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection", - "epss": [ - { - "cve": "CVE-2026-33916", - "date": "2026-06-14", - "epss": 0.00072, - "percentile": 0.22205 - } - ], - "fix_available": [ - { - "date": "2026-03-27", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-2qvq-rjwj-gvw9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33916", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - 
"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33916" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916" - } - ], - "risk_score": 0.03492000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33937" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33937", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33937", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2w6w-674q-4c4q", - 
"description": "Handlebars.js has JavaScript Injection via AST Type Confusion", - "epss": [ - { - "cve": "CVE-2026-33937", - "date": "2026-06-14", - "epss": 0.0024, - "percentile": 0.47678 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-2w6w-674q-4c4q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33937", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33937" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937" - } - ], - "risk_score": 0.22559999999999997, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "aliases": [ - "CVE-2019-20920" - ], - "cvss": 
[ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20920", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3cqr-58rm-57f8", - "description": "Arbitrary Code Execution in Handlebars", - "epss": [ - { - "cve": "CVE-2019-20920", - "date": "2026-06-14", - "epss": 0.00343, - "percentile": 0.57393 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-3cqr-58rm-57f8", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20920", - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", - "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", - "https://www.npmjs.com/advisories/1316", - "https://www.npmjs.com/advisories/1324", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3cqr-58rm-57f8" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1316" - }, - { - "type": 
"advisory", - "url": "https://www.npmjs.com/advisories/1324" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" - } - ], - "risk_score": 0.26754, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in Handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33938" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33938", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2026-33938", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3mfm-83xf-c92r", - "description": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block", - "epss": [ - { - "cve": "CVE-2026-33938", - "date": "2026-06-14", - "epss": 0.00048, - "percentile": 0.15324 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-3mfm-83xf-c92r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33938", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - 
"https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33938" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33938" - } - ], - "risk_score": 0.03744000000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-442j-39wm-28r2", - "description": "Handlebars.js has a Property Access Validation Bypass in container.lookup", - "fix_available": [ - { - "date": "2026-03-29", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-442j-39wm-28r2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - 
"https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-442j-39wm-28r2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - } - ], - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has a Property Access Validation Bypass in container.lookup" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.4.5 (semantic)", - "aliases": [ - "CVE-2019-20922" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20922", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-62gr-4qp9-h98f", - "description": "Regular Expression Denial of Service in Handlebars", - "epss": [ - { - "cve": "CVE-2019-20922", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.52984 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.4.5" - } - ], - "fix_state": "fixed", - "fixed_in": "4.4.5", - "fixed_versions": [ - "4.4.5" - ], - "id": "GHSA-62gr-4qp9-h98f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20922", - "Fix available: upgrade to 4.4.5", - "Fix 
state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388", - "https://www.npmjs.com/advisories/1300", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-62gr-4qp9-h98f" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1300" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - } - ], - "risk_score": 0.21825, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in Handlebars" - }, - { - "affected_version_range": "\u003c4.7.7 (semantic)", - "aliases": [ - "CVE-2021-23383" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23383", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-765h-qjxv-5f44", - "description": "Prototype Pollution in handlebars", - "epss": [ - { - "cve": "CVE-2021-23383", - "date": "2026-06-14", - "epss": 0.05666, - "percentile": 0.90622 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.7.7" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.7", - "fixed_versions": [ - "4.7.7" - ], - "id": "GHSA-765h-qjxv-5f44", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23383", - "Fix available: upgrade to 4.7.7", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", - "https://security.netapp.com/advisory/ntap-20210618-0007/", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-765h-qjxv-5f44" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210618-0007/" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml" - } - ], - "risk_score": 5.326040000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33939" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33939", - "id": "CWE-754", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9cx6-37pm-9jff", - "description": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation", - "epss": [ - { - "cve": "CVE-2026-33939", - "date": "2026-06-14", - "epss": 0.00076, - "percentile": 0.23091 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-9cx6-37pm-9jff", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33939", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33939" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - 
}, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33939" - } - ], - "risk_score": 0.056999999999999995, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation" - }, - { - "affected_version_range": "\u003c4.7.7 (semantic)", - "aliases": [ - "CVE-2021-23369" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-f2jv-r9rf-7988", - "description": "Remote code execution in handlebars when compiling templates", - "epss": [ - { - "cve": "CVE-2021-23369", - "date": "2026-06-14", - "epss": 0.03582, - "percentile": 0.88061 - } - ], - "fix_available": [ - { - "date": "2021-05-07", - "kind": "first-observed", - "version": "4.7.7" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.7", - "fixed_versions": [ - "4.7.7" - ], - "id": "GHSA-f2jv-r9rf-7988", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23369", - "Fix available: upgrade to 4.7.7", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8", - "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", - "https://security.netapp.com/advisory/ntap-20210604-0008/", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952", - 
"https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f2jv-r9rf-7988" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210604-0008/" - } - ], - "risk_score": 3.36708, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Remote code execution in handlebars when compiling templates" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.4.5 (semantic)", - "data_source": "https://github.com/advisories/GHSA-f52g-6jhx-586p", - "description": "Denial of Service in handlebars", - "fix_available": [ - { - "date": "2020-09-04", - "kind": "first-observed", - "version": "4.4.5" - } - ], - "fix_state": "fixed", - "fixed_in": "4.4.5", - "fixed_versions": [ - "4.4.5" - ], - "id": "GHSA-f52g-6jhx-586p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.4.5", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1300" - ], - "references": [ - { - 
"type": "data_source", - "url": "https://github.com/advisories/GHSA-f52g-6jhx-586p" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1300" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Denial of Service in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "data_source": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65", - "description": "Prototype Pollution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-g9r4-xpmj-mj65", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1325" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1325" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "data_source": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh", - "description": "Arbitrary Code Execution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-q2c6-c6pm-g3gh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": 
"package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1324" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1324" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.0.14 (semantic)", - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-q42p-pg8m-cqh6", - "description": "Prototype Pollution in handlebars", - "fix_available": [ - { - "date": "2020-09-12", - "kind": "first-observed", - "version": "4.0.14" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.14", - "fixed_versions": [ - "4.0.14" - ], - "id": "GHSA-q42p-pg8m-cqh6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.0.14", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac", - "https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86", - "https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4", - "https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e", - "https://github.com/handlebars-lang/handlebars.js/issues/1495", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692", - "https://www.npmjs.com/advisories/755" - ], - "references": [ - { - "type": "data_source", 
- "url": "https://github.com/advisories/GHSA-q42p-pg8m-cqh6" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/issues/1495" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-173692" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/755" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/0d6d8c335ad81bad1b672fc56b6a44f6aa472dac" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/85c8783b34fc6d36145d8b53885ad0b9e3c3f9c4" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/cd38583216dce3252831916323202749431c773e" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.3.0 (semantic)", - "aliases": [ - "CVE-2019-19919" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-19919", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w457-6q6x-cgp9", - "description": "Prototype Pollution in handlebars", - "epss": [ - { - "cve": "CVE-2019-19919", - "date": "2026-06-14", - "epss": 0.24752, - "percentile": 0.96284 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.3.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.0", - "fixed_versions": [ - "4.3.0" - ], - "id": "GHSA-w457-6q6x-cgp9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - 
"reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-19919", - "Fix available: upgrade to 4.3.0", - "Fix state: fixed", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919", - "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js", - "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5", - "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", - "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml", - "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc", - "https://github.com/wycats/handlebars.js/issues/1558", - "https://nvd.nist.gov/vuln/detail/CVE-2019-19919", - "https://www.tenable.com/security/tns-2021-14" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w457-6q6x-cgp9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919" - }, - { - "type": "advisory", - "url": "https://github.com/wycats/handlebars.js/issues/1558" - }, - { - "type": "advisory", - "url": "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc" - }, - { - "type": "advisory", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-14" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db" - }, - { - "type": 
"advisory", - "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js" - }, - { - "type": "advisory", - "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml" - } - ], - "risk_score": 23.26688, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33940" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33940", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33940", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6", - "description": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial", - "epss": [ - { - "cve": "CVE-2026-33940", - "date": "2026-06-14", - "epss": 0.00032, - "percentile": 0.09903 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-xhpv-hc6g-r9c6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33940", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - 
"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33940" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33940" - } - ], - "risk_score": 0.024960000000000006, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33941" - ], - "cvss": [ - { - "score": 8.2, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33941", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33941", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33941", - "id": "CWE-116", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf", - "description": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options", - "epss": [ - { - "cve": "CVE-2026-33941", - 
"date": "2026-06-14", - "epss": 0.00009, - "percentile": 0.00937 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-xjpj-3mr7-gcpf", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33941", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" - } - ], - "risk_score": 0.007064999999999999, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "handlebars", - "purl": "pkg:npm/handlebars@4.0.14", - "version": "4.0.14", - "vulnerabilities": [ - { - "affected_version_range": 
"\u003e=4.0.0,\u003c4.5.2 (semantic)", - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv", - "description": "Arbitrary Code Execution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.2" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.2", - "fixed_versions": [ - "4.5.2" - ], - "id": "GHSA-2cf5-4w76-r9qv", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.2", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1316" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2cf5-4w76-r9qv" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1316" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.7.9 (semantic)", - "aliases": [ - "CVE-2026-33916" - ], - "cvss": [ - { - "score": 4.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33916", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33916", - "id": "CWE-1321", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9", - "description": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection", - "epss": [ - { - "cve": "CVE-2026-33916", - "date": "2026-06-14", - "epss": 0.00072, - "percentile": 0.22205 - } - ], - 
"fix_available": [ - { - "date": "2026-03-27", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-2qvq-rjwj-gvw9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33916", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33916" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2qvq-rjwj-gvw9" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2qvq-rjwj-gvw9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916" - } - ], - "risk_score": 0.03492000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection" - }, - { - 
"affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33937" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33937", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33937", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2w6w-674q-4c4q", - "description": "Handlebars.js has JavaScript Injection via AST Type Confusion", - "epss": [ - { - "cve": "CVE-2026-33937", - "date": "2026-06-14", - "epss": 0.0024, - "percentile": 0.47678 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-2w6w-674q-4c4q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33937", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33937" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2w6w-674q-4c4q" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-2w6w-674q-4c4q" - }, - { - "type": "advisory", - "url": 
"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937" - } - ], - "risk_score": 0.22559999999999997, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "aliases": [ - "CVE-2019-20920" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20920", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3cqr-58rm-57f8", - "description": "Arbitrary Code Execution in Handlebars", - "epss": [ - { - "cve": "CVE-2019-20920", - "date": "2026-06-14", - "epss": 0.00343, - "percentile": 0.57393 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-3cqr-58rm-57f8", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20920", - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", - "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20920", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478", - 
"https://www.npmjs.com/advisories/1316", - "https://www.npmjs.com/advisories/1324", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3cqr-58rm-57f8" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20920" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/d54137810a49939fd2ad01a91a34e182ece4528e" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1316" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1324" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" - } - ], - "risk_score": 0.26754, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in Handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33938" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33938", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2026-33938", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3mfm-83xf-c92r", - "description": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block", - "epss": [ - { - "cve": "CVE-2026-33938", - "date": "2026-06-14", - "epss": 0.00048, - "percentile": 0.15324 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - 
"version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-3mfm-83xf-c92r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33938", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33938" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3mfm-83xf-c92r" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-3mfm-83xf-c92r" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33938" - } - ], - "risk_score": 0.03744000000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-442j-39wm-28r2", - "description": "Handlebars.js has a Property Access Validation Bypass in container.lookup", - 
"fix_available": [ - { - "date": "2026-03-29", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-442j-39wm-28r2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-442j-39wm-28r2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-442j-39wm-28r2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - } - ], - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has a Property Access Validation Bypass in container.lookup" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.4.5 (semantic)", - "aliases": [ - "CVE-2019-20922" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20922", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-62gr-4qp9-h98f", - "description": "Regular Expression Denial of Service in Handlebars", - "epss": [ - { - "cve": 
"CVE-2019-20922", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.52984 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.4.5" - } - ], - "fix_state": "fixed", - "fixed_in": "4.4.5", - "fixed_versions": [ - "4.4.5" - ], - "id": "GHSA-62gr-4qp9-h98f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20922", - "Fix available: upgrade to 4.4.5", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20922", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388", - "https://www.npmjs.com/advisories/1300", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-62gr-4qp9-h98f" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20922" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/8d5530ee2c3ea9f0aee3fde310b9f36887d00b8b" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-480388" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1300" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - } - ], - "risk_score": 0.21825, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in Handlebars" - }, - { - "affected_version_range": "\u003c4.7.7 (semantic)", - "aliases": [ - "CVE-2021-23383" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23383", - "id": 
"CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-765h-qjxv-5f44", - "description": "Prototype Pollution in handlebars", - "epss": [ - { - "cve": "CVE-2021-23383", - "date": "2026-06-14", - "epss": 0.05666, - "percentile": 0.90622 - } - ], - "fix_available": [ - { - "date": "2022-02-11", - "kind": "first-observed", - "version": "4.7.7" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.7", - "fixed_versions": [ - "4.7.7" - ], - "id": "GHSA-765h-qjxv-5f44", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23383", - "Fix available: upgrade to 4.7.7", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23383", - "https://security.netapp.com/advisory/ntap-20210618-0007/", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029", - "https://www.npmjs.com/package/handlebars" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-765h-qjxv-5f44" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23383" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1279031" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1279032" - }, - { - 
"type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279030" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1279029" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/handlebars" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210618-0007/" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/handlebars-source/CVE-2021-23383.yml" - } - ], - "risk_score": 5.326040000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33939" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33939", - "id": "CWE-754", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9cx6-37pm-9jff", - "description": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation", - "epss": [ - { - "cve": "CVE-2026-33939", - "date": "2026-06-14", - "epss": 0.00076, - "percentile": 0.23091 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-9cx6-37pm-9jff", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33939", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - 
"https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33939" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9cx6-37pm-9jff" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-9cx6-37pm-9jff" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33939" - } - ], - "risk_score": 0.056999999999999995, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation" - }, - { - "affected_version_range": "\u003c4.7.7 (semantic)", - "aliases": [ - "CVE-2021-23369" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-f2jv-r9rf-7988", - "description": "Remote code execution in handlebars when compiling templates", - "epss": [ - { - "cve": "CVE-2021-23369", - "date": "2026-06-14", - "epss": 0.03582, - "percentile": 0.88061 - } - ], - "fix_available": [ - { - "date": "2021-05-07", - "kind": "first-observed", - "version": "4.7.7" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.7", - "fixed_versions": [ - "4.7.7" - ], - "id": "GHSA-f2jv-r9rf-7988", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - 
"confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23369", - "Fix available: upgrade to 4.7.7", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8", - "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23369", - "https://security.netapp.com/advisory/ntap-20210604-0008/", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952", - "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f2jv-r9rf-7988" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23369" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/b6d3de7123eebba603e321f04afdbae608e8fea8" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074950" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074951" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074952" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210604-0008/" - } - ], - "risk_score": 3.36708, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Remote code execution in handlebars when compiling templates" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.4.5 (semantic)", - "data_source": 
"https://github.com/advisories/GHSA-f52g-6jhx-586p", - "description": "Denial of Service in handlebars", - "fix_available": [ - { - "date": "2020-09-04", - "kind": "first-observed", - "version": "4.4.5" - } - ], - "fix_state": "fixed", - "fixed_in": "4.4.5", - "fixed_versions": [ - "4.4.5" - ], - "id": "GHSA-f52g-6jhx-586p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.4.5", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1300" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f52g-6jhx-586p" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1300" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Denial of Service in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "data_source": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65", - "description": "Prototype Pollution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-g9r4-xpmj-mj65", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1325" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-g9r4-xpmj-mj65" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1325" - } - ], - "severity": "high", - 
"severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.5.3 (semantic)", - "data_source": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh", - "description": "Arbitrary Code Execution in handlebars", - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "4.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "4.5.3", - "fixed_versions": [ - "4.5.3" - ], - "id": "GHSA-q2c6-c6pm-g3gh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.5.3", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1324" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-q2c6-c6pm-g3gh" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1324" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Arbitrary Code Execution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c4.3.0 (semantic)", - "aliases": [ - "CVE-2019-19919" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-19919", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w457-6q6x-cgp9", - "description": "Prototype Pollution in handlebars", - "epss": [ - { - "cve": "CVE-2019-19919", - "date": "2026-06-14", - "epss": 0.24752, - "percentile": 0.96284 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.3.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.0", - 
"fixed_versions": [ - "4.3.0" - ], - "id": "GHSA-w457-6q6x-cgp9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-19919", - "Fix available: upgrade to 4.3.0", - "Fix state: fixed", - "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919", - "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js", - "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5", - "https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee", - "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml", - "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc", - "https://github.com/wycats/handlebars.js/issues/1558", - "https://nvd.nist.gov/vuln/detail/CVE-2019-19919", - "https://www.tenable.com/security/tns-2021-14" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w457-6q6x-cgp9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-19919" - }, - { - "type": "advisory", - "url": "https://github.com/wycats/handlebars.js/issues/1558" - }, - { - "type": "advisory", - "url": "https://github.com/wycats/handlebars.js/commit/2078c727c627f25d4a149962f05c1e069beb18bc" - }, - { - "type": "advisory", - "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19919" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-14" - }, - { - "type": "advisory", - "url": 
"https://github.com/handlebars-lang/handlebars.js/commit/156061eb7707575293613d7fdf90e2bdaac029ee" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/90ad8d97ad2933852fb83fcc054699dc99e094db" - }, - { - "type": "advisory", - "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/blob/master/vendor/assets/javascripts/bootstrap-wysihtml5/handlebars.runtime.min.js" - }, - { - "type": "advisory", - "url": "https://github.com/Nerian/bootstrap-wysihtml5-rails/tree/master/vendor/assets/javascripts/bootstrap-wysihtml5" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-wysihtml5-rails/CVE-2019-19919.yml" - } - ], - "risk_score": 23.26688, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in handlebars" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33940" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33940", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33940", - "id": "CWE-843", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6", - "description": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial", - "epss": [ - { - "cve": "CVE-2026-33940", - "date": "2026-06-14", - "epss": 0.00032, - "percentile": 0.09903 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-xhpv-hc6g-r9c6", - "namespace": "github:language:javascript", - "reachability": { - 
"analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33940", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33940" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xhpv-hc6g-r9c6" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xhpv-hc6g-r9c6" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33940" - } - ], - "risk_score": 0.024960000000000006, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.7.8 (semantic)", - "aliases": [ - "CVE-2026-33941" - ], - "cvss": [ - { - "score": 8.2, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33941", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33941", - "id": "CWE-94", - "source": "security-advisories@github.com", - "type": "Primary" - }, - { - "cve": "CVE-2026-33941", - "id": "CWE-116", - "source": 
"security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf", - "description": "Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options", - "epss": [ - { - "cve": "CVE-2026-33941", - "date": "2026-06-14", - "epss": 0.00009, - "percentile": 0.00937 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "4.7.9" - } - ], - "fix_state": "fixed", - "fixed_in": "4.7.9", - "fixed_versions": [ - "4.7.9" - ], - "id": "GHSA-xjpj-3mr7-gcpf", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33941", - "Fix available: upgrade to 4.7.9", - "Fix state: fixed", - "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2", - "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9", - "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xjpj-3mr7-gcpf" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/security/advisories/GHSA-xjpj-3mr7-gcpf" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/commit/68d8df5a88e0a26fe9e6084c5c6aaebe67b07da2" - }, - { - "type": "advisory", - "url": "https://github.com/handlebars-lang/handlebars.js/releases/tag/v4.7.9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33941" - } - ], - "risk_score": 0.007064999999999999, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Handlebars.js has 
JavaScript Injection in CLI Precompiler via Unescaped Names and Options" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "har-schema", - "purl": "pkg:npm/har-schema@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "har-validator", - "purl": "pkg:npm/har-validator@5.1.3", - "version": "5.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "has-ansi", - "purl": "pkg:npm/has-ansi@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-flag", - "purl": "pkg:npm/has-flag@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "has-flag", - "purl": "pkg:npm/has-flag@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "has-flag", - "purl": "pkg:npm/has-flag@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-value", - "purl": "pkg:npm/has-value@0.3.1", - "version": "0.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-value", - "purl": "pkg:npm/has-value@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-values", - "purl": "pkg:npm/has-values@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "has-values", - "purl": "pkg:npm/has-values@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "has-yarn", - "purl": "pkg:npm/has-yarn@2.1.0", - 
"version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "has", - "purl": "pkg:npm/has@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "hash-base", - "purl": "pkg:npm/hash-base@3.0.4", - "version": "3.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "hash.js", - "purl": "pkg:npm/hash.js@1.1.7", - "version": "1.1.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "hbs", - "purl": "pkg:npm/hbs@4.0.4", - "version": "4.0.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=4.1.2 (semantic)", - "aliases": [ - "CVE-2021-32822" - ], - "cvss": [ - { - "score": 4, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-32822", - "id": "CWE-538", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2021-32822", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7f5c-rpf4-86p8", - "description": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs", - "epss": [ - { - "cve": "CVE-2021-32822", - "date": "2026-06-14", - "epss": 0.00299, - "percentile": 0.53786 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-7f5c-rpf4-86p8", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-32822", - "Fix state: not-fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2021-32822", - "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/" - ], - "references": [ - { - "type": 
"data_source", - "url": "https://github.com/advisories/GHSA-7f5c-rpf4-86p8" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32822" - }, - { - "type": "advisory", - "url": "https://securitylab.github.com/advisories/GHSL-2021-020-pillarjs-hbs/" - } - ], - "risk_score": 0.13455, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Insertion of Sensitive Information into Externally-Accessible File or Directory and Exposure of Sensitive Information to an Unauthorized Actor in hbs" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "highlight.js", - "purl": "pkg:npm/highlight.js@9.18.1", - "version": "9.18.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=9.0.0,\u003c10.4.1 (semantic)", - "data_source": "https://github.com/advisories/GHSA-7wwv-vh3v-89cq", - "description": "ReDOS vulnerabities: multiple grammars", - "fix_available": [ - { - "date": "2020-12-05", - "kind": "first-observed", - "version": "10.4.1" - } - ], - "fix_state": "fixed", - "fixed_in": "10.4.1", - "fixed_versions": [ - "10.4.1" - ], - "id": "GHSA-7wwv-vh3v-89cq", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 10.4.1", - "Fix state: fixed", - "https://github.com/highlightjs/highlight.js/commit/373b9d862401162e832ce77305e49b859e110f9c", - "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-7wwv-vh3v-89cq", - "https://www.npmjs.com/package/@highlightjs/cdn-assets", - "https://www.npmjs.com/package/highlight.js" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7wwv-vh3v-89cq" - }, - { - "type": "advisory", - "url": 
"https://github.com/highlightjs/highlight.js/security/advisories/GHSA-7wwv-vh3v-89cq" - }, - { - "type": "advisory", - "url": "https://github.com/highlightjs/highlight.js/commit/373b9d862401162e832ce77305e49b859e110f9c" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/@highlightjs/cdn-assets" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/highlight.js" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ReDOS vulnerabities: multiple grammars" - }, - { - "affected_version_range": "\u003c9.18.2 (semantic)", - "aliases": [ - "CVE-2020-26237" - ], - "cvss": [ - { - "score": 5.8, - "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-26237", - "id": "CWE-471", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vfrc-7r7c-w9mx", - "description": "Prototype Pollution in highlight.js", - "epss": [ - { - "cve": "CVE-2020-26237", - "date": "2026-06-14", - "epss": 0.00602, - "percentile": 0.70104 - } - ], - "fix_available": [ - { - "date": "2020-11-25", - "kind": "first-observed", - "version": "9.18.2" - } - ], - "fix_state": "fixed", - "fixed_in": "9.18.2", - "fixed_versions": [ - "9.18.2" - ], - "id": "GHSA-vfrc-7r7c-w9mx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-26237", - "Fix available: upgrade to 9.18.2", - "Fix state: fixed", - "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0", - "https://github.com/highlightjs/highlight.js/pull/2636", - "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx", - 
"https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-26237", - "https://www.npmjs.com/package/highlight.js", - "https://www.oracle.com/security-alerts/cpujul2022.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vfrc-7r7c-w9mx" - }, - { - "type": "advisory", - "url": "https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx" - }, - { - "type": "advisory", - "url": "https://github.com/highlightjs/highlight.js/pull/2636" - }, - { - "type": "advisory", - "url": "https://github.com/highlightjs/highlight.js/commit/7241013ae011a585983e176ddc0489a7a52f6bb0" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/highlight.js" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-26237" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00041.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - } - ], - "risk_score": 0.32508000000000004, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in highlight.js" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "hmac-drbg", - "purl": "pkg:npm/hmac-drbg@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "hooks-fixed", - "purl": "pkg:npm/hooks-fixed@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "matched": true, - "name": "hosted-git-info", - "purl": "pkg:npm/hosted-git-info@2.6.0", - "version": "2.6.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.8.9 (semantic)", - "aliases": [ - "CVE-2021-23362" - ], - "cvss": [ - { - "score": 5.3, - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23362", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-43f8-2h32-f4cj", - "description": "Regular Expression Denial of Service in hosted-git-info", - "epss": [ - { - "cve": "CVE-2021-23362", - "date": "2026-06-14", - "epss": 0.00554, - "percentile": 0.68641 - } - ], - "fix_available": [ - { - "date": "2021-05-08", - "kind": "first-observed", - "version": "2.8.9" - } - ], - "fix_state": "fixed", - "fixed_in": "2.8.9", - "fixed_versions": [ - "2.8.9" - ], - "id": "GHSA-43f8-2h32-f4cj", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23362", - "Fix available: upgrade to 2.8.9", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", - "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", - "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", - "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", - "https://github.com/npm/hosted-git-info/commits/v2", - "https://github.com/npm/hosted-git-info/pull/76", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", - "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-43f8-2h32-f4cj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3" - }, - { - "type": "advisory", - 
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/pull/76" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commits/v2" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" - } - ], - "risk_score": 0.28531, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in hosted-git-info" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "hosted-git-info", - "purl": "pkg:npm/hosted-git-info@2.8.5", - "version": "2.8.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.8.9 (semantic)", - "aliases": [ - "CVE-2021-23362" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23362", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-43f8-2h32-f4cj", - "description": "Regular Expression Denial of Service in hosted-git-info", - "epss": [ - { - "cve": "CVE-2021-23362", - "date": "2026-06-14", - "epss": 0.00554, - "percentile": 0.68641 - } - ], - "fix_available": [ - { - "date": "2021-05-08", - "kind": "first-observed", - "version": "2.8.9" - } - ], - "fix_state": "fixed", - "fixed_in": "2.8.9", - "fixed_versions": [ - "2.8.9" - ], - "id": "GHSA-43f8-2h32-f4cj", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23362", - "Fix available: upgrade to 2.8.9", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", - "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7", - "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01", - "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3", - "https://github.com/npm/hosted-git-info/commits/v2", - "https://github.com/npm/hosted-git-info/pull/76", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23362", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356", - "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-43f8-2h32-f4cj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23362" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1088356" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/pull/76" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/29adfe5ef789784c861b2cdeb15051ec2ba651a7" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commit/8d4b3697d79bcd89cdb36d1db165e3696c783a01" - }, - { - "type": "advisory", - "url": "https://github.com/npm/hosted-git-info/commits/v2" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" - } - ], - "risk_score": 0.28531, - "severity": "medium", - 
"severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in hosted-git-info" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "htmlescape", - "purl": "pkg:npm/htmlescape@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "http-cache-semantics", - "purl": "pkg:npm/http-cache-semantics@4.1.0", - "version": "4.1.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.1.1 (semantic)", - "aliases": [ - "CVE-2022-25881" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-25881", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2022-25881", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-25881", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rc47-6667-2j5j", - "description": "http-cache-semantics vulnerable to Regular Expression Denial of Service", - "epss": [ - { - "cve": "CVE-2022-25881", - "date": "2026-06-14", - "epss": 0.00175, - "percentile": 0.38981 - } - ], - "fix_available": [ - { - "date": "2023-02-03", - "kind": "first-observed", - "version": "4.1.1" - } - ], - "fix_state": "fixed", - "fixed_in": "4.1.1", - "fixed_versions": [ - "4.1.1" - ], - "id": "GHSA-rc47-6667-2j5j", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-25881", - "Fix available: upgrade to 4.1.1", - "Fix state: fixed", - "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83", - 
"https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25881", - "https://security.netapp.com/advisory/ntap-20230622-0008", - "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332", - "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rc47-6667-2j5j" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881" - }, - { - "type": "advisory", - "url": "https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783" - }, - { - "type": "advisory", - "url": "https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230622-0008" - } - ], - "risk_score": 0.13125, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "http-cache-semantics vulnerable to Regular Expression Denial of Service" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "http-errors", - "purl": "pkg:npm/http-errors@1.7.3", - "version": "1.7.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "http-proxy-agent", - "purl": "pkg:npm/http-proxy-agent@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "http-signature", - "purl": "pkg:npm/http-signature@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "https-browserify", - "purl": "pkg:npm/https-browserify@0.0.1", - "version": "0.0.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "https-proxy-agent", - "purl": "pkg:npm/https-proxy-agent@3.0.1", - "version": "3.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "humanize-ms", - "purl": "pkg:npm/humanize-ms@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "iconv-lite", - "purl": "pkg:npm/iconv-lite@0.4.24", - "version": "0.4.24", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "iconv-lite", - "purl": "pkg:npm/iconv-lite@0.4.4", - "version": "0.4.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ieee754", - "purl": "pkg:npm/ieee754@1.1.13", - "version": "1.1.13", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ignore-by-default", - "purl": "pkg:npm/ignore-by-default@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "immediate", - "purl": "pkg:npm/immediate@3.0.6", - "version": "3.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "import-lazy", - "purl": "pkg:npm/import-lazy@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "imurmurhash", - "purl": "pkg:npm/imurmurhash@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "indexof", - "purl": "pkg:npm/indexof@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inflight", - "purl": "pkg:npm/inflight@1.0.6", - "version": "1.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inherits", - "purl": "pkg:npm/inherits@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inherits", - 
"purl": "pkg:npm/inherits@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inherits", - "purl": "pkg:npm/inherits@2.0.3", - "version": "2.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inherits", - "purl": "pkg:npm/inherits@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ini", - "purl": "pkg:npm/ini@1.1.0", - "version": "1.1.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.3.6 (semantic)", - "aliases": [ - "CVE-2020-7788" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7788", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", - "description": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", - "epss": [ - { - "cve": "CVE-2020-7788", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.52985 - } - ], - "fix_available": [ - { - "date": "2020-12-11", - "kind": "first-observed", - "version": "1.3.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.3.6", - "fixed_versions": [ - "1.3.6" - ], - "id": "GHSA-qqgx-2p2h-9c37", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7788", - "Fix available: upgrade to 1.3.6", - "Fix state: fixed", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", - "https://snyk.io/vuln/SNYK-JS-INI-1048974", - "https://www.npmjs.com/advisories/1589" - 
], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37" - }, - { - "type": "advisory", - "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1589" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html" - } - ], - "risk_score": 0.21533999999999998, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ini", - "purl": "pkg:npm/ini@1.3.5", - "version": "1.3.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.3.6 (semantic)", - "aliases": [ - "CVE-2020-7788" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7788", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37", - "description": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse", - "epss": [ - { - "cve": "CVE-2020-7788", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.52985 - } - ], - "fix_available": [ - { - "date": "2020-12-11", - "kind": "first-observed", - "version": "1.3.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.3.6", - "fixed_versions": [ - "1.3.6" - ], - "id": "GHSA-qqgx-2p2h-9c37", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": 
"unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7788", - "Fix available: upgrade to 1.3.6", - "Fix state: fixed", - "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1", - "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7788", - "https://snyk.io/vuln/SNYK-JS-INI-1048974", - "https://www.npmjs.com/advisories/1589" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-qqgx-2p2h-9c37" - }, - { - "type": "advisory", - "url": "https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1589" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-INI-1048974" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7788" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/12/msg00032.html" - } - ], - "risk_score": 0.21533999999999998, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ini", - "purl": "pkg:npm/ini@1.3.7", - "version": "1.3.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inline-source-map", - "purl": "pkg:npm/inline-source-map@0.6.2", - "version": "0.6.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "inquirer", - "purl": "pkg:npm/inquirer@6.5.2", - "version": "6.5.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "insert-module-globals", - "purl": "pkg:npm/insert-module-globals@7.2.0", - "version": "7.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - 
], - "name": "invariant", - "purl": "pkg:npm/invariant@2.2.4", - "version": "2.2.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "invert-kv", - "purl": "pkg:npm/invert-kv@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ip", - "purl": "pkg:npm/ip@1.1.5", - "version": "1.1.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=2.0.1 (semantic)", - "aliases": [ - "CVE-2024-29415" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-29415", - "id": "CWE-918", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - }, - { - "cve": "CVE-2024-29415", - "id": "CWE-941", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp", - "description": "ip SSRF improper categorization in isPublic", - "epss": [ - { - "cve": "CVE-2024-29415", - "date": "2026-06-14", - "epss": 0.8434, - "percentile": 0.9934 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-2p57-rm9w-gvfp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-29415", - "Fix state: not-fixed", - "https://github.com/indutny/node-ip/issues/150", - "https://github.com/indutny/node-ip/pull/143", - "https://github.com/indutny/node-ip/pull/144", - "https://nvd.nist.gov/vuln/detail/CVE-2024-29415", - "https://security.netapp.com/advisory/ntap-20250117-0010" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-2p57-rm9w-gvfp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29415" - }, - { - 
"type": "advisory", - "url": "https://github.com/indutny/node-ip/issues/150" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/node-ip/pull/143" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/node-ip/pull/144" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250117-0010" - } - ], - "risk_score": 65.7852, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "ip SSRF improper categorization in isPublic" - }, - { - "affected_version_range": "\u003c1.1.9 (semantic)", - "aliases": [ - "CVE-2023-42282" - ], - "cwes": [ - { - "cve": "CVE-2023-42282", - "id": "CWE-918", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2023-42282", - "id": "CWE-918", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-78xj-cgh5-2h22", - "description": "NPM IP package incorrectly identifies some private IP addresses as public", - "epss": [ - { - "cve": "CVE-2023-42282", - "date": "2026-06-14", - "epss": 0.00652, - "percentile": 0.71474 - } - ], - "fix_available": [ - { - "date": "2024-02-21", - "kind": "first-observed", - "version": "1.1.9" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.9", - "fixed_versions": [ - "1.1.9" - ], - "id": "GHSA-78xj-cgh5-2h22", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-42282", - "Fix available: upgrade to 1.1.9", - "Fix state: fixed", - "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html", - "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447", - "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999", - 
"https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa", - "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894", - "https://github.com/indutny/node-ip/pull/138", - "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-78xj-cgh5-2h22" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42282" - }, - { - "type": "advisory", - "url": "https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html" - }, - { - "type": "advisory", - "url": "https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/node-ip/pull/138" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/node-ip/commit/32f468f1245574785ec080705737a579be1223aa" - }, - { - "type": "advisory", - "url": "https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894" - } - ], - "risk_score": 0.1956, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "NPM IP package incorrectly identifies some private IP addresses as public" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ipaddr.js", - "purl": "pkg:npm/ipaddr.js@1.0.5", - "version": "1.0.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-accessor-descriptor", - "purl": "pkg:npm/is-accessor-descriptor@0.1.6", - "version": "0.1.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-accessor-descriptor", - "purl": "pkg:npm/is-accessor-descriptor@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - 
"ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-arrayish", - "purl": "pkg:npm/is-arrayish@0.2.1", - "version": "0.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-binary-path", - "purl": "pkg:npm/is-binary-path@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-buffer", - "purl": "pkg:npm/is-buffer@1.1.6", - "version": "1.1.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-builtin-module", - "purl": "pkg:npm/is-builtin-module@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-ci", - "purl": "pkg:npm/is-ci@1.2.1", - "version": "1.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-ci", - "purl": "pkg:npm/is-ci@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-data-descriptor", - "purl": "pkg:npm/is-data-descriptor@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-data-descriptor", - "purl": "pkg:npm/is-data-descriptor@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-descriptor", - "purl": "pkg:npm/is-descriptor@0.1.6", - "version": "0.1.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-descriptor", - "purl": "pkg:npm/is-descriptor@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-extendable", - "purl": 
"pkg:npm/is-extendable@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-extendable", - "purl": "pkg:npm/is-extendable@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-extglob", - "purl": "pkg:npm/is-extglob@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-finite", - "purl": "pkg:npm/is-finite@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-fullwidth-code-point", - "purl": "pkg:npm/is-fullwidth-code-point@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-fullwidth-code-point", - "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-fullwidth-code-point", - "purl": "pkg:npm/is-fullwidth-code-point@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-glob", - "purl": "pkg:npm/is-glob@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-installed-globally", - "purl": "pkg:npm/is-installed-globally@0.1.0", - "version": "0.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-installed-globally", - "purl": "pkg:npm/is-installed-globally@0.3.2", - "version": "0.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-npm", - "purl": "pkg:npm/is-npm@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-npm", - "purl": "pkg:npm/is-npm@4.0.0", - "version": "4.0.0", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-number", - "purl": "pkg:npm/is-number@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-number", - "purl": "pkg:npm/is-number@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-number", - "purl": "pkg:npm/is-number@7.0.0", - "version": "7.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-obj", - "purl": "pkg:npm/is-obj@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-obj", - "purl": "pkg:npm/is-obj@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-odd", - "purl": "pkg:npm/is-odd@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-path-inside", - "purl": "pkg:npm/is-path-inside@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-path-inside", - "purl": "pkg:npm/is-path-inside@3.0.3", - "version": "3.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-plain-object", - "purl": "pkg:npm/is-plain-object@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-promise", - "purl": "pkg:npm/is-promise@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-redirect", - "purl": "pkg:npm/is-redirect@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-retry-allowed", - "purl": 
"pkg:npm/is-retry-allowed@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-ssh", - "purl": "pkg:npm/is-ssh@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-stream", - "purl": "pkg:npm/is-stream@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-typedarray", - "purl": "pkg:npm/is-typedarray@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-utf8", - "purl": "pkg:npm/is-utf8@0.2.1", - "version": "0.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "is-windows", - "purl": "pkg:npm/is-windows@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-wsl", - "purl": "pkg:npm/is-wsl@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "is-yarn-global", - "purl": "pkg:npm/is-yarn-global@0.3.0", - "version": "0.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isarray", - "purl": "pkg:npm/isarray@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isarray", - "purl": "pkg:npm/isarray@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isarray", - "purl": "pkg:npm/isarray@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isexe", - "purl": "pkg:npm/isexe@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "isobject", - "purl": 
"pkg:npm/isobject@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isobject", - "purl": "pkg:npm/isobject@3.0.1", - "version": "3.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "isstream", - "purl": "pkg:npm/isstream@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-coverage", - "purl": "pkg:npm/istanbul-lib-coverage@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-hook", - "purl": "pkg:npm/istanbul-lib-hook@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-instrument", - "purl": "pkg:npm/istanbul-lib-instrument@1.10.1", - "version": "1.10.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-report", - "purl": "pkg:npm/istanbul-lib-report@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-lib-source-maps", - "purl": "pkg:npm/istanbul-lib-source-maps@1.2.3", - "version": "1.2.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "istanbul-reports", - "purl": "pkg:npm/istanbul-reports@1.4.0", - "version": "1.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "jquery", - "purl": "pkg:npm/jquery@2.2.4", - "version": "2.2.4", - "vulnerabilities": [ - { - "affected_version_range": 
"\u003e=1.1.4,\u003c3.4.0 (semantic)", - "aliases": [ - "CVE-2019-11358" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-11358", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6c3j-c64m-qhgq", - "description": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products", - "epss": [ - { - "cve": "CVE-2019-11358", - "date": "2026-06-14", - "epss": 0.01319, - "percentile": 0.80358 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.4.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.4.0", - "fixed_versions": [ - "3.4.0" - ], - "id": "GHSA-6c3j-c64m-qhgq", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-11358", - "Fix available: upgrade to 3.4.0", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html", - "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html", - "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", - "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", - "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html", - "http://seclists.org/fulldisclosure/2019/May/10", - "http://seclists.org/fulldisclosure/2019/May/11", - "http://seclists.org/fulldisclosure/2019/May/13", - "http://www.openwall.com/lists/oss-security/2019/06/03/2", - "http://www.securityfocus.com/bid/108023", - "https://access.redhat.com/errata/RHBA-2019:1570", - "https://access.redhat.com/errata/RHSA-2019:1456", - "https://access.redhat.com/errata/RHSA-2019:2587", - 
"https://access.redhat.com/errata/RHSA-2019:3023", - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://backdropcms.org/security/backdrop-sa-core-2019-009", - "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released", - "https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f", - "https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829", - "https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad", - "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b", - "https://github.com/jquery/jquery/pull/4333", - "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc", - "https://github.com/maximebf/php-debugbar/issues/447", - "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", - "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E", - 
"https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E", - "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E", - "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", - "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", - "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E", - 
"https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E", - "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E", - "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E", - "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E", - "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E", - 
"https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html", - "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html", - "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html", - "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F", - 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5", - "https://nvd.nist.gov/vuln/detail/CVE-2019-11358", - "https://seclists.org/bugtraq/2019/Apr/32", - "https://seclists.org/bugtraq/2019/Jun/12", - "https://seclists.org/bugtraq/2019/May/18", - "https://security.netapp.com/advisory/ntap-20190919-0001", - "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226", - "https://snyk.io/vuln/SNYK-JS-JQUERY-174006", - "https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1", - "https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023", - "https://www.debian.org/security/2019/dsa-4434", - "https://www.debian.org/security/2019/dsa-4460", - "https://www.djangoproject.com/weblog/2019/jun/03/security-releases", - "https://www.drupal.org/sa-core-2019-006", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuapr2020.html", - "https://www.oracle.com/security-alerts/cpujan2020.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", - "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery", - "https://www.synology.com/security/advisory/Synology_SA_19_19", - "https://www.tenable.com/security/tns-2019-08", - "https://www.tenable.com/security/tns-2020-02" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-6c3j-c64m-qhgq" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358" - }, - { - "type": "advisory", - "url": "https://backdropcms.org/security/backdrop-sa-core-2019-009" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/pull/4333" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-174006" - }, - { - "type": "advisory", - "url": "https://www.drupal.org/sa-core-2019-006" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3023" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3024" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", 
- "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766@%3Cdev.syncope.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b@%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00006.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2019/05/msg00029.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2020/02/msg00024.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2019/dsa-4434" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2019/dsa-4460" - }, - { - "type": "advisory", - "url": "https://www.synology.com/security/advisory/Synology_SA_19_19" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2019-08" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2020-02" - }, - { - "type": "advisory", - "url": 
"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00006.html" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00025.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2019/06/03/2" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734@%3Cdev.storm.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2019-11358.yml" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450226" - }, - { - "type": "advisory", - "url": 
"https://access.redhat.com/errata/RHBA-2019:1570" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:1456" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:2587" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2019/Apr/32" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2019/Jun/12" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2019/May/18" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/10" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/11" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/13" - }, - { - "type": "advisory", - "url": 
"https://supportportal.juniper.net/s/article/2021-07-Security-Bulletin-Junos-OS-Multiple-J-Web-vulnerabilities-resolved-in-Junos-OS-21-2R1" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20190824065237/http://www.securityfocus.com/bid/108023" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/34ec52269ade54af31a021b12969913129571a3f" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/95649bc08547a878cebfa1d019edec8cb1b80829" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/baaf187a4e354bf3976c51e2c83a0d2f8ee6e6ad" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/108023" - }, - { - "type": "advisory", - "url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/08720ef215ee7ab3386c05a1a90a7d1c852bf0706f176a7816bf65fc%40%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/5928aa293e39d248266472210c50f176cac1535220f2486e6a7fa844%40%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/6097cdbd6f0a337bedd9bb5cc441b2d525ff002a96531de367e4259f%40%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/88fb0362fd40e5b605ea8149f63241537b8b6fb5bfa315391fc5cbb7%40%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/b736d0784cf02f5a30fbb4c5902762a15ad6d47e17e2c5a17b7d6205%40%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3%40%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2041a75d3fc09dec55adfd95d598b38d22715303f65c997c054844c9%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2baacab6e0acb5a2092eb46ae04fd6c3e8277b4fd79b1ffb7f3254fa%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r38f0d1aa3c923c22977fe7376508f030f22e22c1379fbb155bf29766%40%3Cdev.syncope.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r41b5bfe009c845f67d4f68948cc9419ac2d62e287804aafd72892b08%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7aac081cbddb6baa24b75e74abf0929bf309b176755a53e3ed810355%40%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7d64895cc4dff84d0becfc572b20c0e4bf9bfa7b10c6f5f73e783734%40%3Cdev.storm.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r7e8ebccb7c022e41295f6fdb7b971209b83702339f872ddd8cf8bf73%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rac25da84ecdcd36f6de5ad0d255f4e967209bbbebddb285e231da37d%40%3Cissues.flink.apache.org%3E" - }, - { - 
"type": "advisory", - "url": "https://lists.apache.org/thread.html/rca37935d661f4689cb4119f1b3b224413b22be161b678e6e6ce0c69b%40%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4UOAZIFCSZ3ENEFOR5IXX6NFAD3HV7FA" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5IABSKTYZ5JUGL735UKGXL5YPRYOPUYI" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KYH3OAGR2RTCHRA5NOKX2TES7SNQMWGO" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QV3PKZC3PQCO3273HAT76PAQZFBEO4KP" - }, - { - "type": "advisory", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLXRX23725JL366CNZGJZ7AQQB7LHQ6F" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WZW27UCJ5CYFL4KFFFMYMIBNMIU2ALG5" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0001" - }, - { - "type": "advisory", - "url": "https://www.djangoproject.com/weblog/2019/jun/03/security-releases" - }, - { - "type": "advisory", - "url": "https://www.privacy-wise.com/mitigating-cve-2019-11358-in-old-versions-of-jquery" - }, - { - "type": "advisory", - "url": "https://github.com/maximebf/php-debugbar/issues/447" - }, - { - "type": "advisory", - "url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc" - } - ], - "risk_score": 0.732045, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "XSS in jQuery as used in Drupal, Backdrop CMS, and other products" - }, - { - "affected_version_range": "\u003e=1.12.0,\u003c3.5.0 (semantic)", - "aliases": [ - "CVE-2020-11022" - ], - "cvss": [ - { - "score": 6.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-11022", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-11022", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2", - "description": "Potential XSS vulnerability in jQuery", - "epss": [ - { - "cve": "CVE-2020-11022", - "date": "2026-06-14", - "epss": 0.02391, - "percentile": 0.85414 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.5.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.5.0", - "fixed_versions": [ - "3.5.0" - ], - "id": 
"GHSA-gxr4-xjj5-5px2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-11022", - "Fix available: upgrade to 3.5.0", - "Fix state: fixed", - "http://security.netapp.com/advisory/ntap-20200511-0006", - "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released", - "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77", - "https://github.com/jquery/jquery/releases/tag/3.5.0", - "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2", - "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc", - "https://github.com/maximebf/php-debugbar/issues/447", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml", - "https://jquery.com/upgrade-guide/3.5", - "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E", - 
"https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E", - "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html", - "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W", - "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html", - "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html", - "https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html", - "https://nvd.nist.gov/vuln/detail/CVE-2020-11022", - "https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html", - "https://security.gentoo.org/glsa/202007-03", - "https://www.debian.org/security/2020/dsa-4693", - "https://www.drupal.org/sa-core-2020-002", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - 
"https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2020-10", - "https://www.tenable.com/security/tns-2020-11", - "https://www.tenable.com/security/tns-2021-02", - "https://www.tenable.com/security/tns-2021-10" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gxr4-xjj5-5px2" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11022" - }, - { - "type": "advisory", - "url": "https://www.drupal.org/sa-core-2020-002" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2020/dsa-4693" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202007-03" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2020-10" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2020-11" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-02" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-10" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": 
"https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/releases/tag/3.5.0" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml" - }, - { - "type": "advisory", - "url": "https://github.com/maximebf/php-debugbar/issues/447" - }, - { - "type": "advisory", - "url": "https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W" - }, - { - "type": "advisory", - "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released" - }, - { - "type": "advisory", - "url": "https://jquery.com/upgrade-guide/3.5" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" - }, - { - "type": "advisory", - "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" - }, - { - "type": "advisory", - "url": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html" - }, - { - "type": "advisory", - "url": "https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html" - }, - { - "type": "advisory", - "url": "https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html" - }, - { - "type": "advisory", - "url": "https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html" - }, - { - "type": "advisory", - "url": "http://security.netapp.com/advisory/ntap-20200511-0006" - } - ], - "risk_score": 1.422645, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Potential XSS vulnerability in jQuery" - }, - { - "affected_version_range": "\u003e=1.0.3,\u003c3.5.0 (semantic)", - "aliases": [ - "CVE-2020-11023" - ], - "cvss": [ - { - "score": 6.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N/E:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-11023", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-11023", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-jpcq-cgw6-v4j6", - "description": "Potential XSS vulnerability in jQuery", - "epss": [ - { - "cve": "CVE-2020-11023", - "date": "2026-06-14", - "epss": 0.3063, - "percentile": 0.96846 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.5.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.5.0", - "fixed_versions": [ - "3.5.0" - ], - "id": 
"GHSA-jpcq-cgw6-v4j6", - "kev_exploited": true, - "known_exploited": [ - { - "cve": "CVE-2020-11023", - "cwes": [ - "CWE-79" - ], - "date_added": "2025-01-23", - "due_date": "2025-02-13", - "known_ransomware_campaign_use": "unknown", - "notes": "This vulnerability could affect an open-source component, third-party library, protocol, or proprietary implementation that could be used by different products. For more information, please see: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6", - "product": "JQuery", - "required_action": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", - "urls": [ - "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/", - "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" - ], - "vendor_project": "JQuery" - } - ], - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-11023", - "Fix available: upgrade to 3.5.0", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html", - "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html", - "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html", - "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released", - "https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37", - "https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77", - "https://github.com/jquery/jquery/releases/tag/3.5.0", - "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6", - 
"https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410", - "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440", - "https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979", - "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11023.yml", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml", - "https://jquery.com/upgrade-guide/3.5", - "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@%3Cgitbox.hive.apache.org%3E", - 
"https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E", - 
"https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@%3Ccommits.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@%3Cdev.felix.apache.org%3E", - 
"https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@%3Ccommits.hive.apache.org%3E", - "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E", - 
"https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@%3Cissues.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E", - "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E", - "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E", - "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@%3Cdev.felix.apache.org%3E", - 
"https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@%3Cgitbox.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E", - "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@%3Cdev.hive.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html", - "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B", - "https://nvd.nist.gov/vuln/detail/CVE-2020-11023", - "https://security.gentoo.org/glsa/202007-03", - "https://security.netapp.com/advisory/ntap-20200511-0006", - "https://security.netapp.com/advisory/ntap-20230725-0003", - 
"https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440", - "https://snyk.io/vuln/SNYK-JS-JQUERY-565129", - "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023", - "https://www.debian.org/security/2020/dsa-4693", - "https://www.drupal.org/sa-core-2020-002", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpuApr2021.html", - "https://www.oracle.com/security-alerts/cpuapr2022.html", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html", - "https://www.tenable.com/security/tns-2021-02", - "https://www.tenable.com/security/tns-2021-10" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jpcq-cgw6-v4j6" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6" - }, - { - "type": "advisory", - "url": "https://blog.jquery.com/2020/04/10/jquery-3-5-0-released" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-11023" - }, - { - "type": "advisory", - "url": "https://www.drupal.org/sa-core-2020-002" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2020/dsa-4693" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html" - }, - { - "type": "advisory", - "url": "https://security.gentoo.org/glsa/202007-03" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9@%3Ccommits.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9@%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679@%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93@%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248@%3Cdev.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6@%3Cdev.felix.apache.org%3E" - 
}, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c@%3Ccommits.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817@%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-02" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-10" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/releases/tag/3.5.0" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11023.yml" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-565440" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html" - }, - { - "type": "advisory", - "url": 
"https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-JQUERY-565129" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230725-0003" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200511-0006" - }, - { - "type": "advisory", - "url": "https://jquery.com/upgrade-guide/3.5" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-23064.yml" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E" - }, - { - "type": 
"advisory", - "url": "https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/blob/99afa6fdeaf5d1d23e1021ff915a5e5dbc82c1f1/advisories/github-reviewed/2020/04/GHSA-jpcq-cgw6-v4j6/GHSA-jpcq-cgw6-v4j6.json#L20-L37" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-11023" - } - ], - "risk_score": 62.475, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Potential XSS vulnerability in jQuery" - }, - { - "affected_version_range": "\u003e=1.12.3,\u003c3.0.0 (semantic)", - "aliases": [ - "CVE-2015-9251" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2015-9251", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rmxg-73gg-4p98", - "description": "Cross-Site Scripting (XSS) in jquery", - "epss": [ - { - "cve": "CVE-2015-9251", - "date": "2026-06-14", - "epss": 
0.18007, - "percentile": 0.95331 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "3.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.0", - "fixed_versions": [ - "3.0.0" - ], - "id": "GHSA-rmxg-73gg-4p98", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-9251", - "Fix available: upgrade to 3.0.0", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html", - "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html", - "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html", - "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html", - "http://seclists.org/fulldisclosure/2019/May/10", - "http://seclists.org/fulldisclosure/2019/May/11", - "http://seclists.org/fulldisclosure/2019/May/13", - "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", - "https://access.redhat.com/errata/RHSA-2020:0481", - "https://access.redhat.com/errata/RHSA-2020:0729", - "https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614", - "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc", - "https://github.com/jquery/jquery/issues/2432", - "https://github.com/jquery/jquery/issues/2432#issuecomment-403761229", - "https://github.com/jquery/jquery/pull/2588", - "https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2", - "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420", - "https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377", - "https://github.com/rails/jquery-rails/releases/tag/v4.2.0", - 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-9251.yml", - "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04", - "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601", - "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E", - "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E", - "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", - "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E", - "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2015-9251", - "https://seclists.org/bugtraq/2019/May/18", - "https://security.netapp.com/advisory/ntap-20210108-0004/", - "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450227", - "https://snyk.io/vuln/npm:jquery:20150627", - "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf", - "https://web.archive.org/web/20200227030101/http://www.securityfocus.com/bid/105658", - "https://www.oracle.com/security-alerts/cpuapr2020.html", - "https://www.oracle.com/security-alerts/cpujan2020.html", - "https://www.oracle.com/security-alerts/cpujul2020.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html", - 
"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", - "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", - "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", - "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", - "https://www.tenable.com/security/tns-2019-08" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rmxg-73gg-4p98" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-9251" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/issues/2432" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/pull/2588" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/commit/b078a62013782c7424a4a61a240c23c4c0b42614" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0481" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2020:0729" - }, - { - "type": "advisory", - "url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-212-04" - }, - { - "type": "advisory", - "url": "https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44601" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3Cdev.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3Cuser.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": 
"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3Cuser.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3Cuser.flink.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3Ccommits.roller.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://seclists.org/bugtraq/2019/May/18" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210108-0004/" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:jquery:20150627" - }, - { - "type": "advisory", - "url": "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" - }, - { - "type": 
"advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2019-08" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/152787/dotCMS-5.1.1-Vulnerable-Dependencies.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/153237/RetireJS-CORS-Issue-Script-Execution.html" - }, - { - "type": "advisory", - "url": "http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/10" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/11" - }, - { - "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2019/May/13" - }, - { - "type": "advisory", - "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450227" - }, - { - "type": "advisory", - "url": "https://github.com/jquery/jquery/issues/2432#issuecomment-403761229" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200227030101/http://www.securityfocus.com/bid/105658" - }, - { - "type": "advisory", - "url": "https://github.com/rails/jquery-rails/releases/tag/v4.2.0" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-9251.yml" 
- } - ], - "risk_score": 9.993884999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Cross-Site Scripting (XSS) in jquery" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "js-tokens", - "purl": "pkg:npm/js-tokens@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "js-yaml", - "purl": "pkg:npm/js-yaml@3.13.1", - "version": "3.13.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.14.2 (semantic)", - "aliases": [ - "CVE-2025-64718" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-64718", - "id": "CWE-1321", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", - "description": "js-yaml has prototype pollution in merge (\u003c\u003c)", - "epss": [ - { - "cve": "CVE-2025-64718", - "date": "2026-06-14", - "epss": 0.00025, - "percentile": 0.07522 - } - ], - "fix_available": [ - { - "date": "2025-11-18", - "kind": "first-observed", - "version": "3.14.2" - } - ], - "fix_state": "fixed", - "fixed_in": "3.14.2", - "fixed_versions": [ - "3.14.2" - ], - "id": "GHSA-mh29-5h37-fv8m", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-64718", - "Fix available: upgrade to 3.14.2", - "Fix state: fixed", - "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879", - "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266", - 
"https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876", - "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m", - "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266" - }, - { - "type": "advisory", - "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876" - } - ], - "risk_score": 0.012875000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "js-yaml has prototype pollution in merge (\u003c\u003c)" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsbn", - "purl": "pkg:npm/jsbn@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "jsesc", - "purl": "pkg:npm/jsesc@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "json-buffer", - "purl": "pkg:npm/json-buffer@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "json-schema-traverse", - "purl": "pkg:npm/json-schema-traverse@0.4.1", - "version": "0.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "json-schema", - "purl": "pkg:npm/json-schema@0.2.3", - "version": "0.2.3", - "vulnerabilities": [ - { - "affected_version_range": 
"\u003c0.4.0 (semantic)", - "aliases": [ - "CVE-2021-3918" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-3918", - "id": "CWE-1321", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3918", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-896r-f27r-55mw", - "description": "json-schema is vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2021-3918", - "date": "2026-06-14", - "epss": 0.01262, - "percentile": 0.7992 - } - ], - "fix_available": [ - { - "date": "2021-11-30", - "kind": "first-observed", - "version": "0.4.0" - } - ], - "fix_state": "fixed", - "fixed_in": "0.4.0", - "fixed_versions": [ - "0.4.0" - ], - "id": "GHSA-896r-f27r-55mw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-3918", - "Fix available: upgrade to 0.4.0", - "Fix state: fixed", - "https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741", - "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a", - "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa", - "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9", - "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3918", - "https://security.netapp.com/advisory/ntap-20250117-0004" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-896r-f27r-55mw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3918" - }, - { - "type": "advisory", - "url": 
"https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9" - }, - { - "type": "advisory", - "url": "https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a" - }, - { - "type": "advisory", - "url": "https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00013.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250117-0004" - } - ], - "risk_score": 1.18628, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "json-schema is vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "json-stable-stringify", - "purl": "pkg:npm/json-stable-stringify@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "json-stringify-safe", - "purl": "pkg:npm/json-stringify-safe@5.0.1", - "version": "5.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsonfile", - "purl": "pkg:npm/jsonfile@2.4.0", - "version": "2.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsonify", - "purl": "pkg:npm/jsonify@0.0.0", - "version": "0.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsonparse", - "purl": "pkg:npm/jsonparse@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsonstream", - "purl": "pkg:npm/jsonstream@1.3.5", - "version": "1.3.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "jsprim", - "purl": "pkg:npm/jsprim@1.4.1", - "version": "1.4.1", - "vulnerabilities": [] - }, - { - 
"ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "jszip", - "purl": "pkg:npm/jszip@3.2.2", - "version": "3.2.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.8.0 (semantic)", - "aliases": [ - "CVE-2022-48285" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2022-48285", - "id": "CWE-22", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-48285", - "id": "CWE-22", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-36fh-84j7-cv5h", - "description": "JSZip contains Path Traversal via loadAsync", - "epss": [ - { - "cve": "CVE-2022-48285", - "date": "2026-06-14", - "epss": 0.01266, - "percentile": 0.79943 - } - ], - "fix_available": [ - { - "date": "2023-02-03", - "kind": "first-observed", - "version": "3.8.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.8.0", - "fixed_versions": [ - "3.8.0" - ], - "id": "GHSA-36fh-84j7-cv5h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-48285", - "Fix available: upgrade to 3.8.0", - "Fix state: fixed", - "https://exchange.xforce.ibmcloud.com/vulnerabilities/244499", - "https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15", - "https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0", - "https://nvd.nist.gov/vuln/detail/CVE-2022-48285", - "https://security.netapp.com/advisory/ntap-20240621-0005", - "https://www.mend.io/vulnerability-database/WS-2023-0004" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-36fh-84j7-cv5h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48285" - }, - { - "type": "advisory", - "url": "https://github.com/Stuk/jszip/commit/2edab366119c9ee948357c02f1206c28566cdf15" - }, - { - "type": "advisory", - "url": "https://github.com/Stuk/jszip/compare/v3.7.1...v3.8.0" - }, - { - "type": "advisory", - "url": "https://www.mend.io/vulnerability-database/WS-2023-0004" - }, - { - "type": "advisory", - "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/244499" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0005" - } - ], - "risk_score": 0.7659299999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "JSZip contains Path Traversal via loadAsync" - }, - { - "affected_version_range": "\u003e=3.0.0,\u003c3.7.0 (semantic)", - "aliases": [ - "CVE-2021-23413" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-jg8v-48h5-wgxg", - "description": "jszip Vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2021-23413", - "date": "2026-06-14", - "epss": 0.01214, - "percentile": 0.79485 - } - ], - "fix_available": [ - { - "date": "2021-08-11", - "kind": "first-observed", - "version": "3.7.0" - } - ], - "fix_state": "fixed", - "fixed_in": "3.7.0", - "fixed_versions": [ - "3.7.0" - ], - "id": "GHSA-jg8v-48h5-wgxg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23413", - "Fix available: upgrade to 3.7.0", - "Fix state: fixed", - "https://github.com/Stuk/jszip/blob/master/lib/object.js%23L88", - 
"https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36", - "https://github.com/Stuk/jszip/pull/766", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23413", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498", - "https://snyk.io/vuln/SNYK-JS-JSZIP-1251497" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jg8v-48h5-wgxg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23413" - }, - { - "type": "advisory", - "url": "https://github.com/Stuk/jszip/pull/766" - }, - { - "type": "advisory", - "url": "https://github.com/Stuk/jszip/commit/22357494f424178cb416cdb7d93b26dd4f824b36" - }, - { - "type": "advisory", - "url": "https://github.com/Stuk/jszip/blob/master/lib/object.js%23L88" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-JSZIP-1251497" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1251499" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1251498" - } - ], - "risk_score": 0.62521, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "jszip Vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "kareem", - "purl": "pkg:npm/kareem@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "kerberos", - "purl": "pkg:npm/kerberos@0.0.24", - "version": "0.0.24", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.0.0 (semantic)", - "aliases": [ - "CVE-2020-13110" - ], - "cvss": [ - { - "score": 7.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-13110", - "id": "CWE-427", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-m2mx-rfpw-jghv", - "description": "DLL Injection in kerberos", - "epss": [ - { - "cve": "CVE-2020-13110", - "date": "2026-06-14", - "epss": 0.00068, - "percentile": 0.21353 - } - ], - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "1.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.0.0", - "fixed_versions": [ - "1.0.0" - ], - "id": "GHSA-m2mx-rfpw-jghv", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-13110", - "Fix available: upgrade to 1.0.0", - "Fix state: fixed", - "https://medium.com/@kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd", - "https://nvd.nist.gov/vuln/detail/CVE-2020-13110", - "https://www.linkedin.com/posts/op-innovate_dll-injection-attack-in-kerberos-npm-package-activity-6667043749547253760-kVlW", - "https://www.npmjs.com/advisories/1514", - "https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-m2mx-rfpw-jghv" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1514" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-13110" - }, - { - "type": "advisory", - "url": "https://medium.com/@kiddo_Ha3ker/dll-injection-attack-in-kerberos-npm-package-cb4b32031cd" - }, - { - "type": "advisory", - "url": "https://www.linkedin.com/posts/op-innovate_dll-injection-attack-in-kerberos-npm-package-activity-6667043749547253760-kVlW" - }, - { - "type": "advisory", - "url": "https://www.op-c.net/2020/05/15/dll-injection-attack-in-kerberos-npm-package/" - } - ], - "risk_score": 0.052020000000000004, - "severity": "high", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "DLL Injection in kerberos" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "keyv", - "purl": "pkg:npm/keyv@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "kind-of", - "purl": "pkg:npm/kind-of@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "kind-of", - "purl": "pkg:npm/kind-of@3.2.2", - "version": "3.2.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "kind-of", - "purl": "pkg:npm/kind-of@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "kind-of", - "purl": "pkg:npm/kind-of@5.1.0", - "version": "5.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "kind-of", - "purl": "pkg:npm/kind-of@6.0.2", - "version": "6.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=6.0.0,\u003c6.0.3 (semantic)", - "aliases": [ - "CVE-2019-20149" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-20149", - "id": "CWE-668", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp", - "description": "Validation Bypass in kind-of", - "epss": [ - { - "cve": "CVE-2019-20149", - "date": "2026-06-14", - "epss": 0.00214, - "percentile": 0.44196 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "6.0.3" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.3", - "fixed_versions": [ - "6.0.3" - ], - "id": "GHSA-6c8f-qphg-qjgp", - "namespace": "github:language:javascript", - 
"reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-20149", - "Fix available: upgrade to 6.0.3", - "Fix state: fixed", - "https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b", - "https://github.com/jonschlinkert/kind-of/issues/30", - "https://github.com/jonschlinkert/kind-of/pull/31", - "https://nvd.nist.gov/vuln/detail/CVE-2019-20149", - "https://snyk.io/vuln/SNYK-JS-KINDOF-537849", - "https://www.npmjs.com/advisories/1490" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-20149" - }, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/kind-of/issues/30" - }, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/kind-of/pull/31" - }, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-KINDOF-537849" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1490" - } - ], - "risk_score": 0.1605, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Validation Bypass in kind-of" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "labeled-stream-splicer", - "purl": "pkg:npm/labeled-stream-splicer@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "latest-version", - "purl": "pkg:npm/latest-version@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "latest-version", - "purl": "pkg:npm/latest-version@5.1.0", - "version": "5.1.0", - "vulnerabilities": [] 
- }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lazy-cache", - "purl": "pkg:npm/lazy-cache@0.2.7", - "version": "0.2.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "lazy-cache", - "purl": "pkg:npm/lazy-cache@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lcid", - "purl": "pkg:npm/lcid@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lcov-parse", - "purl": "pkg:npm/lcov-parse@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "levn", - "purl": "pkg:npm/levn@0.3.0", - "version": "0.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lie", - "purl": "pkg:npm/lie@3.3.0", - "version": "3.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "load-json-file", - "purl": "pkg:npm/load-json-file@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "locate-path", - "purl": "pkg:npm/locate-path@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "locate-path", - "purl": "pkg:npm/locate-path@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "locate-path", - "purl": "pkg:npm/locate-path@5.0.0", - "version": "5.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.assign", - "purl": "pkg:npm/lodash.assign@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.assignin", - "purl": "pkg:npm/lodash.assignin@4.2.0", - "version": 
"4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.clone", - "purl": "pkg:npm/lodash.clone@4.5.0", - "version": "4.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.clonedeep", - "purl": "pkg:npm/lodash.clonedeep@4.5.0", - "version": "4.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.flatten", - "purl": "pkg:npm/lodash.flatten@4.4.0", - "version": "4.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.get", - "purl": "pkg:npm/lodash.get@4.4.2", - "version": "4.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lodash.memoize", - "purl": "pkg:npm/lodash.memoize@3.0.4", - "version": "3.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "lodash.set", - "purl": "pkg:npm/lodash.set@4.3.2", - "version": "4.3.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=3.7.0,\u003c=4.3.2 (semantic)", - "aliases": [ - "CVE-2020-8203" - ], - "cvss": [ - { - "score": 7.4, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8203", - "id": "CWE-770", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8203", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2020-8203", - "date": "2026-06-14", - "epss": 0.02615, - "percentile": 0.86036 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-p6mc-m468-83gw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" 
- }, - "reasons": [ - "Also known as: CVE-2020-8203", - "Fix state: not-fixed", - "https://github.com/github/advisory-database/pull/2884", - "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", - "https://github.com/lodash/lodash/issues/4744", - "https://github.com/lodash/lodash/issues/4874", - "https://github.com/lodash/lodash/wiki/Changelog#v41719", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", - "https://hackerone.com/reports/712065", - "https://hackerone.com/reports/864701", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006", - "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/712065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4874" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/2884" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/864701" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200724-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" - } - ], - 
"risk_score": 1.948175, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "lodash", - "purl": "pkg:npm/lodash@4.17.10", - "version": "4.17.10", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2020-28500" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-28500", - "id": "NVD-CWE-Other", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9", - "description": "Regular Expression Denial of Service (ReDoS) in lodash", - "epss": [ - { - "cve": "CVE-2020-28500", - "date": "2026-06-14", - "epss": 0.0018, - "percentile": 0.39612 - } - ], - "fix_available": [ - { - "date": "2022-01-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": "GHSA-29mw-wpgm-hmr9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-28500", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - "https://github.com/github/advisory-database/pull/6139", - "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", - "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", - "https://github.com/lodash/lodash/pull/5065", - "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", - 
"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", - "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893" - }, - { - "type": "advisory", - "url": 
"https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6139" - } - ], - "risk_score": 0.0927, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in lodash" - }, - { - "affected_version_range": "\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2021-23337" - ], - "cvss": [ - { - "score": 7.2, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23337", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "description": "Command Injection in lodash", - "epss": [ - { - "cve": "CVE-2021-23337", - "date": "2026-06-14", - "epss": 0.02399, - "percentile": 0.85446 - } - ], - "fix_available": [ - { - "date": "2021-05-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": "GHSA-35jh-r3h4-6jhm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": 
"\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23337", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932" - }, - { - "type": "advisory", - "url": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml" - } - ], - "risk_score": 1.763265, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Command Injection in lodash" - }, - { - "affected_version_range": "\u003c4.17.11 (semantic)", - "aliases": [ - "CVE-2018-16487" - ], - "cwes": [ - { - "cve": "CVE-2018-16487", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2018-16487", - "date": "2026-06-14", - "epss": 0.00468, - "percentile": 0.6504 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.11" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.11", - "fixed_versions": [ - "4.17.11" - ], - "id": "GHSA-4xc9-xhrj-v574", - "namespace": "github:language:javascript", - 
"reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-16487", - "Fix available: upgrade to 4.17.11", - "Fix state: fixed", - "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/380873" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0004" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml" - } - ], - "risk_score": 0.35100000000000003, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-2950" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-2950", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", - "description": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", - 
"epss": [ - { - "cve": "CVE-2026-2950", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 0.07972 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-f23m-r3pf-42rh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-2950", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - } - ], - "risk_score": 0.014949999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`" - }, - { - "affected_version_range": "\u003c4.17.12 (semantic)", - "aliases": [ - "CVE-2019-10744" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-10744", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "description": "Prototype 
Pollution in lodash", - "epss": [ - { - "cve": "CVE-2019-10744", - "date": "2026-06-14", - "epss": 0.14515, - "percentile": 0.94634 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.12" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.12", - "fixed_versions": [ - "4.17.12" - ], - "id": "GHSA-jf85-cpcp-j695", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-10744", - "Fix available: upgrade to 4.17.12", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/lodash/lodash/pull/4336", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jf85-cpcp-j695" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/4336" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3024" - }, - { - "type": "advisory", - "url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS" - }, - { - "type": "advisory", - 
"url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20191004-0005" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml" - } - ], - "risk_score": 13.136075, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003e=3.7.0,\u003c4.17.19 (semantic)", - "aliases": [ - "CVE-2020-8203" - ], - "cvss": [ - { - "score": 7.4, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8203", - "id": "CWE-770", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8203", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2020-8203", - "date": "2026-06-14", - "epss": 0.02615, - "percentile": 0.86036 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.19" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.19", - "fixed_versions": [ - "4.17.19" - ], - "id": "GHSA-p6mc-m468-83gw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8203", - "Fix available: upgrade to 4.17.19", - "Fix state: fixed", - 
"https://github.com/github/advisory-database/pull/2884", - "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", - "https://github.com/lodash/lodash/issues/4744", - "https://github.com/lodash/lodash/issues/4874", - "https://github.com/lodash/lodash/wiki/Changelog#v41719", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", - "https://hackerone.com/reports/712065", - "https://hackerone.com/reports/864701", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006", - "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/712065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4874" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/2884" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/864701" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200724-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" - } - ], - "risk_score": 1.948175, - "severity": "high", - "severity_source": 
"github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-4800" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-4800", - "id": "CWE-94", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", - "description": "lodash vulnerable to Code Injection via `_.template` imports key names", - "epss": [ - { - "cve": "CVE-2026-4800", - "date": "2026-06-14", - "epss": 0.00046, - "percentile": 0.1486 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-r5fr-rjxr-66jc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-4800", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc", - "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - }, - { - "type": "advisory", - "url": 
"https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://cna.openjsf.org/security-advisories.html" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - } - ], - "risk_score": 0.03588, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Code Injection via `_.template` imports key names" - }, - { - "affected_version_range": "\u003e=4.7.0,\u003c4.17.11 (semantic)", - "aliases": [ - "CVE-2019-1010266" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-1010266", - "id": "CWE-400", - "source": "josh@bress.net", - "type": "Secondary" - }, - { - "cve": "CVE-2019-1010266", - "id": "CWE-770", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "description": "Regular Expression Denial of Service (ReDoS) in lodash", - "epss": [ - { - "cve": "CVE-2019-1010266", - "date": "2026-06-14", - "epss": 0.00207, - "percentile": 0.43362 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.11" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.11", - "fixed_versions": [ - "4.17.11" - ], - "id": "GHSA-x5rq-j2xg-h7qm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-1010266", - "Fix available: upgrade to 4.17.11", - "Fix state: fixed", - "https://github.com/github/advisory-database/pull/6138", - "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", - "https://github.com/lodash/lodash/issues/3359", - 
"https://github.com/lodash/lodash/wiki/Changelog", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/3359" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-73639" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/wiki/Changelog" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0004" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6138" - } - ], - "risk_score": 0.11902499999999996, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in lodash" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.22 (semantic)", - "aliases": [ - "CVE-2025-13465" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-13465", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", - "description": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", - "epss": [ - { - "cve": "CVE-2025-13465", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08363 - } - ], - "fix_available": [ - { - "date": "2026-01-22", - "kind": "first-observed", - "version": "4.17.23" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.23", - "fixed_versions": [ - "4.17.23" - ], - "id": "GHSA-xxjr-mmjv-4gpg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-13465", - "Fix available: upgrade to 4.17.23", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", - "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" - } - ], - "risk_score": 0.01638, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "lodash", - "purl": 
"pkg:npm/lodash@4.17.15", - "version": "4.17.15", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2020-28500" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-28500", - "id": "NVD-CWE-Other", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9", - "description": "Regular Expression Denial of Service (ReDoS) in lodash", - "epss": [ - { - "cve": "CVE-2020-28500", - "date": "2026-06-14", - "epss": 0.0018, - "percentile": 0.39612 - } - ], - "fix_available": [ - { - "date": "2022-01-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": "GHSA-29mw-wpgm-hmr9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-28500", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - "https://github.com/github/advisory-database/pull/6139", - "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", - "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", - "https://github.com/lodash/lodash/pull/5065", - "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", 
- "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", - "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - 
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6139" - } - ], - "risk_score": 0.0927, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in lodash" - }, - { - "affected_version_range": "\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2021-23337" - ], - "cvss": [ - { - "score": 7.2, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23337", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "description": "Command Injection in lodash", - "epss": [ - { - "cve": "CVE-2021-23337", - "date": "2026-06-14", - "epss": 0.02399, - "percentile": 0.85446 - } - ], - "fix_available": [ - { - "date": "2021-05-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": "GHSA-35jh-r3h4-6jhm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23337", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - 
"https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931" - }, - { - "type": "advisory", - "url": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml" - } - ], - "risk_score": 1.763265, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Command Injection in lodash" - }, - { - "affected_version_range": "\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-2950" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-2950", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", - "description": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", - "epss": [ - { - "cve": "CVE-2026-2950", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 0.07972 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-f23m-r3pf-42rh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", 
- "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-2950", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - } - ], - "risk_score": 0.014949999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`" - }, - { - "affected_version_range": "\u003e=3.7.0,\u003c4.17.19 (semantic)", - "aliases": [ - "CVE-2020-8203" - ], - "cvss": [ - { - "score": 7.4, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8203", - "id": "CWE-770", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8203", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2020-8203", - "date": "2026-06-14", - "epss": 0.02615, - "percentile": 0.86036 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.19" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.19", - "fixed_versions": [ - "4.17.19" - ], - "id": "GHSA-p6mc-m468-83gw", - 
"namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8203", - "Fix available: upgrade to 4.17.19", - "Fix state: fixed", - "https://github.com/github/advisory-database/pull/2884", - "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", - "https://github.com/lodash/lodash/issues/4744", - "https://github.com/lodash/lodash/issues/4874", - "https://github.com/lodash/lodash/wiki/Changelog#v41719", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", - "https://hackerone.com/reports/712065", - "https://hackerone.com/reports/864701", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006", - "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/712065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4874" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/2884" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/864701" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - 
}, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200724-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" - } - ], - "risk_score": 1.948175, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-4800" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-4800", - "id": "CWE-94", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", - "description": "lodash vulnerable to Code Injection via `_.template` imports key names", - "epss": [ - { - "cve": "CVE-2026-4800", - "date": "2026-06-14", - "epss": 0.00046, - "percentile": 0.1486 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-r5fr-rjxr-66jc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-4800", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc", - "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://cna.openjsf.org/security-advisories.html" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - } - ], - "risk_score": 0.03588, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Code Injection via `_.template` imports key names" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.22 (semantic)", - "aliases": [ - "CVE-2025-13465" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-13465", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", - "description": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", - "epss": [ - { - "cve": "CVE-2025-13465", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08363 - } - ], - "fix_available": [ - { - "date": "2026-01-22", - "kind": "first-observed", - "version": "4.17.23" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.23", - "fixed_versions": [ - "4.17.23" - ], - "id": "GHSA-xxjr-mmjv-4gpg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - 
"tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-13465", - "Fix available: upgrade to 4.17.23", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", - "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" - } - ], - "risk_score": 0.01638, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "lodash", - "purl": "pkg:npm/lodash@4.17.21", - "version": "4.17.21", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-2950" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-2950", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", - "description": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", - "epss": [ - { - "cve": "CVE-2026-2950", - "date": "2026-06-14", - "epss": 0.00026, 
- "percentile": 0.07972 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-f23m-r3pf-42rh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-2950", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - } - ], - "risk_score": 0.014949999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-4800" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-4800", - "id": "CWE-94", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", - "description": "lodash vulnerable to Code Injection via `_.template` imports 
key names", - "epss": [ - { - "cve": "CVE-2026-4800", - "date": "2026-06-14", - "epss": 0.00046, - "percentile": 0.1486 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-r5fr-rjxr-66jc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-4800", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc", - "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://cna.openjsf.org/security-advisories.html" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - } - ], - "risk_score": 0.03588, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Code Injection via `_.template` imports key names" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.22 (semantic)", - "aliases": [ - "CVE-2025-13465" - ], - "cvss": [ - { - "score": 6.5, - 
"vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-13465", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", - "description": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", - "epss": [ - { - "cve": "CVE-2025-13465", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08363 - } - ], - "fix_available": [ - { - "date": "2026-01-22", - "kind": "first-observed", - "version": "4.17.23" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.23", - "fixed_versions": [ - "4.17.23" - ], - "id": "GHSA-xxjr-mmjv-4gpg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-13465", - "Fix available: upgrade to 4.17.23", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", - "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81" - }, - { - "type": "advisory", - "url": 
"https://cert-portal.siemens.com/productcert/html/ssa-253495.html" - } - ], - "risk_score": 0.01638, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "lodash", - "purl": "pkg:npm/lodash@4.17.4", - "version": "4.17.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=4.0.0,\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2020-28500" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-28500", - "id": "NVD-CWE-Other", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9", - "description": "Regular Expression Denial of Service (ReDoS) in lodash", - "epss": [ - { - "cve": "CVE-2020-28500", - "date": "2026-06-14", - "epss": 0.0018, - "percentile": 0.39612 - } - ], - "fix_available": [ - { - "date": "2022-01-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": "GHSA-29mw-wpgm-hmr9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-28500", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - "https://github.com/github/advisory-database/pull/6139", - "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", - "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", - "https://github.com/lodash/lodash/pull/5065", - 
"https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", - "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895" - }, - { - "type": "advisory", - "url": 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6139" - } - ], - "risk_score": 0.0927, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in lodash" - }, - { - "affected_version_range": "\u003c4.17.21 (semantic)", - "aliases": [ - "CVE-2021-23337" - ], - "cvss": [ - { - "score": 7.2, - "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23337", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "description": "Command Injection in lodash", - "epss": [ - { - "cve": "CVE-2021-23337", - "date": "2026-06-14", - "epss": 0.02399, - "percentile": 0.85446 - } - ], - "fix_available": [ - { - "date": "2021-05-07", - "kind": "first-observed", - "version": "4.17.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.21", - "fixed_versions": [ - "4.17.21" - ], - "id": 
"GHSA-35jh-r3h4-6jhm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23337", - "Fix available: upgrade to 4.17.21", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", - "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", - "https://security.netapp.com/advisory/ntap-20210312-0006", - "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", - "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", - "https://www.oracle.com//security-alerts/cpujul2021.html", - "https://www.oracle.com/security-alerts/cpujan2022.html", - "https://www.oracle.com/security-alerts/cpujul2022.html", - "https://www.oracle.com/security-alerts/cpuoct2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851" - }, - { - "type": "advisory", - 
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujul2022.html" - }, - { - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210312-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml" - } - ], - "risk_score": 1.763265, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Command Injection in lodash" - }, - { - "affected_version_range": "\u003c4.17.11 (semantic)", - "aliases": [ - "CVE-2018-16487" - ], - "cwes": [ - { - "cve": "CVE-2018-16487", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4xc9-xhrj-v574", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2018-16487", - "date": "2026-06-14", - "epss": 0.00468, - "percentile": 0.6504 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.11" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.11", - 
"fixed_versions": [ - "4.17.11" - ], - "id": "GHSA-4xc9-xhrj-v574", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-16487", - "Fix available: upgrade to 4.17.11", - "Fix state: fixed", - "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml", - "https://hackerone.com/reports/380873", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16487", - "https://security.netapp.com/advisory/ntap-20190919-0004" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4xc9-xhrj-v574" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16487" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/380873" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0004" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-16487.yml" - } - ], - "risk_score": 0.35100000000000003, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-2950" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-2950", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", - 
"description": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", - "epss": [ - { - "cve": "CVE-2026-2950", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 0.07972 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-f23m-r3pf-42rh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-2950", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" - } - ], - "risk_score": 0.014949999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`" - }, - { - "affected_version_range": "\u003c4.17.5 (semantic)", - "aliases": [ - "CVE-2018-3721" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2018-3721", - "id": "CWE-471", - "source": "support@hackerone.com", - "type": 
"Secondary" - }, - { - "cve": "CVE-2018-3721", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fvqr-27wr-82fm", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2018-3721", - "date": "2026-06-14", - "epss": 0.00249, - "percentile": 0.48553 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.5" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.5", - "fixed_versions": [ - "4.17.5" - ], - "id": "GHSA-fvqr-27wr-82fm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-3721", - "Fix available: upgrade to 4.17.5", - "Fix state: fixed", - "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml", - "https://hackerone.com/reports/310443", - "https://nvd.nist.gov/vuln/detail/CVE-2018-3721", - "https://security.netapp.com/advisory/ntap-20190919-0004" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fvqr-27wr-82fm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3721" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/310443" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0004" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2018-3721.yml" - } - ], - "risk_score": 0.143175, - "severity": "medium", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003c4.17.12 (semantic)", - "aliases": [ - "CVE-2019-10744" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-10744", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-jf85-cpcp-j695", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2019-10744", - "date": "2026-06-14", - "epss": 0.14515, - "percentile": 0.94634 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.12" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.12", - "fixed_versions": [ - "4.17.12" - ], - "id": "GHSA-jf85-cpcp-j695", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-10744", - "Fix available: upgrade to 4.17.12", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2019:3024", - "https://github.com/lodash/lodash/pull/4336", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10744", - "https://security.netapp.com/advisory/ntap-20191004-0005", - "https://snyk.io/vuln/SNYK-JS-LODASH-450202", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://www.oracle.com/security-alerts/cpujan2021.html", - "https://www.oracle.com/security-alerts/cpuoct2020.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jf85-cpcp-j695" - }, - { - 
"type": "advisory", - "url": "https://github.com/lodash/lodash/pull/4336" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10744" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-450202" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2019:3024" - }, - { - "type": "advisory", - "url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp;utm_medium=RSS" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2021.html" - }, - { - "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" - }, - { - "type": "advisory", - "url": "https://support.f5.com/csp/article/K47105354?utm_source=f5support\u0026amp%3Butm_medium=RSS" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20191004-0005" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-10744.yml" - } - ], - "risk_score": 13.136075, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003e=3.7.0,\u003c4.17.19 (semantic)", - "aliases": [ - "CVE-2020-8203" - ], - "cvss": [ - { - "score": 7.4, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-8203", - "id": "CWE-770", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2020-8203", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p6mc-m468-83gw", - "description": "Prototype Pollution in lodash", - "epss": [ - { - "cve": "CVE-2020-8203", - "date": "2026-06-14", - "epss": 0.02615, - "percentile": 0.86036 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - 
"version": "4.17.19" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.19", - "fixed_versions": [ - "4.17.19" - ], - "id": "GHSA-p6mc-m468-83gw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-8203", - "Fix available: upgrade to 4.17.19", - "Fix state: fixed", - "https://github.com/github/advisory-database/pull/2884", - "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", - "https://github.com/lodash/lodash/issues/4744", - "https://github.com/lodash/lodash/issues/4874", - "https://github.com/lodash/lodash/wiki/Changelog#v41719", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", - "https://hackerone.com/reports/712065", - "https://hackerone.com/reports/864701", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", - "https://security.netapp.com/advisory/ntap-20200724-0006", - "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/712065" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/4874" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/2884" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/864701" - }, - { - "type": "advisory", - "url": 
"https://github.com/lodash/lodash/wiki/Changelog#v41719" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20200724-0006" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" - } - ], - "risk_score": 1.948175, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in lodash" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.23 (semantic)", - "aliases": [ - "CVE-2026-4800" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-4800", - "id": "CWE-94", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", - "description": "lodash vulnerable to Code Injection via `_.template` imports key names", - "epss": [ - { - "cve": "CVE-2026-4800", - "date": "2026-06-14", - "epss": 0.00046, - "percentile": 0.1486 - } - ], - "fix_available": [ - { - "date": "2026-04-02", - "kind": "first-observed", - "version": "4.18.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.18.0", - "fixed_versions": [ - "4.18.0" - ], - "id": "GHSA-r5fr-rjxr-66jc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-4800", - "Fix available: upgrade to 4.18.0", - "Fix state: fixed", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", - "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", - 
"https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc", - "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" - }, - { - "type": "advisory", - "url": "https://cna.openjsf.org/security-advisories.html" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" - } - ], - "risk_score": 0.03588, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "lodash vulnerable to Code Injection via `_.template` imports key names" - }, - { - "affected_version_range": "\u003e=4.7.0,\u003c4.17.11 (semantic)", - "aliases": [ - "CVE-2019-1010266" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-1010266", - "id": "CWE-400", - "source": "josh@bress.net", - "type": "Secondary" - }, - { - "cve": "CVE-2019-1010266", - "id": "CWE-770", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm", - "description": "Regular Expression Denial of Service (ReDoS) in lodash", - "epss": [ - { - "cve": "CVE-2019-1010266", - "date": "2026-06-14", - "epss": 0.00207, - "percentile": 0.43362 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.17.11" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.11", - "fixed_versions": [ - "4.17.11" - ], - "id": "GHSA-x5rq-j2xg-h7qm", - "namespace": "github:language:javascript", - "reachability": { - 
"analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-1010266", - "Fix available: upgrade to 4.17.11", - "Fix state: fixed", - "https://github.com/github/advisory-database/pull/6138", - "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347", - "https://github.com/lodash/lodash/issues/3359", - "https://github.com/lodash/lodash/wiki/Changelog", - "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml", - "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266", - "https://security.netapp.com/advisory/ntap-20190919-0004", - "https://snyk.io/vuln/SNYK-JS-LODASH-73639" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-x5rq-j2xg-h7qm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-1010266" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/issues/3359" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-LODASH-73639" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/wiki/Changelog" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20190919-0004" - }, - { - "type": "advisory", - "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2019-1010266.yml" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6138" - } - ], - "risk_score": 0.11902499999999996, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in lodash" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.17.22 (semantic)", - "aliases": [ 
- "CVE-2025-13465" - ], - "cvss": [ - { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", - "version": "3.1" - }, - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-13465", - "id": "CWE-1321", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", - "description": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", - "epss": [ - { - "cve": "CVE-2025-13465", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08363 - } - ], - "fix_available": [ - { - "date": "2026-01-22", - "kind": "first-observed", - "version": "4.17.23" - } - ], - "fix_state": "fixed", - "fixed_in": "4.17.23", - "fixed_versions": [ - "4.17.23" - ], - "id": "GHSA-xxjr-mmjv-4gpg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-13465", - "Fix available: upgrade to 4.17.23", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", - "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", - "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", - "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" - }, - { - "type": "advisory", - "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81" - }, - 
{ - "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" - } - ], - "risk_score": 0.01638, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "log-driver", - "purl": "pkg:npm/log-driver@1.2.7", - "version": "1.2.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "longest", - "purl": "pkg:npm/longest@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "loose-envify", - "purl": "pkg:npm/loose-envify@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lowercase-keys", - "purl": "pkg:npm/lowercase-keys@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lowercase-keys", - "purl": "pkg:npm/lowercase-keys@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lru-cache", - "purl": "pkg:npm/lru-cache@2.3.1", - "version": "2.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "lru-cache", - "purl": "pkg:npm/lru-cache@4.1.3", - "version": "4.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lru-cache", - "purl": "pkg:npm/lru-cache@4.1.5", - "version": "4.1.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "lru-cache", - "purl": "pkg:npm/lru-cache@5.1.1", - "version": "5.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "macos-release", - "purl": 
"pkg:npm/macos-release@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "make-dir", - "purl": "pkg:npm/make-dir@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "make-dir", - "purl": "pkg:npm/make-dir@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "map-cache", - "purl": "pkg:npm/map-cache@0.2.2", - "version": "0.2.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "map-visit", - "purl": "pkg:npm/map-visit@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "marked", - "purl": "pkg:npm/marked@0.3.5", - "version": "0.3.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.0.10 (semantic)", - "aliases": [ - "CVE-2022-21681" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-21681", - "id": "CWE-400", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-21681", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-21681", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", - "description": "Inefficient Regular Expression Complexity in marked", - "epss": [ - { - "cve": "CVE-2022-21681", - "date": "2026-06-14", - "epss": 0.00695, - "percentile": 0.72465 - } - ], - "fix_available": [ - { - "date": "2022-01-16", - "kind": "first-observed", - "version": "4.0.10" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.10", - "fixed_versions": [ - "4.0.10" - ], 
- "id": "GHSA-5v2h-r2cx-5xgj", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-21681", - "Fix available: upgrade to 4.0.10", - "Fix state: fixed", - "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5", - "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", - "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-21681" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21681" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" - } - ], - "risk_score": 0.52125, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in marked" - }, - { - "affected_version_range": "\u003c0.3.7 (semantic)", - "aliases": [ - "CVE-2017-1000427" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": 
"CVE-2017-1000427", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7px7-7xjx-hxm8", - "description": "Marked vulnerable to XSS from data URIs", - "epss": [ - { - "cve": "CVE-2017-1000427", - "date": "2026-06-14", - "epss": 0.00388, - "percentile": 0.60423 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.3.7" - } - ], - "fix_state": "fixed", - "fixed_in": "0.3.7", - "fixed_versions": [ - "0.3.7" - ], - "id": "GHSA-7px7-7xjx-hxm8", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000427", - "Fix available: upgrade to 0.3.7", - "Fix state: fixed", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000427", - "https://snyk.io/vuln/npm:marked:20170112" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7px7-7xjx-hxm8" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000427" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BO2RMVVZVV6NFTU46B5RYRK7ZCXYARZS/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/M6BJG6RGDH7ZWVVAUFBFI5L32RSMQN2S/" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:marked:20170112" - } - ], - "risk_score": 0.21533999999999998, - "severity": "medium", - "severity_source": 
"github:language:javascript", - "source": "grype", - "title": "Marked vulnerable to XSS from data URIs" - }, - { - "affected_version_range": "\u003c0.3.17 (semantic)", - "aliases": [ - "CVE-2018-25110" - ], - "cvss": [ - { - "score": 6.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2018-25110", - "id": "CWE-1333", - "source": "596c5446-0ce5-4ba2-aa66-48b3b757a647", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p9wx-2529-fp83", - "description": "Marked allows Regular Expression Denial of Service (ReDoS) attacks", - "epss": [ - { - "cve": "CVE-2018-25110", - "date": "2026-06-14", - "epss": 0.00774, - "percentile": 0.74127 - } - ], - "fix_available": [ - { - "date": "2025-05-28", - "kind": "first-observed", - "version": "0.3.17" - } - ], - "fix_state": "fixed", - "fixed_in": "0.3.17", - "fixed_versions": [ - "0.3.17" - ], - "id": "GHSA-p9wx-2529-fp83", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-25110", - "Fix available: upgrade to 0.3.17", - "Fix state: fixed", - "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110", - "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485", - "https://github.com/markedjs/marked/issues/1070", - "https://github.com/markedjs/marked/pull/1083", - "https://nvd.nist.gov/vuln/detail/CVE-2018-25110" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p9wx-2529-fp83" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25110" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/issues/1070" - }, - { - "type": "advisory", - "url": 
"https://github.com/markedjs/marked/pull/1083" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/commit/20bfc106013ed45713a21672ad4a34df94dcd485" - }, - { - "type": "advisory", - "url": "https://github.com/Checkmarx/Vulnerabilities-Proofs-of-Concept/tree/main/2018/CVE-2018-25110" - } - ], - "risk_score": 0.46053, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Marked allows Regular Expression Denial of Service (ReDoS) attacks" - }, - { - "affected_version_range": "\u003c4.0.10 (semantic)", - "aliases": [ - "CVE-2022-21680" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-21680", - "id": "CWE-400", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-21680", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-21680", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", - "description": "Inefficient Regular Expression Complexity in marked", - "epss": [ - { - "cve": "CVE-2022-21680", - "date": "2026-06-14", - "epss": 0.00708, - "percentile": 0.72741 - } - ], - "fix_available": [ - { - "date": "2022-01-16", - "kind": "first-observed", - "version": "4.0.10" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.10", - "fixed_versions": [ - "4.0.10" - ], - "id": "GHSA-rrrm-qjm4-v8hf", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-21680", - "Fix available: upgrade to 4.0.10", - "Fix state: fixed", - 
"https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", - "https://github.com/markedjs/marked/releases/tag/v4.0.10", - "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" - }, - { - "type": "advisory", - "url": "https://github.com/markedjs/marked/releases/tag/v4.0.10" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/" - } - ], - "risk_score": 0.531, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in marked" - }, - { - "affected_version_range": "\u003c0.3.6 (semantic)", - "aliases": [ - "CVE-2016-10531" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2016-10531", - "id": "CWE-79", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2016-10531", - "id": "CWE-79", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vfvf-mqq8-rwqc", - "description": "Sanitization bypass using HTML Entities in marked", - "epss": [ - { - "cve": "CVE-2016-10531", - "date": "2026-06-14", - "epss": 0.00289, - 
"percentile": 0.5287 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.3.6" - } - ], - "fix_state": "fixed", - "fixed_in": "0.3.6", - "fixed_versions": [ - "0.3.6" - ], - "id": "GHSA-vfvf-mqq8-rwqc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-10531", - "Fix available: upgrade to 0.3.6", - "Fix state: fixed", - "https://github.com/chjj/marked/pull/592", - "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523", - "https://nvd.nist.gov/vuln/detail/CVE-2016-10531", - "https://www.npmjs.com/advisories/101" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vfvf-mqq8-rwqc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10531" - }, - { - "type": "advisory", - "url": "https://github.com/chjj/marked/pull/592" - }, - { - "type": "advisory", - "url": "https://github.com/chjj/marked/pull/592/commits/2cff85979be8e7a026a9aca35542c470cf5da523" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/101" - } - ], - "risk_score": 0.160395, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Sanitization bypass using HTML Entities in marked" - }, - { - "affected_version_range": "\u003c0.3.9 (semantic)", - "aliases": [ - "CVE-2017-16114" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16114", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16114", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-x5pg-88wf-qq4p", - "description": "Regular Expression Denial of Service in marked", - "epss": [ - { - "cve": "CVE-2017-16114", - "date": "2026-06-14", - "epss": 0.00403, - "percentile": 0.61395 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.3.9" - } - ], - "fix_state": "fixed", - "fixed_in": "0.3.9", - "fixed_versions": [ - "0.3.9" - ], - "id": "GHSA-x5pg-88wf-qq4p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16114", - "Fix available: upgrade to 0.3.9", - "Fix state: fixed", - "https://github.com/chjj/marked/issues/937", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16114", - "https://www.npmjs.com/advisories/531" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-x5pg-88wf-qq4p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16114" - }, - { - "type": "advisory", - "url": "https://github.com/chjj/marked/issues/937" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/531" - } - ], - "risk_score": 0.30225, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in marked" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "md5-hex", - "purl": "pkg:npm/md5-hex@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "md5-o-matic", - "purl": "pkg:npm/md5-o-matic@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "md5.js", - "purl": "pkg:npm/md5.js@1.3.5", - "version": "1.3.5", - "vulnerabilities": 
[] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "media-typer", - "purl": "pkg:npm/media-typer@0.3.0", - "version": "0.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "mem", - "purl": "pkg:npm/mem@1.1.0", - "version": "1.1.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.0.0 (semantic)", - "cvss": [ - { - "score": 5.1, - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-4xcv-9jjx-gfj3", - "description": "Denial of Service in mem", - "fix_available": [ - { - "date": "2020-09-12", - "kind": "first-observed", - "version": "4.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.0", - "fixed_versions": [ - "4.0.0" - ], - "id": "GHSA-4xcv-9jjx-gfj3", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.0.0", - "Fix state: fixed", - "https://bugzilla.redhat.com/show_bug.cgi?id=1623744", - "https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b", - "https://snyk.io/vuln/npm:mem:20180117", - "https://www.npmjs.com/advisories/1084" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4xcv-9jjx-gfj3" - }, - { - "type": "advisory", - "url": "https://github.com/sindresorhus/mem/commit/da4e4398cb27b602de3bd55f746efa9b4a31702b" - }, - { - "type": "advisory", - "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623744" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1084" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:mem:20180117" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "Denial of Service in mem" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "memory-pager", - "purl": "pkg:npm/memory-pager@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "merge-descriptors", - "purl": "pkg:npm/merge-descriptors@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "merge-source-map", - "purl": "pkg:npm/merge-source-map@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "method-override", - "purl": "pkg:npm/method-override@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "methods", - "purl": "pkg:npm/methods@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "micromatch", - "purl": "pkg:npm/micromatch@3.1.10", - "version": "3.1.10", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.0.8 (semantic)", - "aliases": [ - "CVE-2024-4067" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-4067", - "id": "CWE-1333", - "source": "596c5446-0ce5-4ba2-aa66-48b3b757a647", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-952p-6rrq-rcjv", - "description": "Regular Expression Denial of Service (ReDoS) in micromatch", - "epss": [ - { - "cve": "CVE-2024-4067", - "date": "2026-06-14", - "epss": 0.00171, - "percentile": 0.3836 - } - ], - "fix_available": [ - { - "date": "2024-08-24", - "kind": "first-observed", - "version": "4.0.8" - } - ], - "fix_state": "fixed", - "fixed_in": "4.0.8", - "fixed_versions": [ - "4.0.8" - ], - "id": 
"GHSA-952p-6rrq-rcjv", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-4067", - "Fix available: upgrade to 4.0.8", - "Fix state: fixed", - "https://advisory.checkmarx.net/advisory/CVE-2024-4067", - "https://devhub.checkmarx.com/cve-details/CVE-2024-4067", - "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448", - "https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade", - "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0", - "https://github.com/micromatch/micromatch/issues/243", - "https://github.com/micromatch/micromatch/pull/247", - "https://github.com/micromatch/micromatch/pull/266", - "https://github.com/micromatch/micromatch/releases/tag/4.0.8", - "https://nvd.nist.gov/vuln/detail/CVE-2024-4067" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4067" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/issues/243" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/pull/247" - }, - { - "type": "advisory", - "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4067" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/blob/2c56a8604b68c1099e7bc0f807ce0865a339747a/index.js#L448" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/commit/500d5d6f42f0e8dfa1cb5464c6cb420b1b6aaaa0" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/pull/266" - }, - { - "type": "advisory", - "url": 
"https://github.com/micromatch/micromatch/commit/03aa8052171e878897eee5d7bb2ae0ae83ec2ade" - }, - { - "type": "advisory", - "url": "https://advisory.checkmarx.net/advisory/CVE-2024-4067" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/micromatch/releases/tag/4.0.8" - } - ], - "risk_score": 0.08806499999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service (ReDoS) in micromatch" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "miller-rabin", - "purl": "pkg:npm/miller-rabin@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-db", - "purl": "pkg:npm/mime-db@1.12.0", - "version": "1.12.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-db", - "purl": "pkg:npm/mime-db@1.39.0", - "version": "1.39.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-db", - "purl": "pkg:npm/mime-db@1.43.0", - "version": "1.43.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-types", - "purl": "pkg:npm/mime-types@2.0.14", - "version": "2.0.14", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-types", - "purl": "pkg:npm/mime-types@2.1.23", - "version": "2.1.23", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mime-types", - "purl": "pkg:npm/mime-types@2.1.26", - "version": "2.1.26", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "mime", - "purl": "pkg:npm/mime@1.2.11", - "version": "1.2.11", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.4.1 (semantic)", - "aliases": [ - "CVE-2017-16138" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": 
[ - { - "cve": "CVE-2017-16138", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16138", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wrvr-8mpx-r7pp", - "description": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input", - "epss": [ - { - "cve": "CVE-2017-16138", - "date": "2026-06-14", - "epss": 0.00433, - "percentile": 0.6328 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "1.4.1" - } - ], - "fix_state": "fixed", - "fixed_in": "1.4.1", - "fixed_versions": [ - "1.4.1" - ], - "id": "GHSA-wrvr-8mpx-r7pp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16138", - "Fix available: upgrade to 1.4.1", - "Fix state: fixed", - "https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0", - "https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d", - "https://github.com/broofa/node-mime/issues/167", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wrvr-8mpx-r7pp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/node-mime/issues/167" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d" - } - ], - "risk_score": 0.3247499999999999, - "severity": "high", - "severity_source": "github:language:javascript", 
- "source": "grype", - "title": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "mime", - "purl": "pkg:npm/mime@1.3.4", - "version": "1.3.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.4.1 (semantic)", - "aliases": [ - "CVE-2017-16138" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-16138", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-16138", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wrvr-8mpx-r7pp", - "description": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input", - "epss": [ - { - "cve": "CVE-2017-16138", - "date": "2026-06-14", - "epss": 0.00433, - "percentile": 0.6328 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "1.4.1" - } - ], - "fix_state": "fixed", - "fixed_in": "1.4.1", - "fixed_versions": [ - "1.4.1" - ], - "id": "GHSA-wrvr-8mpx-r7pp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-16138", - "Fix available: upgrade to 1.4.1", - "Fix state: fixed", - "https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0", - "https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d", - "https://github.com/broofa/node-mime/issues/167", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wrvr-8mpx-r7pp" - }, - { - 
"type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16138" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/node-mime/issues/167" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/mime/commit/1df903fdeb9ae7eaa048795b8d580ce2c98f40b0" - }, - { - "type": "advisory", - "url": "https://github.com/broofa/mime/commit/855d0c4b8b22e4a80b9401a81f2872058eae274d" - } - ], - "risk_score": 0.3247499999999999, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mimic-fn", - "purl": "pkg:npm/mimic-fn@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mimic-response", - "purl": "pkg:npm/mimic-response@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "minimalistic-assert", - "purl": "pkg:npm/minimalistic-assert@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "minimalistic-crypto-utils", - "purl": "pkg:npm/minimalistic-crypto-utils@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "minimatch", - "purl": "pkg:npm/minimatch@3.0.4", - "version": "3.0.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.1.4 (semantic)", - "aliases": [ - "CVE-2026-27904" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-27904", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", - "description": "minimatch ReDoS: nested *() extglobs 
generate catastrophically backtracking regular expressions", - "epss": [ - { - "cve": "CVE-2026-27904", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 0.07795 - } - ], - "fix_available": [ - { - "date": "2026-02-27", - "kind": "first-observed", - "version": "3.1.4" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.4", - "fixed_versions": [ - "3.1.4" - ], - "id": "GHSA-23c5-xmqv-rm74", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-27904", - "Fix available: upgrade to 3.1.4", - "Fix state: fixed", - "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", - "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", - "https://nvd.nist.gov/vuln/detail/CVE-2026-27904" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce" - } - ], - "risk_score": 0.019499999999999997, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions" - }, - { - "affected_version_range": "\u003c3.1.3 (semantic)", - "aliases": [ - "CVE-2026-26996" - ], - "cvss": [ - { - "score": 8.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-26996", - "id": "CWE-1333", - "source": 
"security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", - "description": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", - "epss": [ - { - "cve": "CVE-2026-26996", - "date": "2026-06-14", - "epss": 0.00026, - "percentile": 0.07764 - } - ], - "fix_available": [ - { - "date": "2026-03-04", - "kind": "first-observed", - "version": "3.1.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.3", - "fixed_versions": [ - "3.1.3" - ], - "id": "GHSA-3ppc-4f35-3m26", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-26996", - "Fix available: upgrade to 3.1.3", - "Fix state: fixed", - "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", - "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", - "https://nvd.nist.gov/vuln/detail/CVE-2026-26996" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26996" - } - ], - "risk_score": 0.021059999999999995, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern" - }, - { - "affected_version_range": "\u003c3.1.3 (semantic)", - "aliases": [ - "CVE-2026-27903" - ], - "cvss": [ - { - "score": 7.5, - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-27903", - "id": "CWE-407", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", - "description": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", - "epss": [ - { - "cve": "CVE-2026-27903", - "date": "2026-06-14", - "epss": 0.00036, - "percentile": 0.10985 - } - ], - "fix_available": [ - { - "date": "2026-02-27", - "kind": "first-observed", - "version": "3.1.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.3", - "fixed_versions": [ - "3.1.3" - ], - "id": "GHSA-7r86-cg39-jmmj", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-27903", - "Fix available: upgrade to 3.1.3", - "Fix state: fixed", - "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", - "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", - "https://nvd.nist.gov/vuln/detail/CVE-2026-27903" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748" - } - ], - "risk_score": 0.027, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments" - }, - { - 
"affected_version_range": "\u003c3.0.5 (semantic)", - "aliases": [ - "CVE-2022-3517" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-3517", - "id": "CWE-400", - "source": "secalert@redhat.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-3517", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", - "description": "minimatch ReDoS vulnerability", - "epss": [ - { - "cve": "CVE-2022-3517", - "date": "2026-06-14", - "epss": 0.00476, - "percentile": 0.65449 - } - ], - "fix_available": [ - { - "date": "2022-10-21", - "kind": "first-observed", - "version": "3.0.5" - } - ], - "fix_state": "fixed", - "fixed_in": "3.0.5", - "fixed_versions": [ - "3.0.5" - ], - "id": "GHSA-f8q6-p94x-37v3", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-3517", - "Fix available: upgrade to 3.0.5", - "Fix state: fixed", - "https://github.com/grafana/grafana-image-renderer/issues/329", - "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", - "https://github.com/nodejs/node/issues/42510", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", - "https://nvd.nist.gov/vuln/detail/CVE-2022-3517" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3" - }, - { - "type": "advisory", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-3517" - }, - { - "type": "advisory", - "url": "https://github.com/grafana/grafana-image-renderer/issues/329" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" - }, - { - "type": "advisory", - "url": "https://github.com/nodejs/node/issues/42510" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" - } - ], - "risk_score": 0.35700000000000004, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "minimatch ReDoS vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "minimist", - "purl": "pkg:npm/minimist@0.0.10", - "version": "0.0.10", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.2.1 (semantic)", - "aliases": [ - "CVE-2020-7598" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7598", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2020-7598", - "date": "2026-06-14", - "epss": 0.00189, - "percentile": 0.40821 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.2.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.2.1", - "fixed_versions": [ - "0.2.1" - ], - "id": "GHSA-vh95-rmgr-6w4m", - "namespace": 
"github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7598", - "Fix available: upgrade to 0.2.1", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", - "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", - "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", - "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", - "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://www.npmjs.com/advisories/1179" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1179" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - } - ], - 
"risk_score": 0.10017000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - }, - { - "affected_version_range": "\u003c0.2.4 (semantic)", - "aliases": [ - "CVE-2021-44906" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-44906", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2021-44906", - "date": "2026-06-14", - "epss": 0.00789, - "percentile": 0.74384 - } - ], - "fix_available": [ - { - "date": "2023-03-01", - "kind": "first-observed", - "version": "0.2.4" - } - ], - "fix_state": "fixed", - "fixed_in": "0.2.4", - "fixed_versions": [ - "0.2.4" - ], - "id": "GHSA-xvch-5gv4-984h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-44906", - "Fix available: upgrade to 0.2.4", - "Fix state: fixed", - "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", - "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", - "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", - "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", - "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", - "https://github.com/minimistjs/minimist/commits/v0.2.4", - "https://github.com/minimistjs/minimist/issues/11", - "https://github.com/minimistjs/minimist/pull/24", - 
"https://github.com/substack/minimist/blob/master/index.js#L69", - "https://github.com/substack/minimist/issues/164", - "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/issues/164" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/blob/master/index.js#L69" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - }, - { - "type": "advisory", - "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/issues/11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/pull/24" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" - }, - { - "type": "advisory", - "url": 
"https://security.netapp.com/advisory/ntap-20240621-0006" - } - ], - "risk_score": 0.74166, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "minimist", - "purl": "pkg:npm/minimist@0.0.8", - "version": "0.0.8", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.2.1 (semantic)", - "aliases": [ - "CVE-2020-7598" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7598", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2020-7598", - "date": "2026-06-14", - "epss": 0.00189, - "percentile": 0.40821 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.2.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.2.1", - "fixed_versions": [ - "0.2.1" - ], - "id": "GHSA-vh95-rmgr-6w4m", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7598", - "Fix available: upgrade to 0.2.1", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", - "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", - "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", - "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", - 
"https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://www.npmjs.com/advisories/1179" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1179" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - } - ], - "risk_score": 0.10017000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - }, - { - "affected_version_range": "\u003c0.2.4 (semantic)", - "aliases": [ - "CVE-2021-44906" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-44906", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2021-44906", - "date": "2026-06-14", - 
"epss": 0.00789, - "percentile": 0.74384 - } - ], - "fix_available": [ - { - "date": "2023-03-01", - "kind": "first-observed", - "version": "0.2.4" - } - ], - "fix_state": "fixed", - "fixed_in": "0.2.4", - "fixed_versions": [ - "0.2.4" - ], - "id": "GHSA-xvch-5gv4-984h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 3, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-44906", - "Fix available: upgrade to 0.2.4", - "Fix state: fixed", - "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", - "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", - "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", - "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", - "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", - "https://github.com/minimistjs/minimist/commits/v0.2.4", - "https://github.com/minimistjs/minimist/issues/11", - "https://github.com/minimistjs/minimist/pull/24", - "https://github.com/substack/minimist/blob/master/index.js#L69", - "https://github.com/substack/minimist/issues/164", - "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/issues/164" - }, - { - "type": "advisory", - "url": 
"https://github.com/substack/minimist/blob/master/index.js#L69" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - }, - { - "type": "advisory", - "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/issues/11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/pull/24" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" - } - ], - "risk_score": 0.74166, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "minimist", - "purl": "pkg:npm/minimist@1.2.0", - "version": "1.2.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=1.0.0,\u003c1.2.3 (semantic)", - "aliases": [ - "CVE-2020-7598" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7598", - "id": "CWE-1321", - "source": "nvd@nist.gov", - 
"type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2020-7598", - "date": "2026-06-14", - "epss": 0.00189, - "percentile": 0.40821 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "1.2.3" - } - ], - "fix_state": "fixed", - "fixed_in": "1.2.3", - "fixed_versions": [ - "1.2.3" - ], - "id": "GHSA-vh95-rmgr-6w4m", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7598", - "Fix available: upgrade to 1.2.3", - "Fix state: fixed", - "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", - "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", - "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", - "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", - "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://www.npmjs.com/advisories/1179" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1179" - }, - { - "type": "advisory", - "url": 
"https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" - } - ], - "risk_score": 0.10017000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - }, - { - "affected_version_range": "\u003e=1.0.0,\u003c1.2.6 (semantic)", - "aliases": [ - "CVE-2021-44906" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-44906", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2021-44906", - "date": "2026-06-14", - "epss": 0.00789, - "percentile": 0.74384 - } - ], - "fix_available": [ - { - "date": "2022-03-24", - "kind": "first-observed", - "version": "1.2.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.2.6", - "fixed_versions": [ - "1.2.6" - ], - "id": "GHSA-xvch-5gv4-984h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-44906", - "Fix available: upgrade to 1.2.6", - "Fix state: fixed", - "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", - 
"https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", - "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", - "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", - "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", - "https://github.com/minimistjs/minimist/commits/v0.2.4", - "https://github.com/minimistjs/minimist/issues/11", - "https://github.com/minimistjs/minimist/pull/24", - "https://github.com/substack/minimist/blob/master/index.js#L69", - "https://github.com/substack/minimist/issues/164", - "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/issues/164" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/blob/master/index.js#L69" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - }, - { - "type": "advisory", - "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/issues/11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/pull/24" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" - }, - { - 
"type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" - } - ], - "risk_score": 0.74166, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "minimist", - "purl": "pkg:npm/minimist@1.2.5", - "version": "1.2.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=1.0.0,\u003c1.2.6 (semantic)", - "aliases": [ - "CVE-2021-44906" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-44906", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", - "description": "Prototype Pollution in minimist", - "epss": [ - { - "cve": "CVE-2021-44906", - "date": "2026-06-14", - "epss": 0.00789, - "percentile": 0.74384 - } - ], - "fix_available": [ - { - "date": "2022-03-24", - "kind": "first-observed", - "version": "1.2.6" - } - ], - "fix_state": "fixed", - "fixed_in": "1.2.6", - "fixed_versions": [ - "1.2.6" - ], - "id": "GHSA-xvch-5gv4-984h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: 
CVE-2021-44906", - "Fix available: upgrade to 1.2.6", - "Fix state: fixed", - "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", - "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", - "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", - "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", - "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", - "https://github.com/minimistjs/minimist/commits/v0.2.4", - "https://github.com/minimistjs/minimist/issues/11", - "https://github.com/minimistjs/minimist/pull/24", - "https://github.com/substack/minimist/blob/master/index.js#L69", - "https://github.com/substack/minimist/issues/164", - "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", - "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/issues/164" - }, - { - "type": "advisory", - "url": "https://github.com/substack/minimist/blob/master/index.js#L69" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" - }, - { - "type": "advisory", - "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" - }, - { - "type": "advisory", - "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/issues/11" - }, - { - "type": "advisory", - "url": 
"https://github.com/minimistjs/minimist/pull/24" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" - }, - { - "type": "advisory", - "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" - } - ], - "risk_score": 0.74166, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in minimist" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "minipass", - "purl": "pkg:npm/minipass@2.9.0", - "version": "2.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "mixin-deep", - "purl": "pkg:npm/mixin-deep@1.3.1", - "version": "1.3.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.3.2 (semantic)", - "aliases": [ - "CVE-2019-10746" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2019-10746", - "id": "CWE-88", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9", - "description": "Prototype Pollution in mixin-deep", - "epss": [ - { - "cve": "CVE-2019-10746", - "date": "2026-06-14", - "epss": 0.00734, - "percentile": 0.73306 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "1.3.2" - 
} - ], - "fix_state": "fixed", - "fixed_in": "1.3.2", - "fixed_versions": [ - "1.3.2" - ], - "id": "GHSA-fhjf-83wg-r2j9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-10746", - "Fix available: upgrade to 1.3.2", - "Fix state: fixed", - "https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9", - "https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10746", - "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212", - "https://www.npmjs.com/advisories/1013", - "https://www.oracle.com//security-alerts/cpujul2021.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10746" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MIXINDEEP-450212" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BFNIVG2XYFPZJY3DYYBJASZ7ZMKBMIJT/" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UXRA365KZCUNXMU3KDH5JN5BEPNIGUKC/" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1013" - }, - { - "type": "advisory", - "url": "https://www.oracle.com//security-alerts/cpujul2021.html" - }, - { - "type": "advisory", - "url": 
"https://github.com/jonschlinkert/mixin-deep/commit/8f464c8ce9761a8c9c2b3457eaeee9d404fa7af9" - }, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/mixin-deep/commit/90ee1fab375fccfd9b926df718243339b4976d50" - } - ], - "risk_score": 0.68996, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in mixin-deep" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mixin-object", - "purl": "pkg:npm/mixin-object@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mkdirp", - "purl": "pkg:npm/mkdirp@0.3.5", - "version": "0.3.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "mkdirp", - "purl": "pkg:npm/mkdirp@0.5.1", - "version": "0.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mkdirp", - "purl": "pkg:npm/mkdirp@0.5.5", - "version": "0.5.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "module-deps", - "purl": "pkg:npm/module-deps@4.1.1", - "version": "4.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "moment", - "purl": "pkg:npm/moment@2.15.1", - "version": "2.15.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.19.3 (semantic)", - "aliases": [ - "CVE-2017-18214" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-18214", - "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-446m-mv8f-q348", - "description": "Regular Expression Denial of Service in moment", - "epss": [ - { - "cve": "CVE-2017-18214", - "date": "2026-06-14", - "epss": 0.0023, - "percentile": 0.46143 - } - ], - 
"fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "2.19.3" - } - ], - "fix_state": "fixed", - "fixed_in": "2.19.3", - "fixed_versions": [ - "2.19.3" - ], - "id": "GHSA-446m-mv8f-q348", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-18214", - "Fix available: upgrade to 2.19.3", - "Fix state: fixed", - "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb", - "https://github.com/moment/moment/issues/4163", - "https://github.com/moment/moment/pull/4326", - "https://nvd.nist.gov/vuln/detail/CVE-2017-18214", - "https://www.npmjs.com/advisories/532", - "https://www.tenable.com/security/tns-2019-02" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-446m-mv8f-q348" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18214" - }, - { - "type": "advisory", - "url": "https://github.com/moment/moment/issues/4163" - }, - { - "type": "advisory", - "url": "https://github.com/moment/moment/pull/4326" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/532" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2019-02" - }, - { - "type": "advisory", - "url": "https://github.com/moment/moment/commit/69ed9d44957fa6ab12b73d2ae29d286a857b80eb" - } - ], - "risk_score": 0.1725, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in moment" - }, - { - "affected_version_range": "\u003c2.29.2 (semantic)", - "aliases": [ - "CVE-2022-24785" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-24785", - 
"id": "CWE-22", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-24785", - "id": "CWE-27", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2022-24785", - "id": "CWE-22", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-8hfj-j24r-96c4", - "description": "Path Traversal: 'dir/../../filename' in moment.locale", - "epss": [ - { - "cve": "CVE-2022-24785", - "date": "2026-06-14", - "epss": 0.01673, - "percentile": 0.82615 - } - ], - "fix_available": [ - { - "date": "2022-04-09", - "kind": "first-observed", - "version": "2.29.2" - } - ], - "fix_state": "fixed", - "fixed_in": "2.29.2", - "fixed_versions": [ - "2.29.2" - ], - "id": "GHSA-8hfj-j24r-96c4", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24785", - "Fix available: upgrade to 2.29.2", - "Fix state: fixed", - "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5", - "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24785", - 
"https://security.netapp.com/advisory/ntap-20220513-0006", - "https://security.netapp.com/advisory/ntap-20241108-0002", - "https://www.tenable.com/security/tns-2022-09" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8hfj-j24r-96c4" - }, - { - "type": "advisory", - "url": "https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24785" - }, - { - "type": "advisory", - "url": "https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2022-09" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20220513-0006" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 1.25475, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Path Traversal: 'dir/../../filename' in moment.locale" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mongodb-core", - "purl": 
"pkg:npm/mongodb-core@1.2.19", - "version": "1.2.19", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "mongodb", - "purl": "pkg:npm/mongodb@2.0.46", - "version": "2.0.46", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.1.13 (semantic)", - "data_source": "https://github.com/advisories/GHSA-mh5c-679w-hh4r", - "description": "Denial of Service in mongodb", - "fix_available": [ - { - "date": "2020-09-04", - "kind": "first-observed", - "version": "3.1.13" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.13", - "fixed_versions": [ - "3.1.13" - ], - "id": "GHSA-mh5c-679w-hh4r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 3.1.13", - "Fix state: fixed", - "https://www.npmjs.com/advisories/1203" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-mh5c-679w-hh4r" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1203" - } - ], - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Denial of Service in mongodb" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mongodb", - "purl": "pkg:npm/mongodb@3.5.9", - "version": "3.5.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "mongoose", - "purl": "pkg:npm/mongoose@4.2.4", - "version": "4.2.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c4.13.21 (semantic)", - "aliases": [ - "CVE-2019-17426" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-8687-vv9j-hgph", - "description": "Improper Input Validation in 
Automattic Mongoose", - "epss": [ - { - "cve": "CVE-2019-17426", - "date": "2026-06-14", - "epss": 0.00237, - "percentile": 0.47173 - } - ], - "fix_available": [ - { - "date": "2022-10-21", - "kind": "first-observed", - "version": "4.13.21" - } - ], - "fix_state": "fixed", - "fixed_in": "4.13.21", - "fixed_versions": [ - "4.13.21" - ], - "id": "GHSA-8687-vv9j-hgph", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2019-17426", - "Fix available: upgrade to 4.13.21", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c", - "https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e", - "https://github.com/Automattic/mongoose/commits/4.13.21", - "https://github.com/Automattic/mongoose/issues/8222", - "https://github.com/Automattic/mongoose/releases/tag/4.13.21", - "https://nvd.nist.gov/vuln/detail/CVE-2019-17426" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-8687-vv9j-hgph" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-17426" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/f3eca5b94d822225c04e96cbeed9f095afb3c31c" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/issues/8222" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commits/4.13.21" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/releases/tag/4.13.21" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/f88eb2524b65a68ff893c90a03c04f0913c1913e" - } - ], - "risk_score": 0.21448500000000004, - "severity": "critical", - "severity_source": "github:language:javascript", - 
"source": "grype", - "title": "Improper Input Validation in Automattic Mongoose" - }, - { - "affected_version_range": "\u003c5.13.20 (semantic)", - "aliases": [ - "CVE-2023-3696" - ], - "cvss": [ - { - "score": 10, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2023-3696", - "id": "CWE-1321", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9m93-w8w6-76hh", - "description": "Mongoose Prototype Pollution vulnerability", - "epss": [ - { - "cve": "CVE-2023-3696", - "date": "2026-06-14", - "epss": 0.00465, - "percentile": 0.64939 - } - ], - "fix_available": [ - { - "date": "2023-07-19", - "kind": "first-observed", - "version": "5.13.20" - } - ], - "fix_state": "fixed", - "fixed_in": "5.13.20", - "fixed_versions": [ - "5.13.20" - ], - "id": "GHSA-9m93-w8w6-76hh", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-3696", - "Fix available: upgrade to 5.13.20", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1", - "https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2", - "https://github.com/Automattic/mongoose/releases/tag/7.3.3", - "https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d", - "https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467", - "https://nvd.nist.gov/vuln/detail/CVE-2023-3696" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9m93-w8w6-76hh" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3696" - }, - { - "type": "advisory", - "url": 
"https://github.com/automattic/mongoose/commit/305ce4ff789261df7e3f6e72363d0703e025f80d" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/1eef5a72-f6ab-4f61-b31d-fc66f5b4b467" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/e29578d2ec18a68aeb4717d66dd5eb66bae53de1" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/f1efabf350522257364aa5c2cb36e441cf08f1a2" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/releases/tag/7.3.3" - } - ], - "risk_score": 0.44175, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Mongoose Prototype Pollution vulnerability" - }, - { - "affected_version_range": "\u003c5.13.15 (semantic)", - "aliases": [ - "CVE-2022-2564" - ], - "cvss": [ - { - "score": 7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-2564", - "id": "CWE-1321", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2022-2564", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-f825-f98c-gj3g", - "description": "automattic/mongoose vulnerable to Prototype pollution via Schema.path", - "epss": [ - { - "cve": "CVE-2022-2564", - "date": "2026-06-14", - "epss": 0.02927, - "percentile": 0.86774 - } - ], - "fix_available": [ - { - "date": "2022-08-26", - "kind": "first-observed", - "version": "5.13.15" - } - ], - "fix_state": "fixed", - "fixed_in": "5.13.15", - "fixed_versions": [ - "5.13.15" - ], - "id": "GHSA-f825-f98c-gj3g", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-2564", - "Fix available: upgrade to 
5.13.15", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141", - "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md", - "https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a", - "https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6", - "https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8", - "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2564" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-f825-f98c-gj3g" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2564" - }, - { - "type": "advisory", - "url": "https://github.com/automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/6.4.5...6.4.6" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/99b418941e2fc974199b8e5bd9d382bb50bf680a" - } - ], - "risk_score": 2.122075, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "automattic/mongoose vulnerable to Prototype pollution via Schema.path" - }, - { - "affected_version_range": "\u003c5.13.15 (semantic)", - "aliases": [ - "CVE-2022-24304" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-h8hf-x3f4-xwgp", - "description": "Mongoose Vulnerable to Prototype Pollution in Schema Object", - "fix_available": [ - { - "date": "2024-04-23", - "kind": "first-observed", - "version": "5.13.15" - } - ], - "fix_state": "fixed", - "fixed_in": "5.13.15", - "fixed_versions": [ - "5.13.15" - ], - "id": "GHSA-h8hf-x3f4-xwgp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24304", - "Fix available: upgrade to 5.13.15", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141", - "https://github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e", - "https://github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8", - "https://github.com/Automattic/mongoose/issues/12085", - "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd/", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24304" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-h8hf-x3f4-xwgp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24304" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/a45cfb6b0ce0067ae9794cfa80f7917e1fb3c6f8" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/blob/51e758541763b6f14569744ced15cc23ab8b50c6/lib/schema.js#L88-L141" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/issues/12085" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/6a197316564742c0422309e1b5fecfa4faec126e" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/055be524-9296-4b2f-b68d-6d5b810d1ddd/" - } - ], - 
"severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Mongoose Vulnerable to Prototype Pollution in Schema Object" - }, - { - "affected_version_range": "\u003e=3.6.0-rc0,\u003c5.13.23 (semantic)", - "aliases": [ - "CVE-2024-53900" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - }, - { - "score": 8.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-53900", - "id": "CWE-89", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-m7xq-9374-9rvx", - "description": "Mongoose search injection vulnerability", - "epss": [ - { - "cve": "CVE-2024-53900", - "date": "2026-06-14", - "epss": 0.64154, - "percentile": 0.98464 - } - ], - "fix_available": [ - { - "date": "2026-02-05", - "kind": "first-observed", - "version": "5.13.23" - } - ], - "fix_state": "fixed", - "fixed_in": "5.13.23", - "fixed_versions": [ - "5.13.23" - ], - "id": "GHSA-m7xq-9374-9rvx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-53900", - "Fix available: upgrade to 5.13.23", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md", - "https://github.com/Automattic/mongoose/commit/33679bcf8ca43d74e3e8ecd4cc224826772d805b", - "https://github.com/Automattic/mongoose/commit/bbb6fa7ecb44bbaf5bea955d886378a1247bce0b", - "https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156", - "https://github.com/Automattic/mongoose/compare/6.13.4...6.13.5", - "https://github.com/Automattic/mongoose/compare/7.8.2...7.8.3", - 
"https://github.com/Automattic/mongoose/compare/8.8.2...8.8.3", - "https://github.com/Automattic/mongoose/releases", - "https://github.com/github/advisory-database/pull/6769", - "https://github.com/github/advisory-database/pull/6776", - "https://nvd.nist.gov/vuln/detail/CVE-2024-53900", - "https://www.npmjs.com/package/mongoose?activeTab=versions" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-m7xq-9374-9rvx" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-53900" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/c9e86bff7eef477da75a29af62a06d41a835a156" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/releases" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/mongoose?activeTab=versions" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/33679bcf8ca43d74e3e8ecd4cc224826772d805b" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/6.13.4...6.13.5" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/7.8.2...7.8.3" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/8.8.2...8.8.3" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6769" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/6776" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/bbb6fa7ecb44bbaf5bea955d886378a1247bce0b" - } - ], - "risk_score": 53.728975, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Mongoose search injection vulnerability" - }, - { - "affected_version_range": "\u003e=4.0.0,\u003c=4.3.5 (semantic)", 
- "cvss": [ - { - "score": 5.1, - "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-r5xw-q988-826m", - "description": "Remote Memory Exposure in mongoose", - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "4.3.6" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.6", - "fixed_versions": [ - "4.3.6" - ], - "id": "GHSA-r5xw-q988-826m", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 4.3.6", - "Fix state: fixed", - "https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3", - "https://gist.github.com/ChALkeR/d4a8055625221b6e65f0", - "https://github.com/Automattic/mongoose/issues/3764", - "https://www.npmjs.com/advisories/599" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r5xw-q988-826m" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/issues/3764" - }, - { - "type": "advisory", - "url": "https://gist.github.com/ChALkeR/440bc3dfcbd9b6da75c3" - }, - { - "type": "advisory", - "url": "https://gist.github.com/ChALkeR/d4a8055625221b6e65f0" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/599" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Remote Memory Exposure in mongoose" - }, - { - "affected_version_range": "\u003c6.13.6 (semantic)", - "aliases": [ - "CVE-2025-23061" - ], - "cvss": [ - { - "score": 9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2025-23061", - "id": "CWE-94", - "source": "cve@mitre.org", - "type": "Secondary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-vg7j-7cwx-8wgw", - "description": "Mongoose search injection vulnerability", - "epss": [ - { - "cve": "CVE-2025-23061", - "date": "2026-06-14", - "epss": 0.71855, - "percentile": 0.98767 - } - ], - "fix_available": [ - { - "date": "2025-01-18", - "kind": "first-observed", - "version": "6.13.6" - } - ], - "fix_state": "fixed", - "fixed_in": "6.13.6", - "fixed_versions": [ - "6.13.6" - ], - "id": "GHSA-vg7j-7cwx-8wgw", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-23061", - "Fix available: upgrade to 6.13.6", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md", - "https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc", - "https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6", - "https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4", - "https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5", - "https://github.com/Automattic/mongoose/releases/tag/6.13.6", - "https://github.com/Automattic/mongoose/releases/tag/7.8.4", - "https://github.com/Automattic/mongoose/releases/tag/8.9.5", - "https://github.com/advisories/GHSA-m7xq-9374-9rvx", - "https://nvd.nist.gov/vuln/detail/CVE-2025-23061", - "https://www.npmjs.com/package/mongoose?activeTab=versions" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vg7j-7cwx-8wgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23061" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/commit/64a9f9706f2428c49e0cfb8e223065acc645f7bc" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/blob/master/CHANGELOG.md" - }, - { - "type": "advisory", - "url": 
"https://github.com/Automattic/mongoose/releases/tag/8.9.5" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/mongoose?activeTab=versions" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/6.13.5...6.13.6" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/7.8.3...7.8.4" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/compare/8.9.4...8.9.5" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/releases/tag/6.13.6" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/releases/tag/7.8.4" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-m7xq-9374-9rvx" - } - ], - "risk_score": 64.6695, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Mongoose search injection vulnerability" - }, - { - "affected_version_range": "\u003c6.13.9 (semantic)", - "aliases": [ - "CVE-2026-42334" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-42334", - "id": "CWE-74", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-wpg9-53fq-2r8h", - "description": "Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection", - "epss": [ - { - "cve": "CVE-2026-42334", - "date": "2026-06-14", - "epss": 0.00047, - "percentile": 0.15006 - } - ], - "fix_available": [ - { - "date": "2026-05-06", - "kind": "first-observed", - "version": "6.13.9" - } - ], - "fix_state": "fixed", - "fixed_in": "6.13.9", - "fixed_versions": [ - "6.13.9" - ], - "id": "GHSA-wpg9-53fq-2r8h", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - 
"status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-42334", - "Fix available: upgrade to 6.13.9", - "Fix state: fixed", - "https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h", - "https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()", - "https://nvd.nist.gov/vuln/detail/CVE-2026-42334", - "https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-wpg9-53fq-2r8h" - }, - { - "type": "advisory", - "url": "https://github.com/Automattic/mongoose/security/advisories/GHSA-wpg9-53fq-2r8h" - }, - { - "type": "advisory", - "url": "https://mongoosejs.com/docs/api/mongoose.html#Mongoose.prototype.sanitizeFilter()" - }, - { - "type": "advisory", - "url": "https://thecodebarbarian.com/whats-new-in-mongoose-6-sanitizefilter.html" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42334" - } - ], - "risk_score": 0.035250000000000004, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "morgan", - "purl": "pkg:npm/morgan@1.10.0", - "version": "1.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "mpath", - "purl": "pkg:npm/mpath@0.1.1", - "version": "0.1.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.5.1 (semantic)", - "aliases": [ - "CVE-2018-16490" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2018-16490", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2018-16490", - "id": "CWE-74", - "source": 
"nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-h466-j336-74wx", - "description": "Prototype Pollution in mpath", - "epss": [ - { - "cve": "CVE-2018-16490", - "date": "2026-06-14", - "epss": 0.00186, - "percentile": 0.40414 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.5.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.5.1", - "fixed_versions": [ - "0.5.1" - ], - "id": "GHSA-h466-j336-74wx", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2018-16490", - "Fix available: upgrade to 0.5.1", - "Fix state: fixed", - "https://hackerone.com/reports/390860", - "https://nvd.nist.gov/vuln/detail/CVE-2018-16490", - "https://www.npmjs.com/advisories/779" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-h466-j336-74wx" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16490" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/390860" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/779" - } - ], - "risk_score": 0.13949999999999999, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in mpath" - }, - { - "affected_version_range": "\u003c0.8.4 (semantic)", - "aliases": [ - "CVE-2021-23438" - ], - "cvss": [ - { - "score": 5.6, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-23438", - "id": "CWE-843", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p92x-r36w-9395", - "description": "Type confusion in mpath", - "epss": [ - { - "cve": 
"CVE-2021-23438", - "date": "2026-06-14", - "epss": 0.00518, - "percentile": 0.67281 - } - ], - "fix_available": [ - { - "date": "2021-09-03", - "kind": "first-observed", - "version": "0.8.4" - } - ], - "fix_state": "fixed", - "fixed_in": "0.8.4", - "fixed_versions": [ - "0.8.4" - ], - "id": "GHSA-p92x-r36w-9395", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23438", - "Fix available: upgrade to 0.8.4", - "Fix state: fixed", - "https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc", - "https://github.com/mongoosejs/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23438", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548", - "https://snyk.io/vuln/SNYK-JS-MPATH-1577289" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p92x-r36w-9395" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23438" - }, - { - "type": "advisory", - "url": "https://github.com/aheckmann/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-MPATH-1577289" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1579548" - }, - { - "type": "advisory", - "url": "https://github.com/mongoosejs/mpath/commit/89402d2880d4ea3518480a8c9847c541f2d824fc" - } - ], - "risk_score": 0.27454, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Type confusion in mpath" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mpromise", - "purl": "pkg:npm/mpromise@0.5.4", - "version": "0.5.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - 
"matched": true, - "name": "mquery", - "purl": "pkg:npm/mquery@1.6.3", - "version": "1.6.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c3.2.3 (semantic)", - "aliases": [ - "CVE-2020-35149" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-45q2-34rf-mr94", - "description": "Code Injection in mquery", - "epss": [ - { - "cve": "CVE-2020-35149", - "date": "2026-06-14", - "epss": 0.00259, - "percentile": 0.49696 - } - ], - "fix_available": [ - { - "date": "2020-12-19", - "kind": "first-observed", - "version": "3.2.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.2.3", - "fixed_versions": [ - "3.2.3" - ], - "id": "GHSA-45q2-34rf-mr94", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-35149", - "Fix available: upgrade to 3.2.3", - "Fix state: fixed", - "https://github.com/aheckmann/mquery/commit/792e69fd0a7281a0300be5cade5a6d7c1d468ad4", - "https://nvd.nist.gov/vuln/detail/CVE-2020-35149" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-45q2-34rf-mr94" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-35149" - }, - { - "type": "advisory", - "url": "https://github.com/aheckmann/mquery/commit/792e69fd0a7281a0300be5cade5a6d7c1d468ad4" - } - ], - "risk_score": 0.133385, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Code Injection in mquery" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ms", - "purl": "pkg:npm/ms@0.6.2", - "version": "0.6.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.7.1 (semantic)", - "aliases": [ - 
"CVE-2015-8315" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2015-8315", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2015-8315", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3fx5-fwvr-xrjg", - "description": "Regular Expression Denial of Service in ms", - "epss": [ - { - "cve": "CVE-2015-8315", - "date": "2026-06-14", - "epss": 0.0086, - "percentile": 0.75554 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.7.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.7.1", - "fixed_versions": [ - "0.7.1" - ], - "id": "GHSA-3fx5-fwvr-xrjg", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-8315", - "Fix available: upgrade to 0.7.1", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.securityfocus.com/bid/96389", - "https://nodesecurity.io/advisories/46", - "https://nvd.nist.gov/vuln/detail/CVE-2015-8315", - "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp%3Butm_medium=RSS", - "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp;utm_medium=RSS", - "https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3fx5-fwvr-xrjg" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8315" - }, - { - "type": "advisory", - "url": 
"https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp;utm_medium=RSS" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" - }, - { - "type": "advisory", - "url": "https://web.archive.org/web/20200227190911/http://www.securityfocus.com/bid/96389" - }, - { - "type": "advisory", - "url": "https://nodesecurity.io/advisories/46" - }, - { - "type": "advisory", - "url": "https://support.f5.com/csp/article/K46337613?utm_source=f5support\u0026amp%3Butm_medium=RSS" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/96389" - } - ], - "risk_score": 0.645, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in ms" - }, - { - "affected_version_range": "\u003c2.0.0 (semantic)", - "aliases": [ - "CVE-2017-20162" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", - "description": "Vercel ms Inefficient Regular Expression Complexity vulnerability", - "epss": [ - { - "cve": "CVE-2017-20162", - "date": "2026-06-14", - "epss": 0.00353, - "percentile": 0.58183 - } - ], - "fix_available": [ - { - "date": "2023-01-11", - "kind": "first-observed", - "version": "2.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.0.0", - "fixed_versions": [ - "2.0.0" - ], - "id": "GHSA-w9mr-4mfr-499f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: 
CVE-2017-20162", - "Fix available: upgrade to 2.0.0", - "Fix state: fixed", - "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", - "https://github.com/vercel/ms/pull/89", - "https://github.com/vercel/ms/releases/tag/2.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2017-20162", - "https://security.netapp.com/advisory/ntap-20241108-0002", - "https://vuldb.com/?ctiid.217451", - "https://vuldb.com/?id.217451" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20162" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/pull/89" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/releases/tag/2.0.0" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?ctiid.217451" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.217451" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 0.181795, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ms", - "purl": "pkg:npm/ms@0.7.1", - "version": "0.7.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.0.0 (semantic)", - "aliases": [ - "CVE-2017-20162" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - 
"data_source": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", - "description": "Vercel ms Inefficient Regular Expression Complexity vulnerability", - "epss": [ - { - "cve": "CVE-2017-20162", - "date": "2026-06-14", - "epss": 0.00353, - "percentile": 0.58183 - } - ], - "fix_available": [ - { - "date": "2023-01-11", - "kind": "first-observed", - "version": "2.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.0.0", - "fixed_versions": [ - "2.0.0" - ], - "id": "GHSA-w9mr-4mfr-499f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-20162", - "Fix available: upgrade to 2.0.0", - "Fix state: fixed", - "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", - "https://github.com/vercel/ms/pull/89", - "https://github.com/vercel/ms/releases/tag/2.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2017-20162", - "https://security.netapp.com/advisory/ntap-20241108-0002", - "https://vuldb.com/?ctiid.217451", - "https://vuldb.com/?id.217451" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w9mr-4mfr-499f" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20162" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/pull/89" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/releases/tag/2.0.0" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?ctiid.217451" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.217451" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 0.181795, - "severity": "medium", - "severity_source": 
"github:language:javascript", - "source": "grype", - "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "ms", - "purl": "pkg:npm/ms@0.7.3", - "version": "0.7.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.0.0 (semantic)", - "aliases": [ - "CVE-2017-20162" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "cna@vuldb.com", - "type": "Secondary" - }, - { - "cve": "CVE-2017-20162", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w9mr-4mfr-499f", - "description": "Vercel ms Inefficient Regular Expression Complexity vulnerability", - "epss": [ - { - "cve": "CVE-2017-20162", - "date": "2026-06-14", - "epss": 0.00353, - "percentile": 0.58183 - } - ], - "fix_available": [ - { - "date": "2023-01-11", - "kind": "first-observed", - "version": "2.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "2.0.0", - "fixed_versions": [ - "2.0.0" - ], - "id": "GHSA-w9mr-4mfr-499f", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-20162", - "Fix available: upgrade to 2.0.0", - "Fix state: fixed", - "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662", - "https://github.com/vercel/ms/pull/89", - "https://github.com/vercel/ms/releases/tag/2.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2017-20162", - "https://security.netapp.com/advisory/ntap-20241108-0002", - "https://vuldb.com/?ctiid.217451", - "https://vuldb.com/?id.217451" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-w9mr-4mfr-499f" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-20162" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/pull/89" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/commit/caae2988ba2a37765d055c4eee63d383320ee662" - }, - { - "type": "advisory", - "url": "https://github.com/vercel/ms/releases/tag/2.0.0" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?ctiid.217451" - }, - { - "type": "advisory", - "url": "https://vuldb.com/?id.217451" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" - } - ], - "risk_score": 0.181795, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Vercel ms Inefficient Regular Expression Complexity vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ms", - "purl": "pkg:npm/ms@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ms", - "purl": "pkg:npm/ms@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ms", - "purl": "pkg:npm/ms@2.1.2", - "version": "2.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ms", - "purl": "pkg:npm/ms@2.1.3", - "version": "2.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "muri", - "purl": "pkg:npm/muri@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mute-stream", - "purl": "pkg:npm/mute-stream@0.0.7", - "version": "0.0.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mysql", - "purl": "pkg:npm/mysql@2.18.1", - "version": "2.18.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "mz", - "purl": 
"pkg:npm/mz@2.7.0", - "version": "2.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nan", - "purl": "pkg:npm/nan@2.10.0", - "version": "2.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "nanomatch", - "purl": "pkg:npm/nanomatch@1.2.9", - "version": "1.2.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "nconf", - "purl": "pkg:npm/nconf@0.10.0", - "version": "0.10.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.11.4 (semantic)", - "aliases": [ - "CVE-2022-21803" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-21803", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6xwr-q98w-rvg7", - "description": "Prototype Pollution in nconf", - "epss": [ - { - "cve": "CVE-2022-21803", - "date": "2026-06-14", - "epss": 0.00636, - "percentile": 0.71007 - } - ], - "fix_available": [ - { - "date": "2022-04-27", - "kind": "first-observed", - "version": "0.11.4" - } - ], - "fix_state": "fixed", - "fixed_in": "0.11.4", - "fixed_versions": [ - "0.11.4" - ], - "id": "GHSA-6xwr-q98w-rvg7", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-21803", - "Fix available: upgrade to 0.11.4", - "Fix state: fixed", - "https://github.com/indexzero/nconf/pull/397", - "https://github.com/indexzero/nconf/releases/tag/v0.11.4", - "https://nvd.nist.gov/vuln/detail/CVE-2022-21803", - "https://snyk.io/vuln/SNYK-JS-NCONF-2395478" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-6xwr-q98w-rvg7" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21803" - }, - { - "type": "advisory", - "url": "https://github.com/indexzero/nconf/pull/397" - }, - { - "type": "advisory", - "url": "https://github.com/indexzero/nconf/releases/tag/v0.11.4" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-NCONF-2395478" - } - ], - "risk_score": 0.47064000000000006, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution in nconf" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "needle", - "purl": "pkg:npm/needle@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "needle", - "purl": "pkg:npm/needle@2.4.0", - "version": "2.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "negotiator", - "purl": "pkg:npm/negotiator@0.2.8", - "version": "0.2.8", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.6.1 (semantic)", - "aliases": [ - "CVE-2016-10539" - ], - "cwes": [ - { - "cve": "CVE-2016-10539", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2016-10539", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3", - "description": "Regular Expression Denial of Service in negotiator", - "epss": [ - { - "cve": "CVE-2016-10539", - "date": "2026-06-14", - "epss": 0.00328, - "percentile": 0.56221 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.6.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.6.1", - "fixed_versions": [ - "0.6.1" - ], - "id": "GHSA-7mc5-chhp-fmc3", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - 
"analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-10539", - "Fix available: upgrade to 0.6.1", - "Fix state: fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2016-10539", - "https://www.npmjs.com/advisories/106" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10539" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/106" - } - ], - "risk_score": 0.246, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in negotiator" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "negotiator", - "purl": "pkg:npm/negotiator@0.4.9", - "version": "0.4.9", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.6.1 (semantic)", - "aliases": [ - "CVE-2016-10539" - ], - "cwes": [ - { - "cve": "CVE-2016-10539", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2016-10539", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3", - "description": "Regular Expression Denial of Service in negotiator", - "epss": [ - { - "cve": "CVE-2016-10539", - "date": "2026-06-14", - "epss": 0.00328, - "percentile": 0.56221 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.6.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.6.1", - "fixed_versions": [ - "0.6.1" - ], - "id": "GHSA-7mc5-chhp-fmc3", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - 
}, - "reasons": [ - "Also known as: CVE-2016-10539", - "Fix available: upgrade to 0.6.1", - "Fix state: fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2016-10539", - "https://www.npmjs.com/advisories/106" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10539" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/106" - } - ], - "risk_score": 0.246, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in negotiator" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "negotiator", - "purl": "pkg:npm/negotiator@0.5.3", - "version": "0.5.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.6.1 (semantic)", - "aliases": [ - "CVE-2016-10539" - ], - "cwes": [ - { - "cve": "CVE-2016-10539", - "id": "CWE-400", - "source": "support@hackerone.com", - "type": "Secondary" - }, - { - "cve": "CVE-2016-10539", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3", - "description": "Regular Expression Denial of Service in negotiator", - "epss": [ - { - "cve": "CVE-2016-10539", - "date": "2026-06-14", - "epss": 0.00328, - "percentile": 0.56221 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "0.6.1" - } - ], - "fix_state": "fixed", - "fixed_in": "0.6.1", - "fixed_versions": [ - "0.6.1" - ], - "id": "GHSA-7mc5-chhp-fmc3", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2016-10539", - "Fix available: upgrade to 0.6.1", - "Fix state: 
fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2016-10539", - "https://www.npmjs.com/advisories/106" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7mc5-chhp-fmc3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10539" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/106" - } - ], - "risk_score": 0.246, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in negotiator" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "netmask", - "purl": "pkg:npm/netmask@1.0.6", - "version": "1.0.6", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.0 (semantic)", - "aliases": [ - "CVE-2021-28918" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-28918", - "id": "CWE-704", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc", - "description": "Improper parsing of octal bytes in netmask", - "epss": [ - { - "cve": "CVE-2021-28918", - "date": "2026-06-14", - "epss": 0.85896, - "percentile": 0.99409 - } - ], - "fix_available": [ - { - "date": "2021-04-15", - "kind": "first-observed", - "version": "1.1.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.0", - "fixed_versions": [ - "1.1.0" - ], - "id": "GHSA-4c7m-wxvm-r7gc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-28918", - "Fix available: upgrade to 1.1.0", - "Fix state: fixed", - "https://github.com/advisories/GHSA-pch5-whg9-qr2r", - 
"https://github.com/rs/node-netmask/blob/98294cb20695f2c6c36219a4fbcd4744fb8d0682/CHANGELOG.md#v110-mar-18-2021", - "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md", - "https://nvd.nist.gov/vuln/detail/CVE-2021-28918", - "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/", - "https://security.netapp.com/advisory/ntap-20210528-0010/", - "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/", - "https://www.npmjs.com/package/netmask" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28918" - }, - { - "type": "advisory", - "url": "https://github.com/rs/node-netmask/blob/98294cb20695f2c6c36219a4fbcd4744fb8d0682/CHANGELOG.md#v110-mar-18-2021" - }, - { - "type": "advisory", - "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md" - }, - { - "type": "advisory", - "url": "https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/netmask" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210528-0010/" - }, - { - "type": "advisory", - "url": "https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/" - } - ], - "risk_score": 77.73588000000001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Improper parsing of octal bytes in netmask" - }, - { - "affected_version_range": "\u003c2.0.1 (semantic)", - "aliases": [ - "CVE-2021-29418" - ], - "cvss": [ - { - "score": 5.3, - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2021-29418", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pch5-whg9-qr2r", - "description": "netmask npm package mishandles octal input data", - "epss": [ - { - "cve": "CVE-2021-29418", - "date": "2026-06-14", - "epss": 0.00023, - "percentile": 0.06623 - } - ], - "fix_available": [ - { - "date": "2021-03-30", - "kind": "first-observed", - "version": "2.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "2.0.1", - "fixed_versions": [ - "2.0.1" - ], - "id": "GHSA-pch5-whg9-qr2r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-29418", - "Fix available: upgrade to 2.0.1", - "Fix state: fixed", - "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4", - "https://nvd.nist.gov/vuln/detail/CVE-2021-29418", - "https://security.netapp.com/advisory/ntap-20210604-0001/", - "https://sick.codes/sick-2021-011", - "https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/", - "https://vuln.ryotak.me/advisories/6", - "https://www.npmjs.com/package/netmask" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" - }, - { - "type": "advisory", - "url": "https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4" - }, - { - "type": "advisory", - "url": "https://sick.codes/sick-2021-011" - }, - { - "type": "advisory", - "url": 
"https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/netmask" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29418" - }, - { - "type": "advisory", - "url": "https://vuln.ryotak.me/advisories/6" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20210604-0001/" - } - ], - "risk_score": 0.011845000000000001, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "netmask npm package mishandles octal input data" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nice-try", - "purl": "pkg:npm/nice-try@1.0.5", - "version": "1.0.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nodemon", - "purl": "pkg:npm/nodemon@2.0.7", - "version": "2.0.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nopt", - "purl": "pkg:npm/nopt@1.0.10", - "version": "1.0.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nopt", - "purl": "pkg:npm/nopt@2.2.1", - "version": "2.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-2-Clause" - } - ], - "name": "normalize-package-data", - "purl": "pkg:npm/normalize-package-data@2.4.0", - "version": "2.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "normalize-path", - "purl": "pkg:npm/normalize-path@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "normalize-url", - "purl": "pkg:npm/normalize-url@3.3.0", - "version": "3.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": 
"normalize-url", - "purl": "pkg:npm/normalize-url@4.5.1", - "version": "4.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "npm-run-path", - "purl": "pkg:npm/npm-run-path@2.0.2", - "version": "2.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "npmconf", - "purl": "pkg:npm/npmconf@0.0.24", - "version": "0.0.24", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.1.3 (semantic)", - "data_source": "https://github.com/advisories/GHSA-57cf-349j-352g", - "description": "Out-of-bounds Read in npmconf", - "fix_available": [ - { - "date": "2020-09-12", - "kind": "first-observed", - "version": "2.1.3" - } - ], - "fix_state": "fixed", - "fixed_in": "2.1.3", - "fixed_versions": [ - "2.1.3" - ], - "id": "GHSA-57cf-349j-352g", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Fix available: upgrade to 2.1.3", - "Fix state: fixed", - "https://hackerone.com/reports/320269", - "https://www.npmjs.com/advisories/653" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-57cf-349j-352g" - }, - { - "type": "advisory", - "url": "https://hackerone.com/reports/320269" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/653" - } - ], - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Out-of-bounds Read in npmconf" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "number-is-nan", - "purl": "pkg:npm/number-is-nan@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "nyc", - "purl": "pkg:npm/nyc@11.9.0", - "version": "11.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - 
"name": "oauth-sign", - "purl": "pkg:npm/oauth-sign@0.9.0", - "version": "0.9.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object-assign", - "purl": "pkg:npm/object-assign@4.1.1", - "version": "4.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object-copy", - "purl": "pkg:npm/object-copy@0.1.0", - "version": "0.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "object-hash", - "purl": "pkg:npm/object-hash@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object-visit", - "purl": "pkg:npm/object-visit@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "object.pick", - "purl": "pkg:npm/object.pick@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "on-finished", - "purl": "pkg:npm/on-finished@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "on-finished", - "purl": "pkg:npm/on-finished@2.2.1", - "version": "2.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "on-finished", - "purl": "pkg:npm/on-finished@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "on-headers", - "purl": "pkg:npm/on-headers@1.0.2", - "version": "1.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1.0 (semantic)", - "aliases": [ - "CVE-2025-7339" - ], - "cvss": [ - { - "score": 3.4, - "vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": 
"CVE-2025-7339", - "id": "CWE-241", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-76c9-3jph-rj3q", - "description": "on-headers is vulnerable to http response header manipulation", - "epss": [ - { - "cve": "CVE-2025-7339", - "date": "2026-06-14", - "epss": 0.00036, - "percentile": 0.11278 - } - ], - "fix_available": [ - { - "date": "2025-07-18", - "kind": "first-observed", - "version": "1.1.0" - } - ], - "fix_state": "fixed", - "fixed_in": "1.1.0", - "fixed_versions": [ - "1.1.0" - ], - "id": "GHSA-76c9-3jph-rj3q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-7339", - "Fix available: upgrade to 1.1.0", - "Fix state: fixed", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/expressjs/morgan/issues/315", - "https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867", - "https://github.com/jshttp/on-headers/issues/15", - "https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q", - "https://nvd.nist.gov/vuln/detail/CVE-2025-7339" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-76c9-3jph-rj3q" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7339" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/morgan/issues/315" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/on-headers/issues/15" - }, - { - "type": "advisory", - "url": "https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867" - }, - { - "type": "advisory", - "url": 
"https://cna.openjsf.org/security-advisories.html" - } - ], - "risk_score": 0.011519999999999999, - "severity": "low", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "on-headers is vulnerable to http response header manipulation" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "once", - "purl": "pkg:npm/once@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "once", - "purl": "pkg:npm/once@1.4.0", - "version": "1.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "onetime", - "purl": "pkg:npm/onetime@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "opener", - "purl": "pkg:npm/opener@1.5.1", - "version": "1.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "opn", - "purl": "pkg:npm/opn@5.5.0", - "version": "5.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT/X11" - } - ], - "name": "optimist", - "purl": "pkg:npm/optimist@0.6.1", - "version": "0.6.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "optional", - "purl": "pkg:npm/optional@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "optionator", - "purl": "pkg:npm/optionator@0.8.3", - "version": "0.8.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "os-browserify", - "purl": "pkg:npm/os-browserify@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "os-homedir", - "purl": "pkg:npm/os-homedir@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - 
"name": "os-locale", - "purl": "pkg:npm/os-locale@1.4.0", - "version": "1.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "os-locale", - "purl": "pkg:npm/os-locale@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "os-name", - "purl": "pkg:npm/os-name@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "os-tmpdir", - "purl": "pkg:npm/os-tmpdir@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "osenv", - "purl": "pkg:npm/osenv@0.0.3", - "version": "0.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "own-or-env", - "purl": "pkg:npm/own-or-env@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "own-or", - "purl": "pkg:npm/own-or@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "p-cancelable", - "purl": "pkg:npm/p-cancelable@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "p-finally", - "purl": "pkg:npm/p-finally@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "p-limit", - "purl": "pkg:npm/p-limit@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "p-limit", - "purl": "pkg:npm/p-limit@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "p-locate", - "purl": "pkg:npm/p-locate@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - 
"ecosystem": "npm", - "licenses": [], - "name": "p-locate", - "purl": "pkg:npm/p-locate@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "p-locate", - "purl": "pkg:npm/p-locate@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "p-map", - "purl": "pkg:npm/p-map@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "p-try", - "purl": "pkg:npm/p-try@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "p-try", - "purl": "pkg:npm/p-try@2.2.0", - "version": "2.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pac-proxy-agent", - "purl": "pkg:npm/pac-proxy-agent@3.0.1", - "version": "3.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "pac-resolver", - "purl": "pkg:npm/pac-resolver@3.0.0", - "version": "3.0.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c5.0.0 (semantic)", - "aliases": [ - "CVE-2021-23406" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm", - "description": "Code Injection in pac-resolver", - "epss": [ - { - "cve": "CVE-2021-23406", - "date": "2026-06-14", - "epss": 0.00999, - "percentile": 0.77481 - } - ], - "fix_available": [ - { - "date": "2021-09-03", - "kind": "first-observed", - "version": "5.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "5.0.0", - "fixed_versions": [ - "5.0.0" - ], - "id": "GHSA-9j49-mfvp-vmhm", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": 
"unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23406", - "Fix available: upgrade to 5.0.0", - "Fix state: fixed", - "https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e", - "https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5", - "https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23406", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506", - "https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23406" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5" - }, - { - "type": "advisory", - "url": "https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857" - } - ], - "risk_score": 0.7792200000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Code Injection in pac-resolver" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "package-json", - "purl": "pkg:npm/package-json@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "package-json", - "purl": "pkg:npm/package-json@6.5.0", - "version": "6.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pako", - "purl": "pkg:npm/pako@0.2.9", - "version": "0.2.9", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pako", - "purl": "pkg:npm/pako@1.0.10", - "version": "1.0.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parent-require", - "purl": "pkg:npm/parent-require@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parents", - "purl": "pkg:npm/parents@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parse-asn1", - "purl": "pkg:npm/parse-asn1@5.1.4", - "version": "5.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "parse-json", - "purl": "pkg:npm/parse-json@2.2.0", - "version": "2.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "parse-path", - "purl": "pkg:npm/parse-path@4.0.1", - "version": "4.0.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c5.0.0 (semantic)", - "aliases": [ - "CVE-2022-0624" - ], - "cvss": [ - { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-0624", - "id": "CWE-639", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3j8f-xvm3-ffx4", - "description": "Authorization Bypass in parse-path", - "epss": [ - { - "cve": "CVE-2022-0624", - "date": "2026-06-14", - "epss": 0.00159, - "percentile": 0.36813 - } - ], - "fix_available": [ - { - "date": "2022-07-06", - "kind": "first-observed", - "version": "5.0.0" - } - ], - "fix_state": "fixed", - "fixed_in": "5.0.0", - "fixed_versions": [ - "5.0.0" - ], - "id": "GHSA-3j8f-xvm3-ffx4", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", 
- "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-0624", - "Fix available: upgrade to 5.0.0", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42840e8", - "https://huntr.dev/bounties/afffb2bd-fb06-4144-829e-ecbbcbc85388", - "https://nvd.nist.gov/vuln/detail/CVE-2022-0624" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3j8f-xvm3-ffx4" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0624" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-path/commit/f9ad8856a3c8ae18e1cf4caef5edbabbc42840e8" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/afffb2bd-fb06-4144-829e-ecbbcbc85388" - } - ], - "risk_score": 0.11766000000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Authorization Bypass in parse-path" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "parse-url", - "purl": "pkg:npm/parse-url@5.0.1", - "version": "5.0.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.0.1 (semantic)", - "aliases": [ - "CVE-2022-0722" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-0722", - "id": "CWE-200", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4p35-cfcx-8653", - "description": "Hostname confusion in parse-url", - "epss": [ - { - "cve": "CVE-2022-0722", - "date": "2026-06-14", - "epss": 0.00301, - "percentile": 0.53968 - } - ], - "fix_available": [ - { - "date": "2022-07-06", - "kind": "first-observed", - "version": "6.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.1", - "fixed_versions": [ - "6.0.1" - ], - "id": "GHSA-4p35-cfcx-8653", - 
"namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-0722", - "Fix available: upgrade to 6.0.1", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3", - "https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226", - "https://nvd.nist.gov/vuln/detail/CVE-2022-0722" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4p35-cfcx-8653" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0722" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/2490ef6d-5577-4714-a4dd-9608251b4226" - } - ], - "risk_score": 0.22575, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Hostname confusion in parse-url" - }, - { - "affected_version_range": "\u003c6.0.1 (semantic)", - "aliases": [ - "CVE-2022-2216" - ], - "cvss": [ - { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-2216", - "id": "CWE-918", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-7f3x-x4pr-wqhj", - "description": "Server-Side Request Forgery in parse-url", - "epss": [ - { - "cve": "CVE-2022-2216", - "date": "2026-06-14", - "epss": 0.00318, - "percentile": 0.55437 - } - ], - "fix_available": [ - { - "date": "2022-07-06", - "kind": "first-observed", - "version": "6.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.1", - "fixed_versions": [ - "6.0.1" - ], - "id": "GHSA-7f3x-x4pr-wqhj", - "namespace": 
"github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-2216", - "Fix available: upgrade to 6.0.1", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3", - "https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2216" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-7f3x-x4pr-wqhj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2216" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/505a3d39-2723-4a06-b1f7-9b2d133c92e1" - } - ], - "risk_score": 0.29892, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Server-Side Request Forgery in parse-url" - }, - { - "affected_version_range": "\u003c8.1.0 (semantic)", - "aliases": [ - "CVE-2022-2900" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-2900", - "id": "CWE-918", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2022-2900", - "id": "CWE-918", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-j9fq-vwqv-2fm2", - "description": "Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url", - "epss": [ - { - "cve": "CVE-2022-2900", - "date": "2026-06-14", - "epss": 0.00432, - "percentile": 0.63191 - } - ], - "fix_available": [ - { - "date": "2022-09-16", - "kind": "first-observed", - "version": "8.1.0" - } - ], - 
"fix_state": "fixed", - "fixed_in": "8.1.0", - "fixed_versions": [ - "8.1.0" - ], - "id": "GHSA-j9fq-vwqv-2fm2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-2900", - "Fix available: upgrade to 8.1.0", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/b88c81df8f4c5168af454eaa4f92afa9349e4e13", - "https://huntr.dev/bounties/1b4c972a-abc8-41eb-a2e1-696db746b5fd", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2900" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-j9fq-vwqv-2fm2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2900" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/b88c81df8f4c5168af454eaa4f92afa9349e4e13" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/1b4c972a-abc8-41eb-a2e1-696db746b5fd" - } - ], - "risk_score": 0.39096000000000003, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url" - }, - { - "affected_version_range": "\u003c6.0.1 (semantic)", - "aliases": [ - "CVE-2022-2218" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-2218", - "id": "CWE-79", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-jpp7-7chh-cf67", - "description": "Cross site scripting in parse-url", - "epss": [ - { - "cve": "CVE-2022-2218", - "date": "2026-06-14", - "epss": 0.00322, - "percentile": 0.55768 - } - ], - "fix_available": [ - { - "date": "2022-07-06", - "kind": "first-observed", - 
"version": "6.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.1", - "fixed_versions": [ - "6.0.1" - ], - "id": "GHSA-jpp7-7chh-cf67", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-2218", - "Fix available: upgrade to 6.0.1", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3", - "https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2218" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-jpp7-7chh-cf67" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2218" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/024912d3-f103-4daf-a1d0-567f4d9f2bf5" - } - ], - "risk_score": 0.17871, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Cross site scripting in parse-url" - }, - { - "affected_version_range": "\u003c8.1.0 (semantic)", - "aliases": [ - "CVE-2022-3224" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-3224", - "id": "CWE-115", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-pqw5-jmp5-px4v", - "description": "parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing", - "epss": [ - { - "cve": "CVE-2022-3224", - "date": "2026-06-14", - "epss": 0.00342, - "percentile": 0.5735 - } - ], - "fix_available": [ - { - "date": "2022-09-18", - "kind": 
"first-observed", - "version": "8.1.0" - } - ], - "fix_state": "fixed", - "fixed_in": "8.1.0", - "fixed_versions": [ - "8.1.0" - ], - "id": "GHSA-pqw5-jmp5-px4v", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-3224", - "Fix available: upgrade to 8.1.0", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/9cacf38de02db0fb1358bd6ec04543e523cd6a8e", - "https://huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62", - "https://nvd.nist.gov/vuln/detail/CVE-2022-3224" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-pqw5-jmp5-px4v" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3224" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/9cacf38de02db0fb1358bd6ec04543e523cd6a8e" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/3587a567-7fcd-4702-b7c9-d9ca565e3c62" - } - ], - "risk_score": 0.18980999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing" - }, - { - "affected_version_range": "\u003c6.0.1 (semantic)", - "aliases": [ - "CVE-2022-2217" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-2217", - "id": "CWE-79", - "source": "security@huntr.dev", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-q6wq-5p59-983w", - "description": "Cross site scripting in parse-url", - "epss": [ - { - "cve": "CVE-2022-2217", - "date": "2026-06-14", - "epss": 0.00294, - "percentile": 0.53242 - } - ], - "fix_available": [ - { - 
"date": "2022-07-06", - "kind": "first-observed", - "version": "6.0.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.1", - "fixed_versions": [ - "6.0.1" - ], - "id": "GHSA-q6wq-5p59-983w", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-2217", - "Fix available: upgrade to 6.0.1", - "Fix state: fixed", - "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3", - "https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b", - "https://nvd.nist.gov/vuln/detail/CVE-2022-2217" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-q6wq-5p59-983w" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2217" - }, - { - "type": "advisory", - "url": "https://github.com/ionicabizau/parse-url/commit/21c72ab9412228eea753e2abc48f8962707b1fe3" - }, - { - "type": "advisory", - "url": "https://huntr.dev/bounties/4e046c63-b1ca-4bcc-b418-29796918a71b" - } - ], - "risk_score": 0.16316999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Cross site scripting in parse-url" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parse5-htmlparser2-tree-adapter", - "purl": "pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1", - "version": "5.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parse5", - "purl": "pkg:npm/parse5@5.1.1", - "version": "5.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "parseurl", - "purl": "pkg:npm/parseurl@1.3.3", - "version": "1.3.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pascalcase", - 
"purl": "pkg:npm/pascalcase@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "path-browserify", - "purl": "pkg:npm/path-browserify@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-exists", - "purl": "pkg:npm/path-exists@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-exists", - "purl": "pkg:npm/path-exists@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "path-exists", - "purl": "pkg:npm/path-exists@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-is-absolute", - "purl": "pkg:npm/path-is-absolute@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "path-is-inside", - "purl": "pkg:npm/path-is-inside@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-key", - "purl": "pkg:npm/path-key@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "matched": true, - "name": "path-parse", - "purl": "pkg:npm/path-parse@1.0.5", - "version": "1.0.5", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.0.7 (semantic)", - "aliases": [ - "CVE-2021-23343" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-hj48-42vr-x3v9", - "description": "Regular Expression Denial of Service in path-parse", - 
"epss": [ - { - "cve": "CVE-2021-23343", - "date": "2026-06-14", - "epss": 0.00349, - "percentile": 0.57945 - } - ], - "fix_available": [ - { - "date": "2021-08-11", - "kind": "first-observed", - "version": "1.0.7" - } - ], - "fix_state": "fixed", - "fixed_in": "1.0.7", - "fixed_versions": [ - "1.0.7" - ], - "id": "GHSA-hj48-42vr-x3v9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23343", - "Fix available: upgrade to 1.0.7", - "Fix state: fixed", - "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", - "https://github.com/jbgutierrez/path-parse/issues/8", - "https://github.com/jbgutierrez/path-parse/pull/10", - "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", - "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hj48-42vr-x3v9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343" - }, - { - "type": "advisory", - "url": "https://github.com/jbgutierrez/path-parse/issues/8" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/jbgutierrez/path-parse/pull/10" - }, - { - "type": "advisory", - "url": 
"https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7" - } - ], - "risk_score": 0.179735, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in path-parse" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "path-parse", - "purl": "pkg:npm/path-parse@1.0.6", - "version": "1.0.6", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.0.7 (semantic)", - "aliases": [ - "CVE-2021-23343" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "data_source": "https://github.com/advisories/GHSA-hj48-42vr-x3v9", - "description": "Regular Expression Denial of Service in path-parse", - "epss": [ - { - "cve": "CVE-2021-23343", - "date": "2026-06-14", - "epss": 0.00349, - "percentile": 0.57945 - } - ], - "fix_available": [ - { - "date": "2021-08-11", - "kind": "first-observed", - "version": "1.0.7" - } - ], - "fix_state": "fixed", - "fixed_in": "1.0.7", - "fixed_versions": [ - "1.0.7" - ], - "id": "GHSA-hj48-42vr-x3v9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2021-23343", - "Fix available: upgrade to 1.0.7", - "Fix state: fixed", - "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7", - "https://github.com/jbgutierrez/path-parse/issues/8", - "https://github.com/jbgutierrez/path-parse/pull/10", - "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23343", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028", - "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" - ], 
- "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hj48-42vr-x3v9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23343" - }, - { - "type": "advisory", - "url": "https://github.com/jbgutierrez/path-parse/issues/8" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1279028" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-PATHPARSE-1077067" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r6a32cb3eda3b19096ad48ef1e7aa8f26e005f2f63765abb69ce08b85@%3Cdev.myfaces.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://github.com/jbgutierrez/path-parse/pull/10" - }, - { - "type": "advisory", - "url": "https://github.com/jbgutierrez/path-parse/commit/eca63a7b9a473bf6978a2f5b7b3343662d1506f7" - } - ], - "risk_score": 0.179735, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Regular Expression Denial of Service in path-parse" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "path-platform", - "purl": "pkg:npm/path-platform@0.11.15", - "version": "0.11.15", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "path-to-regexp", - "purl": "pkg:npm/path-to-regexp@0.1.3", - "version": "0.1.3", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.1.13 (semantic)", - "aliases": [ - "CVE-2026-4867" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-4867", - "id": "CWE-1333", - "source": "ce714d77-add3-4f53-aff5-83d477b104bb", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-37ch-88jc-xwx2", - "description": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters", - "epss": [ - { - "cve": 
"CVE-2026-4867", - "date": "2026-06-14", - "epss": 0.00018, - "percentile": 0.05025 - } - ], - "fix_available": [ - { - "date": "2026-03-28", - "kind": "first-observed", - "version": "0.1.13" - } - ], - "fix_state": "fixed", - "fixed_in": "0.1.13", - "fixed_versions": [ - "0.1.13" - ], - "id": "GHSA-37ch-88jc-xwx2", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-4867", - "Fix available: upgrade to 0.1.13", - "Fix state: fixed", - "https://blakeembrey.com/posts/2024-09-web-redos", - "https://cna.openjsf.org/security-advisories.html", - "https://github.com/advisories/GHSA-9wv6-86v2-598j", - "https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13", - "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2", - "https://nvd.nist.gov/vuln/detail/CVE-2026-4867" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-37ch-88jc-xwx2" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-37ch-88jc-xwx2" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4867" - }, - { - "type": "advisory", - "url": "https://blakeembrey.com/posts/2024-09-web-redos" - }, - { - "type": "advisory", - "url": "https://cna.openjsf.org/security-advisories.html" - }, - { - "type": "advisory", - "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/releases/tag/v.0.1.13" - } - ], - "risk_score": 0.0135, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters" - }, - { - "affected_version_range": 
"\u003c0.1.10 (semantic)", - "aliases": [ - "CVE-2024-45296" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-45296", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-9wv6-86v2-598j", - "description": "path-to-regexp outputs backtracking regular expressions", - "epss": [ - { - "cve": "CVE-2024-45296", - "date": "2026-06-14", - "epss": 0.00064, - "percentile": 0.20309 - } - ], - "fix_available": [ - { - "date": "2024-09-10", - "kind": "first-observed", - "version": "0.1.10" - } - ], - "fix_state": "fixed", - "fixed_in": "0.1.10", - "fixed_versions": [ - "0.1.10" - ], - "id": "GHSA-9wv6-86v2-598j", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-45296", - "Fix available: upgrade to 0.1.10", - "Fix state: fixed", - "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f", - "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6", - "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485", - "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef", - "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894", - "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0", - "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j", - "https://nvd.nist.gov/vuln/detail/CVE-2024-45296", - 
"https://security.netapp.com/advisory/ntap-20250124-0001" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-9wv6-86v2-598j" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/29b96b4a1de52824e1ca0f49a701183cc4ed476f" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45296" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/925ac8e3c5780b02f58cbd4e52f95da8ad2ac485" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/d31670ae8f6e69cbfd56e835742195b7d10942ef" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/f1253b47b347dcb909e3e80b0eb2649109e59894" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/releases/tag/v6.3.0" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250124-0001" - } - ], - "risk_score": 0.04832, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "path-to-regexp outputs backtracking regular expressions" - }, - { - "affected_version_range": "\u003c0.1.12 (semantic)", - "aliases": [ - "CVE-2024-52798" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - }, - { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-52798", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-rhx6-c78j-4q9w", - "description": "path-to-regexp contains a ReDoS", - "epss": [ - { - "cve": "CVE-2024-52798", - "date": "2026-06-14", - "epss": 0.00293, - "percentile": 0.5317 - } - ], - "fix_available": [ - { - "date": "2024-12-06", - "kind": "first-observed", - "version": "0.1.12" - } - ], - "fix_state": "fixed", - "fixed_in": "0.1.12", - "fixed_versions": [ - "0.1.12" - ], - "id": "GHSA-rhx6-c78j-4q9w", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-52798", - "Fix available: upgrade to 0.1.12", - "Fix state: fixed", - "https://blakeembrey.com/posts/2024-09-web-redos", - "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4", - "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w", - "https://nvd.nist.gov/vuln/detail/CVE-2024-52798", - "https://security.netapp.com/advisory/ntap-20250124-0002" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rhx6-c78j-4q9w" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w" - }, - { - "type": "advisory", - "url": "https://blakeembrey.com/posts/2024-09-web-redos" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52798" - }, - { - "type": "advisory", - "url": "https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20250124-0002" - } - ], - "risk_score": 0.221215, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "path-to-regexp contains a ReDoS" - } - ] - }, - { - "ecosystem": "npm", - 
"licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "path-type", - "purl": "pkg:npm/path-type@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "pbkdf2", - "purl": "pkg:npm/pbkdf2@3.0.17", - "version": "3.0.17", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=3.0.10,\u003c=3.1.2 (semantic)", - "aliases": [ - "CVE-2025-6545" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-6545", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-h7cp-r72f-jxh6", - "description": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos", - "epss": [ - { - "cve": "CVE-2025-6545", - "date": "2026-06-14", - "epss": 0.00416, - "percentile": 0.62245 - } - ], - "fix_available": [ - { - "date": "2025-06-24", - "kind": "first-observed", - "version": "3.1.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.3", - "fixed_versions": [ - "3.1.3" - ], - "id": "GHSA-h7cp-r72f-jxh6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-6545", - "Fix available: upgrade to 3.1.3", - "Fix state: fixed", - "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078", - "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb", - "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6", - "https://nvd.nist.gov/vuln/detail/CVE-2025-6545" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-h7cp-r72f-jxh6" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-h7cp-r72f-jxh6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6545" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/pbkdf2/commit/9699045c37a07f8319cfb8d44e2ff4252d7a7078" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" - } - ], - "risk_score": 0.37648, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos" - }, - { - "affected_version_range": "\u003e=1.0.0,\u003c=3.1.2 (semantic)", - "aliases": [ - "CVE-2025-6547" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-6547", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-v62p-rq8g-8h59", - "description": "pbkdf2 silently disregards Uint8Array input, returning static keys", - "epss": [ - { - "cve": "CVE-2025-6547", - "date": "2026-06-14", - "epss": 0.00091, - "percentile": 0.25883 - } - ], - "fix_available": [ - { - "date": "2025-06-24", - "kind": "first-observed", - "version": "3.1.3" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.3", - "fixed_versions": [ - "3.1.3" - ], - "id": "GHSA-v62p-rq8g-8h59", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-6547", - "Fix available: upgrade to 3.1.3", - "Fix state: fixed", - 
"https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb", - "https://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59", - "https://nvd.nist.gov/vuln/detail/CVE-2025-6547" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-v62p-rq8g-8h59" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/pbkdf2/security/advisories/GHSA-v62p-rq8g-8h59" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6547" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/pbkdf2/commit/e3102a8cd4830a3ac85cd0dd011cc002fdde33bb" - } - ], - "risk_score": 0.082355, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "pbkdf2 silently disregards Uint8Array input, returning static keys" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "performance-now", - "purl": "pkg:npm/performance-now@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "picomatch", - "purl": "pkg:npm/picomatch@2.3.0", - "version": "2.3.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c2.3.2 (semantic)", - "aliases": [ - "CVE-2026-33672" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33672", - "id": "CWE-1321", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", - "description": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", - "epss": [ - { - "cve": "CVE-2026-33672", - "date": "2026-06-14", - "epss": 0.00059, - "percentile": 0.18968 - } - ], - "fix_available": [ - { - "date": "2026-03-26", - "kind": "first-observed", - "version": "2.3.2" - } - ], - 
"fix_state": "fixed", - "fixed_in": "2.3.2", - "fixed_versions": [ - "2.3.2" - ], - "id": "GHSA-3v7f-55p6-f55p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33672", - "Fix available: upgrade to 2.3.2", - "Fix state: fixed", - "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903", - "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33672" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33672" - } - ], - "risk_score": 0.030385000000000002, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching" - }, - { - "affected_version_range": "\u003c2.3.2 (semantic)", - "aliases": [ - "CVE-2026-33671" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2026-33671", - "id": "CWE-1333", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", - "description": "Picomatch has a ReDoS vulnerability via extglob quantifiers", - "epss": [ - { - "cve": "CVE-2026-33671", - "date": "2026-06-14", - "epss": 0.0002, - "percentile": 0.05839 - } - ], - 
"fix_available": [ - { - "date": "2026-03-26", - "kind": "first-observed", - "version": "2.3.2" - } - ], - "fix_state": "fixed", - "fixed_in": "2.3.2", - "fixed_versions": [ - "2.3.2" - ], - "id": "GHSA-c2c7-rcm5-vvqj", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-33671", - "Fix available: upgrade to 2.3.2", - "Fix state: fixed", - "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d", - "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj", - "https://nvd.nist.gov/vuln/detail/CVE-2026-33671" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj" - }, - { - "type": "advisory", - "url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33671" - } - ], - "risk_score": 0.015000000000000001, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pify", - "purl": "pkg:npm/pify@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pify", - "purl": "pkg:npm/pify@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pinkie-promise", - "purl": "pkg:npm/pinkie-promise@2.0.1", - "version": "2.0.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pinkie", - "purl": "pkg:npm/pinkie@2.0.4", - "version": "2.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "pkg-dir", - "purl": "pkg:npm/pkg-dir@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ports", - "purl": "pkg:npm/ports@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "posix-character-classes", - "purl": "pkg:npm/posix-character-classes@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "prelude-ls", - "purl": "pkg:npm/prelude-ls@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "prepend-http", - "purl": "pkg:npm/prepend-http@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "prepend-http", - "purl": "pkg:npm/prepend-http@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "process-nextick-args", - "purl": "pkg:npm/process-nextick-args@1.0.7", - "version": "1.0.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "process-nextick-args", - "purl": "pkg:npm/process-nextick-args@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "process", - "purl": "pkg:npm/process@0.11.10", - "version": "0.11.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "promise", - "purl": "pkg:npm/promise@7.3.1", - "version": "7.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": 
"proto-list", - "purl": "pkg:npm/proto-list@1.2.4", - "version": "1.2.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "protocols", - "purl": "pkg:npm/protocols@1.4.7", - "version": "1.4.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "proxy-addr", - "purl": "pkg:npm/proxy-addr@1.0.10", - "version": "1.0.10", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "proxy-agent", - "purl": "pkg:npm/proxy-agent@3.1.1", - "version": "3.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "proxy-from-env", - "purl": "pkg:npm/proxy-from-env@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "pseudomap", - "purl": "pkg:npm/pseudomap@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "psl", - "purl": "pkg:npm/psl@1.7.0", - "version": "1.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pstree.remy", - "purl": "pkg:npm/pstree.remy@1.1.8", - "version": "1.1.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "public-encrypt", - "purl": "pkg:npm/public-encrypt@4.0.3", - "version": "4.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pump", - "purl": "pkg:npm/pump@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "punycode", - "purl": "pkg:npm/punycode@1.3.2", - "version": "1.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "punycode", - "purl": "pkg:npm/punycode@1.4.1", - "version": "1.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "punycode", - "purl": "pkg:npm/punycode@2.1.1", - "version": "2.1.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "pupa", - "purl": "pkg:npm/pupa@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "qs", - "purl": "pkg:npm/qs@2.2.4", - "version": "2.2.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.14.1 (semantic)", - "aliases": [ - "CVE-2025-15284" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 6.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-15284", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", - "description": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", - "epss": [ - { - "cve": "CVE-2025-15284", - "date": "2026-06-14", - "epss": 0.00035, - "percentile": 0.10897 - } - ], - "fix_available": [ - { - "date": "2026-01-01", - "kind": "first-observed", - "version": "6.14.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.14.1", - "fixed_versions": [ - "6.14.1" - ], - "id": "GHSA-6rw7-vpxm-498p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-15284", - "Fix available: upgrade to 6.14.1", - "Fix state: fixed", - "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9", - "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p", - "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": 
"advisory", - "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9" - } - ], - "risk_score": 0.017499999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion" - }, - { - "affected_version_range": "\u003c6.0.4 (semantic)", - "aliases": [ - "CVE-2017-1000048" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000048", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gqgv-6jq5-jjj9", - "description": "Prototype Pollution Protection Bypass in qs", - "epss": [ - { - "cve": "CVE-2017-1000048", - "date": "2026-06-14", - "epss": 0.00808, - "percentile": 0.74715 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "6.0.4" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.4", - "fixed_versions": [ - "6.0.4" - ], - "id": "GHSA-gqgv-6jq5-jjj9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000048", - "Fix available: upgrade to 6.0.4", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2017:2672", - "https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d", - "https://github.com/ljharb/qs/issues/200", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000048", - "https://snyk.io/vuln/npm:qs:20170213", - 
"https://www.npmjs.com/advisories/1469" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gqgv-6jq5-jjj9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000048" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/issues/200" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2017:2672" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:qs:20170213" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1469" - } - ], - "risk_score": 0.606, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution Protection Bypass in qs" - }, - { - "affected_version_range": "\u003c6.2.4 (semantic)", - "aliases": [ - "CVE-2022-24999" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", - "description": "qs vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2022-24999", - "date": "2026-06-14", - "epss": 0.01543, - "percentile": 0.81846 - } - ], - "fix_available": [ - { - "date": "2022-12-07", - "kind": "first-observed", - "version": "6.2.4" - } - ], - "fix_state": "fixed", - "fixed_in": "6.2.4", - "fixed_versions": [ - "6.2.4" - ], - "id": "GHSA-hrpp-h998-j3pp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - 
"status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24999", - "Fix available: upgrade to 6.2.4", - "Fix state: fixed", - "https://github.com/expressjs/express/releases/tag/4.17.3", - "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", - "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", - "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", - "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", - "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", - "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", - "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", - "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", - "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", - "https://github.com/ljharb/qs/pull/428", - "https://github.com/n8tz/CVE-2022-24999", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", - "https://security.netapp.com/advisory/ntap-20230908-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/pull/428" - }, - { - "type": "advisory", - "url": "https://github.com/n8tz/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b" - }, - { - "type": "advisory", - "url": 
"https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/releases/tag/4.17.3" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230908-0005" - } - ], - "risk_score": 1.15725, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "qs", - "purl": "pkg:npm/qs@2.4.2", - "version": "2.4.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.14.1 (semantic)", - "aliases": [ - "CVE-2025-15284" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 6.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-15284", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", - "description": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", - "epss": [ - { - 
"cve": "CVE-2025-15284", - "date": "2026-06-14", - "epss": 0.00035, - "percentile": 0.10897 - } - ], - "fix_available": [ - { - "date": "2026-01-01", - "kind": "first-observed", - "version": "6.14.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.14.1", - "fixed_versions": [ - "6.14.1" - ], - "id": "GHSA-6rw7-vpxm-498p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-15284", - "Fix available: upgrade to 6.14.1", - "Fix state: fixed", - "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9", - "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p", - "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9" - } - ], - "risk_score": 0.017499999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion" - }, - { - "affected_version_range": "\u003c6.0.4 (semantic)", - "aliases": [ - "CVE-2017-1000048" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2017-1000048", - "id": "CWE-20", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-gqgv-6jq5-jjj9", - "description": "Prototype Pollution Protection 
Bypass in qs", - "epss": [ - { - "cve": "CVE-2017-1000048", - "date": "2026-06-14", - "epss": 0.00808, - "percentile": 0.74715 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "6.0.4" - } - ], - "fix_state": "fixed", - "fixed_in": "6.0.4", - "fixed_versions": [ - "6.0.4" - ], - "id": "GHSA-gqgv-6jq5-jjj9", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2017-1000048", - "Fix available: upgrade to 6.0.4", - "Fix state: fixed", - "https://access.redhat.com/errata/RHSA-2017:2672", - "https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d", - "https://github.com/ljharb/qs/issues/200", - "https://nvd.nist.gov/vuln/detail/CVE-2017-1000048", - "https://snyk.io/vuln/npm:qs:20170213", - "https://www.npmjs.com/advisories/1469" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-gqgv-6jq5-jjj9" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1000048" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/issues/200" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/beade029171b8cef9cee0d03ebe577e2dd84976d" - }, - { - "type": "advisory", - "url": "https://access.redhat.com/errata/RHSA-2017:2672" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/npm:qs:20170213" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1469" - } - ], - "risk_score": 0.606, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Prototype Pollution Protection Bypass in qs" - }, - { - "affected_version_range": "\u003c6.2.4 (semantic)", - "aliases": [ - "CVE-2022-24999" - ], - "cvss": [ - { - "score": 7.5, - "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", - "description": "qs vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2022-24999", - "date": "2026-06-14", - "epss": 0.01543, - "percentile": 0.81846 - } - ], - "fix_available": [ - { - "date": "2022-12-07", - "kind": "first-observed", - "version": "6.2.4" - } - ], - "fix_state": "fixed", - "fixed_in": "6.2.4", - "fixed_versions": [ - "6.2.4" - ], - "id": "GHSA-hrpp-h998-j3pp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24999", - "Fix available: upgrade to 6.2.4", - "Fix state: fixed", - "https://github.com/expressjs/express/releases/tag/4.17.3", - "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", - "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", - "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", - "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", - "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", - "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", - "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", - "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", - "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", - "https://github.com/ljharb/qs/pull/428", - 
"https://github.com/n8tz/CVE-2022-24999", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", - "https://security.netapp.com/advisory/ntap-20230908-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/pull/428" - }, - { - "type": "advisory", - "url": "https://github.com/n8tz/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/releases/tag/4.17.3" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230908-0005" - } - ], - "risk_score": 
1.15725, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "qs", - "purl": "pkg:npm/qs@6.5.2", - "version": "6.5.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003c6.14.1 (semantic)", - "aliases": [ - "CVE-2025-15284" - ], - "cvss": [ - { - "score": 3.7, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - }, - { - "score": 6.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-15284", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", - "description": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", - "epss": [ - { - "cve": "CVE-2025-15284", - "date": "2026-06-14", - "epss": 0.00035, - "percentile": 0.10897 - } - ], - "fix_available": [ - { - "date": "2026-01-01", - "kind": "first-observed", - "version": "6.14.1" - } - ], - "fix_state": "fixed", - "fixed_in": "6.14.1", - "fixed_versions": [ - "6.14.1" - ], - "id": "GHSA-6rw7-vpxm-498p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-15284", - "Fix available: upgrade to 6.14.1", - "Fix state: fixed", - "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9", - "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p", - "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": 
"advisory", - "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9" - } - ], - "risk_score": 0.017499999999999998, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion" - }, - { - "affected_version_range": "\u003e=6.5.0,\u003c6.5.3 (semantic)", - "aliases": [ - "CVE-2022-24999" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-24999", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", - "description": "qs vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2022-24999", - "date": "2026-06-14", - "epss": 0.01543, - "percentile": 0.81846 - } - ], - "fix_available": [ - { - "date": "2022-12-07", - "kind": "first-observed", - "version": "6.5.3" - } - ], - "fix_state": "fixed", - "fixed_in": "6.5.3", - "fixed_versions": [ - "6.5.3" - ], - "id": "GHSA-hrpp-h998-j3pp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24999", - "Fix available: upgrade to 6.5.3", - "Fix state: fixed", - "https://github.com/expressjs/express/releases/tag/4.17.3", - "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", - 
"https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", - "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", - "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", - "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", - "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", - "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", - "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", - "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", - "https://github.com/ljharb/qs/pull/428", - "https://github.com/n8tz/CVE-2022-24999", - "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", - "https://security.netapp.com/advisory/ntap-20230908-0005" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/pull/428" - }, - { - "type": "advisory", - "url": "https://github.com/n8tz/CVE-2022-24999" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1" - }, - { - "type": "advisory", - "url": 
"https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda" - }, - { - "type": "advisory", - "url": "https://github.com/expressjs/express/releases/tag/4.17.3" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230908-0005" - } - ], - "risk_score": 1.15725, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "qs vulnerable to Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "querystring-es3", - "purl": "pkg:npm/querystring-es3@0.2.1", - "version": "0.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "querystring", - "purl": "pkg:npm/querystring@0.2.0", - "version": "0.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "random-bytes", - "purl": "pkg:npm/random-bytes@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "randombytes", - "purl": "pkg:npm/randombytes@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "randomfill", - "purl": "pkg:npm/randomfill@1.0.4", - "version": "1.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "range-parser", - "purl": "pkg:npm/range-parser@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "raw-body", - "purl": "pkg:npm/raw-body@1.3.0", 
- "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "raw-body", - "purl": "pkg:npm/raw-body@2.4.1", - "version": "2.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "rc", - "purl": "pkg:npm/rc@1.2.8", - "version": "1.2.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "read-only-stream", - "purl": "pkg:npm/read-only-stream@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "read-pkg-up", - "purl": "pkg:npm/read-pkg-up@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "read-pkg", - "purl": "pkg:npm/read-pkg@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@1.0.31", - "version": "1.0.31", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@1.1.14", - "version": "1.1.14", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@2.0.6", - "version": "2.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@2.3.6", - "version": "2.3.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@2.3.7", - "version": "2.3.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readable-stream", - "purl": "pkg:npm/readable-stream@3.4.0", - "version": "3.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "readdirp", - 
"purl": "pkg:npm/readdirp@3.5.0", - "version": "3.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "reflect-metadata", - "purl": "pkg:npm/reflect-metadata@0.1.13", - "version": "0.1.13", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "regenerator-runtime", - "purl": "pkg:npm/regenerator-runtime@0.11.1", - "version": "0.11.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "regex-not", - "purl": "pkg:npm/regex-not@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "regexp-clone", - "purl": "pkg:npm/regexp-clone@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "registry-auth-token", - "purl": "pkg:npm/registry-auth-token@3.4.0", - "version": "3.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "registry-auth-token", - "purl": "pkg:npm/registry-auth-token@4.2.1", - "version": "4.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "registry-url", - "purl": "pkg:npm/registry-url@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "registry-url", - "purl": "pkg:npm/registry-url@5.1.0", - "version": "5.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "repeat-element", - "purl": "pkg:npm/repeat-element@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "repeat-string", - "purl": "pkg:npm/repeat-string@1.6.1", - "version": "1.6.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - 
"type": "declared", - "value": "MIT" - } - ], - "name": "repeating", - "purl": "pkg:npm/repeating@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "request", - "purl": "pkg:npm/request@2.88.0", - "version": "2.88.0", - "vulnerabilities": [ - { - "affected_version_range": "\u003c=2.88.2 (semantic)", - "aliases": [ - "CVE-2023-28155" - ], - "cvss": [ - { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2023-28155", - "id": "CWE-918", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p8p7-x288-28g6", - "description": "Server-Side Request Forgery in Request", - "epss": [ - { - "cve": "CVE-2023-28155", - "date": "2026-06-14", - "epss": 0.00557, - "percentile": 0.68733 - } - ], - "fix_state": "not-fixed", - "id": "GHSA-p8p7-x288-28g6", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-28155", - "Fix state: not-fixed", - "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf", - "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116", - "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f", - "https://github.com/cypress-io/request/pull/28", - "https://github.com/cypress-io/request/releases/tag/v3.0.0", - "https://github.com/github/advisory-database/pull/2500", - "https://github.com/request/request/blob/master/lib/redirect.js#L111", - "https://github.com/request/request/issues/3442", - "https://github.com/request/request/pull/3444", - "https://nvd.nist.gov/vuln/detail/CVE-2023-28155", - "https://security.netapp.com/advisory/ntap-20230413-0007" - ], - "references": [ - { - 
"type": "data_source", - "url": "https://github.com/advisories/GHSA-p8p7-x288-28g6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28155" - }, - { - "type": "advisory", - "url": "https://github.com/request/request/issues/3442" - }, - { - "type": "advisory", - "url": "https://github.com/request/request/pull/3444" - }, - { - "type": "advisory", - "url": "https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/2500" - }, - { - "type": "advisory", - "url": "https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116" - }, - { - "type": "advisory", - "url": "https://github.com/request/request/blob/master/lib/redirect.js#L111" - }, - { - "type": "advisory", - "url": "https://github.com/cypress-io/request/pull/28" - }, - { - "type": "advisory", - "url": "https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f" - }, - { - "type": "advisory", - "url": "https://github.com/cypress-io/request/releases/tag/v3.0.0" - }, - { - "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20230413-0007" - } - ], - "risk_score": 0.30913499999999994, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Server-Side Request Forgery in Request" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "require-directory", - "purl": "pkg:npm/require-directory@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "require-main-filename", - "purl": "pkg:npm/require-main-filename@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "require-main-filename", - "purl": "pkg:npm/require-main-filename@2.0.0", - "version": 
"2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "require_optional", - "purl": "pkg:npm/require_optional@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "resolve-from", - "purl": "pkg:npm/resolve-from@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "resolve-url", - "purl": "pkg:npm/resolve-url@0.2.1", - "version": "0.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "resolve", - "purl": "pkg:npm/resolve@1.1.7", - "version": "1.1.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "resolve", - "purl": "pkg:npm/resolve@1.10.0", - "version": "1.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "responselike", - "purl": "pkg:npm/responselike@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "restore-cursor", - "purl": "pkg:npm/restore-cursor@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "ret", - "purl": "pkg:npm/ret@0.1.15", - "version": "0.1.15", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "right-align", - "purl": "pkg:npm/right-align@0.1.3", - "version": "0.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "rimraf", - "purl": "pkg:npm/rimraf@2.6.2", - "version": "2.6.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "rimraf", - "purl": "pkg:npm/rimraf@2.6.3", - "version": "2.6.3", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "ripemd160", - "purl": "pkg:npm/ripemd160@2.0.2", - "version": "2.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "run-async", - "purl": "pkg:npm/run-async@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "rxjs", - "purl": "pkg:npm/rxjs@6.5.4", - "version": "6.5.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "safe-buffer", - "purl": "pkg:npm/safe-buffer@5.1.2", - "version": "5.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "safe-buffer", - "purl": "pkg:npm/safe-buffer@5.2.0", - "version": "5.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "safe-buffer", - "purl": "pkg:npm/safe-buffer@5.2.1", - "version": "5.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "safe-regex", - "purl": "pkg:npm/safe-regex@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "safer-buffer", - "purl": "pkg:npm/safer-buffer@2.1.2", - "version": "2.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "saslprep", - "purl": "pkg:npm/saslprep@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "sax", - "purl": "pkg:npm/sax@1.2.4", - "version": "1.2.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "secure-keys", - "purl": "pkg:npm/secure-keys@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "semver-diff", - "purl": "pkg:npm/semver-diff@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": 
"semver-diff", - "purl": "pkg:npm/semver-diff@3.1.1", - "version": "3.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "semver", - "purl": "pkg:npm/semver@1.1.4", - "version": "1.1.4", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=1.0.4,\u003c4.3.2 (semantic)", - "aliases": [ - "CVE-2015-8855" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.0" - } - ], - "cwes": [ - { - "cve": "CVE-2015-8855", - "id": "CWE-399", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-x6fg-f45m-jf5q", - "description": "Regular Expression Denial of Service in semver", - "epss": [ - { - "cve": "CVE-2015-8855", - "date": "2026-06-14", - "epss": 0.01092, - "percentile": 0.78442 - } - ], - "fix_available": [ - { - "date": "2020-07-28", - "kind": "first-observed", - "version": "4.3.2" - } - ], - "fix_state": "fixed", - "fixed_in": "4.3.2", - "fixed_versions": [ - "4.3.2" - ], - "id": "GHSA-x6fg-f45m-jf5q", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2015-8855", - "Fix available: upgrade to 4.3.2", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2016/04/20/11", - "http://www.securityfocus.com/bid/86957", - "https://github.com/github/advisory-database/pull/7102", - "https://github.com/npm/node-semver/commit/5c4c9f6e26c7052a42b5ced2a7481c5c9b4363a0", - "https://github.com/npm/node-semver/commit/c80180d8341a8ada0236815c29a2be59864afd70", - "https://nvd.nist.gov/vuln/detail/CVE-2015-8855", - "https://www.npmjs.com/advisories/31", - "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" - ], - "references": [ - { - "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-x6fg-f45m-jf5q" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-8855" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/31" - }, - { - "type": "advisory", - "url": "https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2016/04/20/11" - }, - { - "type": "advisory", - "url": "http://www.securityfocus.com/bid/86957" - }, - { - "type": "advisory", - "url": "https://github.com/github/advisory-database/pull/7102" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/5c4c9f6e26c7052a42b5ced2a7481c5c9b4363a0" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/c80180d8341a8ada0236815c29a2be59864afd70" - } - ], - "risk_score": 0.819, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Regular Expression Denial of Service in semver" + "title": "Path Traversal in algo-httpserv" } ] }, @@ -56046,19 +3498,35 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "ISC" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } ], "matched": true, - "name": "semver", - "purl": "pkg:npm/semver@5.5.0", - "version": "5.5.0", + "name": "ansi-colors", + "purl": "pkg:npm/ansi-colors@3.2.3", + "version": "3.2.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "ansi-regex", + "purl": "pkg:npm/ansi-regex@3.0.0", + "version": "3.0.0", "vulnerabilities": [ { - "affected_version_range": "\u003e=2.0.0-alpha,\u003c5.7.2 (semantic)", + "affected_version_range": "\u003e=3.0.0,\u003c3.0.1 (semantic)", "aliases": [ - "CVE-2022-25883" + "CVE-2021-3807" ], "cvss": [ { 
@@ -56069,161 +3537,147 @@ ], "cwes": [ { - "cve": "CVE-2022-25883", + "cve": "CVE-2021-3807", "id": "CWE-1333", - "source": "report@snyk.io", + "source": "security@huntr.dev", "type": "Secondary" }, { - "cve": "CVE-2022-25883", + "cve": "CVE-2021-3807", "id": "CWE-1333", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", - "description": "semver vulnerable to Regular Expression Denial of Service", + "data_source": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "description": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "epss": [ { - "cve": "CVE-2022-25883", - "date": "2026-06-14", - "epss": 0.00581, - "percentile": 0.69508 + "cve": "CVE-2021-3807", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-11", + "date": "2022-03-29", "kind": "first-observed", - "version": "5.7.2" + "version": "3.0.1" } ], "fix_state": "fixed", - "fixed_in": "5.7.2", + "fixed_in": "3.0.1", "fixed_versions": [ - "5.7.2" + "3.0.1" ], - "id": "GHSA-c2qf-rxjj-qqgw", + "id": "GHSA-93q8-gq69-wqmw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-25883", - "Fix available: upgrade to 5.7.2", + "Also known as: CVE-2021-3807", + "Fix available: upgrade to 3.0.1", "Fix state: fixed", - "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", - "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", - 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", - "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", - "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", - "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", - "https://github.com/npm/node-semver/pull/564", - "https://github.com/npm/node-semver/pull/585", - "https://github.com/npm/node-semver/pull/593", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", - "https://security.netapp.com/advisory/ntap-20241025-0004", - "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/564" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" + 
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" + "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" + "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" + "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/585" + "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" + "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/593" + "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" + "url": "https://security.netapp.com/advisory/ntap-20221014-0002/" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" + "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" + "url": 
"https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241025-0004" + "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" } ], - "risk_score": 0.43575, + "risk_score": 2.478, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "semver vulnerable to Regular Expression Denial of Service" + "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex" } ] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "semver", - "purl": "pkg:npm/semver@5.7.0", - "version": "5.7.0", + "name": "ansi-regex", + "purl": "pkg:npm/ansi-regex@4.1.0", + "version": "4.1.0", "vulnerabilities": [ { - "affected_version_range": "\u003e=2.0.0-alpha,\u003c5.7.2 (semantic)", + "affected_version_range": "\u003e=4.0.0,\u003c4.1.1 (semantic)", "aliases": [ - "CVE-2022-25883" + "CVE-2021-3807" ], "cvss": [ { 
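Review bot: The added `"risk_score": 2.478` for ansi-regex 3.0.0 is stored as a raw value, while the same record's EPSS entry is normalized to `"date": "\u003cnormalized\u003e"`, `"epss": 0`, `"percentile": 0`, so this golden file probably still depends on live EPSS data. On the removed side the score tracks EPSS (0.00581 with CVSS 7.5 gave 0.43575), which suggests 2.478 was computed from a non-zero EPSS before normalization and will drift when the feed changes. Consider normalizing the derived field in the golden writer too, for example emitting `"risk_score": 0` alongside the zeroed EPSS, or computing the score after normalization. The same pattern appears in the following hunk, with `"risk_score": 2.478` for ansi-regex 4.1.0 and `"risk_score": 2.57958` for async 2.6.3.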
@@ -56234,946 +3688,1155 @@ ], "cwes": [ { - "cve": "CVE-2022-25883", + "cve": "CVE-2021-3807", "id": "CWE-1333", - "source": "report@snyk.io", + "source": "security@huntr.dev", "type": "Secondary" }, { - "cve": "CVE-2022-25883", + "cve": "CVE-2021-3807", "id": "CWE-1333", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", - "description": "semver vulnerable to Regular Expression Denial of Service", + "data_source": "https://github.com/advisories/GHSA-93q8-gq69-wqmw", + "description": "Inefficient Regular Expression Complexity in chalk/ansi-regex", "epss": [ { - "cve": "CVE-2022-25883", - "date": "2026-06-14", - "epss": 0.00581, - "percentile": 0.69508 + "cve": "CVE-2021-3807", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-11", + "date": "2022-03-26", "kind": "first-observed", - "version": "5.7.2" + "version": "4.1.1" } ], "fix_state": "fixed", - "fixed_in": "5.7.2", + "fixed_in": "4.1.1", "fixed_versions": [ - "5.7.2" + "4.1.1" ], - "id": "GHSA-c2qf-rxjj-qqgw", + "id": "GHSA-93q8-gq69-wqmw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-25883", - "Fix available: upgrade to 5.7.2", + "Also known as: CVE-2021-3807", + "Fix available: upgrade to 4.1.1", "Fix state: fixed", - "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", - "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", - 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", - "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", - "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", - "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", - "https://github.com/npm/node-semver/pull/564", - "https://github.com/npm/node-semver/pull/585", - "https://github.com/npm/node-semver/pull/593", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", - "https://security.netapp.com/advisory/ntap-20241025-0004", - "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908", + "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1", + "https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a", + "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9", + "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311", + "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774", + "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1", + "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994", + "https://nvd.nist.gov/vuln/detail/CVE-2021-3807", + "https://security.netapp.com/advisory/ntap-20221014-0002/", + "https://www.oracle.com/security-alerts/cpuapr2022.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/564" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" + 
"url": "https://github.com/advisories/GHSA-93q8-gq69-wqmw" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3807" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" + "url": "https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" + "url": "https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" + "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-924086311" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/585" + "url": "https://app.snyk.io/vuln/SNYK-JS-ANSIREGEX-1583908" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" + "url": "https://github.com/chalk/ansi-regex/issues/38#issuecomment-925924774" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/593" + "url": "https://github.com/chalk/ansi-regex/releases/tag/v6.0.1" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" + "url": "https://security.netapp.com/advisory/ntap-20221014-0002/" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" + "url": "https://github.com/chalk/ansi-regex/commit/419250fa510bf31b4cc672e76537a64f9332e1f1" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" + "url": 
"https://github.com/chalk/ansi-regex/commit/75a657da7af875b2e2724fd6331bf0a4b23d3c9a" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241025-0004" + "url": "https://github.com/chalk/ansi-regex/commit/c3c0b3f2736b9c01feec0fef33980c43720dcde8" } ], - "risk_score": 0.43575, + "risk_score": 2.478, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "semver vulnerable to Regular Expression Denial of Service" + "title": "Inefficient Regular Expression Complexity in chalk/ansi-regex" } ] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "semver", - "purl": "pkg:npm/semver@5.7.1", - "version": "5.7.1", + "name": "ansi-styles", + "purl": "pkg:npm/ansi-styles@3.2.1", + "version": "3.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "anymatch", + "purl": "pkg:npm/anymatch@3.1.1", + "version": "3.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "argparse", + "purl": "pkg:npm/argparse@1.0.10", + "version": "1.0.10", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "async", + "purl": "pkg:npm/async@2.6.3", + "version": "2.6.3", "vulnerabilities": [ { - "affected_version_range": "\u003e=2.0.0-alpha,\u003c5.7.2 (semantic)", + "affected_version_range": "\u003e=2.0.0,\u003c2.6.4 (semantic)", "aliases": [ - "CVE-2022-25883" + "CVE-2021-43138" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 7.8, + "vector": 
"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", + "cve": "CVE-2021-43138", + "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", - "description": "semver vulnerable to Regular Expression Denial of Service", + "data_source": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25", + "description": "Prototype Pollution in async", "epss": [ { - "cve": "CVE-2022-25883", - "date": "2026-06-14", - "epss": 0.00581, - "percentile": 0.69508 + "cve": "CVE-2021-43138", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-11", + "date": "2022-04-15", "kind": "first-observed", - "version": "5.7.2" + "version": "2.6.4" } ], "fix_state": "fixed", - "fixed_in": "5.7.2", + "fixed_in": "2.6.4", "fixed_versions": [ - "5.7.2" + "2.6.4" ], - "id": "GHSA-c2qf-rxjj-qqgw", + "id": "GHSA-fwr7-v2mv-hh25", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-25883", - "Fix available: upgrade to 5.7.2", + "Also known as: CVE-2021-43138", + "Fix available: upgrade to 2.6.4", "Fix state: fixed", - "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", - "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", - 
"https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", - "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", - "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", - "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", - "https://github.com/npm/node-semver/pull/564", - "https://github.com/npm/node-semver/pull/585", - "https://github.com/npm/node-semver/pull/593", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", - "https://security.netapp.com/advisory/ntap-20241025-0004", - "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "https://github.com/caolan/async/blob/master/lib/internal/iterator.js", + "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js", + "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264", + "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2", + "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d", + "https://github.com/caolan/async/compare/v2.6.3...v2.6.4", + "https://github.com/caolan/async/pull/1828", + "https://jsfiddle.net/oz5twjd9", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2021-43138", + "https://security.netapp.com/advisory/ntap-20240621-0006" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" + "url": "https://github.com/advisories/GHSA-fwr7-v2mv-hh25" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/564" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43138" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" + "url": "https://github.com/caolan/async/commit/e1ecdbf79264f9ab488c7799f4c76996d5dca66d" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "url": "https://github.com/caolan/async/blob/master/lib/internal/iterator.js" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" + "url": "https://github.com/caolan/async/blob/master/lib/mapValuesLimit.js" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" + "url": "https://github.com/caolan/async/pull/1828" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" + "url": "https://github.com/caolan/async/commit/8f7f90342a6571ba1c197d747ebed30c368096d2" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/585" + "url": "https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md#v264" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" + "url": "https://github.com/caolan/async/compare/v2.6.3...v2.6.4" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/593" + "url": "https://jsfiddle.net/oz5twjd9" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "advisory", - 
"url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241025-0004" + "url": "https://security.netapp.com/advisory/ntap-20240621-0006" } ], - "risk_score": 0.43575, + "risk_score": 2.57958, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "semver vulnerable to Regular Expression Denial of Service" + "title": "Prototype Pollution in async" } ] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "semver", - "purl": "pkg:npm/semver@6.3.0", - "version": "6.3.0", + "name": "balanced-match", + "purl": "pkg:npm/balanced-match@1.0.0", + "version": "1.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "binary-extensions", + "purl": "pkg:npm/binary-extensions@2.1.0", + "version": "2.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "brace-expansion", + "purl": "pkg:npm/brace-expansion@1.1.11", + "version": 
"1.1.11", "vulnerabilities": [ { - "affected_version_range": "\u003e=6.0.0,\u003c6.3.1 (semantic)", + "affected_version_range": "\u003c1.1.13 (semantic)", "aliases": [ - "CVE-2022-25883" + "CVE-2026-33750" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 6.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-25883", - "id": "CWE-1333", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2026-33750", + "id": "CWE-400", + "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", - "description": "semver vulnerable to Regular Expression Denial of Service", + "data_source": "https://github.com/advisories/GHSA-f886-m6hf-6m8v", + "description": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion", "epss": [ { - "cve": "CVE-2022-25883", - "date": "2026-06-14", - "epss": 0.00581, - "percentile": 0.69508 + "cve": "CVE-2026-33750", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-11", + "date": "2026-03-27", "kind": "first-observed", - "version": "6.3.1" + "version": "1.1.13" } ], "fix_state": "fixed", - "fixed_in": "6.3.1", + "fixed_in": "1.1.13", "fixed_versions": [ - "6.3.1" + "1.1.13" ], - "id": "GHSA-c2qf-rxjj-qqgw", + "id": "GHSA-f886-m6hf-6m8v", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-25883", - "Fix available: upgrade to 6.3.1", 
+ "Also known as: CVE-2026-33750", + "Fix available: upgrade to 1.1.13", "Fix state: fixed", - "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", - "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", - "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", - "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", - "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", - "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", - "https://github.com/npm/node-semver/pull/564", - "https://github.com/npm/node-semver/pull/585", - "https://github.com/npm/node-semver/pull/593", - "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", - "https://security.netapp.com/advisory/ntap-20241025-0004", - "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113", + "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184", + "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5", + "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2", + "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a", + "https://github.com/juliangruber/brace-expansion/issues/98", + "https://github.com/juliangruber/brace-expansion/pull/95", + "https://github.com/juliangruber/brace-expansion/pull/96", + "https://github.com/juliangruber/brace-expansion/pull/97", + "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v", + 
"https://nvd.nist.gov/vuln/detail/CVE-2026-33750" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/564" - }, - { - "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" + "url": "https://github.com/advisories/GHSA-f886-m6hf-6m8v" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" + "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" + "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" + "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/585" + "url": "https://github.com/juliangruber/brace-expansion/issues/98" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" + "url": "https://github.com/juliangruber/brace-expansion/pull/95" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/pull/593" + "url": "https://github.com/juliangruber/brace-expansion/pull/96" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" + "url": "https://github.com/juliangruber/brace-expansion/pull/97" }, { "type": "advisory", - "url": 
"https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" + "url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" + "url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2" }, { "type": "advisory", - "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" + "url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241025-0004" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750" } ], - "risk_score": 0.43575, - "severity": "high", + "risk_score": 0.24725, + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "semver vulnerable to Regular Expression Denial of Service" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "send", - "purl": "pkg:npm/send@0.12.3", - "version": "0.12.3", - "vulnerabilities": [ + "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion" + }, { - "affected_version_range": "\u003c0.19.0 (semantic)", + "affected_version_range": "\u003e=1.0.0,\u003c=1.1.11 (semantic)", "aliases": [ - "CVE-2024-43799" + "CVE-2025-5889" ], "cvss": [ { - "score": 5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "score": 3.1, + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" }, { - "score": 2.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L", + "score": 1.3, + "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2024-43799", - "id": 
"CWE-79", - "source": "security-advisories@github.com", + "cve": "CVE-2025-5889", + "id": "CWE-400", + "source": "cna@vuldb.com", + "type": "Secondary" + }, + { + "cve": "CVE-2025-5889", + "id": "CWE-1333", + "source": "cna@vuldb.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", - "description": "send vulnerable to template injection that can lead to XSS", + "data_source": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw", + "description": "brace-expansion Regular Expression Denial of Service vulnerability", "epss": [ { - "cve": "CVE-2024-43799", - "date": "2026-06-14", - "epss": 0.00175, - "percentile": 0.38967 + "cve": "CVE-2025-5889", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-09-11", + "date": "2025-06-12", "kind": "first-observed", - "version": "0.19.0" + "version": "1.1.12" } ], "fix_state": "fixed", - "fixed_in": "0.19.0", + "fixed_in": "1.1.12", "fixed_versions": [ - "0.19.0" + "1.1.12" ], - "id": "GHSA-m6fv-jmcg-4jfg", + "id": "GHSA-v6h2-p8h4-qcjw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-43799", - "Fix available: upgrade to 0.19.0", + "Also known as: CVE-2025-5889", + "Fix available: upgrade to 1.1.12", "Fix state: fixed", - "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35", - "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg", - "https://lists.debian.org/debian-lts-announce/2025/06/msg00022.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-43799" + "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466", + 
"https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2", + "https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f", + "https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e", + "https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217", + "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5", + "https://nvd.nist.gov/vuln/detail/CVE-2025-5889", + "https://vuldb.com/?ctiid.311660", + "https://vuldb.com/?id.311660", + "https://vuldb.com/?submit.585717" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg" + "url": "https://github.com/advisories/GHSA-v6h2-p8h4-qcjw" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5889" + }, + { + "type": "advisory", + "url": "https://github.com/juliangruber/brace-expansion/pull/65/commits/a5b98a4f30d7813266b221435e1eaaf25a1b0ac5" + }, + { + "type": "advisory", + "url": "https://gist.github.com/mmmsssttt404/37a40ce7d6e5ca604858fe30814d9466" + }, + { + "type": "advisory", + "url": "https://vuldb.com/?ctiid.311660" + }, + { + "type": "advisory", + "url": "https://vuldb.com/?id.311660" + }, + { + "type": "advisory", + "url": "https://vuldb.com/?submit.585717" }, { "type": "advisory", - "url": "https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg" + "url": "https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43799" + "url": "https://github.com/juliangruber/brace-expansion/commit/15f9b3c75ebf5988198241fecaebdc45eff28a9f" }, { "type": "advisory", - "url": "https://github.com/pillarjs/send/commit/ae4f2989491b392ae2ef3b0015a019770ae65d35" + "url": 
"https://github.com/juliangruber/brace-expansion/commit/36603d5f3599a37af9e85eda30acd7d28599c36e" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/06/msg00022.html" + "url": "https://github.com/juliangruber/brace-expansion/commit/c3c73c8b088defc70851843be88ccc3af08e7217" } ], - "risk_score": 0.0581875, + "risk_score": 0.11674000000000001, "severity": "low", "severity_source": "github:language:javascript", "source": "grype", - "title": "send vulnerable to template injection that can lead to XSS" + "title": "brace-expansion Regular Expression Denial of Service vulnerability" } ] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "serve-static", - "purl": "pkg:npm/serve-static@1.9.3", - "version": "1.9.3", + "name": "braces", + "purl": "pkg:npm/braces@3.0.2", + "version": "3.0.2", "vulnerabilities": [ { - "affected_version_range": "\u003c1.16.0 (semantic)", + "affected_version_range": "\u003c3.0.3 (semantic)", "aliases": [ - "CVE-2024-43800" + "CVE-2024-4068" ], "cvss": [ { - "score": 5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" - }, - { - "score": 2.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2024-43800", - "id": "CWE-79", - "source": "security-advisories@github.com", + "cve": "CVE-2024-4068", + "id": "CWE-1050", + "source": "596c5446-0ce5-4ba2-aa66-48b3b757a647", + "type": "Secondary" + }, + { + "cve": "CVE-2024-4068", + "id": "CWE-400", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-cm22-4g7w-348p", - "description": "serve-static vulnerable to template injection that can lead to XSS", + "data_source": 
"https://github.com/advisories/GHSA-grv7-fg5c-xmjg", + "description": "Uncontrolled resource consumption in braces", "epss": [ { - "cve": "CVE-2024-43800", - "date": "2026-06-14", - "epss": 0.00919, - "percentile": 0.76494 + "cve": "CVE-2024-4068", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-09-11", + "date": "2024-06-11", "kind": "first-observed", - "version": "1.16.0" + "version": "3.0.3" } ], "fix_state": "fixed", - "fixed_in": "1.16.0", + "fixed_in": "3.0.3", "fixed_versions": [ - "1.16.0" + "3.0.3" ], - "id": "GHSA-cm22-4g7w-348p", + "id": "GHSA-grv7-fg5c-xmjg", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-43800", - "Fix available: upgrade to 1.16.0", + "Also known as: CVE-2024-4068", + "Fix available: upgrade to 3.0.3", "Fix state: fixed", - "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b", - "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa", - "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p", - "https://nvd.nist.gov/vuln/detail/CVE-2024-43800" + "https://devhub.checkmarx.com/cve-details/CVE-2024-4068", + "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308", + "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff", + "https://github.com/micromatch/braces/issues/35", + "https://github.com/micromatch/braces/pull/37", + "https://github.com/micromatch/braces/pull/40", + "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-cm22-4g7w-348p" + "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4068" + }, + { + "type": "advisory", + "url": "https://github.com/micromatch/braces/issues/35" + }, + { + "type": "advisory", + "url": "https://devhub.checkmarx.com/cve-details/CVE-2024-4068" }, { "type": "advisory", - "url": "https://github.com/expressjs/serve-static/security/advisories/GHSA-cm22-4g7w-348p" + "url": "https://github.com/micromatch/braces/blob/98414f9f1fabe021736e26836d8306d5de747e0d/lib/parse.js#L308" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43800" + "url": "https://github.com/micromatch/braces/pull/37" }, { "type": "advisory", - "url": "https://github.com/expressjs/serve-static/commit/0c11fad159898cdc69fd9ab63269b72468ecaf6b" + "url": "https://github.com/micromatch/braces/pull/40" }, { "type": "advisory", - "url": "https://github.com/expressjs/serve-static/commit/ce730896fddce1588111d9ef6fdf20896de5c6fa" + "url": "https://github.com/micromatch/braces/commit/415d660c3002d1ab7e63dbf490c9851da80596ff" } ], - "risk_score": 0.30556750000000005, - "severity": "low", + "risk_score": 1.10325, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "serve-static vulnerable to template injection that can lead to XSS" + "title": "Uncontrolled resource consumption in braces" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "browser-stdout", + "purl": "pkg:npm/browser-stdout@1.3.1", + "version": "1.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "busboy", + "purl": "pkg:npm/busboy@0.2.14", + "version": "0.2.14", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": 
"external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "camelcase", + "purl": "pkg:npm/camelcase@5.3.1", + "version": "5.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } - ] + ], + "matched": true, + "name": "chalk", + "purl": "pkg:npm/chalk@2.4.2", + "version": "2.4.2", + "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "chokidar", + "purl": "pkg:npm/chokidar@3.3.0", + "version": "3.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], - "name": "set-blocking", - "purl": "pkg:npm/set-blocking@2.0.0", - "version": "2.0.0", + "matched": true, + "name": "cliui", + "purl": "pkg:npm/cliui@5.0.0", + "version": "5.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "set-immediate-shim", - "purl": "pkg:npm/set-immediate-shim@1.0.1", - "version": "1.0.1", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "color-convert", + "purl": "pkg:npm/color-convert@1.9.3", + "version": "1.9.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "color-name", + "purl": "pkg:npm/color-name@1.1.3", + "version": "1.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "concat-map", + "purl": "pkg:npm/concat-map@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": 
"MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "core-util-is", + "purl": "pkg:npm/core-util-is@1.0.2", + "version": "1.0.2", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], "matched": true, - "name": "set-value", - "purl": "pkg:npm/set-value@0.4.3", - "version": "0.4.3", + "name": "debug", + "purl": "pkg:npm/debug@3.2.6", + "version": "3.2.6", "vulnerabilities": [ { - "affected_version_range": "\u003c2.0.1 (semantic)", + "affected_version_range": "\u003e=3.2.0,\u003c3.2.7 (semantic)", "aliases": [ - "CVE-2019-10747" + "CVE-2017-16137" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "score": 3.7, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2019-10747", + "cve": "CVE-2017-16137", + "id": "CWE-400", + "source": "support@hackerone.com", + "type": "Secondary" + }, + { + "cve": "CVE-2017-16137", "id": "CWE-400", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-4g88-fppr-53pp", - "description": "Prototype Pollution in set-value", + "data_source": "https://github.com/advisories/GHSA-gxpj-cx7g-858c", + "description": "Regular Expression Denial of Service in debug", "epss": [ { - "cve": "CVE-2019-10747", - "date": "2026-06-14", - "epss": 0.00493, - "percentile": 0.66264 + "cve": "CVE-2017-16137", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-07-28", + "date": "2023-10-03", "kind": "first-observed", - "version": "2.0.1" + "version": "3.2.7" } ], "fix_state": "fixed", - "fixed_in": "2.0.1", + "fixed_in": "3.2.7", "fixed_versions": [ - "2.0.1" + "3.2.7" ], - "id": "GHSA-4g88-fppr-53pp", + "id": "GHSA-gxpj-cx7g-858c", "namespace": "github:language:javascript", "reachability": { "analyzed_at": 
"\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2019-10747", - "Fix available: upgrade to 2.0.1", + "Also known as: CVE-2017-16137", + "Fix available: upgrade to 3.2.7", "Fix state: fixed", - "https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f", - "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad", - "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10747", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213", - "https://www.npmjs.com/advisories/1012" + "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020", + "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290", + "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac", + "https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a", + "https://github.com/debug-js/debug/issues/797", + "https://github.com/visionmedia/debug/issues/501", + "https://github.com/visionmedia/debug/pull/504", + "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E", + "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E", + "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-4g88-fppr-53pp" + "url": "https://github.com/advisories/GHSA-gxpj-cx7g-858c" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16137" + }, + { + "type": "advisory", + "url": "https://github.com/visionmedia/debug/issues/501" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10747" + "url": "https://github.com/visionmedia/debug/pull/504" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213" + "url": "https://lists.apache.org/thread.html/r8ba4c628fba7181af58817d452119481adce4ba92e889c643e4c7dd3@%3Ccommits.netbeans.apache.org%3E" }, { "type": "advisory", - "url": "https://www.npmjs.com/advisories/1012" + "url": "https://lists.apache.org/thread.html/rb5ac16fad337d1f3bb7079549f97d8166d0ef3082629417c39f12d63@%3Cnotifications.netbeans.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E" + "url": "https://github.com/debug-js/debug/issues/797" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/" + "url": "https://github.com/debug-js/debug/commit/4e2150207c568adb9ead8f4c4528016081c88020" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/" + "url": "https://github.com/debug-js/debug/commit/71169065b5262f9858ac78cc0b688c84a438f290" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f" + "url": "https://github.com/debug-js/debug/commit/b6d12fdbc63b483e5c969da33ea6adc09946b5ac" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad" + "url": 
"https://github.com/debug-js/debug/commit/f53962e944a87e6ca9bb622a2a12dffc22a9bb5a" } ], - "risk_score": 0.46342000000000005, - "severity": "critical", + "risk_score": 0.9296249999999999, + "severity": "low", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in set-value" - }, + "title": "Regular Expression Denial of Service in debug" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "decamelize", + "purl": "pkg:npm/decamelize@1.2.0", + "version": "1.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "define-properties", + "purl": "pkg:npm/define-properties@1.1.3", + "version": "1.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "matched": true, + "name": "dicer", + "purl": "pkg:npm/dicer@0.2.5", + "version": "0.2.5", + "vulnerabilities": [ { - "affected_version_range": "\u003c2.0.1 (semantic)", + "affected_version_range": "\u003c=0.3.1 (semantic)", "aliases": [ - "CVE-2021-23440" + "CVE-2022-24434" ], "cvss": [ { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], - "cwes": [ - { - "cve": "CVE-2021-23440", - "id": "CWE-843", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "description": "Prototype Pollution in set-value", + "data_source": "https://github.com/advisories/GHSA-wm7h-9275-46v2", + "description": "Crash in HeaderParser in dicer", "epss": [ { - "cve": "CVE-2021-23440", - "date": "2026-06-14", - "epss": 0.00211, - "percentile": 0.43834 - } - ], - "fix_available": [ - { - "date": "2021-11-13", - "kind": 
"first-observed", - "version": "2.0.1" + "cve": "CVE-2022-24434", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "fix_state": "fixed", - "fixed_in": "2.0.1", - "fixed_versions": [ - "2.0.1" - ], - "id": "GHSA-4jqc-8m5r-9rpr", + "fix_state": "not-fixed", + "id": "GHSA-wm7h-9275-46v2", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2021-23440", - "Fix available: upgrade to 2.0.1", - "Fix state: fixed", - "https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", - "https://www.oracle.com/security-alerts/cpujan2022.html" + "Also known as: CVE-2022-24434", + "Fix state: not-fixed", + "https://github.com/mscdex/busboy/issues/250", + "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac", + "https://github.com/mscdex/dicer/pull/22", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24434", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865", + "https://snyk.io/vuln/SNYK-JS-DICER-2311764" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440" - 
}, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/pull/33" - }, - { - "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212" + "url": "https://github.com/advisories/GHSA-wm7h-9275-46v2" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24434" }, { "type": "advisory", - "url": "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/" + "url": "https://github.com/mscdex/busboy/issues/250" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + "url": "https://github.com/mscdex/dicer/pull/22" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a" + "url": "https://snyk.io/vuln/SNYK-JS-DICER-2311764" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245" + "url": "https://github.com/mscdex/dicer/commit/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac" } ], - "risk_score": 0.15614, + "risk_score": 2.2762499999999997, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in set-value" + "title": "Crash in HeaderParser in dicer" } ] }, 
@@ -57181,586 +4844,679 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "MIT" + "spdxExpression": "BSD-3-Clause", + "type": "external-depsdev", + "value": "BSD-3-Clause" } ], "matched": true, - "name": "set-value", - "purl": "pkg:npm/set-value@2.0.0", - "version": "2.0.0", + "name": "diff", + "purl": "pkg:npm/diff@3.5.0", + "version": "3.5.0", "vulnerabilities": [ { - "affected_version_range": "\u003c2.0.1 (semantic)", + "affected_version_range": "\u003c3.5.1 (semantic)", "aliases": [ - "CVE-2019-10747" + "CVE-2026-24001" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" + "score": 2.7, + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2019-10747", + "cve": "CVE-2026-24001", "id": "CWE-400", - "source": "nvd@nist.gov", - "type": "Primary" + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2026-24001", + "id": "CWE-1333", + "source": "security-advisories@github.com", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4g88-fppr-53pp", - "description": "Prototype Pollution in set-value", + "data_source": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx", + "description": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch", "epss": [ { - "cve": "CVE-2019-10747", - "date": "2026-06-14", - "epss": 0.00493, - "percentile": 0.66264 + "cve": "CVE-2026-24001", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-07-28", + "date": "2026-01-31", "kind": "first-observed", - "version": "2.0.1" + "version": "3.5.1" } ], "fix_state": "fixed", - "fixed_in": "2.0.1", + "fixed_in": "3.5.1", "fixed_versions": [ - "2.0.1" + "3.5.1" ], - "id": "GHSA-4g88-fppr-53pp", + "id": "GHSA-73rr-hh4g-fpgx", "namespace": "github:language:javascript", "reachability": { "analyzed_at": 
"\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2019-10747", - "Fix available: upgrade to 2.0.1", + "Also known as: CVE-2026-24001", + "Fix available: upgrade to 3.5.1", "Fix state: fixed", - "https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f", - "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad", - "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/", - "https://nvd.nist.gov/vuln/detail/CVE-2019-10747", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213", - "https://www.npmjs.com/advisories/1012" + "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5", + "https://github.com/kpdecker/jsdiff/issues/653", + "https://github.com/kpdecker/jsdiff/pull/649", + "https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx", + "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4g88-fppr-53pp" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10747" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-450213" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/1012" + "url": "https://github.com/advisories/GHSA-73rr-hh4g-fpgx" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/b46f35559c4a97cf74d2dd7fe5a48f8abf2ff37f879083920af9b292@%3Cdev.drat.apache.org%3E" + "url": 
"https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3EJ36KV6MXQPUYTFCCTDY54E5Y7QP3AV/" + "url": "https://github.com/kpdecker/jsdiff/pull/649" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E3HNLQZQINMZK6GYB2UTKK4VU7WBV2OT/" + "url": "https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/95e9d9923f8a8b4a01da1ea138fcc39ec7b6b15f" + "url": "https://github.com/kpdecker/jsdiff/issues/653" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24001" } ], - "risk_score": 0.46342000000000005, - "severity": "critical", + "risk_score": 0.14592000000000002, + "severity": "low", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in set-value" - }, + "title": "jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "emoji-regex", + "purl": "pkg:npm/emoji-regex@7.0.3", + "version": "7.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "es-abstract", + "purl": "pkg:npm/es-abstract@1.17.6", + "version": "1.17.6", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "es-to-primitive", + "purl": 
"pkg:npm/es-to-primitive@1.2.1", + "version": "1.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "escape-string-regexp", + "purl": "pkg:npm/escape-string-regexp@1.0.5", + "version": "1.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "BSD-2-Clause", + "type": "external-depsdev", + "value": "BSD-2-Clause" + } + ], + "matched": true, + "name": "esprima", + "purl": "pkg:npm/esprima@4.0.1", + "version": "4.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "example-javascript-vulnerable-methods", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "fill-range", + "purl": "pkg:npm/fill-range@7.0.1", + "version": "7.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "find-up", + "purl": "pkg:npm/find-up@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "BSD-3-Clause", + "type": "external-depsdev", + "value": "BSD-3-Clause" + } + ], + "matched": true, + "name": "flat", + "purl": "pkg:npm/flat@4.1.0", + "version": "4.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "fs-extra", + "purl": "pkg:npm/fs-extra@7.0.1", + "version": "7.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + 
"value": "ISC" + } + ], + "matched": true, + "name": "fs.realpath", + "purl": "pkg:npm/fs.realpath@1.0.0", + "version": "1.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "fsevents", + "purl": "pkg:npm/fsevents@2.1.3", + "version": "2.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "function-bind", + "purl": "pkg:npm/function-bind@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "get-caller-file", + "purl": "pkg:npm/get-caller-file@2.0.5", + "version": "2.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "glob-parent", + "purl": "pkg:npm/glob-parent@5.1.1", + "version": "5.1.1", + "vulnerabilities": [ { - "affected_version_range": "\u003c2.0.1 (semantic)", + "affected_version_range": "\u003e=4.0.0,\u003c5.1.2 (semantic)", "aliases": [ - "CVE-2021-23440" + "CVE-2020-28469" ], "cvss": [ { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2021-23440", - "id": "CWE-843", + "cve": "CVE-2020-28469", + "id": "CWE-400", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr", - "description": "Prototype Pollution in set-value", + "data_source": "https://github.com/advisories/GHSA-ww39-953v-wcq6", + "description": "glob-parent vulnerable to Regular Expression Denial of Service 
in enclosure regex", "epss": [ { - "cve": "CVE-2021-23440", - "date": "2026-06-14", - "epss": 0.00211, - "percentile": 0.43834 + "cve": "CVE-2020-28469", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-11-13", + "date": "2021-06-08", "kind": "first-observed", - "version": "2.0.1" + "version": "5.1.2" } ], "fix_state": "fixed", - "fixed_in": "2.0.1", + "fixed_in": "5.1.2", "fixed_versions": [ - "2.0.1" + "5.1.2" ], - "id": "GHSA-4jqc-8m5r-9rpr", + "id": "GHSA-ww39-953v-wcq6", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2021-23440", - "Fix available: upgrade to 2.0.1", + "Also known as: CVE-2020-28469", + "Fix available: upgrade to 5.1.2", "Fix state: fixed", - "https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245", - "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452", - "https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad", - "https://github.com/jonschlinkert/set-value/pull/33", - "https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23440", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212", - "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541", - "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/", + "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9", + "https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e", + "https://github.com/gulpjs/glob-parent/pull/36", + "https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46", + 
"https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28469", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092", + "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905", "https://www.oracle.com/security-alerts/cpujan2022.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4jqc-8m5r-9rpr" + "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23440" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28469" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/pull/33" + "url": "https://github.com/gulpjs/glob-parent/pull/36" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452" + "url": "https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1584212" + "url": "https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093" }, { "type": "advisory", - "url": "https://www.huntr.dev/bounties/2eae1159-01de-4f82-a177-7478a408c4a2/" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpujan2022.html" + "url": "https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a" + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "advisory", - "url": 
"https://github.com/jonschlinkert/set-value/commit/cb12f14955dde6e61829d70d1851bfea6a3c31ad" + "url": "https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/set-value/commit/09c4b108fea3c0260008590053ff13da64913245" + "url": "https://github.com/gulpjs/glob-parent/commit/4a80667c69355c76a572a5892b0f133c8e1f457e" } ], - "risk_score": 0.15614, + "risk_score": 3.3420000000000005, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in set-value" + "title": "glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex" } ] }, { "ecosystem": "npm", - "licenses": [], - "name": "setprototypeof", - "purl": "pkg:npm/setprototypeof@1.1.1", - "version": "1.1.1", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "glob", + "purl": "pkg:npm/glob@7.1.3", + "version": "7.1.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], "matched": true, - "name": "sha.js", - "purl": "pkg:npm/sha.js@2.4.11", - "version": "2.4.11", - "vulnerabilities": [ + "name": "graceful-fs", + "purl": "pkg:npm/graceful-fs@4.2.3", + "version": "4.2.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ { - "affected_version_range": "\u003c=2.4.11 (semantic)", - "aliases": [ - "CVE-2025-9288" - ], - "cvss": [ - { - "score": 9.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", - "version": "3.1" - }, - { - "score": 9.1, - "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2025-9288", - "id": "CWE-20", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": 
"https://github.com/advisories/GHSA-95m3-7q98-8xr5", - "description": "sha.js is missing type checks leading to hash rewind and passing on crafted data", - "epss": [ - { - "cve": "CVE-2025-9288", - "date": "2026-06-14", - "epss": 0.0006, - "percentile": 0.19217 - } - ], - "fix_available": [ - { - "date": "2025-08-22", - "kind": "first-observed", - "version": "2.4.12" - } - ], - "fix_state": "fixed", - "fixed_in": "2.4.12", - "fixed_versions": [ - "2.4.12" - ], - "id": "GHSA-95m3-7q98-8xr5", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-9288", - "Fix available: upgrade to 2.4.12", - "Fix state: fixed", - "https://github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5", - "https://github.com/browserify/sha.js/pull/78", - "https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5", - "https://lists.debian.org/debian-lts-announce/2025/09/msg00016.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-9288", - "https://www.cve.org/CVERecord?id=CVE-2025-9287" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-95m3-7q98-8xr5" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/sha.js/security/advisories/GHSA-95m3-7q98-8xr5" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9288" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/sha.js/pull/78" - }, - { - "type": "advisory", - "url": "https://github.com/browserify/sha.js/commit/f2a258e9f2d0fcd113bfbaa49706e1ac0d979ba5" - }, - { - "type": "advisory", - "url": "https://www.cve.org/CVERecord?id=CVE-2025-9287" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00016.html" - } - ], - "risk_score": 
0.054299999999999994, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "sha.js is missing type checks leading to hash rewind and passing on crafted data" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } - ] + ], + "matched": true, + "name": "growl", + "purl": "pkg:npm/growl@1.10.5", + "version": "1.10.5", + "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [], - "name": "shallow-clone", - "purl": "pkg:npm/shallow-clone@0.1.2", - "version": "0.1.2", + "name": "handy", + "purl": "pkg:npm/handy@0.0.13", + "version": "0.0.13", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "shasum", - "purl": "pkg:npm/shasum@1.0.2", - "version": "1.0.2", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "has-flag", + "purl": "pkg:npm/has-flag@3.0.0", + "version": "3.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "shebang-command", - "purl": "pkg:npm/shebang-command@1.2.0", - "version": "1.2.0", + "matched": true, + "name": "has-symbols", + "purl": "pkg:npm/has-symbols@1.0.1", + "version": "1.0.1", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "shebang-regex", - "purl": "pkg:npm/shebang-regex@1.0.0", - "version": "1.0.0", + "matched": true, + "name": "has", + "purl": "pkg:npm/has@1.0.3", + "version": "1.0.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "shell-quote", - "purl": "pkg:npm/shell-quote@1.6.1", - "version": "1.6.1", - "vulnerabilities": [ + "name": "he", + "purl": 
"pkg:npm/he@1.2.0", + "version": "1.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "htmlparser", + "purl": "pkg:npm/htmlparser@1.7.7", + "version": "1.7.7", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ { - "affected_version_range": "\u003e=1.1.0,\u003c=1.8.3 (semantic)", - "aliases": [ - "CVE-2026-9277" - ], - "cvss": [ - { - "score": 8.1, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - }, - { - "score": 9.2, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-9277", - "id": "CWE-77", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - }, - { - "cve": "CVE-2026-9277", - "id": "CWE-78", - "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-w7jw-789q-3m8p", - "description": "shell-quote quote() does not escape newlines in object .op values", - "epss": [ - { - "cve": "CVE-2026-9277", - "date": "2026-06-14", - "epss": 0.00068, - "percentile": 0.21207 - } - ], - "fix_available": [ - { - "date": "2026-06-09", - "kind": "first-observed", - "version": "1.8.4" - } - ], - "fix_state": "fixed", - "fixed_in": "1.8.4", - "fixed_versions": [ - "1.8.4" - ], - "id": "GHSA-w7jw-789q-3m8p", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-9277", - "Fix available: upgrade to 1.8.4", - "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2026/05/23/2", - "https://github.com/ljharb/shell-quote", - "https://github.com/ljharb/shell-quote/commit/1518179", - "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p", - 
"https://nvd.nist.gov/vuln/detail/CVE-2026-9277", - "https://www.npmjs.com/package/shell-quote" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-w7jw-789q-3m8p" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9277" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/shell-quote/commit/1518179" - }, - { - "type": "advisory", - "url": "https://github.com/ljharb/shell-quote" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/shell-quote" - }, - { - "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2026/05/23/2" - } - ], - "risk_score": 0.06001, - "severity": "critical", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "shell-quote quote() does not escape newlines in object .op values" + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" } - ] + ], + "matched": true, + "name": "inflight", + "purl": "pkg:npm/inflight@1.0.6", + "version": "1.0.6", + "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], - "name": "signal-exit", - "purl": "pkg:npm/signal-exit@3.0.2", - "version": "3.0.2", + "matched": true, + "name": "inherits", + "purl": "pkg:npm/inherits@2.0.4", + "version": "2.0.4", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "simple-concat", - "purl": "pkg:npm/simple-concat@1.0.0", - "version": "1.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "is-binary-path", + "purl": "pkg:npm/is-binary-path@2.1.0", + "version": "2.1.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "sliced", - "purl": 
"pkg:npm/sliced@0.0.5", - "version": "0.0.5", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "is-buffer", + "purl": "pkg:npm/is-buffer@2.0.4", + "version": "2.0.4", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "ISC" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } ], - "name": "slide", - "purl": "pkg:npm/slide@1.1.6", - "version": "1.1.6", + "matched": true, + "name": "is-callable", + "purl": "pkg:npm/is-callable@1.2.2", + "version": "1.2.2", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "smart-buffer", - "purl": "pkg:npm/smart-buffer@4.1.0", - "version": "4.1.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "is-date-object", + "purl": "pkg:npm/is-date-object@1.0.2", + "version": "1.0.2", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "snapdragon-node", - "purl": "pkg:npm/snapdragon-node@2.1.1", + "matched": true, + "name": "is-extglob", + "purl": "pkg:npm/is-extglob@2.1.1", "version": "2.1.1", "vulnerabilities": [] }, 
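Review bot: `risk_score` is still a live value on the new side of this hunk (`0.14592000000000002` for GHSA-73rr-hh4g-fpgx, `3.3420000000000005` for GHSA-ww39-953v-wcq6), even though the `epss` entries beside it are now pinned to `"date": "\u003cnormalized\u003e", "epss": 0, "percentile": 0`. On the removed side the score tracks EPSS (0.00493 → 0.46342 and 0.00211 → 0.15614 for the two set-value advisories), so it presumably moves whenever the EPSS feed does, and this golden will keep churning unless the comparison masks the field elsewhere. Normalising it the same way, e.g. `"risk_score": 0`, or rounding it before serialising, would make the fixture stable. Separately, the new entries pin `"status": "unreachable"` together with `"dynamic_imports_detected": true`; if that flag means the analyzer saw imports it could not resolve, a consumer filtering on `status` alone would drop a high-severity finding such as the glob-parent one, so the intended semantics are worth confirming before this becomes the expected output. The file is generated output, so both points are for the normaliser and the analyzer rather than for hand edits here.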
@@ -57768,3735 +5524,2184 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "snapdragon-util", - "purl": "pkg:npm/snapdragon-util@3.0.1", - "version": "3.0.1", + "matched": true, + "name": "is-fullwidth-code-point", + "purl": "pkg:npm/is-fullwidth-code-point@2.0.0", + "version": "2.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "snapdragon", - "purl": "pkg:npm/snapdragon@0.8.2", - "version": "0.8.2", + "matched": true, + "name": "is-glob", + "purl": "pkg:npm/is-glob@4.0.1", + "version": "4.0.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "snyk-config", - "purl": "pkg:npm/snyk-config@2.2.3", - "version": "2.2.3", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "is-number", + "purl": "pkg:npm/is-number@7.0.0", + "version": "7.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "snyk-docker-plugin", - "purl": "pkg:npm/snyk-docker-plugin@1.33.1", - "version": "1.33.1", - "vulnerabilities": [ + "licenses": [ { - "affected_version_range": "\u003c5.6.5 (semantic)", - "aliases": [ - "CVE-2022-22984" - ], - "cvss": [ - { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", - "epss": [ - { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - 
"percentile": 0.896 - } - ], - "fix_available": [ - { - "date": "2022-12-16", - "kind": "first-observed", - "version": "5.6.5" - } - ], - "fix_state": "fixed", - "fixed_in": "5.6.5", - "fixed_versions": [ - "5.6.5" - ], - "id": "GHSA-4x6g-3cmx-w76r", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 5.6.5", - "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - 
"https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" - }, - { - "type": 
"advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" - }, - { - "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - } - ], - "risk_score": 2.6374199999999997, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } - ] + ], + "matched": true, + "name": "is-regex", + "purl": "pkg:npm/is-regex@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "snyk-go-parser", - "purl": "pkg:npm/snyk-go-parser@1.3.1", - "version": "1.3.1", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "is-symbol", + "purl": "pkg:npm/is-symbol@1.0.3", + "version": "1.0.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "snyk-go-plugin", - "purl": "pkg:npm/snyk-go-plugin@1.11.1", - "version": "1.11.1", - "vulnerabilities": [ + "licenses": [ { - "affected_version_range": "\u003c1.19.1 (semantic)", - "aliases": [ - "CVE-2022-40764" - ], - "cvss": [ - { - "score": 7.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-40764", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-hpqj-7cj6-hfj8", - "description": "Snyk CLI affected by Command Injection vulnerability", - "epss": [ - { - "cve": "CVE-2022-40764", - "date": "2026-06-14", - "epss": 0.01429, - "percentile": 0.81125 - } - ], - "fix_available": [ - { - "date": "2022-10-07", - "kind": "first-observed", - 
"version": "1.19.1" - } - ], - "fix_state": "fixed", - "fixed_in": "1.19.1", - "fixed_versions": [ - "1.19.1" - ], - "id": "GHSA-hpqj-7cj6-hfj8", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-40764", - "Fix available: upgrade to 1.19.1", - "Fix state: fixed", - "https://github.com/snyk/cli/releases/tag/v1.996.0", - "https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1", - "https://nvd.nist.gov/vuln/detail/CVE-2022-40764", - "https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-hpqj-7cj6-hfj8" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40764" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/releases/tag/v1.996.0" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1" - }, - { - "type": "advisory", - "url": "https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0" - }, - { - "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - } - ], - "risk_score": 1.093185, - "severity": "high", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Snyk CLI affected by Command Injection vulnerability" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } - ] + ], + "matched": true, + "name": "is", + "purl": 
"pkg:npm/is@3.3.0", + "version": "3.3.0", + "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "isarray", + "purl": "pkg:npm/isarray@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "isexe", + "purl": "pkg:npm/isexe@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "snyk-gradle-plugin", - "purl": "pkg:npm/snyk-gradle-plugin@3.2.2", - "version": "3.2.2", + "name": "js-yaml", + "purl": "pkg:npm/js-yaml@3.13.0", + "version": "3.13.0", "vulnerabilities": [ { - "affected_version_range": "\u003c3.24.5 (semantic)", - "aliases": [ - "CVE-2022-22984" - ], - "cvss": [ - { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", - "epss": [ - { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - "percentile": 0.896 - } - ], + "affected_version_range": "\u003c3.13.1 (semantic)", + "data_source": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx", + "description": "Code Injection in js-yaml", "fix_available": [ { - "date": "2022-12-16", + "date": "2020-09-12", "kind": "first-observed", - "version": "3.24.5" + "version": "3.13.1" } ], "fix_state": "fixed", - 
"fixed_in": "3.24.5", + "fixed_in": "3.13.1", "fixed_versions": [ - "3.24.5" + "3.13.1" ], - "id": "GHSA-4x6g-3cmx-w76r", + "id": "GHSA-8j8c-7jfh-h6hx", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 3.24.5", + "Fix available: upgrade to 3.13.1", "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - 
"https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "https://github.com/nodeca/js-yaml/pull/480", + "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61", + "https://www.npmjs.com/advisories/813" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" - }, - { - "type": "advisory", - "url": 
"https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + "url": "https://github.com/advisories/GHSA-8j8c-7jfh-h6hx" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + "url": "https://github.com/nodeca/js-yaml/pull/480" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + "url": "https://www.npmjs.com/advisories/813" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "url": "https://github.com/nodeca/js-yaml/pull/480/commits/e18afbf1edcafb7add2c4c7b22abc8d6ebc2fa61" } ], - "risk_score": 2.6374199999999997, - "severity": "medium", + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" + "title": "Code Injection in js-yaml" }, { - "affected_version_range": "\u003c4.5.0 (semantic)", + "affected_version_range": "\u003c=4.1.1 (semantic)", "aliases": [ - "CVE-2024-48964" + "CVE-2026-53550" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" - }, - { - "score": 7.5, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-48964", - "id": "CWE-78", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-48964", - "id": "CWE-94", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-qqqw-gm93-qf6m", - "description": "OS Command Injection in Snyk gradle plugin", - "epss": [ 
- { - "cve": "CVE-2024-48964", - "date": "2026-06-14", - "epss": 0.00137, - "percentile": 0.33624 } ], + "data_source": "https://github.com/advisories/GHSA-h67p-54hq-rp68", + "description": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "fix_available": [ { - "date": "2024-10-24", + "date": "2026-06-15", "kind": "first-observed", - "version": "4.5.0" + "version": "4.2.0" } ], "fix_state": "fixed", - "fixed_in": "4.5.0", + "fixed_in": "4.2.0", "fixed_versions": [ - "4.5.0" + "4.2.0" ], - "id": "GHSA-qqqw-gm93-qf6m", + "id": "GHSA-h67p-54hq-rp68", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-48964", - "Fix available: upgrade to 4.5.0", + "Also known as: CVE-2026-53550", + "Fix available: upgrade to 4.2.0", "Fix state: fixed", - "https://github.com/snyk/snyk-gradle-plugin/commit/2f5ee7579f00660282dd161a0b79690f4a9c865d", - "https://nvd.nist.gov/vuln/detail/CVE-2024-48964" + "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-qqqw-gm93-qf6m" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48964" + "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/2f5ee7579f00660282dd161a0b79690f4a9c865d" + "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68" } ], - "risk_score": 0.10275, - "severity": "high", + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "OS Command Injection in Snyk gradle plugin" - } - ] - }, - { - "ecosystem": "npm", 
- "licenses": [], - "name": "snyk-module", - "purl": "pkg:npm/snyk-module@1.9.1", - "version": "1.9.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "snyk-mvn-plugin", - "purl": "pkg:npm/snyk-mvn-plugin@2.7.0", - "version": "2.7.0", - "vulnerabilities": [ + "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases" + }, { - "affected_version_range": "\u003c2.31.3 (semantic)", + "affected_version_range": "\u003c3.14.2 (semantic)", "aliases": [ - "CVE-2022-22984" + "CVE-2025-64718" ], "cvss": [ { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-64718", + "id": "CWE-1321", + "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", + "data_source": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", + "description": "js-yaml has prototype pollution in merge (\u003c\u003c)", "epss": [ { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - "percentile": 0.896 + "cve": "CVE-2025-64718", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-16", + "date": "2025-11-18", "kind": "first-observed", - "version": "2.31.3" + "version": "3.14.2" } ], "fix_state": "fixed", - "fixed_in": "2.31.3", + "fixed_in": "3.14.2", "fixed_versions": [ - "2.31.3" + "3.14.2" ], - "id": "GHSA-4x6g-3cmx-w76r", + "id": "GHSA-mh29-5h37-fv8m", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
"analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 2.31.3", + "Also known as: CVE-2025-64718", + "Fix available: upgrade to 3.14.2", "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" - }, + "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879", + "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266", + "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876", + "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m", + "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" + ], + "references": [ { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m" }, { "type": 
"advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" + "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876" } ], - "risk_score": 2.6374199999999997, + "risk_score": 0.19055, "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" + "title": "js-yaml has prototype pollution in merge (\u003c\u003c)" } ] }, { "ecosystem": "npm", - "licenses": [], - "name": "snyk-nodejs-lockfile-parser", - "purl": "pkg:npm/snyk-nodejs-lockfile-parser@1.17.0", - "version": "1.17.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "snyk-nuget-plugin", - "purl": "pkg:npm/snyk-nuget-plugin@1.16.0", - "version": "1.16.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "snyk-paket-parser", - "purl": "pkg:npm/snyk-paket-parser@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "snyk-php-plugin", - "purl": 
"pkg:npm/snyk-php-plugin@1.7.0", - "version": "1.7.0", + "name": "js-yaml", + "purl": "pkg:npm/js-yaml@3.13.1", + "version": "3.13.1", "vulnerabilities": [ { - "affected_version_range": "\u003c1.10.0 (semantic)", + "affected_version_range": "\u003c=4.1.1 (semantic)", "aliases": [ - "CVE-2024-48963" + "CVE-2026-53550" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" - }, - { - "score": 7.5, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2024-48963", - "id": "CWE-78", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-48963", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-69f9-h8f9-7vjf", - "description": "OS Command Injection in Snyk php plugin", - "epss": [ - { - "cve": "CVE-2024-48963", - "date": "2026-06-14", - "epss": 0.00137, - "percentile": 0.33624 } ], + "data_source": "https://github.com/advisories/GHSA-h67p-54hq-rp68", + "description": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "fix_available": [ { - "date": "2024-10-24", + "date": "2026-06-15", "kind": "first-observed", - "version": "1.10.0" + "version": "4.2.0" } ], "fix_state": "fixed", - "fixed_in": "1.10.0", + "fixed_in": "4.2.0", "fixed_versions": [ - "1.10.0" + "4.2.0" ], - "id": "GHSA-69f9-h8f9-7vjf", + "id": "GHSA-h67p-54hq-rp68", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": 
"package" }, "reasons": [ - "Also known as: CVE-2024-48963", - "Fix available: upgrade to 1.10.0", + "Also known as: CVE-2026-53550", + "Fix available: upgrade to 4.2.0", "Fix state: fixed", - "https://github.com/snyk/snyk-php-plugin/commit/9189f093b94f9ce51672f6919ffbc98171fd66d4", - "https://github.com/snyk/snyk-php-plugin/releases/tag/v1.10.0", - "https://nvd.nist.gov/vuln/detail/CVE-2024-48963" + "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-69f9-h8f9-7vjf" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-48963" + "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-php-plugin/releases/tag/v1.10.0" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-php-plugin/commit/9189f093b94f9ce51672f6919ffbc98171fd66d4" + "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68" } ], - "risk_score": 0.10275, - "severity": "high", + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "OS Command Injection in Snyk php plugin" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "snyk-policy", - "purl": "pkg:npm/snyk-policy@1.13.5", - "version": "1.13.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "snyk-python-plugin", - "purl": "pkg:npm/snyk-python-plugin@1.16.0", - "version": "1.16.0", - "vulnerabilities": [ + "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases" + }, { - "affected_version_range": "\u003c1.24.2 (semantic)", + "affected_version_range": "\u003c3.14.2 (semantic)", "aliases": [ - "CVE-2022-22984" + "CVE-2025-64718" ], "cvss": [ { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "score": 5.3, + "vector": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-64718", + "id": "CWE-1321", + "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", + "data_source": "https://github.com/advisories/GHSA-mh29-5h37-fv8m", + "description": "js-yaml has prototype pollution in merge (\u003c\u003c)", "epss": [ { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - "percentile": 0.896 + "cve": "CVE-2025-64718", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-16", + "date": "2025-11-18", "kind": "first-observed", - "version": "1.24.2" + "version": "3.14.2" } ], "fix_state": "fixed", - "fixed_in": "1.24.2", + "fixed_in": "3.14.2", "fixed_versions": [ - "1.24.2" + "3.14.2" ], - "id": "GHSA-4x6g-3cmx-w76r", + "id": "GHSA-mh29-5h37-fv8m", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 1.24.2", + "Also known as: CVE-2025-64718", + "Fix available: upgrade to 3.14.2", "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - 
"https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879", + "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266", + "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876", + "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m", + "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" 
- }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" + "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" + "url": "https://github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64718" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + "url": "https://github.com/nodeca/js-yaml/commit/383665ff4248ec2192d1274e934462bb30426879" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + "url": "https://github.com/nodeca/js-yaml/commit/5278870a17454fe8621dbd8c445c412529525266" }, { "type": 
"advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "url": "https://github.com/nodeca/js-yaml/issues/730#issuecomment-3549635876" } ], - "risk_score": 2.6374199999999997, + "risk_score": 0.19055, "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" + "title": "js-yaml has prototype pollution in merge (\u003c\u003c)" } ] }, { "ecosystem": "npm", - "licenses": [], - "name": "snyk-resolve-deps", - "purl": "pkg:npm/snyk-resolve-deps@4.4.0", - "version": "4.4.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "jsonfile", + "purl": "pkg:npm/jsonfile@4.0.0", + "version": "4.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "snyk-resolve", - "purl": "pkg:npm/snyk-resolve@1.0.1", - "version": "1.0.1", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "larvitbase", + "purl": "pkg:npm/larvitbase@3.1.3", + "version": "3.1.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "larvitfs", + "purl": "pkg:npm/larvitfs@2.3.1", + "version": "2.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "larvitreqparser", + "purl": "pkg:npm/larvitreqparser@0.2.1", + "version": "0.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "larvitrouter", + "purl": "pkg:npm/larvitrouter@3.0.2", + "version": 
"3.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "larvitutils", + "purl": "pkg:npm/larvitutils@2.3.0", + "version": "2.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "locate-path", + "purl": "pkg:npm/locate-path@3.0.0", + "version": "3.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "snyk-sbt-plugin", - "purl": "pkg:npm/snyk-sbt-plugin@2.11.0", - "version": "2.11.0", + "name": "lodash", + "purl": "pkg:npm/lodash@4.17.15", + "version": "4.17.15", "vulnerabilities": [ { - "affected_version_range": "\u003c2.16.2 (semantic)", + "affected_version_range": "\u003e=4.0.0,\u003c4.17.21 (semantic)", "aliases": [ - "CVE-2022-22984" + "CVE-2020-28500" ], "cvss": [ { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22984", - "id": "CWE-78", + "cve": "CVE-2020-28500", + "id": "NVD-CWE-Other", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", + "data_source": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9", + "description": "Regular Expression Denial of Service (ReDoS) in lodash", "epss": [ { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - "percentile": 0.896 + "cve": "CVE-2020-28500", + "date": 
"\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-16", + "date": "2022-01-07", "kind": "first-observed", - "version": "2.16.2" + "version": "4.17.21" } ], "fix_state": "fixed", - "fixed_in": "2.16.2", + "fixed_in": "4.17.21", "fixed_versions": [ - "2.16.2" + "4.17.21" ], - "id": "GHSA-4x6g-3cmx-w76r", + "id": "GHSA-29mw-wpgm-hmr9", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 2.16.2", + "Also known as: CVE-2020-28500", + "Fix available: upgrade to 4.17.21", "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - 
"https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/github/advisory-database/pull/6139", + "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8", + "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a", + "https://github.com/lodash/lodash/pull/5065", + "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml", + "https://nvd.nist.gov/vuln/detail/CVE-2020-28500", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893", + "https://snyk.io/vuln/SNYK-JS-LODASH-1018905", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" 
- }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" + "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28500" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" + "url": "https://github.com/lodash/lodash/pull/5065" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" + "url": "https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" + "url": "https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1018905" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892" }, { "type": "advisory", - "url": 
"https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" - } - ], - "risk_score": 2.6374199999999997, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "snyk-tree", - "purl": "pkg:npm/snyk-tree@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "snyk-try-require", - "purl": "pkg:npm/snyk-try-require@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "snyk", - "purl": "pkg:npm/snyk@1.278.1", - "version": "1.278.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c1.1064.0 (semantic)", - "aliases": [ - "CVE-2022-24441" - ], - "cvss": [ - { - "score": 8.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2022-24441", - "id": "CWE-78", - "source": "nvd@nist.gov", - "type": "Primary" - }, - { - "cve": "CVE-2022-24441", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-4vrv-93c7-m92j", - "description": "snyk Code Injection vulnerability", - "epss": [ - { - "cve": "CVE-2022-24441", - "date": "2026-06-14", - "epss": 0.02656, - "percentile": 0.86166 - } - ], - "fix_available": [ - { - "date": "2023-07-07", - "kind": "first-observed", - "version": "1.1064.0" - } - ], - "fix_state": 
"fixed", - "fixed_in": "1.1064.0", - "fixed_versions": [ - "1.1064.0" - ], - "id": "GHSA-4vrv-93c7-m92j", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2022-24441", - "Fix available: upgrade to 1.1064.0", - "Fix state: fixed", - "https://github.com/snyk/snyk-eclipse-plugin/commit/b5a8bce25a359ced75f83a729fc6b2393fc9a495", - "https://github.com/snyk/snyk-intellij-plugin/commit/56682f4ba6081ce1d95cb980cbfacd3809a826f4", - "https://github.com/snyk/snyk-ls/commit/b3229f0142f782871aa72d1a7dcf417546d568ed", - "https://github.com/snyk/snyk-visual-studio-plugin/commit/0b53dbbd4a3153c3ef9aaf797af3b5caad0f731a", - "https://github.com/snyk/vscode-extension/commit/0db3b4240be0db6a0a5c6d02c0d4231a2c4ba708", - "https://nvd.nist.gov/vuln/detail/CVE-2022-24441", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-4vrv-93c7-m92j" + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24441" + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-eclipse-plugin/commit/b5a8bce25a359ced75f83a729fc6b2393fc9a495" + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-intellij-plugin/commit/56682f4ba6081ce1d95cb980cbfacd3809a826f4" + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-ls/commit/b3229f0142f782871aa72d1a7dcf417546d568ed" + "url": 
"https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-visual-studio-plugin/commit/0b53dbbd4a3153c3ef9aaf797af3b5caad0f731a" + "url": "https://github.com/lodash/lodash/commit/c4847ebe7d14540bb28a8b932a9ce1b9ecbfee1a" }, { "type": "advisory", - "url": "https://github.com/snyk/vscode-extension/commit/0db3b4240be0db6a0a5c6d02c0d4231a2c4ba708" + "url": "https://security.netapp.com/advisory/ntap-20210312-0006" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3111871" + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-28500.yml" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution" + "url": "https://github.com/github/advisory-database/pull/6139" } ], - "risk_score": 2.1646400000000003, - "severity": "high", + "risk_score": 3.77804, + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "snyk Code Injection vulnerability" + "title": "Regular Expression Denial of Service (ReDoS) in lodash" }, { - "affected_version_range": "\u003c1.1064.0 (semantic)", + "affected_version_range": "\u003c4.17.21 (semantic)", "aliases": [ - "CVE-2022-22984" + "CVE-2021-23337" ], "cvss": [ { - "score": 6.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "score": 7.2, + "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-22984", - "id": "CWE-78", + "cve": "CVE-2021-23337", + "id": "CWE-94", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2022-22984", - "id": "CWE-78", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r", - "description": "Snyk plugins vulnerable to Command Injection", + "data_source": 
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "description": "Command Injection in lodash", "epss": [ { - "cve": "CVE-2022-22984", - "date": "2026-06-14", - "epss": 0.04668, - "percentile": 0.896 + "cve": "CVE-2021-23337", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-12-16", + "date": "2021-05-07", "kind": "first-observed", - "version": "1.1064.0" + "version": "4.17.21" } ], "fix_state": "fixed", - "fixed_in": "1.1064.0", + "fixed_in": "4.17.21", "fixed_versions": [ - "1.1064.0" + "4.17.21" ], - "id": "GHSA-4x6g-3cmx-w76r", + "id": "GHSA-35jh-r3h4-6jhm", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-22984", - "Fix available: upgrade to 1.1064.0", + "Also known as: CVE-2021-23337", + "Fix available: upgrade to 4.17.21", "Fix state: fixed", - "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a", - "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381", - "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357", - "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009", - "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3", - "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50", - "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4", - "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437", - "https://nvd.nist.gov/vuln/detail/CVE-2022-22984", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622", - 
"https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679", - "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624", - "https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623", - "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625", - "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf", + "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23337", + "https://security.netapp.com/advisory/ntap-20210312-0006", + "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929", + "https://snyk.io/vuln/SNYK-JS-LODASH-1040724", + "https://www.oracle.com//security-alerts/cpujul2021.html", + "https://www.oracle.com/security-alerts/cpujan2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-4x6g-3cmx-w76r" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-22984" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/80d97a93326406e09776156daf72e3caa03ae25a" + "url": 
"https://github.com/advisories/GHSA-35jh-r3h4-6jhm" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-cocoapods-plugin/commit/c73e049c5200772babde61c40aab57296bf91381" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23337" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-docker-plugin/commit/d730d7630691a61587b120bb11daaaf4b58a8357" + "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-gradle-plugin/commit/bb1c1c72a75e97723a76b14d2d73f70744ed5009" + "url": "https://snyk.io/vuln/SNYK-JS-LODASH-1040724" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-hex-plugin/commit/e8dd2a330b40d7fc0ab47e34413e80a0146d7ac3" + "url": "https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-mvn-plugin/commit/02cda9ba1ea36b00ead3f6ec2de0f97397ebec50" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-python-plugin/commit/8591abdd9236108ac3e30c70c09238d6bb6aabf4" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-sbt-plugin/commit/99c09eb12c9f8f2b237aea9627aab1ae3cab6437" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-3038622" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKDOCKERPLUGIN-3039679" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKGRADLEPLUGIN-3038624" + "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "type": "advisory", - "url": 
"https://security.snyk.io/vuln/SNYK-JS-SNYKMVNPLUGIN-3038623" + "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKPYTHONPLUGIN-3039677" + "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSBTPLUGIN-3038626" + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKCOCOAPODSPLUGIN-3038625" + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYKSNYKHEXPLUGIN-3039680" + "url": "https://security.netapp.com/advisory/ntap-20210312-0006" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2021-23337.yml" } ], - "risk_score": 2.6374199999999997, - "severity": "medium", + "risk_score": 16.471349999999997, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk plugins vulnerable to Command Injection" + "title": "Command Injection in lodash" }, { - "affected_version_range": "\u003c1.1297.3 (semantic)", + "affected_version_range": "\u003c=4.17.23 (semantic)", "aliases": [ - "CVE-2025-6624" + "CVE-2026-2950" ], "cvss": [ { - "score": 7.2, - "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H", + "score": 6.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" - }, - { - "score": 1.2, - "vector": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:H/SA:H/E:P", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2025-6624", - "id": "CWE-532", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2025-6624", - "id": "CWE-532", - 
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2026-2950", + "id": "CWE-1321", + "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-6hwc-9h8r-3vmf", - "description": "Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode", + "data_source": "https://github.com/advisories/GHSA-f23m-r3pf-42rh", + "description": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`", "epss": [ { - "cve": "CVE-2025-6624", - "date": "2026-06-14", - "epss": 0.00115, - "percentile": 0.29976 + "cve": "CVE-2026-2950", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2025-06-30", + "date": "2026-04-02", "kind": "first-observed", - "version": "1.1297.3" + "version": "4.18.0" } ], "fix_state": "fixed", - "fixed_in": "1.1297.3", + "fixed_in": "4.18.0", "fixed_versions": [ - "1.1297.3" + "4.18.0" ], - "id": "GHSA-6hwc-9h8r-3vmf", + "id": "GHSA-f23m-r3pf-42rh", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-6624", - "Fix available: upgrade to 1.1297.3", + "Also known as: CVE-2026-2950", + "Fix available: upgrade to 4.18.0", "Fix state: fixed", - "https://docs.snyk.io/snyk-cli/debugging-the-snyk-cli", - "https://github.com/snyk/cli/commit/38322f377da7e5f1391e1f641710be50989fa4df", - "https://github.com/snyk/cli/releases/tag/v1.1297.3", - "https://github.com/snyk/go-application-framework/commit/ca7ba7d72e68455afb466a7a47bb2c9aece86c18", - "https://nvd.nist.gov/vuln/detail/CVE-2025-6624", - "https://security.snyk.io/vuln/SNYK-JS-SNYK-10497607" + 
"https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh", + "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-6hwc-9h8r-3vmf" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6624" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/cli/commit/38322f377da7e5f1391e1f641710be50989fa4df" - }, - { - "type": "advisory", - "url": "https://github.com/snyk/go-application-framework/commit/ca7ba7d72e68455afb466a7a47bb2c9aece86c18" + "url": "https://github.com/advisories/GHSA-f23m-r3pf-42rh" }, { "type": "advisory", - "url": "https://docs.snyk.io/snyk-cli/debugging-the-snyk-cli" + "url": "https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh" }, { "type": "advisory", - "url": "https://github.com/snyk/cli/releases/tag/v1.1297.3" + "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-SNYK-10497607" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950" } ], - "risk_score": 0.0414, - "severity": "low", + "risk_score": 0.17077499999999998, + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode" + "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`" }, { - "affected_version_range": "\u003c1.996.0 (semantic)", + "affected_version_range": "\u003e=3.7.0,\u003c4.17.19 (semantic)", "aliases": [ - "CVE-2022-40764" + "CVE-2020-8203" ], "cvss": [ { - "score": 7.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "score": 7.4, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": 
"CVE-2022-40764", - "id": "CWE-78", + "cve": "CVE-2020-8203", + "id": "CWE-770", + "source": "support@hackerone.com", + "type": "Secondary" + }, + { + "cve": "CVE-2020-8203", + "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-hpqj-7cj6-hfj8", - "description": "Snyk CLI affected by Command Injection vulnerability", + "data_source": "https://github.com/advisories/GHSA-p6mc-m468-83gw", + "description": "Prototype Pollution in lodash", "epss": [ { - "cve": "CVE-2022-40764", - "date": "2026-06-14", - "epss": 0.01429, - "percentile": 0.81125 + "cve": "CVE-2020-8203", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2022-10-07", + "date": "2020-07-28", "kind": "first-observed", - "version": "1.996.0" + "version": "4.17.19" } ], "fix_state": "fixed", - "fixed_in": "1.996.0", + "fixed_in": "4.17.19", "fixed_versions": [ - "1.996.0" + "4.17.19" ], - "id": "GHSA-hpqj-7cj6-hfj8", + "id": "GHSA-p6mc-m468-83gw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-40764", - "Fix available: upgrade to 1.996.0", + "Also known as: CVE-2020-8203", + "Fix available: upgrade to 4.17.19", "Fix state: fixed", - "https://github.com/snyk/cli/releases/tag/v1.996.0", - "https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1", - "https://nvd.nist.gov/vuln/detail/CVE-2022-40764", - "https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0", - "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + 
"https://github.com/github/advisory-database/pull/2884", + "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12", + "https://github.com/lodash/lodash/issues/4744", + "https://github.com/lodash/lodash/issues/4874", + "https://github.com/lodash/lodash/wiki/Changelog#v41719", + "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml", + "https://hackerone.com/reports/712065", + "https://hackerone.com/reports/864701", + "https://nvd.nist.gov/vuln/detail/CVE-2020-8203", + "https://security.netapp.com/advisory/ntap-20200724-0006", + "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-hpqj-7cj6-hfj8" + "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" + }, + { + "type": "advisory", + "url": "https://github.com/lodash/lodash/issues/4744" + }, + { + "type": "advisory", + "url": "https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8203" + }, + { + "type": "advisory", + "url": "https://hackerone.com/reports/712065" + }, + { + "type": "advisory", + "url": "https://github.com/lodash/lodash/issues/4874" + }, + { + "type": "advisory", + "url": "https://github.com/github/advisory-database/pull/2884" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-40764" + "url": "https://hackerone.com/reports/864701" }, { "type": "advisory", - "url": "https://github.com/snyk/cli/releases/tag/v1.996.0" + "url": "https://github.com/lodash/lodash/wiki/Changelog#v41719" }, { "type": "advisory", - "url": "https://github.com/snyk/snyk-go-plugin/releases/tag/v1.19.1" + "url": "https://web.archive.org/web/20210914001339/https://github.com/lodash/lodash/issues/4744" }, { "type": "advisory", - "url": 
"https://support.snyk.io/hc/en-us/articles/7015908293789-CVE-2022-40764-Command-Injection-vulnerability-affecting-Snyk-CLI-versions-prior-to-1-996-0" + "url": "https://security.netapp.com/advisory/ntap-20200724-0006" }, { "type": "advisory", - "url": "https://www.imperva.com/blog/how-scanning-your-projects-for-security-issues-can-lead-to-remote-code-execution/" + "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/lodash-rails/CVE-2020-8203.yml" } ], - "risk_score": 1.093185, + "risk_score": 3.883685, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Snyk CLI affected by Command Injection vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "socks-proxy-agent", - "purl": "pkg:npm/socks-proxy-agent@4.0.2", - "version": "4.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "socks", - "purl": "pkg:npm/socks@2.3.3", - "version": "2.3.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "source-map-resolve", - "purl": "pkg:npm/source-map-resolve@0.5.1", - "version": "0.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "source-map-support", - "purl": "pkg:npm/source-map-support@0.5.16", - "version": "0.5.16", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "source-map-url", - "purl": "pkg:npm/source-map-url@0.4.0", - "version": "0.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "source-map", - "purl": "pkg:npm/source-map@0.4.4", - "version": "0.4.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-3-Clause" - } - ], - "name": "source-map", - "purl": 
"pkg:npm/source-map@0.5.7", - "version": "0.5.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "source-map", - "purl": "pkg:npm/source-map@0.6.1", - "version": "0.6.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "sparse-bitfield", - "purl": "pkg:npm/sparse-bitfield@3.0.3", - "version": "3.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "spawn-wrap", - "purl": "pkg:npm/spawn-wrap@1.4.2", - "version": "1.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "Apache-2.0" - } - ], - "name": "spdx-correct", - "purl": "pkg:npm/spdx-correct@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "CC-BY-3.0" - } - ], - "name": "spdx-exceptions", - "purl": "pkg:npm/spdx-exceptions@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "spdx-expression-parse", - "purl": "pkg:npm/spdx-expression-parse@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "CC0-1.0" - } - ], - "name": "spdx-license-ids", - "purl": "pkg:npm/spdx-license-ids@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "split-string", - "purl": "pkg:npm/split-string@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "sprintf-js", - "purl": "pkg:npm/sprintf-js@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "sqlstring", - "purl": "pkg:npm/sqlstring@2.3.1", - "version": "2.3.1", - 
"vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "sshpk", - "purl": "pkg:npm/sshpk@1.16.1", - "version": "1.16.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "st", - "purl": "pkg:npm/st@0.2.4", - "version": "0.2.4", - "vulnerabilities": [ + "title": "Prototype Pollution in lodash" + }, { - "affected_version_range": "\u003c0.2.5 (semantic)", + "affected_version_range": "\u003e=4.0.0,\u003c=4.17.23 (semantic)", "aliases": [ - "CVE-2014-3744" + "CVE-2026-4800" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", - "version": "3.0" + "score": 8.1, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2014-3744", - "id": "CWE-22", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2026-4800", + "id": "CWE-94", + "source": "ce714d77-add3-4f53-aff5-83d477b104bb", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-69rr-wvh9-6c4q", - "description": "Directory Traversal in st", + "data_source": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc", + "description": "lodash vulnerable to Code Injection via `_.template` imports key names", "epss": [ { - "cve": "CVE-2014-3744", - "date": "2026-06-14", - "epss": 0.7817, - "percentile": 0.99046 + "cve": "CVE-2026-4800", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-09-01", + "date": "2026-04-02", "kind": "first-observed", - "version": "0.2.5" + "version": "4.18.0" } ], "fix_state": "fixed", - "fixed_in": "0.2.5", + "fixed_in": "4.18.0", "fixed_versions": [ - "0.2.5" + "4.18.0" ], - "id": "GHSA-69rr-wvh9-6c4q", + "id": "GHSA-r5fr-rjxr-66jc", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", + "confidence": "low", + "dynamic_imports_detected": true, 
"hops": 0, "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2014-3744", - "Fix available: upgrade to 0.2.5", + "Also known as: CVE-2026-4800", + "Fix available: upgrade to 4.18.0", "Fix state: fixed", - "http://www.openwall.com/lists/oss-security/2014/05/13/1", - "http://www.openwall.com/lists/oss-security/2014/05/15/2", - "http://www.securityfocus.com/bid/67389", - "https://github.com/isaacs/st", - "https://github.com/isaacs/st#security-status", - "https://nvd.nist.gov/vuln/detail/CVE-2014-3744", - "https://www.npmjs.com/advisories/36" + "https://cna.openjsf.org/security-advisories.html", + "https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c", + "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc", + "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-69rr-wvh9-6c4q" - }, - { - "type": "advisory", - "url": "https://github.com/isaacs/st#security-status" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/36" + "url": "https://github.com/advisories/GHSA-r5fr-rjxr-66jc" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3744" + "url": "https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc" }, { "type": "advisory", - "url": "https://github.com/isaacs/st" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800" }, { "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2014/05/13/1" + "url": "https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c" }, { "type": "advisory", - "url": "http://www.openwall.com/lists/oss-security/2014/05/15/2" + "url": "https://cna.openjsf.org/security-advisories.html" }, { "type": "advisory", - "url": "http://www.securityfocus.com/bid/67389" + "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" } ], - 
"risk_score": 58.6275, + "risk_score": 0.8002800000000001, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Directory Traversal in st" + "title": "lodash vulnerable to Code Injection via `_.template` imports key names" }, { - "affected_version_range": "\u003c=1.2.1 (semantic)", + "affected_version_range": "\u003e=4.0.0,\u003c=4.17.22 (semantic)", "aliases": [ - "CVE-2017-16224" + "CVE-2025-13465" ], "cvss": [ { - "score": 6.1, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", - "version": "3.0" + "score": 6.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", + "version": "3.1" + }, + { + "score": 6.9, + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2017-16224", - "id": "CWE-601", - "source": "support@hackerone.com", + "cve": "CVE-2025-13465", + "id": "CWE-1321", + "source": "ce714d77-add3-4f53-aff5-83d477b104bb", "type": "Secondary" - }, - { - "cve": "CVE-2017-16224", - "id": "CWE-601", - "source": "nvd@nist.gov", - "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-72fg-jqhx-c68p", - "description": "Open Redirect in st", + "data_source": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg", + "description": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions", "epss": [ { - "cve": "CVE-2017-16224", - "date": "2026-06-14", - "epss": 0.00215, - "percentile": 0.44295 + "cve": "CVE-2025-13465", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-03-30", + "date": "2026-01-22", "kind": "first-observed", - "version": "1.2.2" + "version": "4.17.23" } ], "fix_state": "fixed", - "fixed_in": "1.2.2", + "fixed_in": "4.17.23", "fixed_versions": [ - "1.2.2" + "4.17.23" ], - "id": "GHSA-72fg-jqhx-c68p", + "id": "GHSA-xxjr-mmjv-4gpg", "namespace": "github:language:javascript", "reachability": { "analyzed_at": 
"\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", + "confidence": "low", + "dynamic_imports_detected": true, "hops": 0, "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2017-16224", - "Fix available: upgrade to 1.2.2", + "Also known as: CVE-2025-13465", + "Fix available: upgrade to 4.17.23", "Fix state: fixed", - "https://nvd.nist.gov/vuln/detail/CVE-2017-16224", - "https://www.npmjs.com/advisories/547" + "https://cert-portal.siemens.com/productcert/html/ssa-253495.html", + "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81", + "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg", + "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-72fg-jqhx-c68p" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16224" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/advisories/547" - } - ], - "risk_score": 0.11932499999999999, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Open Redirect in st" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stack-utils", - "purl": "pkg:npm/stack-utils@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "static-extend", - "purl": "pkg:npm/static-extend@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "statuses", - "purl": "pkg:npm/statuses@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stream-browserify", - "purl": "pkg:npm/stream-browserify@2.0.2", - "version": "2.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stream-buffers", - "purl": 
"pkg:npm/stream-buffers@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stream-combiner2", - "purl": "pkg:npm/stream-combiner2@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stream-http", - "purl": "pkg:npm/stream-http@2.8.3", - "version": "2.8.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "stream-splicer", - "purl": "pkg:npm/stream-splicer@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "streamifier", - "purl": "pkg:npm/streamifier@0.1.1", - "version": "0.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "streamsearch", - "purl": "pkg:npm/streamsearch@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string-width", - "purl": "pkg:npm/string-width@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "string-width", - "purl": "pkg:npm/string-width@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string-width", - "purl": "pkg:npm/string-width@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string-width", - "purl": "pkg:npm/string-width@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string-width", - "purl": "pkg:npm/string-width@4.2.2", - "version": "4.2.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string_decoder", - "purl": "pkg:npm/string_decoder@0.10.31", - "version": "0.10.31", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string_decoder", - 
"purl": "pkg:npm/string_decoder@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "string_decoder", - "purl": "pkg:npm/string_decoder@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "strip-ansi", - "purl": "pkg:npm/strip-ansi@3.0.1", - "version": "3.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "strip-ansi", - "purl": "pkg:npm/strip-ansi@4.0.0", - "version": "4.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "strip-ansi", - "purl": "pkg:npm/strip-ansi@5.2.0", - "version": "5.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "strip-ansi", - "purl": "pkg:npm/strip-ansi@6.0.0", - "version": "6.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "strip-bom", - "purl": "pkg:npm/strip-bom@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" + "url": "https://github.com/advisories/GHSA-xxjr-mmjv-4gpg" + }, + { + "type": "advisory", + "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465" + }, + { + "type": "advisory", + "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81" + }, + { + "type": "advisory", + "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html" + } + ], + "risk_score": 0.185445, + "severity": "medium", + "severity_source": "github:language:javascript", + "source": "grype", + "title": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions" } - 
], - "name": "strip-eof", - "purl": "pkg:npm/strip-eof@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "strip-json-comments", - "purl": "pkg:npm/strip-json-comments@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "subarg", - "purl": "pkg:npm/subarg@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] + ] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "supports-color", - "purl": "pkg:npm/supports-color@2.0.0", - "version": "2.0.0", + "matched": true, + "name": "log-symbols", + "purl": "pkg:npm/log-symbols@3.0.0", + "version": "3.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "supports-color", - "purl": "pkg:npm/supports-color@3.2.3", - "version": "3.2.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "supports-color", - "purl": "pkg:npm/supports-color@5.5.0", - "version": "5.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "supports-color", - "purl": "pkg:npm/supports-color@7.1.0", - "version": "7.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "supports-color", - "purl": "pkg:npm/supports-color@7.2.0", - "version": "7.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "syntax-error", - "purl": "pkg:npm/syntax-error@1.4.0", - "version": "1.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tap-mocha-reporter", - "purl": "pkg:npm/tap-mocha-reporter@3.0.9", - "version": "3.0.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tap-parser", - "purl": "pkg:npm/tap-parser@5.4.0", - 
"version": "5.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tap-parser", - "purl": "pkg:npm/tap-parser@7.0.0", - "version": "7.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tap", - "purl": "pkg:npm/tap@11.1.5", - "version": "11.1.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tar-stream", - "purl": "pkg:npm/tar-stream@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "temp-dir", - "purl": "pkg:npm/temp-dir@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tempfile", - "purl": "pkg:npm/tempfile@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "term-size", - "purl": "pkg:npm/term-size@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "term-size", - "purl": "pkg:npm/term-size@2.2.1", - "version": "2.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "name": "test-exclude", - "purl": "pkg:npm/test-exclude@4.2.1", - "version": "4.2.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "then-fs", - "purl": "pkg:npm/then-fs@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "thenify-all", - "purl": "pkg:npm/thenify-all@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "thenify", - "purl": "pkg:npm/thenify@3.3.1", - "version": "3.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "through2", - "purl": "pkg:npm/through2@2.0.5", - "version": "2.0.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - 
"name": "through", - "purl": "pkg:npm/through@2.3.8", - "version": "2.3.8", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "thunkify", - "purl": "pkg:npm/thunkify@2.1.2", - "version": "2.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "timed-out", - "purl": "pkg:npm/timed-out@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "timers-browserify", - "purl": "pkg:npm/timers-browserify@1.4.2", - "version": "1.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tmatch", - "purl": "pkg:npm/tmatch@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], "matched": true, - "name": "tmp", - "purl": "pkg:npm/tmp@0.0.33", - "version": "0.0.33", + "name": "marked", + "purl": "pkg:npm/marked@0.3.19", + "version": "0.3.19", "vulnerabilities": [ { - "affected_version_range": "\u003c=0.2.3 (semantic)", + "affected_version_range": "\u003c4.0.10 (semantic)", "aliases": [ - "CVE-2025-54798" + "CVE-2022-21681" ], "cvss": [ { - "score": 2.5, - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2025-54798", - "id": "CWE-59", + "cve": "CVE-2022-21681", + "id": "CWE-400", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2022-21681", + "id": "CWE-1333", "source": "security-advisories@github.com", "type": "Secondary" + }, + { + "cve": "CVE-2022-21681", + "id": "CWE-1333", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-52f5-9888-hmc6", - "description": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter", + "data_source": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj", + "description": "Inefficient 
Regular Expression Complexity in marked", "epss": [ { - "cve": "CVE-2025-54798", - "date": "2026-06-14", - "epss": 0.00469, - "percentile": 0.65098 + "cve": "CVE-2022-21681", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2025-08-07", + "date": "2022-01-16", "kind": "first-observed", - "version": "0.2.4" + "version": "4.0.10" } ], "fix_state": "fixed", - "fixed_in": "0.2.4", + "fixed_in": "4.0.10", "fixed_versions": [ - "0.2.4" + "4.0.10" ], - "id": "GHSA-52f5-9888-hmc6", + "id": "GHSA-5v2h-r2cx-5xgj", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-54798", - "Fix available: upgrade to 0.2.4", + "Also known as: CVE-2022-21681", + "Fix available: upgrade to 4.0.10", "Fix state: fixed", - "https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b", - "https://github.com/raszi/node-tmp/issues/207", - "https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6", - "https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-54798" + "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5", + "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", + "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21681" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6" + "url": "https://github.com/advisories/GHSA-5v2h-r2cx-5xgj" }, 
{ "type": "advisory", - "url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6" + "url": "https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21681" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54798" + "url": "https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/issues/207" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html" + "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" } ], - "risk_score": 0.128975, - "severity": "low", + "risk_score": 2.0572500000000002, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter" + "title": "Inefficient Regular Expression Complexity in marked" }, { - "affected_version_range": "\u003c0.2.6 (semantic)", + "affected_version_range": "\u003c4.0.10 (semantic)", "aliases": [ - "CVE-2026-44705" + "CVE-2022-21680" ], "cvss": [ { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", - "version": "4.0" + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2026-44705", - "id": "CWE-22", + "cve": "CVE-2022-21680", + "id": "CWE-400", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2022-21680", + "id": "CWE-1333", "source": "security-advisories@github.com", "type": "Secondary" 
+ }, + { + "cve": "CVE-2022-21680", + "id": "CWE-1333", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-ph9p-34f9-6g65", - "description": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape", + "data_source": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf", + "description": "Inefficient Regular Expression Complexity in marked", "epss": [ { - "cve": "CVE-2026-44705", - "date": "2026-06-14", - "epss": 0.00063, - "percentile": 0.19897 + "cve": "CVE-2022-21680", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-05-27", + "date": "2022-01-16", "kind": "first-observed", - "version": "0.2.6" + "version": "4.0.10" } ], "fix_state": "fixed", - "fixed_in": "0.2.6", + "fixed_in": "4.0.10", "fixed_versions": [ - "0.2.6" + "4.0.10" ], - "id": "GHSA-ph9p-34f9-6g65", + "id": "GHSA-rrrm-qjm4-v8hf", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-44705", - "Fix available: upgrade to 0.2.6", + "Also known as: CVE-2022-21680", + "Fix available: upgrade to 4.0.10", "Fix state: fixed", - "https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429", - "https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65", - "https://nvd.nist.gov/vuln/detail/CVE-2026-44705" + "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0", + "https://github.com/markedjs/marked/releases/tag/v4.0.10", + "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/", + "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65" + "url": "https://github.com/advisories/GHSA-rrrm-qjm4-v8hf" + }, + { + "type": "advisory", + "url": "https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21680" + }, + { + "type": "advisory", + "url": "https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429" + "url": "https://github.com/markedjs/marked/releases/tag/v4.0.10" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44705" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/" } ], - "risk_score": 0.047880000000000006, + "risk_score": 2.121, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "tmp", - "purl": "pkg:npm/tmp@0.1.0", - "version": "0.1.0", - "vulnerabilities": [ + "title": "Inefficient Regular Expression Complexity in marked" + }, { - "affected_version_range": "\u003c=0.2.3 (semantic)", - "aliases": [ - "CVE-2025-54798" - ], + "affected_version_range": "\u003e=0.3.14,\u003c0.6.2 (semantic)", "cvss": [ { - "score": 2.5, - "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": 
"3.1" } ], - "cwes": [ - { - "cve": "CVE-2025-54798", - "id": "CWE-59", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-52f5-9888-hmc6", - "description": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter", - "epss": [ - { - "cve": "CVE-2025-54798", - "date": "2026-06-14", - "epss": 0.00469, - "percentile": 0.65098 - } - ], + "data_source": "https://github.com/advisories/GHSA-xf5p-87ch-gxw2", + "description": "Marked ReDoS due to email addresses being evaluated in quadratic time", "fix_available": [ { - "date": "2025-08-07", + "date": "2022-08-03", "kind": "first-observed", - "version": "0.2.4" + "version": "0.6.2" } ], "fix_state": "fixed", - "fixed_in": "0.2.4", + "fixed_in": "0.6.2", "fixed_versions": [ - "0.2.4" + "0.6.2" ], - "id": "GHSA-52f5-9888-hmc6", + "id": "GHSA-xf5p-87ch-gxw2", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 0, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-54798", - "Fix available: upgrade to 0.2.4", + "Fix available: upgrade to 0.6.2", "Fix state: fixed", - "https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b", - "https://github.com/raszi/node-tmp/issues/207", - "https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6", - "https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html", - "https://nvd.nist.gov/vuln/detail/CVE-2025-54798" + "https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d", + "https://github.com/markedjs/marked/pull/1460", + "https://github.com/markedjs/marked/releases/tag/v0.6.2", + "https://snyk.io/vuln/SNYK-JS-MARKED-174116", + "https://www.npmjs.com/advisories/812" ], 
"references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-52f5-9888-hmc6" + "url": "https://github.com/advisories/GHSA-xf5p-87ch-gxw2" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6" + "url": "https://github.com/markedjs/marked/commit/b15e42b67cec9ded8505e9d68bb8741ad7a9590d" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b" + "url": "https://github.com/markedjs/marked/pull/1460" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-54798" + "url": "https://snyk.io/vuln/SNYK-JS-MARKED-174116" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/issues/207" + "url": "https://www.npmjs.com/advisories/812" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00007.html" + "url": "https://github.com/markedjs/marked/releases/tag/v0.6.2" } ], - "risk_score": 0.128975, - "severity": "low", + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter" - }, + "title": "Marked ReDoS due to email addresses being evaluated in quadratic time" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "minimatch", + "purl": "pkg:npm/minimatch@3.0.4", + "version": "3.0.4", + "vulnerabilities": [ { - "affected_version_range": "\u003c0.2.6 (semantic)", + "affected_version_range": "\u003c3.1.4 (semantic)", "aliases": [ - "CVE-2026-44705" + "CVE-2026-27904" ], "cvss": [ { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", - "version": "4.0" + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ], "cwes": [ { - "cve": 
"CVE-2026-44705", - "id": "CWE-22", + "cve": "CVE-2026-27904", + "id": "CWE-1333", "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-ph9p-34f9-6g65", - "description": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape", + "data_source": "https://github.com/advisories/GHSA-23c5-xmqv-rm74", + "description": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions", "epss": [ { - "cve": "CVE-2026-44705", - "date": "2026-06-14", - "epss": 0.00063, - "percentile": 0.19897 + "cve": "CVE-2026-27904", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-05-27", + "date": "2026-02-27", "kind": "first-observed", - "version": "0.2.6" + "version": "3.1.4" } ], "fix_state": "fixed", - "fixed_in": "0.2.6", + "fixed_in": "3.1.4", "fixed_versions": [ - "0.2.6" + "3.1.4" ], - "id": "GHSA-ph9p-34f9-6g65", + "id": "GHSA-23c5-xmqv-rm74", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-44705", - "Fix available: upgrade to 0.2.6", + "Also known as: CVE-2026-27904", + "Fix available: upgrade to 3.1.4", "Fix state: fixed", - "https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429", - "https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65", - "https://nvd.nist.gov/vuln/detail/CVE-2026-44705" + "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27904" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65" + 
"url": "https://github.com/advisories/GHSA-23c5-xmqv-rm74" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/security/advisories/GHSA-ph9p-34f9-6g65" + "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74" }, { "type": "advisory", - "url": "https://github.com/raszi/node-tmp/commit/efa4a06f24374797ae32ab2b6ae39b7a611ae429" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44705" + "url": "https://github.com/isaacs/minimatch/commit/11d0df6165d15a955462316b26d52e5efae06fce" } ], - "risk_score": 0.047880000000000006, + "risk_score": 0.34125, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "to-arraybuffer", - "purl": "pkg:npm/to-arraybuffer@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-fast-properties", - "purl": "pkg:npm/to-fast-properties@1.0.3", - "version": "1.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-object-path", - "purl": "pkg:npm/to-object-path@0.3.0", - "version": "0.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "to-readable-stream", - "purl": "pkg:npm/to-readable-stream@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-regex-range", - "purl": "pkg:npm/to-regex-range@2.1.1", - "version": "2.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "to-regex-range", - "purl": "pkg:npm/to-regex-range@5.0.1", - "version": 
"5.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "to-regex", - "purl": "pkg:npm/to-regex@3.0.2", - "version": "3.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "toidentifier", - "purl": "pkg:npm/toidentifier@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "toml", - "purl": "pkg:npm/toml@3.0.0", - "version": "3.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "touch", - "purl": "pkg:npm/touch@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "tough-cookie", - "purl": "pkg:npm/tough-cookie@2.4.3", - "version": "2.4.3", - "vulnerabilities": [ + "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions" + }, { - "affected_version_range": "\u003c4.1.3 (semantic)", + "affected_version_range": "\u003c3.1.3 (semantic)", "aliases": [ - "CVE-2023-26136" + "CVE-2026-26996" ], "cvss": [ { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", - "version": "3.1" + "score": 8.7, + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2023-26136", - "id": "CWE-1321", - "source": "report@snyk.io", + "cve": "CVE-2026-26996", + "id": "CWE-1333", + "source": "security-advisories@github.com", "type": "Secondary" - }, - { - "cve": "CVE-2023-26136", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", - "description": "tough-cookie Prototype Pollution vulnerability", + "data_source": "https://github.com/advisories/GHSA-3ppc-4f35-3m26", + "description": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern", "epss": 
[ { - "cve": "CVE-2023-26136", - "date": "2026-06-14", - "epss": 0.06248, - "percentile": 0.91143 + "cve": "CVE-2026-26996", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-08", + "date": "2026-03-04", "kind": "first-observed", - "version": "4.1.3" + "version": "3.1.3" } ], "fix_state": "fixed", - "fixed_in": "4.1.3", + "fixed_in": "3.1.3", "fixed_versions": [ - "4.1.3" + "3.1.3" ], - "id": "GHSA-72xf-g2v4-qvf3", + "id": "GHSA-3ppc-4f35-3m26", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-26136", - "Fix available: upgrade to 4.1.3", - "Fix state: fixed", - "https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e", - "https://github.com/salesforce/tough-cookie/issues/282", - "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3", - "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ", - "https://nvd.nist.gov/vuln/detail/CVE-2023-26136", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-72xf-g2v4-qvf3" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26136" - }, - { - "type": "advisory", - "url": "https://github.com/salesforce/tough-cookie/issues/282" - }, - { - "type": "advisory", - "url": 
"https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e" - }, - { - "type": "advisory", - "url": "https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873" - }, + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2026-26996", + "Fix available: upgrade to 3.1.3", + "Fix state: fixed", + "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26", + "https://nvd.nist.gov/vuln/detail/CVE-2026-26996" + ], + "references": [ { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-3ppc-4f35-3m26" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3HUE6ZR5SL73KHL7XUPAOEL6SB7HUDT2" + "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6PVVPNSAGSDS63HQ74PJ7MZ3MU5IYNVZ" + "url": "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26996" } ], - "risk_score": 3.5926, - "severity": "medium", + "risk_score": 0.40499999999999997, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "tough-cookie Prototype Pollution vulnerability" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tree-kill", - "purl": "pkg:npm/tree-kill@1.2.2", - "version": "1.2.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - 
"licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "trim-right", - "purl": "pkg:npm/trim-right@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "trivial-deferred", - "purl": "pkg:npm/trivial-deferred@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tsame", - "purl": "pkg:npm/tsame@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tslib", - "purl": "pkg:npm/tslib@1.10.0", - "version": "1.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tslib", - "purl": "pkg:npm/tslib@1.9.3", - "version": "1.9.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tty-browserify", - "purl": "pkg:npm/tty-browserify@0.0.1", - "version": "0.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tunnel-agent", - "purl": "pkg:npm/tunnel-agent@0.6.0", - "version": "0.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "tweetnacl", - "purl": "pkg:npm/tweetnacl@0.14.5", - "version": "0.14.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "type-check", - "purl": "pkg:npm/type-check@0.3.2", - "version": "0.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "type-fest", - "purl": "pkg:npm/type-fest@0.8.1", - "version": "0.8.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "type-is", - "purl": "pkg:npm/type-is@1.5.7", - "version": "1.5.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "type-is", - "purl": "pkg:npm/type-is@1.6.16", - "version": "1.6.16", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "typedarray-to-buffer", - "purl": 
"pkg:npm/typedarray-to-buffer@3.1.5", - "version": "3.1.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "typedarray", - "purl": "pkg:npm/typedarray@0.0.6", - "version": "0.0.6", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "typeorm", - "purl": "pkg:npm/typeorm@0.2.24", - "version": "0.2.24", - "vulnerabilities": [ + "title": "minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern" + }, { - "affected_version_range": "\u003c0.3.0 (semantic)", + "affected_version_range": "\u003c3.1.3 (semantic)", "aliases": [ - "CVE-2022-33171" + "CVE-2026-27903" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2022-33171", - "id": "CWE-89", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2026-27903", + "id": "CWE-407", + "source": "security-advisories@github.com", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-fx4w-v43j-vc45", - "description": "SQL injection in typeORM", + "data_source": "https://github.com/advisories/GHSA-7r86-cg39-jmmj", + "description": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments", "epss": [ { - "cve": "CVE-2022-33171", - "date": "2026-06-14", - "epss": 0.05298, - "percentile": 0.90274 + "cve": "CVE-2026-27903", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-03-22", + "date": "2026-02-27", "kind": "first-observed", - "version": "0.3.0" + "version": "3.1.3" } ], "fix_state": "fixed", - "fixed_in": "0.3.0", + "fixed_in": "3.1.3", "fixed_versions": [ - "0.3.0" + "3.1.3" ], - "id": "GHSA-fx4w-v43j-vc45", + "id": "GHSA-7r86-cg39-jmmj", "namespace": "github:language:javascript", "reachability": { "analyzed_at": 
"\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2022-33171", - "Fix available: upgrade to 0.3.0", + "Also known as: CVE-2026-27903", + "Fix available: upgrade to 3.1.3", "Fix state: fixed", - "http://packetstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.html", - "http://seclists.org/fulldisclosure/2022/Aug/7", - "https://github.com/typeorm/typeorm/compare/0.2.45...0.3.0", - "https://nvd.nist.gov/vuln/detail/CVE-2022-33171", - "https://seclists.org/fulldisclosure/2022/Jun/51" + "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748", + "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27903" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-fx4w-v43j-vc45" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33171" - }, - { - "type": "advisory", - "url": "https://github.com/typeorm/typeorm/compare/0.2.45...0.3.0" + "url": "https://github.com/advisories/GHSA-7r86-cg39-jmmj" }, { "type": "advisory", - "url": "https://seclists.org/fulldisclosure/2022/Jun/51" + "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj" }, { "type": "advisory", - "url": "http://packetstormsecurity.com/files/168096/TypeORM-0.3.7-Information-Disclosure.html" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903" }, { "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2022/Aug/7" + "url": "https://github.com/isaacs/minimatch/commit/0bf499aa45f5059b56809cc3b75ff3eafeb8d748" } ], - "risk_score": 4.98012, - "severity": "critical", + "risk_score": 0.37424999999999997, + "severity": "high", "severity_source": "github:language:javascript", "source": 
"grype", - "title": "SQL injection in typeORM" + "title": "minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments" }, { - "affected_version_range": "\u003c0.2.25 (semantic)", + "affected_version_range": "\u003c3.0.5 (semantic)", "aliases": [ - "CVE-2020-8158" + "CVE-2022-3517" ], "cvss": [ { - "score": 9.8, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2020-8158", - "id": "CWE-471", - "source": "support@hackerone.com", + "cve": "CVE-2022-3517", + "id": "CWE-400", + "source": "secalert@redhat.com", "type": "Secondary" }, { - "cve": "CVE-2020-8158", - "id": "CWE-1321", + "cve": "CVE-2022-3517", + "id": "CWE-1333", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-pf2j-9qmp-jqr2", - "description": "TypeORM vulnerable to MAID and Prototype Pollution", + "data_source": "https://github.com/advisories/GHSA-f8q6-p94x-37v3", + "description": "minimatch ReDoS vulnerability", "epss": [ { - "cve": "CVE-2020-8158", - "date": "2026-06-14", - "epss": 0.00284, - "percentile": 0.5222 + "cve": "CVE-2022-3517", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-05-08", + "date": "2022-10-21", "kind": "first-observed", - "version": "0.2.25" + "version": "3.0.5" } ], "fix_state": "fixed", - "fixed_in": "0.2.25", + "fixed_in": "3.0.5", "fixed_versions": [ - "0.2.25" + "3.0.5" ], - "id": "GHSA-pf2j-9qmp-jqr2", + "id": "GHSA-f8q6-p94x-37v3", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2020-8158", - "Fix 
available: upgrade to 0.2.25", + "Also known as: CVE-2022-3517", + "Fix available: upgrade to 3.0.5", "Fix state: fixed", - "https://hackerone.com/reports/869574", - "https://nvd.nist.gov/vuln/detail/CVE-2020-8158" + "https://github.com/grafana/grafana-image-renderer/issues/329", + "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6", + "https://github.com/nodejs/node/issues/42510", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK", + "https://nvd.nist.gov/vuln/detail/CVE-2022-3517" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-pf2j-9qmp-jqr2" + "url": "https://github.com/advisories/GHSA-f8q6-p94x-37v3" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8158" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3517" + }, + { + "type": "advisory", + "url": "https://github.com/grafana/grafana-image-renderer/issues/329" + }, + { + "type": "advisory", + "url": "https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6" + }, + { + "type": "advisory", + "url": "https://github.com/nodejs/node/issues/42510" + }, + { + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3" }, { "type": "advisory", - "url": "https://hackerone.com/reports/869574" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK" } ], - "risk_score": 0.26696000000000003, - "severity": "critical", + 
"risk_score": 1.2555, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "TypeORM vulnerable to MAID and Prototype Pollution" - }, + "title": "minimatch ReDoS vulnerability" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ { - "affected_version_range": "\u003c0.3.26 (semantic)", + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "minimist", + "purl": "pkg:npm/minimist@0.0.10", + "version": "0.0.10", + "vulnerabilities": [ + { + "affected_version_range": "\u003c0.2.1 (semantic)", "aliases": [ - "CVE-2025-60542" + "CVE-2020-7598" ], "cvss": [ { - "score": 6.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "score": 5.6, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" - }, - { - "score": 8.9, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:L/SI:H/SA:L/E:P", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2025-60542", - "id": "CWE-89", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" + "cve": "CVE-2020-7598", + "id": "CWE-1321", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-q2pj-6v73-8rgj", - "description": "TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update", + "data_source": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m", + "description": "Prototype Pollution in minimist", "epss": [ { - "cve": "CVE-2025-60542", - "date": "2026-06-14", - "epss": 0.00042, - "percentile": 0.13265 + "cve": "CVE-2020-7598", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2025-11-01", + "date": "2020-07-28", "kind": "first-observed", - "version": "0.3.26" + "version": "0.2.1" } ], "fix_state": "fixed", - "fixed_in": "0.3.26", + "fixed_in": "0.2.1", "fixed_versions": [ - "0.3.26" + "0.2.1" ], - "id": "GHSA-q2pj-6v73-8rgj", + 
"id": "GHSA-vh95-rmgr-6w4m", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 2, "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-60542", - "Fix available: upgrade to 0.3.26", + "Also known as: CVE-2020-7598", + "Fix available: upgrade to 0.2.1", "Fix state: fixed", - "https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54", - "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524", - "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124", - "https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts", - "https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef", - "https://github.com/typeorm/typeorm/pull/11574", - "https://github.com/typeorm/typeorm/releases/tag/0.3.26", - "https://github.com/typeorm/typeorm/releases?q=security\u0026expanded=true", - "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453", - "https://nvd.nist.gov/vuln/detail/CVE-2025-60542" + "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html", + "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68", + "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab", + "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95", + "https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7598", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://www.npmjs.com/advisories/1179" ], "references": 
[ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-q2pj-6v73-8rgj" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60542" - }, - { - "type": "advisory", - "url": "https://github.com/typeorm/typeorm/pull/11574" + "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" }, { "type": "advisory", - "url": "https://github.com/typeorm/typeorm/releases/tag/0.3.26" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7598" }, { "type": "advisory", - "url": "https://github.com/typeorm/typeorm/releases?q=security\u0026expanded=true" + "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "type": "advisory", - "url": "https://medium.com/@alizada.cavad/cve-2025-60542-typeorm-mysql-sqli-0-3-25-a1b32bc60453" + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html" }, { "type": "advisory", - "url": "https://github.com/typeorm/typeorm/commit/d57fe3bd8578b0b8f9847647fd046bccf825a7ef" + "url": "https://www.npmjs.com/advisories/1179" }, { "type": "advisory", - "url": "https://github.com/mysqljs/sqlstring/blob/cd528556b4b6bcf300c3db515026935dedf7cfa1/lib/SqlString.js#L54" + "url": "https://github.com/minimistjs/minimist/commit/10bd4cdf49d9686d48214be9d579a9cdfda37c68" }, { "type": "advisory", - "url": "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/base/connection.js#L524" + "url": "https://github.com/minimistjs/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab" }, { "type": "advisory", - "url": "https://github.com/sidorares/node-mysql2/blob/e359f454a76ba5dc31b91adf7bdb4099ca317bb5/lib/connection_config.js#L124" + "url": "https://github.com/minimistjs/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95" }, { "type": "advisory", - "url": "https://github.com/typeorm/typeorm/blob/0.3.25/src/driver/mysql/MysqlConnectionOptions.ts" + "url": 
"https://github.com/minimistjs/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94" } ], - "risk_score": 0.031920000000000004, - "severity": "high", + "risk_score": 0.99375, + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "BSD-2-Clause" - } - ], - "name": "uglify-js", - "purl": "pkg:npm/uglify-js@2.8.29", - "version": "2.8.29", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "uglify-js", - "purl": "pkg:npm/uglify-js@3.13.9", - "version": "3.13.9", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "MIT" - } - ], - "name": "uglify-to-browserify", - "purl": "pkg:npm/uglify-to-browserify@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "uid-safe", - "purl": "pkg:npm/uid-safe@2.1.5", - "version": "2.1.5", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "umd", - "purl": "pkg:npm/umd@3.0.3", - "version": "3.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "undeclared-identifiers", - "purl": "pkg:npm/undeclared-identifiers@1.1.3", - "version": "1.1.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "undefsafe", - "purl": "pkg:npm/undefsafe@2.0.3", - "version": "2.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "underscore", - "purl": "pkg:npm/underscore@1.9.1", - "version": "1.9.1", - "vulnerabilities": [ + "title": "Prototype Pollution in minimist" + }, { - "affected_version_range": "\u003e=1.3.2,\u003c1.12.1 (semantic)", + "affected_version_range": "\u003c0.2.4 (semantic)", "aliases": [ - 
"CVE-2021-23358" + "CVE-2021-44906" ], "cvss": [ { 
@@ -61507,635 +7712,740 @@ ], "cwes": [ { - "cve": "CVE-2021-23358", - "id": "CWE-94", + "cve": "CVE-2021-44906", + "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", - "description": "Arbitrary Code Execution in underscore", + "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "description": "Prototype Pollution in minimist", "epss": [ { - "cve": "CVE-2021-23358", - "date": "2026-06-14", - "epss": 0.01413, - "percentile": 0.81021 + "cve": "CVE-2021-44906", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-05-07", + "date": "2023-03-01", "kind": "first-observed", - "version": "1.12.1" + "version": "0.2.4" } ], "fix_state": "fixed", - "fixed_in": "1.12.1", + "fixed_in": "0.2.4", "fixed_versions": [ - "1.12.1" + "0.2.4" ], - "id": "GHSA-cf4h-3jhx-xvhq", + "id": "GHSA-xvch-5gv4-984h", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 2, "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2021-23358", - "Fix available: upgrade to 1.12.1", + "Also known as: CVE-2021-44906", + "Fix available: upgrade to 0.2.4", "Fix state: fixed", - "http://seclists.org/fulldisclosure/2025/Apr/14", - "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", - "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66", - "https://github.com/jashkenas/underscore/pull/2917", - "https://github.com/jashkenas/underscore/releases/tag/1.12.1", - "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E", - 
"https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E", - "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", - "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z", - "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV", - "https://nvd.nist.gov/vuln/detail/CVE-2021-23358", - "https://security.netapp.com/advisory/ntap-20240808-0003", - "https://security.netapp.com/advisory/ntap-20241108-0002", - 
"https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", - "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", - "https://www.debian.org/security/2021/dsa-4883", - "https://www.npmjs.com/package/underscore", - "https://www.tenable.com/security/tns-2021-14" + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23358" - }, - { - "type": "advisory", - "url": "https://github.com/jashkenas/underscore/pull/2917" - }, - { - "type": "advisory", - "url": "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66" - }, - { - "type": "advisory", - "url": "https://github.com/jashkenas/underscore/releases/tag/1.12.1" - }, - { - "type": "advisory", - "url": 
"https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984" - }, - { - "type": "advisory", - "url": "https://www.npmjs.com/package/underscore" - }, - { - "type": "advisory", - "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" - }, - { - "type": "advisory", - "url": "https://www.debian.org/security/2021/dsa-4883" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E" - }, - { - "type": "advisory", - "url": "https://www.tenable.com/security/tns-2021-14" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504" + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503" + "url": "https://github.com/substack/minimist/issues/164" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20241108-0002" + "url": 
"https://github.com/substack/minimist/blob/master/index.js#L69" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240808-0003" + "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" + "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" + "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" + "url": "https://github.com/minimistjs/minimist/issues/11" }, { "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" + "url": "https://github.com/minimistjs/minimist/pull/24" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E" + "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E" + "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E" + "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" }, { 
"type": "advisory", - "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E" + "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" }, { "type": "advisory", - "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E" + "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" }, { "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2025/Apr/14" + "url": "https://security.netapp.com/advisory/ntap-20240621-0006" } ], - "risk_score": 1.3282200000000002, + "risk_score": 4.30614, "severity": "critical", "severity_source": "github:language:javascript", "source": "grype", - "title": "Arbitrary Code Execution in underscore" - }, + "title": "Prototype Pollution in minimist" + } + ] + }, + { + "ecosystem": "npm", + "licenses": [ { - "affected_version_range": "\u003c=1.13.7 (semantic)", + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "minimist", + "purl": "pkg:npm/minimist@1.2.5", + "version": "1.2.5", + "vulnerabilities": [ + { + "affected_version_range": "\u003e=1.0.0,\u003c1.2.6 (semantic)", "aliases": [ - "CVE-2026-27601" + "CVE-2021-44906" ], "cvss": [ { - "score": 5.9, - "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" - }, - { - "score": 8.2, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2026-27601", - "id": "CWE-770", - "source": "security-advisories@github.com", + "cve": "CVE-2021-44906", + "id": "CWE-1321", + "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", - "description": "Underscore has unlimited recursion in _.flatten and 
_.isEqual, potential for DoS attack", + "data_source": "https://github.com/advisories/GHSA-xvch-5gv4-984h", + "description": "Prototype Pollution in minimist", "epss": [ { - "cve": "CVE-2026-27601", - "date": "2026-06-14", - "epss": 0.00022, - "percentile": 0.06382 + "cve": "CVE-2021-44906", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-03-04", + "date": "2022-03-24", "kind": "first-observed", - "version": "1.13.8" + "version": "1.2.6" } ], "fix_state": "fixed", - "fixed_in": "1.13.8", + "fixed_in": "1.2.6", "fixed_versions": [ - "1.13.8" + "1.2.6" ], - "id": "GHSA-qpx9-hpmf-5gmw", + "id": "GHSA-xvch-5gv4-984h", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-27601", - "Fix available: upgrade to 1.13.8", + "Also known as: CVE-2021-44906", + "Fix available: upgrade to 1.2.6", "Fix state: fixed", - "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4", - "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84", - "https://github.com/jashkenas/underscore/issues/3011", - "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw", - "https://nvd.nist.gov/vuln/detail/CVE-2026-27601", - "https://underscorejs.org/#1.13.8", - "https://underscorejs.org/#flatten", - "https://underscorejs.org/#isEqual" + "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip", + "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703", + "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb", + 
"https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d", + "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11", + "https://github.com/minimistjs/minimist/commits/v0.2.4", + "https://github.com/minimistjs/minimist/issues/11", + "https://github.com/minimistjs/minimist/pull/24", + "https://github.com/substack/minimist/blob/master/index.js#L69", + "https://github.com/substack/minimist/issues/164", + "https://nvd.nist.gov/vuln/detail/CVE-2021-44906", + "https://security.netapp.com/advisory/ntap-20240621-0006", + "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764", + "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw" + "url": "https://github.com/advisories/GHSA-xvch-5gv4-984h" }, { "type": "advisory", - "url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44906" }, { "type": "advisory", - "url": "https://github.com/jashkenas/underscore/issues/3011" + "url": "https://github.com/substack/minimist/issues/164" }, { "type": "advisory", - "url": "https://underscorejs.org/#1.13.8" + "url": "https://github.com/substack/minimist/blob/master/index.js#L69" }, { "type": "advisory", - "url": "https://underscorejs.org/#flatten" + "url": "https://snyk.io/vuln/SNYK-JS-MINIMIST-559764" }, { "type": "advisory", - "url": "https://underscorejs.org/#isEqual" + "url": "https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601" + "url": "https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip" }, { "type": "advisory", - "url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4" + "url": 
"https://github.com/minimistjs/minimist/issues/11" }, { "type": "advisory", - "url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84" + "url": "https://github.com/minimistjs/minimist/pull/24" + }, + { + "type": "advisory", + "url": "https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703" + }, + { + "type": "advisory", + "url": "https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb" + }, + { + "type": "advisory", + "url": "https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d" + }, + { + "type": "advisory", + "url": "https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11" + }, + { + "type": "advisory", + "url": "https://github.com/minimistjs/minimist/commits/v0.2.4" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20240621-0006" } ], - "risk_score": 0.016005000000000002, - "severity": "high", + "risk_score": 4.30614, + "severity": "critical", "severity_source": "github:language:javascript", "source": "grype", - "title": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack" + "title": "Prototype Pollution in minimist" } ] }, { "ecosystem": "npm", - "licenses": [], - "name": "unicode-length", - "purl": "pkg:npm/unicode-length@1.0.3", - "version": "1.0.3", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "mkdirp", + "purl": "pkg:npm/mkdirp@0.5.5", + "version": "0.5.5", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "union-value", - "purl": "pkg:npm/union-value@1.0.0", - "version": "1.0.0", + "matched": true, + "name": "mocha", + "purl": "pkg:npm/mocha@7.2.0", + "version": "7.2.0", "vulnerabilities": [] }, { "ecosystem": "npm", - 
"licenses": [], - "name": "unique-string", - "purl": "pkg:npm/unique-string@1.0.0", - "version": "1.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "ms", + "purl": "pkg:npm/ms@2.1.1", + "version": "2.1.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "unique-string", - "purl": "pkg:npm/unique-string@2.0.0", - "version": "2.0.0", + "licenses": [ + { + "spdxExpression": "Apache-2.0", + "type": "external-depsdev", + "value": "Apache-2.0" + } + ], + "matched": true, + "name": "node-environment-flags", + "purl": "pkg:npm/node-environment-flags@1.0.6", + "version": "1.0.6", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "unpipe", - "purl": "pkg:npm/unpipe@1.0.0", - "version": "1.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "node-yaml-config", + "purl": "pkg:npm/node-yaml-config@0.0.5", + "version": "0.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "GPL-2.0 OR MIT", + "type": "external-depsdev", + "value": "GPL-2.0 OR MIT" + } + ], + "matched": true, + "name": "node.extend", + "purl": "pkg:npm/node.extend@2.0.2", + "version": "2.0.2", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "unset-value", - "purl": "pkg:npm/unset-value@1.0.0", - "version": "1.0.0", + "matched": true, + "name": "normalize-path", + "purl": "pkg:npm/normalize-path@3.0.0", + "version": "3.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "unzip-response", - "purl": "pkg:npm/unzip-response@2.0.1", - "version": "2.0.1", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": 
"object-inspect", + "purl": "pkg:npm/object-inspect@1.8.0", + "version": "1.8.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "update-notifier", - "purl": "pkg:npm/update-notifier@2.5.0", - "version": "2.5.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "object-keys", + "purl": "pkg:npm/object-keys@1.1.1", + "version": "1.1.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "update-notifier", - "purl": "pkg:npm/update-notifier@4.1.3", - "version": "4.1.3", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "object.assign", + "purl": "pkg:npm/object.assign@4.1.0", + "version": "4.1.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "uri-js", - "purl": "pkg:npm/uri-js@4.2.2", - "version": "4.2.2", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "object.getownpropertydescriptors", + "purl": "pkg:npm/object.getownpropertydescriptors@2.1.0", + "version": "2.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "once", + "purl": "pkg:npm/once@1.4.0", + "version": "1.4.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "MIT" + "spdxExpression": "MIT OR X11", + "type": "external-depsdev", + "value": "MIT OR X11" } ], - "name": "urix", - "purl": "pkg:npm/urix@0.1.0", - "version": "0.1.0", + "matched": true, + "name": "optimist", + "purl": "pkg:npm/optimist@0.6.1", + "version": "0.6.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "url-parse-lax", - "purl": "pkg:npm/url-parse-lax@1.0.0", - "version": "1.0.0", + "licenses": [ + 
{ + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "p-limit", + "purl": "pkg:npm/p-limit@2.3.0", + "version": "2.3.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "url-parse-lax", - "purl": "pkg:npm/url-parse-lax@3.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "p-locate", + "purl": "pkg:npm/p-locate@3.0.0", "version": "3.0.0", "vulnerabilities": [] }, - { - "ecosystem": "npm", - "licenses": [], - "name": "url", - "purl": "pkg:npm/url@0.11.0", - "version": "0.11.0", - "vulnerabilities": [] - }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "use", - "purl": "pkg:npm/use@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "util-deprecate", - "purl": "pkg:npm/util-deprecate@1.0.2", - "version": "1.0.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "util", - "purl": "pkg:npm/util@0.10.3", - "version": "0.10.3", + "matched": true, + "name": "p-try", + "purl": "pkg:npm/p-try@2.2.0", + "version": "2.2.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "util", - "purl": "pkg:npm/util@0.10.4", - "version": "0.10.4", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "path-exists", + "purl": "pkg:npm/path-exists@3.0.0", + "version": "3.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "utils-merge", - "purl": "pkg:npm/utils-merge@1.0.0", - "version": "1.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "path-is-absolute", + "purl": "pkg:npm/path-is-absolute@1.0.1", + 
"version": "1.0.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "uuid", - "purl": "pkg:npm/uuid@3.3.2", - "version": "3.3.2", + "name": "picomatch", + "purl": "pkg:npm/picomatch@2.2.2", + "version": "2.2.2", "vulnerabilities": [ { - "affected_version_range": "\u003c11.1.1 (semantic)", + "affected_version_range": "\u003c2.3.2 (semantic)", "aliases": [ - "CVE-2026-41907" + "CVE-2026-33672" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "score": 5.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" - }, - { - "score": 6.3, - "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", - "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2026-41907", - "id": "CWE-787", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2026-41907", - "id": "CWE-823", + "cve": "CVE-2026-33672", + "id": "CWE-1321", "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-w5hq-g745-h8pq", - "description": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided", + "data_source": "https://github.com/advisories/GHSA-3v7f-55p6-f55p", + "description": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching", "epss": [ { - "cve": "CVE-2026-41907", - "date": "2026-06-14", - "epss": 0.00019, - "percentile": 0.05398 + "cve": "CVE-2026-33672", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-05-05", + "date": "2026-03-26", "kind": "first-observed", - "version": "11.1.1" + "version": "2.3.2" } ], "fix_state": "fixed", - "fixed_in": "11.1.1", + "fixed_in": "2.3.2", "fixed_versions": [ - "11.1.1" + "2.3.2" ], - "id": "GHSA-w5hq-g745-h8pq", + "id": 
"GHSA-3v7f-55p6-f55p", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-41907", - "Fix available: upgrade to 11.1.1", + "Also known as: CVE-2026-33672", + "Fix available: upgrade to 2.3.2", "Fix state: fixed", - "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", - "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", - "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", - "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", - "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", - "https://github.com/uuidjs/uuid/releases/tag/v12.0.1", - "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", - "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", - "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", - "https://nvd.nist.gov/vuln/detail/CVE-2026-41907" + "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903", + "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p", + "https://nvd.nist.gov/vuln/detail/CVE-2026-33672" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq" + "url": "https://github.com/advisories/GHSA-3v7f-55p6-f55p" }, { "type": "advisory", - "url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq" + "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-3v7f-55p6-f55p" }, { "type": "advisory", - "url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34" + "url": "https://github.com/micromatch/picomatch/commit/4516eb521f13a46b2fe1a1d2c9ef6b20ddc0e903" }, { "type": "advisory", - "url": 
"https://github.com/uuidjs/uuid/releases/tag/v14.0.0" - }, + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33672" + } + ], + "risk_score": 0.21115, + "severity": "medium", + "severity_source": "github:language:javascript", + "source": "grype", + "title": "Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching" + }, + { + "affected_version_range": "\u003c2.3.2 (semantic)", + "aliases": [ + "CVE-2026-33671" + ], + "cvss": [ { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41907" - }, + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" + } + ], + "cwes": [ { - "type": "advisory", - "url": "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e" - }, + "cve": "CVE-2026-33671", + "id": "CWE-1333", + "source": "security-advisories@github.com", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj", + "description": "Picomatch has a ReDoS vulnerability via extglob quantifiers", + "epss": [ { - "type": "advisory", - "url": "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d" - }, + "cve": "CVE-2026-33671", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ { - "type": "advisory", - "url": "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a" + "date": "2026-03-26", + "kind": "first-observed", + "version": "2.3.2" + } + ], + "fix_state": "fixed", + "fixed_in": "2.3.2", + "fixed_versions": [ + "2.3.2" + ], + "id": "GHSA-c2c7-rcm5-vvqj", + "namespace": "github:language:javascript", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "jsreach", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2026-33671", + "Fix available: upgrade to 2.3.2", + "Fix state: fixed", + 
"https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d", + "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj", + "https://nvd.nist.gov/vuln/detail/CVE-2026-33671" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-c2c7-rcm5-vvqj" }, { "type": "advisory", - "url": "https://github.com/uuidjs/uuid/releases/tag/v11.1.1" + "url": "https://github.com/micromatch/picomatch/security/advisories/GHSA-c2c7-rcm5-vvqj" }, { "type": "advisory", - "url": "https://github.com/uuidjs/uuid/releases/tag/v12.0.1" + "url": "https://github.com/micromatch/picomatch/commit/5eceecd27543b8e056b9307d69e105ea03618a7d" }, { "type": "advisory", - "url": "https://github.com/uuidjs/uuid/releases/tag/v13.0.1" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33671" } ], - "risk_score": 0.011304999999999999, - "severity": "medium", + "risk_score": 0.30900000000000005, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided" + "title": "Picomatch has a ReDoS vulnerability via extglob quantifiers" } ] }, 
@@ -62143,470 +8453,428 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "Apache-2.0" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "punycode", + "purl": "pkg:npm/punycode@1.3.2", + "version": "1.3.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "BSD-3-Clause", + "type": "external-depsdev", + "value": "BSD-3-Clause" } ], - "name": "validate-npm-package-license", - "purl": "pkg:npm/validate-npm-package-license@3.0.3", - "version": "3.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], "matched": true, - "name": "validator", - "purl": "pkg:npm/validator@13.5.2", - "version": "13.5.2", + "name": "qs", + "purl": "pkg:npm/qs@6.9.1", + "version": "6.9.1", "vulnerabilities": [ { - "affected_version_range": "\u003c13.15.20 (semantic)", + "affected_version_range": "\u003c6.14.1 (semantic)", "aliases": [ - "CVE-2025-56200" + "CVE-2025-15284" ], "cvss": [ { - "score": 6.1, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "score": 3.7, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" + }, + { + "score": 6.3, + "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2025-56200", - "id": "CWE-79", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "cve": "CVE-2025-15284", + "id": "CWE-20", + "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-9965-vmph-33xx", - "description": "validator.js has a URL validation bypass vulnerability in its isURL function", + "data_source": "https://github.com/advisories/GHSA-6rw7-vpxm-498p", + "description": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion", "epss": [ { - "cve": "CVE-2025-56200", - "date": "2026-06-14", - "epss": 0.00054, - "percentile": 0.17334 + 
"cve": "CVE-2025-15284", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2025-10-28", + "date": "2026-01-01", "kind": "first-observed", - "version": "13.15.20" + "version": "6.14.1" } ], "fix_state": "fixed", - "fixed_in": "13.15.20", + "fixed_in": "6.14.1", "fixed_versions": [ - "13.15.20" + "6.14.1" ], - "id": "GHSA-9965-vmph-33xx", + "id": "GHSA-6rw7-vpxm-498p", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-56200", - "Fix available: upgrade to 13.15.20", + "Also known as: CVE-2025-15284", + "Fix available: upgrade to 6.14.1", "Fix state: fixed", - "http://validatorjs.com", - "https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666", - "https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596", - "https://github.com/validatorjs/validator.js", - "https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809", - "https://github.com/validatorjs/validator.js/issues/2600", - "https://github.com/validatorjs/validator.js/pull/2608", - "https://github.com/validatorjs/validator.js/releases/tag/13.15.20", - "https://nvd.nist.gov/vuln/detail/CVE-2025-56200" + "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9", + "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p", + "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-9965-vmph-33xx" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56200" - }, - { - "type": "advisory", - "url": "https://gist.github.com/junan-98/27ae092aa40e2a057d41a0f95148f666" - }, - { - "type": 
"advisory", - "url": "https://gist.github.com/junan-98/a93130505b258b9e4ec9f393e7533596" - }, - { - "type": "advisory", - "url": "https://github.com/validatorjs/validator.js" - }, - { - "type": "advisory", - "url": "http://validatorjs.com" - }, - { - "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/issues/2600" + "url": "https://github.com/advisories/GHSA-6rw7-vpxm-498p" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/pull/2608" + "url": "https://github.com/ljharb/qs/security/advisories/GHSA-6rw7-vpxm-498p" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/commit/cbef5088f02d36caf978f378bb845fe49bdc0809" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15284" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/releases/tag/13.15.20" + "url": "https://github.com/ljharb/qs/commit/3086902ecf7f088d0d1803887643ac6c03d415b9" } ], - "risk_score": 0.029969999999999997, + "risk_score": 0.20500000000000002, "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "validator.js has a URL validation bypass vulnerability in its isURL function" + "title": "qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion" }, { - "affected_version_range": "\u003c13.7.0 (semantic)", + "affected_version_range": "\u003e=6.9.0,\u003c6.9.7 (semantic)", "aliases": [ - "CVE-2021-3765" + "CVE-2022-24999" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.0" + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2021-3765", - "id": "CWE-1333", - "source": "security@huntr.dev", - "type": "Secondary" - }, - { - "cve": "CVE-2021-3765", - "id": "CWE-1333", + "cve": "CVE-2022-24999", + "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" + }, + { + "cve": "CVE-2022-24999", + "id": 
"CWE-1321", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-qgmg-gppg-76g5", - "description": "Inefficient Regular Expression Complexity in validator.js", + "data_source": "https://github.com/advisories/GHSA-hrpp-h998-j3pp", + "description": "qs vulnerable to Prototype Pollution", "epss": [ { - "cve": "CVE-2021-3765", - "date": "2026-06-14", - "epss": 0.00058, - "percentile": 0.1872 + "cve": "CVE-2022-24999", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-11-04", + "date": "2022-12-07", "kind": "first-observed", - "version": "13.7.0" + "version": "6.9.7" } ], "fix_state": "fixed", - "fixed_in": "13.7.0", + "fixed_in": "6.9.7", "fixed_versions": [ - "13.7.0" + "6.9.7" ], - "id": "GHSA-qgmg-gppg-76g5", + "id": "GHSA-hrpp-h998-j3pp", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2021-3765", - "Fix available: upgrade to 13.7.0", + "Also known as: CVE-2022-24999", + "Fix available: upgrade to 6.9.7", "Fix state: fixed", - "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + "https://github.com/expressjs/express/releases/tag/4.17.3", + "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec", + "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68", + "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b", + "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d", + 
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1", + "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105", + "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f", + "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee", + "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda", + "https://github.com/ljharb/qs/pull/428", + "https://github.com/n8tz/CVE-2022-24999", + "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html", + "https://nvd.nist.gov/vuln/detail/CVE-2022-24999", + "https://security.netapp.com/advisory/ntap-20230908-0005" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-qgmg-gppg-76g5" + "url": "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24999" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1" + "url": "https://github.com/ljharb/qs/pull/428" }, { "type": "advisory", - "url": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9" - } - ], - "risk_score": 0.02987, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "Inefficient Regular Expression Complexity in validator.js" - }, - { - "affected_version_range": "\u003c13.15.22 (semantic)", - "aliases": [ - "CVE-2025-12758" - ], - "cvss": [ - { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", - "version": "3.1" + "url": "https://github.com/n8tz/CVE-2022-24999" }, { - "score": 7.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", - "version": "4.0" - } - ], - "cwes": [ + "type": 
"advisory", + "url": "https://github.com/ljharb/qs/commit/4310742efbd8c03f6495f07906b45213da0a32ec" + }, { - "cve": "CVE-2025-12758", - "id": "CWE-792", - "source": "report@snyk.io", - "type": "Secondary" + "type": "advisory", + "url": "https://github.com/ljharb/qs/commit/727ef5d34605108acb3513f72d5435972ed15b68" }, { - "cve": "CVE-2025-12758", - "id": "CWE-172", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-vghf-hv5q-vc2g", - "description": "Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements", - "epss": [ + "type": "advisory", + "url": "https://github.com/ljharb/qs/commit/73205259936317b40f447c5cdb71c5b341848e1b" + }, { - "cve": "CVE-2025-12758", - "date": "2026-06-14", - "epss": 0.00112, - "percentile": 0.2953 - } - ], - "fix_available": [ + "type": "advisory", + "url": "https://github.com/ljharb/qs/commit/8b4cc14cda94a5c89341b77e5fe435ec6c41be2d" + }, { - "date": "2025-12-03", - "kind": "first-observed", - "version": "13.15.22" - } - ], - "fix_state": "fixed", - "fixed_in": "13.15.22", - "fixed_versions": [ - "13.15.22" - ], - "id": "GHSA-vghf-hv5q-vc2g", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2025-12758", - "Fix available: upgrade to 13.15.22", - "Fix state: fixed", - "http://seclists.org/fulldisclosure/2026/Jan/27", - "https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e", - "https://github.com/validatorjs/validator.js/commit/d457ecaf55b0f3d8bd379d82757425d0d13dd382", - "https://github.com/validatorjs/validator.js/pull/2616", - "https://nvd.nist.gov/vuln/detail/CVE-2025-12758", - "https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476" - ], - "references": [ + "type": "advisory", + "url": 
"https://github.com/ljharb/qs/commit/ba24e74dd17931f825adb52f5633e48293b584e1" + }, { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-vghf-hv5q-vc2g" + "type": "advisory", + "url": "https://github.com/ljharb/qs/commit/e799ba57e573a30c14b67c1889c7c04d508b9105" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12758" + "url": "https://github.com/ljharb/qs/commit/ed0f5dcbef4b168a8ae299d78b1e4a2e9b1baf1f" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/pull/2616" + "url": "https://github.com/ljharb/qs/commit/f945393cfe442fe8c6e62b4156fd35452c0686ee" }, { "type": "advisory", - "url": "https://gist.github.com/koral--/ad31208b25b9e3d1e2e35f1d4d72572e" + "url": "https://github.com/ljharb/qs/commit/fc3682776670524a42e19709ec4a8138d0d7afda" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-VALIDATOR-13653476" + "url": "https://github.com/expressjs/express/releases/tag/4.17.3" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/commit/d457ecaf55b0f3d8bd379d82757425d0d13dd382" + "url": "https://lists.debian.org/debian-lts-announce/2023/01/msg00039.html" }, { "type": "advisory", - "url": "http://seclists.org/fulldisclosure/2026/Jan/27" + "url": "https://security.netapp.com/advisory/ntap-20230908-0005" } ], - "risk_score": 0.08456, + "risk_score": 10.99725, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements" + "title": "qs vulnerable to Prototype Pollution" }, { - "affected_version_range": "\u003e=11.1.0,\u003c13.7.0 (semantic)", + "affected_version_range": "\u003e=6.7.0,\u003c=6.14.1 (semantic)", + "aliases": [ + "CVE-2026-2391" + ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.0" + "score": 3.7, + "vector": 
"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2026-2391", + "id": "CWE-20", + "source": "7ffcee3d-2c14-4c3e-b844-86c6a321a158", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-w7fw-mjwx-w883", + "description": "qs's arrayLimit bypass in comma parsing allows denial of service", + "epss": [ + { + "cve": "CVE-2026-2391", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], - "data_source": "https://github.com/advisories/GHSA-xx4c-jj58-r7x6", - "description": "Inefficient Regular Expression Complexity in Validator.js", "fix_available": [ { - "date": "2021-11-30", + "date": "2026-03-04", "kind": "first-observed", - "version": "13.7.0" + "version": "6.14.2" } ], "fix_state": "fixed", - "fixed_in": "13.7.0", + "fixed_in": "6.14.2", "fixed_versions": [ - "13.7.0" + "6.14.2" ], - "id": "GHSA-xx4c-jj58-r7x6", + "id": "GHSA-w7fw-mjwx-w883", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "high", - "hops": 0, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Fix available: upgrade to 13.7.0", + "Also known as: CVE-2026-2391", + "Fix available: upgrade to 6.14.2", "Fix state: fixed", - "https://github.com/validatorjs/validator.js/issues/1599", - "https://github.com/validatorjs/validator.js/pull/1738", - "https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6", - "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9/", - "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + "https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482", + "https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883", + "https://nvd.nist.gov/vuln/detail/CVE-2026-2391" ], "references": [ { "type": "data_source", - "url": 
"https://github.com/advisories/GHSA-xx4c-jj58-r7x6" - }, - { - "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/security/advisories/GHSA-xx4c-jj58-r7x6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3765" + "url": "https://github.com/advisories/GHSA-w7fw-mjwx-w883" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/issues/1599" + "url": "https://github.com/ljharb/qs/security/advisories/GHSA-w7fw-mjwx-w883" }, { "type": "advisory", - "url": "https://github.com/validatorjs/validator.js/pull/1738" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391" }, { "type": "advisory", - "url": "https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9/" + "url": "https://github.com/ljharb/qs/commit/f6a7abff1f13d644db9b05fe4f2c98ada6bf8482" } ], - "severity": "medium", + "risk_score": 0.16013, + "severity": "low", "severity_source": "github:language:javascript", "source": "grype", - "title": "Inefficient Regular Expression Complexity in Validator.js" + "title": "qs's arrayLimit bypass in comma parsing allows denial of service" } ] }, { "ecosystem": "npm", - "licenses": [], - "name": "vary", - "purl": "pkg:npm/vary@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "vary", - "purl": "pkg:npm/vary@1.1.2", - "version": "1.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "verror", - "purl": "pkg:npm/verror@1.10.0", - "version": "1.10.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "querystring", + "purl": "pkg:npm/querystring@0.2.0", + "version": "0.2.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "vm-browserify", - "purl": "pkg:npm/vm-browserify@0.0.4", - "version": "0.0.4", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": 
"MIT" + } + ], + "matched": true, + "name": "readable-stream", + "purl": "pkg:npm/readable-stream@1.1.14", + "version": "1.1.14", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "vscode-languageserver-types", - "purl": "pkg:npm/vscode-languageserver-types@3.15.0", - "version": "3.15.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "readdirp", + "purl": "pkg:npm/readdirp@3.2.0", + "version": "3.2.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "walk", - "purl": "pkg:npm/walk@2.3.9", - "version": "2.3.9", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "require-directory", + "purl": "pkg:npm/require-directory@2.1.1", + "version": "2.1.1", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], - "name": "which-module", - "purl": "pkg:npm/which-module@2.0.0", + "matched": true, + "name": "require-main-filename", + "purl": "pkg:npm/require-main-filename@2.0.0", "version": "2.0.0", "vulnerabilities": [] }, 
@@ -62614,184 +8882,171 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], - "name": "which", - "purl": "pkg:npm/which@1.3.0", - "version": "1.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "which", - "purl": "pkg:npm/which@1.3.1", - "version": "1.3.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "widest-line", - "purl": "pkg:npm/widest-line@2.0.1", - "version": "2.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "widest-line", - "purl": "pkg:npm/widest-line@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "window-size", - "purl": "pkg:npm/window-size@0.1.0", - "version": "0.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "window-size", - "purl": "pkg:npm/window-size@0.1.4", - "version": "0.1.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "windows-release", - "purl": "pkg:npm/windows-release@3.2.0", - "version": "3.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], "matched": true, - "name": "word-wrap", - "purl": "pkg:npm/word-wrap@1.2.3", - "version": "1.2.3", + "name": "semver", + "purl": "pkg:npm/semver@5.7.1", + "version": "5.7.1", "vulnerabilities": [ { - "affected_version_range": "\u003c1.2.4 (semantic)", + "affected_version_range": "\u003e=2.0.0-alpha,\u003c5.7.2 (semantic)", "aliases": [ - "CVE-2023-26115" + "CVE-2022-25883" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-26115", + "cve": "CVE-2022-25883", "id": "CWE-1333", "source": "report@snyk.io", "type": "Secondary" }, { - "cve": "CVE-2023-26115", + "cve": 
"CVE-2022-25883", "id": "CWE-1333", "source": "nvd@nist.gov", "type": "Primary" + }, + { + "cve": "CVE-2022-25883", + "id": "CWE-1333", + "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7", - "description": "word-wrap vulnerable to Regular Expression Denial of Service", + "data_source": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw", + "description": "semver vulnerable to Regular Expression Denial of Service", "epss": [ { - "cve": "CVE-2023-26115", - "date": "2026-06-14", - "epss": 0.00028, - "percentile": 0.08635 + "cve": "CVE-2022-25883", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-07-19", + "date": "2023-07-11", "kind": "first-observed", - "version": "1.2.4" + "version": "5.7.2" } ], "fix_state": "fixed", - "fixed_in": "1.2.4", + "fixed_in": "5.7.2", "fixed_versions": [ - "1.2.4" + "5.7.2" ], - "id": "GHSA-j8xg-fqg3-53r7", + "id": "GHSA-c2qf-rxjj-qqgw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-26115", - "Fix available: upgrade to 1.2.4", + "Also known as: CVE-2022-25883", + "Fix available: upgrade to 5.7.2", "Fix state: fixed", - "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39", - "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39", - "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e", - "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4", - "https://nvd.nist.gov/vuln/detail/CVE-2023-26115", - "https://security.netapp.com/advisory/ntap-20240621-0006", - "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657", - 
"https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973" + "https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104", + "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js#L160", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138", + "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160", + "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0", + "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441", + "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c", + "https://github.com/npm/node-semver/pull/564", + "https://github.com/npm/node-semver/pull/585", + "https://github.com/npm/node-semver/pull/593", + "https://nvd.nist.gov/vuln/detail/CVE-2022-25883", + "https://security.netapp.com/advisory/ntap-20241025-0004", + "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-j8xg-fqg3-53r7" + "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25883" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-26115" + "url": "https://github.com/npm/node-semver/pull/564" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-4058657" + "url": "https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441" }, { "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-JS-WORDWRAP-3149973" + "url": "https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js#L39" + "url": 
"https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/word-wrap/releases/tag/1.2.4" + "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L138" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/word-wrap/commit/420dce9a2412b21881202b73a3c34f0edc53cb2e" + "url": "https://github.com/npm/node-semver/blob/main/internal/re.js#L160" }, { "type": "advisory", - "url": "https://github.com/jonschlinkert/word-wrap/blob/master/index.js%23L39" + "url": "https://github.com/npm/node-semver/pull/585" }, { "type": "advisory", - "url": "https://security.netapp.com/advisory/ntap-20240621-0006" + "url": "https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c" + }, + { + "type": "advisory", + "url": "https://github.com/npm/node-semver/pull/593" + }, + { + "type": "advisory", + "url": "https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0" + }, + { + "type": "advisory", + "url": "https://github.com/npm/node-semver/blob/main/classes/range.js%23L97-L104" + }, + { + "type": "advisory", + "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L138" + }, + { + "type": "advisory", + "url": "https://github.com/npm/node-semver/blob/main/internal/re.js%23L160" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20241025-0004" } ], - "risk_score": 0.014419999999999999, - "severity": "medium", + "risk_score": 1.8562500000000002, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "word-wrap vulnerable to Regular Expression Denial of Service" + "title": "semver vulnerable to Regular Expression Denial of Service" } ] }, 
@@ -62799,620 +9054,737 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "MIT/X11" + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "set-blocking", + "purl": "pkg:npm/set-blocking@2.0.0", + "version": "2.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "BSD-3-Clause", + "type": "external-depsdev", + "value": "BSD-3-Clause" + } + ], + "matched": true, + "name": "sprintf-js", + "purl": "pkg:npm/sprintf-js@1.0.3", + "version": "1.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "streamsearch", + "purl": "pkg:npm/streamsearch@0.1.2", + "version": "0.1.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "string-width", + "purl": "pkg:npm/string-width@2.1.1", + "version": "2.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "string-width", + "purl": "pkg:npm/string-width@3.1.0", + "version": "3.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "string.prototype.trimend", + "purl": "pkg:npm/string.prototype.trimend@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "string.prototype.trimstart", + "purl": "pkg:npm/string.prototype.trimstart@1.0.1", + "version": "1.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + 
} + ], + "matched": true, + "name": "string_decoder", + "purl": "pkg:npm/string_decoder@0.10.31", + "version": "0.10.31", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } ], - "name": "wordwrap", - "purl": "pkg:npm/wordwrap@0.0.2", - "version": "0.0.2", + "matched": true, + "name": "strip-ansi", + "purl": "pkg:npm/strip-ansi@4.0.0", + "version": "4.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "wordwrap", - "purl": "pkg:npm/wordwrap@0.0.3", - "version": "0.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "wrap-ansi", - "purl": "pkg:npm/wrap-ansi@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "wrap-ansi", - "purl": "pkg:npm/wrap-ansi@5.1.0", - "version": "5.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "wrap-ansi", - "purl": "pkg:npm/wrap-ansi@6.2.0", - "version": "6.2.0", + "matched": true, + "name": "strip-ansi", + "purl": "pkg:npm/strip-ansi@5.2.0", + "version": "5.2.0", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "ISC" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } ], - "name": "wrappy", - "purl": "pkg:npm/wrappy@1.0.2", - "version": "1.0.2", + "matched": true, + "name": "strip-json-comments", + "purl": "pkg:npm/strip-json-comments@2.0.1", + "version": "2.0.1", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "ISC" + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" } ], - "name": "write-file-atomic", - "purl": "pkg:npm/write-file-atomic@1.3.4", - "version": "1.3.4", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], 
- "name": "write-file-atomic", - "purl": "pkg:npm/write-file-atomic@2.4.3", - "version": "2.4.3", + "matched": true, + "name": "supports-color", + "purl": "pkg:npm/supports-color@5.5.0", + "version": "5.5.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "write-file-atomic", - "purl": "pkg:npm/write-file-atomic@3.0.3", - "version": "3.0.3", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "supports-color", + "purl": "pkg:npm/supports-color@6.0.0", + "version": "6.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "xdg-basedir", - "purl": "pkg:npm/xdg-basedir@3.0.0", - "version": "3.0.0", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "to-regex-range", + "purl": "pkg:npm/to-regex-range@5.0.1", + "version": "5.0.1", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [], - "name": "xdg-basedir", - "purl": "pkg:npm/xdg-basedir@4.0.0", - "version": "4.0.0", + "name": "to", + "purl": "pkg:npm/to@0.2.9", + "version": "0.2.9", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "xml2js", - "purl": "pkg:npm/xml2js@0.4.19", - "version": "0.4.19", + "name": "underscore", + "purl": "pkg:npm/underscore@1.9.2", + "version": "1.9.2", "vulnerabilities": [ { - "affected_version_range": "\u003c0.5.0 (semantic)", + "affected_version_range": "\u003e=1.3.2,\u003c1.12.1 (semantic)", "aliases": [ - "CVE-2023-0842" + "CVE-2021-23358" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2023-0842", - "id": "CWE-1321", + "cve": "CVE-2021-23358", + "id": 
"CWE-94", "source": "nvd@nist.gov", "type": "Primary" - }, - { - "cve": "CVE-2023-0842", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-776f-qx25-q3cc", - "description": "xml2js is vulnerable to prototype pollution", + "data_source": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", + "description": "Arbitrary Code Execution in underscore", "epss": [ { - "cve": "CVE-2023-0842", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.53005 + "cve": "CVE-2021-23358", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2023-04-11", + "date": "2021-05-07", "kind": "first-observed", - "version": "0.5.0" + "version": "1.12.1" } ], "fix_state": "fixed", - "fixed_in": "0.5.0", + "fixed_in": "1.12.1", "fixed_versions": [ - "0.5.0" + "1.12.1" ], - "id": "GHSA-776f-qx25-q3cc", + "id": "GHSA-cf4h-3jhx-xvhq", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 1, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2023-0842", - "Fix available: upgrade to 0.5.0", + "Also known as: CVE-2021-23358", + "Fix available: upgrade to 1.12.1", "Fix state: fixed", - "https://fluidattacks.com/advisories/myers", - "https://github.com/Leonidas-from-XIV/node-xml2js", - "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663", - "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" + "http://seclists.org/fulldisclosure/2025/Apr/14", + "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71", + 
"https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66", + "https://github.com/jashkenas/underscore/pull/2917", + "https://github.com/jashkenas/underscore/releases/tag/1.12.1", + "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E", + "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E", + "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z", + "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV", + "https://nvd.nist.gov/vuln/detail/CVE-2021-23358", + "https://security.netapp.com/advisory/ntap-20240808-0003", + "https://security.netapp.com/advisory/ntap-20241108-0002", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503", + "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984", + "https://www.debian.org/security/2021/dsa-4883", + "https://www.npmjs.com/package/underscore", + "https://www.tenable.com/security/tns-2021-14" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-776f-qx25-q3cc" + "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23358" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663" + "url": "https://github.com/jashkenas/underscore/pull/2917" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5" + "url": "https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66" }, { "type": "advisory", - "url": "https://fluidattacks.com/advisories/myers" + "url": "https://github.com/jashkenas/underscore/releases/tag/1.12.1" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js" + "url": "https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html" - } - ], - "risk_score": 0.149865, - "severity": "medium", - 
"severity_source": "github:language:javascript", - "source": "grype", - "title": "xml2js is vulnerable to prototype pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "matched": true, - "name": "xml2js", - "purl": "pkg:npm/xml2js@0.4.23", - "version": "0.4.23", - "vulnerabilities": [ - { - "affected_version_range": "\u003c0.5.0 (semantic)", - "aliases": [ - "CVE-2023-0842" - ], - "cvss": [ + "url": "https://www.npmjs.com/package/underscore" + }, { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ + "type": "advisory", + "url": "https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71" + }, { - "cve": "CVE-2023-0842", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html" }, { - "cve": "CVE-2023-0842", - "id": "CWE-1321", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-776f-qx25-q3cc", - "description": "xml2js is vulnerable to prototype pollution", - "epss": [ + "type": "advisory", + "url": "https://www.debian.org/security/2021/dsa-4883" + }, { - "cve": "CVE-2023-0842", - "date": "2026-06-14", - "epss": 0.00291, - "percentile": 0.53005 - } - ], - "fix_available": [ + "type": "advisory", + "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E" + }, + { + "type": "advisory", + "url": 
"https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E" + }, + { + "type": "advisory", + "url": "https://www.tenable.com/security/tns-2021-14" + }, + { + "type": "advisory", + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504" + }, + { + "type": "advisory", + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505" + }, + { + "type": "advisory", + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20241108-0002" + }, + { + "type": "advisory", + "url": "https://security.netapp.com/advisory/ntap-20240808-0003" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" + }, { - "date": "2023-04-11", - "kind": "first-observed", - "version": "0.5.0" - } - ], - "fix_state": "fixed", - "fixed_in": "0.5.0", - "fixed_versions": [ - "0.5.0" - ], - "id": "GHSA-776f-qx25-q3cc", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "confidence": "medium", - "hops": 1, - "status": "reachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2023-0842", - "Fix available: upgrade to 0.5.0", - "Fix state: fixed", - "https://fluidattacks.com/advisories/myers", - "https://github.com/Leonidas-from-XIV/node-xml2js", - "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663", - 
"https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5", - "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html", - "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" - ], - "references": [ + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV" + }, { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-776f-qx25-q3cc" + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0842" + "url": "https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf%40%3Cissues.cordova.apache.org%3E" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/issues/663" + "url": "https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039%40%3Cissues.cordova.apache.org%3E" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5" + "url": "https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba%40%3Cissues.cordova.apache.org%3E" }, { "type": "advisory", - "url": "https://fluidattacks.com/advisories/myers" + "url": "https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306%40%3Cissues.cordova.apache.org%3E" }, { "type": "advisory", - "url": "https://github.com/Leonidas-from-XIV/node-xml2js" + "url": "https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1%40%3Cissues.cordova.apache.org%3E" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00013.html" + "url": 
"http://seclists.org/fulldisclosure/2025/Apr/14" } ], - "risk_score": 0.149865, - "severity": "medium", + "risk_score": 3.84178, + "severity": "critical", "severity_source": "github:language:javascript", "source": "grype", - "title": "xml2js is vulnerable to prototype pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "xmlbuilder", - "purl": "pkg:npm/xmlbuilder@11.0.1", - "version": "11.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "xmlbuilder", - "purl": "pkg:npm/xmlbuilder@9.0.7", - "version": "9.0.7", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "xregexp", - "purl": "pkg:npm/xregexp@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "xtend", - "purl": "pkg:npm/xtend@4.0.1", - "version": "4.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "matched": true, - "name": "y18n", - "purl": "pkg:npm/y18n@3.2.1", - "version": "3.2.1", - "vulnerabilities": [ + "title": "Arbitrary Code Execution in underscore" + }, { - "affected_version_range": "\u003c3.2.2 (semantic)", + "affected_version_range": "\u003c=1.13.7 (semantic)", "aliases": [ - "CVE-2020-7774" + "CVE-2026-27601" ], "cvss": [ { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "score": 5.9, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" + }, + { + "score": 8.2, + "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2020-7774", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2026-27601", + "id": "CWE-770", + "source": "security-advisories@github.com", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c4w7-xm78-47vh", - "description": "Prototype Pollution in y18n", + 
"data_source": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw", + "description": "Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack", "epss": [ { - "cve": "CVE-2020-7774", - "date": "2026-06-14", - "epss": 0.00469, - "percentile": 0.65105 + "cve": "CVE-2026-27601", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-03-30", + "date": "2026-03-04", "kind": "first-observed", - "version": "3.2.2" + "version": "1.13.8" } ], "fix_state": "fixed", - "fixed_in": "3.2.2", + "fixed_in": "1.13.8", "fixed_versions": [ - "3.2.2" + "1.13.8" ], - "id": "GHSA-c4w7-xm78-47vh", + "id": "GHSA-qpx9-hpmf-5gmw", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", + "confidence": "low", + "dynamic_imports_detected": true, + "hops": 1, + "status": "reachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2020-7774", - "Fix available: upgrade to 3.2.2", + "Also known as: CVE-2026-27601", + "Fix available: upgrade to 1.13.8", "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", - "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", - "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", - "https://github.com/yargs/y18n/issues/96", - "https://github.com/yargs/y18n/pull/108", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", - "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", - "https://www.oracle.com/security-alerts/cpuApr2021.html" + "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4", + "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84", + "https://github.com/jashkenas/underscore/issues/3011", + 
"https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw", + "https://nvd.nist.gov/vuln/detail/CVE-2026-27601", + "https://underscorejs.org/#1.13.8", + "https://underscorejs.org/#flatten", + "https://underscorejs.org/#isEqual" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-c4w7-xm78-47vh" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774" + "url": "https://github.com/advisories/GHSA-qpx9-hpmf-5gmw" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/issues/96" + "url": "https://github.com/jashkenas/underscore/security/advisories/GHSA-qpx9-hpmf-5gmw" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/pull/108" + "url": "https://github.com/jashkenas/underscore/issues/3011" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306" + "url": "https://underscorejs.org/#1.13.8" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887" + "url": "https://underscorejs.org/#flatten" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25" + "url": "https://underscorejs.org/#isEqual" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601" }, { "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + "url": "https://github.com/jashkenas/underscore/commit/411e222eb0ca5d570cc4f6315c02c05b830ed2b4" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3" + "url": "https://github.com/jashkenas/underscore/commit/a6e23ae9647461ec33ad9f92a2ecfc220eea0a84" } ], - "risk_score": 0.34706, + "risk_score": 0.44523, "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in y18n" + "title": "Underscore has 
unlimited recursion in _.flatten and _.isEqual, potential for DoS attack" } ] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], "matched": true, - "name": "y18n", - "purl": "pkg:npm/y18n@4.0.0", - "version": "4.0.0", + "name": "universalify", + "purl": "pkg:npm/universalify@0.1.2", + "version": "0.1.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "url", + "purl": "pkg:npm/url@0.11.0", + "version": "0.11.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "uuid", + "purl": "pkg:npm/uuid@3.4.0", + "version": "3.4.0", "vulnerabilities": [ { - "affected_version_range": "=4.0.0 (semantic)", + "affected_version_range": "\u003c11.1.1 (semantic)", "aliases": [ - "CVE-2020-7774" + "CVE-2026-41907" ], "cvss": [ { - "score": 7.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" + }, + { + "score": 6.3, + "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2020-7774", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" + "cve": "CVE-2026-41907", + "id": "CWE-787", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2026-41907", + "id": "CWE-823", + "source": "security-advisories@github.com", + "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-c4w7-xm78-47vh", - "description": "Prototype Pollution in y18n", + "data_source": "https://github.com/advisories/GHSA-w5hq-g745-h8pq", + "description": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is 
provided", "epss": [ { - "cve": "CVE-2020-7774", - "date": "2026-06-14", - "epss": 0.00469, - "percentile": 0.65105 + "cve": "CVE-2026-41907", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2021-03-30", + "date": "2026-05-05", "kind": "first-observed", - "version": "4.0.1" + "version": "11.1.1" } ], "fix_state": "fixed", - "fixed_in": "4.0.1", + "fixed_in": "11.1.1", "fixed_versions": [ - "4.0.1" + "11.1.1" ], - "id": "GHSA-c4w7-xm78-47vh", + "id": "GHSA-w5hq-g745-h8pq", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", - "confidence": "medium", - "hops": 2, - "status": "reachable", + "dynamic_imports_detected": true, + "reason": "package-not-imported", + "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: CVE-2020-7774", - "Fix available: upgrade to 4.0.1", - "Fix state: fixed", - "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", - "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", - "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", - "https://github.com/yargs/y18n/issues/96", - "https://github.com/yargs/y18n/pull/108", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", - "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", - "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", - "https://www.oracle.com/security-alerts/cpuApr2021.html" + "Also known as: CVE-2026-41907", + "Fix available: upgrade to 11.1.1", + "Fix state: fixed", + "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e", + "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34", + "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d", + "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a", + "https://github.com/uuidjs/uuid/releases/tag/v11.1.1", + 
"https://github.com/uuidjs/uuid/releases/tag/v12.0.1", + "https://github.com/uuidjs/uuid/releases/tag/v13.0.1", + "https://github.com/uuidjs/uuid/releases/tag/v14.0.0", + "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq", + "https://nvd.nist.gov/vuln/detail/CVE-2026-41907" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-c4w7-xm78-47vh" + "url": "https://github.com/advisories/GHSA-w5hq-g745-h8pq" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774" + "url": "https://github.com/uuidjs/uuid/security/advisories/GHSA-w5hq-g745-h8pq" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/issues/96" + "url": "https://github.com/uuidjs/uuid/commit/3d2c5b0342f0fcb52a5ac681c3d47c13e7444b34" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/pull/108" + "url": "https://github.com/uuidjs/uuid/releases/tag/v14.0.0" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41907" }, { "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887" + "url": "https://github.com/uuidjs/uuid/commit/32389c887c9e75f90442ee4cc95bbab0c4e8346e" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25" + "url": "https://github.com/uuidjs/uuid/commit/3d61d6ac1f782cf6b1dd8661c60f11722cd49a0d" }, { "type": "advisory", - "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" + "url": "https://github.com/uuidjs/uuid/commit/9d27ddf7046ce496ef39569ff84d948eeff9cb2a" }, { "type": "advisory", - "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" + "url": "https://github.com/uuidjs/uuid/releases/tag/v11.1.1" }, { "type": "advisory", - "url": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3" + "url": "https://github.com/uuidjs/uuid/releases/tag/v12.0.1" + }, + { + "type": 
"advisory", + "url": "https://github.com/uuidjs/uuid/releases/tag/v13.0.1" } ], - "risk_score": 0.34706, - "severity": "high", + "risk_score": 0.185045, + "severity": "medium", "severity_source": "github:language:javascript", "source": "grype", - "title": "Prototype Pollution in y18n" + "title": "uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided" } ] }, 
@@ -63420,268 +9792,219 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], - "name": "yallist", - "purl": "pkg:npm/yallist@2.1.2", - "version": "2.1.2", + "matched": true, + "name": "which-module", + "purl": "pkg:npm/which-module@2.0.0", + "version": "2.0.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "yallist", - "purl": "pkg:npm/yallist@3.1.1", - "version": "3.1.1", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "which", + "purl": "pkg:npm/which@1.3.1", + "version": "1.3.1", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "yapool", - "purl": "pkg:npm/yapool@1.0.0", - "version": "1.0.0", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], + "matched": true, + "name": "wide-align", + "purl": "pkg:npm/wide-align@1.1.3", + "version": "1.1.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "yargonaut", - "purl": "pkg:npm/yargonaut@1.1.4", - "version": "1.1.4", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "wordwrap", + "purl": "pkg:npm/wordwrap@0.0.3", + "version": "0.0.3", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "yargs-parser", - "purl": "pkg:npm/yargs-parser@13.1.2", - "version": "13.1.2", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "wrap-ansi", + "purl": "pkg:npm/wrap-ansi@5.1.0", + "version": "5.1.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], - "name": "yargs-parser", - "purl": "pkg:npm/yargs-parser@18.1.3", - "version": "18.1.3", + "licenses": [ + { + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" + } + ], 
+ "matched": true, + "name": "wrappy", + "purl": "pkg:npm/wrappy@1.0.2", + "version": "1.0.2", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "ISC", + "type": "external-depsdev", "value": "ISC" } ], "matched": true, - "name": "yargs-parser", - "purl": "pkg:npm/yargs-parser@8.1.0", - "version": "8.1.0", + "name": "y18n", + "purl": "pkg:npm/y18n@4.0.0", + "version": "4.0.0", "vulnerabilities": [ { - "affected_version_range": "\u003e=6.0.0,\u003c13.1.2 (semantic)", + "affected_version_range": "=4.0.0 (semantic)", "aliases": [ - "CVE-2020-7608" + "CVE-2020-7774" ], "cvss": [ { - "score": 5.3, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", + "score": 7.3, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2020-7608", + "cve": "CVE-2020-7774", "id": "CWE-1321", "source": "nvd@nist.gov", "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-p9pc-299p-vxgp", - "description": "yargs-parser Vulnerable to Prototype Pollution", + "data_source": "https://github.com/advisories/GHSA-c4w7-xm78-47vh", + "description": "Prototype Pollution in y18n", "epss": [ { - "cve": "CVE-2020-7608", - "date": "2026-06-14", - "epss": 0.00126, - "percentile": 0.31676 + "cve": "CVE-2020-7774", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2020-09-05", + "date": "2021-03-30", "kind": "first-observed", - "version": "13.1.2" + "version": "4.0.1" } ], "fix_state": "fixed", - "fixed_in": "13.1.2", + "fixed_in": "4.0.1", "fixed_versions": [ - "13.1.2" + "4.0.1" ], - "id": "GHSA-p9pc-299p-vxgp", + "id": "GHSA-c4w7-xm78-47vh", "namespace": "github:language:javascript", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", "analyzer": "jsreach", + "dynamic_imports_detected": true, "reason": "package-not-imported", "status": "unreachable", "tier": "package" }, "reasons": [ - "Also known as: 
CVE-2020-7608", - "Fix available: upgrade to 13.1.2", + "Also known as: CVE-2020-7774", + "Fix available: upgrade to 4.0.1", "Fix state: fixed", - "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", - "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", - "https://www.npmjs.com/advisories/1500" + "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf", + "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3", + "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25", + "https://github.com/yargs/y18n/issues/96", + "https://github.com/yargs/y18n/pull/108", + "https://nvd.nist.gov/vuln/detail/CVE-2020-7774", + "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306", + "https://snyk.io/vuln/SNYK-JS-Y18N-1021887", + "https://www.oracle.com/security-alerts/cpuApr2021.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp" - }, - { - "type": "advisory", - "url": "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381" + "url": "https://github.com/advisories/GHSA-c4w7-xm78-47vh" }, { "type": "advisory", - "url": "https://www.npmjs.com/advisories/1500" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7774" }, { "type": "advisory", - "url": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2" + "url": "https://github.com/yargs/y18n/issues/96" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" + "url": "https://github.com/yargs/y18n/pull/108" }, { "type": "advisory", - "url": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36" - } - ], - "risk_score": 0.06489, - "severity": "medium", - "severity_source": "github:language:javascript", - "source": "grype", - "title": "yargs-parser Vulnerable to 
Prototype Pollution" - } - ] - }, - { - "ecosystem": "npm", - "licenses": [ - { - "type": "declared", - "value": "ISC" - } - ], - "matched": true, - "name": "yargs-parser", - "purl": "pkg:npm/yargs-parser@9.0.2", - "version": "9.0.2", - "vulnerabilities": [ - { - "affected_version_range": "\u003e=6.0.0,\u003c13.1.2 (semantic)", - "aliases": [ - "CVE-2020-7608" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2020-7608", - "id": "CWE-1321", - "source": "nvd@nist.gov", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-p9pc-299p-vxgp", - "description": "yargs-parser Vulnerable to Prototype Pollution", - "epss": [ - { - "cve": "CVE-2020-7608", - "date": "2026-06-14", - "epss": 0.00126, - "percentile": 0.31676 - } - ], - "fix_available": [ - { - "date": "2020-09-05", - "kind": "first-observed", - "version": "13.1.2" - } - ], - "fix_state": "fixed", - "fixed_in": "13.1.2", - "fixed_versions": [ - "13.1.2" - ], - "id": "GHSA-p9pc-299p-vxgp", - "namespace": "github:language:javascript", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "jsreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2020-7608", - "Fix available: upgrade to 13.1.2", - "Fix state: fixed", - "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36", - "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2", - "https://nvd.nist.gov/vuln/detail/CVE-2020-7608", - "https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381", - "https://www.npmjs.com/advisories/1500" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-p9pc-299p-vxgp" + "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1038306" }, { "type": "advisory", - "url": 
"https://snyk.io/vuln/SNYK-JS-YARGSPARSER-560381" + "url": "https://snyk.io/vuln/SNYK-JS-Y18N-1021887" }, { "type": "advisory", - "url": "https://www.npmjs.com/advisories/1500" + "url": "https://github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25" }, { "type": "advisory", - "url": "https://github.com/yargs/yargs-parser/commit/63810ca1ae1a24b08293a4d971e70e058c7a41e2" + "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7608" + "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf" }, { "type": "advisory", - "url": "https://github.com/yargs/yargs-parser/commit/1c417bd0b42b09c475ee881e36d292af4fa2cc36" + "url": "https://github.com/yargs/y18n/commit/90401eea9062ad498f4f792e3fff8008c4c193a3" } ], - "risk_score": 0.06489, - "severity": "medium", + "risk_score": 50.73291999999999, + "severity": "high", "severity_source": "github:language:javascript", "source": "grype", - "title": "yargs-parser Vulnerable to Prototype Pollution" + "title": "Prototype Pollution in y18n" } ] }, 
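Review bot: The new y18n@4.0.0 expectation in this hunk pins `"status": "unreachable"` with `"reason": "package-not-imported"` while the same object now records `"dynamic_imports_detected": true`, and it carries no confidence field. The reachable underscore entry earlier in this file's diff has `"confidence": "low"` next to that flag, so the two verdicts are reported inconsistently. A package-level "not imported" result presumably comes from static import analysis, which a dynamic import can bypass, so a consumer that filters on `unreachable` could drop this high-severity finding with no sign that the verdict is weak. I would have the analyzer emit `"confidence": "low"` on unreachable results whenever `dynamic_imports_detected` is true and regenerate the golden; the uuid@3.4.0 entry in the preceding hunk has the same shape.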
@@ -63689,59 +10012,54 @@ "ecosystem": "npm", "licenses": [ { - "type": "declared", - "value": "MIT" + "spdxExpression": "ISC", + "type": "external-depsdev", + "value": "ISC" } ], - "name": "yargs", - "purl": "pkg:npm/yargs@11.1.0", - "version": "11.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "yargs", - "purl": "pkg:npm/yargs@13.3.2", - "version": "13.3.2", - "vulnerabilities": [] - }, - { - "ecosystem": "npm", - "licenses": [], - "name": "yargs", - "purl": "pkg:npm/yargs@15.4.1", - "version": "15.4.1", + "matched": true, + "name": "yargs-parser", + "purl": "pkg:npm/yargs-parser@13.1.2", + "version": "13.1.2", "vulnerabilities": [] }, { "ecosystem": "npm", "licenses": [ { - "type": "declared", + "spdxExpression": "MIT", + "type": "external-depsdev", "value": "MIT" } ], - "name": "yargs", - "purl": "pkg:npm/yargs@3.10.0", - "version": "3.10.0", + "matched": true, + "name": "yargs-unparser", + "purl": "pkg:npm/yargs-unparser@1.6.0", + "version": "1.6.0", "vulnerabilities": [] }, { "ecosystem": "npm", - "licenses": [], + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, "name": "yargs", - "purl": "pkg:npm/yargs@3.32.0", - "version": "3.32.0", + "purl": "pkg:npm/yargs@13.3.2", + "version": "13.3.2", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "npm", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "npm", "path": "\u003cnormalized\u003e", - "target_ref": "add14ba59e98240d9e00a235dd7d42cd61ae9912", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-npm-scope-runtime.golden.json b/test/smoke/testdata/golden/scan-npm-scope-runtime.golden.json index 647dd40b..df344e84 100644 --- a/test/smoke/testdata/golden/scan-npm-scope-runtime.golden.json +++ b/test/smoke/testdata/golden/scan-npm-scope-runtime.golden.json 
@@ -3,195 +3,1042 @@ "manifests": [ { "dependencies": [ + { + "depends_on": [], + "id": "pkg:npm/algo-httpserv@1.1.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "algo-httpserv", + "package_ref": "pkg:npm/algo-httpserv@1.1.1", + "purl": "pkg:npm/algo-httpserv@1.1.1", + "scopes": [ + "runtime" + ], + "version": "1.1.1" + }, { "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main" + "pkg:npm/sprintf-js@1.0.3" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", + "id": "pkg:npm/argparse@1.0.10", "licenses": [], - "name": ".github/workflows/node-aught.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "argparse", + "package_ref": "pkg:npm/argparse@1.0.10", + "purl": "pkg:npm/argparse@1.0.10", "scopes": [ "runtime" ], - "version": "local" + "version": "1.0.10" + }, + { + "depends_on": [ + "pkg:npm/lodash@4.17.15" + ], + "id": "pkg:npm/async@2.6.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "async", + "package_ref": "pkg:npm/async@2.6.3", + "purl": "pkg:npm/async@2.6.3", + "scopes": [ + "runtime" + ], + "version": "2.6.3" + }, + { + "depends_on": [ + "pkg:npm/dicer@0.2.5", + "pkg:npm/readable-stream@1.1.14" + ], + "id": "pkg:npm/busboy@0.2.14", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + 
"name": "busboy", + "package_ref": "pkg:npm/busboy@0.2.14", + "purl": "pkg:npm/busboy@0.2.14", + "scopes": [ + "runtime" + ], + "version": "0.2.14" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "id": "pkg:npm/core-util-is@1.0.2", "licenses": [], - "name": "ljharb:actions/.github/workflows/node.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "core-util-is", + "package_ref": "pkg:npm/core-util-is@1.0.2", + "purl": "pkg:npm/core-util-is@1.0.2", "scopes": [ "runtime" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-aught.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "1.0.2" + }, { "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main" + "pkg:npm/readable-stream@1.1.14", + "pkg:npm/streamsearch@0.1.2" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", + "id": "pkg:npm/dicer@0.2.5", "licenses": [], - "name": ".github/workflows/node-pretest.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "dicer", + "package_ref": "pkg:npm/dicer@0.2.5", + "purl": "pkg:npm/dicer@0.2.5", "scopes": [ "runtime" ], - "version": "local" + "version": "0.2.5" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", + "id": "pkg:npm/esprima@4.0.1", "licenses": [], - "name": "ljharb:actions/.github/workflows/pretest.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "esprima", + "package_ref": "pkg:npm/esprima@4.0.1", + "purl": "pkg:npm/esprima@4.0.1", "scopes": [ "runtime" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-pretest.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "4.0.1" + }, { "depends_on": [ - "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main" + "pkg:npm/algo-httpserv@1.1.1", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/larvitbase@3.1.3", + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitreqparser@0.2.1", + "pkg:npm/larvitrouter@3.0.2", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/lodash@4.17.15", + "pkg:npm/marked@0.3.19", + "pkg:npm/node-yaml-config@0.0.5", + "pkg:npm/semver@5.7.1", + "pkg:npm/to@0.2.9", + "pkg:npm/url@0.11.0" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", + "id": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", "licenses": [], - "name": ".github/workflows/node-tens.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", + "name": "example-javascript-vulnerable-methods", + "package_ref": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1" + }, + { + "depends_on": [ + "pkg:npm/graceful-fs@4.2.3", + "pkg:npm/jsonfile@4.0.0", + "pkg:npm/universalify@0.1.2" + ], + "id": "pkg:npm/fs-extra@7.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "fs-extra", + "package_ref": "pkg:npm/fs-extra@7.0.1", + "purl": "pkg:npm/fs-extra@7.0.1", "scopes": [ "runtime" ], - "version": "local" + "version": "7.0.1" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + "id": "pkg:npm/function-bind@1.1.1", "licenses": [], - "name": "ljharb:actions/.github/workflows/node.yml", - "package_ref": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", + 
"locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "function-bind", + "package_ref": "pkg:npm/function-bind@1.1.1", + "purl": "pkg:npm/function-bind@1.1.1", "scopes": [ + "development", "runtime" ], - "version": "main" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/node-tens.yml", - "subproject": "." - }, - { - "dependencies": [ + "version": "1.1.1" + }, + { + "depends_on": [], + "id": "pkg:npm/graceful-fs@4.2.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "graceful-fs", + "package_ref": "pkg:npm/graceful-fs@4.2.3", + "purl": "pkg:npm/graceful-fs@4.2.3", + "scopes": [ + "runtime" + ], + "version": "4.2.3" + }, + { + "depends_on": [], + "id": "pkg:npm/handy@0.0.13", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "handy", + "package_ref": "pkg:npm/handy@0.0.13", + "purl": "pkg:npm/handy@0.0.13", + "scopes": [ + "runtime" + ], + "version": "0.0.13" + }, { "depends_on": [ - "pkg:githubactions/actions/checkout@v3", - "pkg:githubactions/ljharb/rebase@master" + "pkg:npm/function-bind@1.1.1" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", + "id": "pkg:npm/has@1.0.3", "licenses": [], - "name": ".github/workflows/rebase.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + 
"real_path": "package-lock.json" + } + ], + "name": "has", + "package_ref": "pkg:npm/has@1.0.3", + "purl": "pkg:npm/has@1.0.3", "scopes": [ "runtime" ], - "version": "local" + "version": "1.0.3" }, { "depends_on": [], - "id": "pkg:githubactions/actions/checkout@v3", + "id": "pkg:npm/htmlparser@1.7.7", "licenses": [], - "name": "actions:checkout", - "package_ref": "pkg:githubactions/actions/checkout@v3", - "purl": "pkg:githubactions/actions/checkout@v3", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "htmlparser", + "package_ref": "pkg:npm/htmlparser@1.7.7", + "purl": "pkg:npm/htmlparser@1.7.7", "scopes": [ "runtime" ], - "version": "v3" + "version": "1.7.7" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/rebase@master", + "id": "pkg:npm/inherits@2.0.4", "licenses": [], - "name": "ljharb:rebase", - "package_ref": "pkg:githubactions/ljharb/rebase@master", - "purl": "pkg:githubactions/ljharb/rebase@master", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "inherits", + "package_ref": "pkg:npm/inherits@2.0.4", + "purl": "pkg:npm/inherits@2.0.4", "scopes": [ + "development", "runtime" ], - "version": "master" - } - ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/rebase.yml", - "subproject": "." 
- }, - { - "dependencies": [ + "version": "2.0.4" + }, + { + "depends_on": [], + "id": "pkg:npm/is@3.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "is", + "package_ref": "pkg:npm/is@3.3.0", + "purl": "pkg:npm/is@3.3.0", + "scopes": [ + "runtime" + ], + "version": "3.3.0" + }, + { + "depends_on": [], + "id": "pkg:npm/isarray@0.0.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "isarray", + "package_ref": "pkg:npm/isarray@0.0.1", + "purl": "pkg:npm/isarray@0.0.1", + "scopes": [ + "runtime" + ], + "version": "0.0.1" + }, + { + "depends_on": [ + "pkg:npm/argparse@1.0.10", + "pkg:npm/esprima@4.0.1" + ], + "id": "pkg:npm/js-yaml@3.13.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "js-yaml", + "package_ref": "pkg:npm/js-yaml@3.13.0", + "purl": "pkg:npm/js-yaml@3.13.0", + "scopes": [ + "runtime" + ], + "version": "3.13.0" + }, { "depends_on": [ - "pkg:githubactions/ljharb/require-allow-edits@main" + "pkg:npm/graceful-fs@4.2.3" ], - "id": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", + "id": "pkg:npm/jsonfile@4.0.0", "licenses": [], - "name": ".github/workflows/require-allow-edits.yml", - "package_ref": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "jsonfile", + "package_ref": "pkg:npm/jsonfile@4.0.0", + "purl": 
"pkg:npm/jsonfile@4.0.0", "scopes": [ "runtime" ], - "version": "local" + "version": "4.0.0" + }, + { + "depends_on": [ + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/uuid@3.4.0" + ], + "id": "pkg:npm/larvitbase@3.1.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitbase", + "package_ref": "pkg:npm/larvitbase@3.1.3", + "purl": "pkg:npm/larvitbase@3.1.3", + "scopes": [ + "runtime" + ], + "version": "3.1.3" + }, + { + "depends_on": [ + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitfs@2.3.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitfs", + "package_ref": "pkg:npm/larvitfs@2.3.1", + "purl": "pkg:npm/larvitfs@2.3.1", + "scopes": [ + "runtime" + ], + "version": "2.3.1" + }, + { + "depends_on": [ + "pkg:npm/async@2.6.3", + "pkg:npm/busboy@0.2.14", + "pkg:npm/fs-extra@7.0.1", + "pkg:npm/larvitutils@2.3.0", + "pkg:npm/qs@6.9.1", + "pkg:npm/uuid@3.4.0" + ], + "id": "pkg:npm/larvitreqparser@0.2.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitreqparser", + "package_ref": "pkg:npm/larvitreqparser@0.2.1", + "purl": "pkg:npm/larvitreqparser@0.2.1", + "scopes": [ + "runtime" + ], + "version": "0.2.1" + }, + { + "depends_on": [ + "pkg:npm/larvitfs@2.3.1", + "pkg:npm/larvitutils@2.3.0" + ], + "id": "pkg:npm/larvitrouter@3.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitrouter", + "package_ref": "pkg:npm/larvitrouter@3.0.2", + "purl": 
"pkg:npm/larvitrouter@3.0.2", + "scopes": [ + "runtime" + ], + "version": "3.0.2" + }, + { + "depends_on": [], + "id": "pkg:npm/larvitutils@2.3.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "larvitutils", + "package_ref": "pkg:npm/larvitutils@2.3.0", + "purl": "pkg:npm/larvitutils@2.3.0", + "scopes": [ + "runtime" + ], + "version": "2.3.0" + }, + { + "depends_on": [], + "id": "pkg:npm/lodash@4.17.15", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "lodash", + "package_ref": "pkg:npm/lodash@4.17.15", + "purl": "pkg:npm/lodash@4.17.15", + "scopes": [ + "runtime" + ], + "version": "4.17.15" + }, + { + "depends_on": [], + "id": "pkg:npm/marked@0.3.19", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "marked", + "package_ref": "pkg:npm/marked@0.3.19", + "purl": "pkg:npm/marked@0.3.19", + "scopes": [ + "runtime" + ], + "version": "0.3.19" + }, + { + "depends_on": [], + "id": "pkg:npm/minimist@0.0.10", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "minimist", + "package_ref": "pkg:npm/minimist@0.0.10", + "purl": "pkg:npm/minimist@0.0.10", + "scopes": [ + "runtime" + ], + "version": "0.0.10" + }, + { + "depends_on": [ + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/node.extend@2.0.2" + ], + "id": "pkg:npm/node-yaml-config@0.0.5", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": 
"package-lock.json" + } + ], + "name": "node-yaml-config", + "package_ref": "pkg:npm/node-yaml-config@0.0.5", + "purl": "pkg:npm/node-yaml-config@0.0.5", + "scopes": [ + "runtime" + ], + "version": "0.0.5" + }, + { + "depends_on": [ + "pkg:npm/has@1.0.3", + "pkg:npm/is@3.3.0" + ], + "id": "pkg:npm/node.extend@2.0.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "node.extend", + "package_ref": "pkg:npm/node.extend@2.0.2", + "purl": "pkg:npm/node.extend@2.0.2", + "scopes": [ + "runtime" + ], + "version": "2.0.2" + }, + { + "depends_on": [ + "pkg:npm/minimist@0.0.10", + "pkg:npm/wordwrap@0.0.3" + ], + "id": "pkg:npm/optimist@0.6.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "optimist", + "package_ref": "pkg:npm/optimist@0.6.1", + "purl": "pkg:npm/optimist@0.6.1", + "scopes": [ + "runtime" + ], + "version": "0.6.1" + }, + { + "depends_on": [], + "id": "pkg:npm/punycode@1.3.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "punycode", + "package_ref": "pkg:npm/punycode@1.3.2", + "purl": "pkg:npm/punycode@1.3.2", + "scopes": [ + "runtime" + ], + "version": "1.3.2" + }, + { + "depends_on": [], + "id": "pkg:npm/qs@6.9.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "qs", + "package_ref": "pkg:npm/qs@6.9.1", + "purl": "pkg:npm/qs@6.9.1", + "scopes": [ + "runtime" + ], + "version": "6.9.1" }, { "depends_on": [], - "id": "pkg:githubactions/ljharb/require-allow-edits@main", + "id": 
"pkg:npm/querystring@0.2.0", "licenses": [], - "name": "ljharb:require-allow-edits", - "package_ref": "pkg:githubactions/ljharb/require-allow-edits@main", - "purl": "pkg:githubactions/ljharb/require-allow-edits@main", + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "querystring", + "package_ref": "pkg:npm/querystring@0.2.0", + "purl": "pkg:npm/querystring@0.2.0", "scopes": [ "runtime" ], - "version": "main" + "version": "0.2.0" + }, + { + "depends_on": [ + "pkg:npm/core-util-is@1.0.2", + "pkg:npm/inherits@2.0.4", + "pkg:npm/isarray@0.0.1", + "pkg:npm/string_decoder@0.10.31" + ], + "id": "pkg:npm/readable-stream@1.1.14", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "readable-stream", + "package_ref": "pkg:npm/readable-stream@1.1.14", + "purl": "pkg:npm/readable-stream@1.1.14", + "scopes": [ + "runtime" + ], + "version": "1.1.14" + }, + { + "depends_on": [], + "id": "pkg:npm/semver@5.7.1", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "semver", + "package_ref": "pkg:npm/semver@5.7.1", + "purl": "pkg:npm/semver@5.7.1", + "scopes": [ + "runtime" + ], + "version": "5.7.1" + }, + { + "depends_on": [], + "id": "pkg:npm/sprintf-js@1.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "sprintf-js", + "package_ref": "pkg:npm/sprintf-js@1.0.3", + "purl": "pkg:npm/sprintf-js@1.0.3", + "scopes": [ + "runtime" + ], + "version": "1.0.3" + }, + { + "depends_on": [], + "id": "pkg:npm/streamsearch@0.1.2", + 
"licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "streamsearch", + "package_ref": "pkg:npm/streamsearch@0.1.2", + "purl": "pkg:npm/streamsearch@0.1.2", + "scopes": [ + "runtime" + ], + "version": "0.1.2" + }, + { + "depends_on": [], + "id": "pkg:npm/string_decoder@0.10.31", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "string_decoder", + "package_ref": "pkg:npm/string_decoder@0.10.31", + "purl": "pkg:npm/string_decoder@0.10.31", + "scopes": [ + "runtime" + ], + "version": "0.10.31" + }, + { + "depends_on": [ + "pkg:npm/handy@0.0.13", + "pkg:npm/htmlparser@1.7.7", + "pkg:npm/js-yaml@3.13.0", + "pkg:npm/optimist@0.6.1", + "pkg:npm/underscore@1.9.2" + ], + "id": "pkg:npm/to@0.2.9", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "to", + "package_ref": "pkg:npm/to@0.2.9", + "purl": "pkg:npm/to@0.2.9", + "scopes": [ + "runtime" + ], + "version": "0.2.9" + }, + { + "depends_on": [], + "id": "pkg:npm/underscore@1.9.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "underscore", + "package_ref": "pkg:npm/underscore@1.9.2", + "purl": "pkg:npm/underscore@1.9.2", + "scopes": [ + "runtime" + ], + "version": "1.9.2" + }, + { + "depends_on": [], + "id": "pkg:npm/universalify@0.1.2", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "universalify", + 
"package_ref": "pkg:npm/universalify@0.1.2", + "purl": "pkg:npm/universalify@0.1.2", + "scopes": [ + "runtime" + ], + "version": "0.1.2" + }, + { + "depends_on": [ + "pkg:npm/punycode@1.3.2", + "pkg:npm/querystring@0.2.0" + ], + "id": "pkg:npm/url@0.11.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "url", + "package_ref": "pkg:npm/url@0.11.0", + "purl": "pkg:npm/url@0.11.0", + "scopes": [ + "runtime" + ], + "version": "0.11.0" + }, + { + "depends_on": [], + "id": "pkg:npm/uuid@3.4.0", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "uuid", + "package_ref": "pkg:npm/uuid@3.4.0", + "purl": "pkg:npm/uuid@3.4.0", + "scopes": [ + "runtime" + ], + "version": "3.4.0" + }, + { + "depends_on": [], + "id": "pkg:npm/wordwrap@0.0.3", + "licenses": [], + "locations": [ + { + "access_path": "package-lock.json", + "position": { + "file": "package-lock.json", + "line": 0 + }, + "real_path": "package-lock.json" + } + ], + "name": "wordwrap", + "package_ref": "pkg:npm/wordwrap@0.0.3", + "purl": "pkg:npm/wordwrap@0.0.3", + "scopes": [ + "runtime" + ], + "version": "0.0.3" } ], - "detector": "github-actions-detector", - "ecosystem": "github-actions", - "kind": "github-actions-workflow", - "package_manager": "github-actions", - "path": ".github/workflows/require-allow-edits.yml", + "detector": "npm-detector", + "ecosystem": "npm", + "kind": "package-lock.json", + "package_manager": "npm", + "path": "package-lock.json", "subproject": "." } ], 
@@ -200,92 +1047,364 @@ }, "packages": [ { - "ecosystem": "github-actions", + "ecosystem": "npm", + "licenses": [], + "name": "algo-httpserv", + "purl": "pkg:npm/algo-httpserv@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "argparse", + "purl": "pkg:npm/argparse@1.0.10", + "version": "1.0.10", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "async", + "purl": "pkg:npm/async@2.6.3", + "version": "2.6.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "busboy", + "purl": "pkg:npm/busboy@0.2.14", + "version": "0.2.14", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "core-util-is", + "purl": "pkg:npm/core-util-is@1.0.2", + "version": "1.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "dicer", + "purl": "pkg:npm/dicer@0.2.5", + "version": "0.2.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "esprima", + "purl": "pkg:npm/esprima@4.0.1", + "version": "4.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "example-javascript-vulnerable-methods", + "purl": "pkg:npm/example-javascript-vulnerable-methods@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "fs-extra", + "purl": "pkg:npm/fs-extra@7.0.1", + "version": "7.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "function-bind", + "purl": "pkg:npm/function-bind@1.1.1", + "version": "1.1.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "graceful-fs", + "purl": "pkg:npm/graceful-fs@4.2.3", + "version": "4.2.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "handy", + "purl": "pkg:npm/handy@0.0.13", + "version": "0.0.13", + "vulnerabilities": [] + }, + { + 
"ecosystem": "npm", + "licenses": [], + "name": "has", + "purl": "pkg:npm/has@1.0.3", + "version": "1.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "htmlparser", + "purl": "pkg:npm/htmlparser@1.7.7", + "version": "1.7.7", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "inherits", + "purl": "pkg:npm/inherits@2.0.4", + "version": "2.0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "is", + "purl": "pkg:npm/is@3.3.0", + "version": "3.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "isarray", + "purl": "pkg:npm/isarray@0.0.1", + "version": "0.0.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "js-yaml", + "purl": "pkg:npm/js-yaml@3.13.0", + "version": "3.13.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "jsonfile", + "purl": "pkg:npm/jsonfile@4.0.0", + "version": "4.0.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitbase", + "purl": "pkg:npm/larvitbase@3.1.3", + "version": "3.1.3", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitfs", + "purl": "pkg:npm/larvitfs@2.3.1", + "version": "2.3.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitreqparser", + "purl": "pkg:npm/larvitreqparser@0.2.1", + "version": "0.2.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitrouter", + "purl": "pkg:npm/larvitrouter@3.0.2", + "version": "3.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "larvitutils", + "purl": "pkg:npm/larvitutils@2.3.0", + "version": "2.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "lodash", + "purl": "pkg:npm/lodash@4.17.15", + "version": "4.17.15", + "vulnerabilities": [] + }, + { 
+ "ecosystem": "npm", + "licenses": [], + "name": "marked", + "purl": "pkg:npm/marked@0.3.19", + "version": "0.3.19", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "minimist", + "purl": "pkg:npm/minimist@0.0.10", + "version": "0.0.10", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "node-yaml-config", + "purl": "pkg:npm/node-yaml-config@0.0.5", + "version": "0.0.5", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "node.extend", + "purl": "pkg:npm/node.extend@2.0.2", + "version": "2.0.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "optimist", + "purl": "pkg:npm/optimist@0.6.1", + "version": "0.6.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "punycode", + "purl": "pkg:npm/punycode@1.3.2", + "version": "1.3.2", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "qs", + "purl": "pkg:npm/qs@6.9.1", + "version": "6.9.1", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "querystring", + "purl": "pkg:npm/querystring@0.2.0", + "version": "0.2.0", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", + "licenses": [], + "name": "readable-stream", + "purl": "pkg:npm/readable-stream@1.1.14", + "version": "1.1.14", + "vulnerabilities": [] + }, + { + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-aught.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-aught.yml@local", - "version": "local", + "name": "semver", + "purl": "pkg:npm/semver@5.7.1", + "version": "5.7.1", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-pretest.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-pretest.yml@local", - "version": "local", + "name": "sprintf-js", + "purl": "pkg:npm/sprintf-js@1.0.3", + "version": "1.0.3", 
"vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/node-tens.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Fnode-tens.yml@local", - "version": "local", + "name": "streamsearch", + "purl": "pkg:npm/streamsearch@0.1.2", + "version": "0.1.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/rebase.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frebase.yml@local", - "version": "local", + "name": "string_decoder", + "purl": "pkg:npm/string_decoder@0.10.31", + "version": "0.10.31", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": ".github/workflows/require-allow-edits.yml", - "purl": "pkg:githubactions/.github%2Fworkflows%2Frequire-allow-edits.yml@local", - "version": "local", + "name": "to", + "purl": "pkg:npm/to@0.2.9", + "version": "0.2.9", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "checkout", - "purl": "pkg:githubactions/actions/checkout@v3", - "version": "v3", + "name": "underscore", + "purl": "pkg:npm/underscore@1.9.2", + "version": "1.9.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "actions/.github/workflows/node.yml", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fnode.yml@main", - "version": "main", + "name": "universalify", + "purl": "pkg:npm/universalify@0.1.2", + "version": "0.1.2", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "actions/.github/workflows/pretest.yml", - "purl": "pkg:githubactions/ljharb/actions%2F.github%2Fworkflows%2Fpretest.yml@main", - "version": "main", + "name": "url", + "purl": "pkg:npm/url@0.11.0", + "version": "0.11.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": 
"npm", "licenses": [], - "name": "rebase", - "purl": "pkg:githubactions/ljharb/rebase@master", - "version": "master", + "name": "uuid", + "purl": "pkg:npm/uuid@3.4.0", + "version": "3.4.0", "vulnerabilities": [] }, { - "ecosystem": "github-actions", + "ecosystem": "npm", "licenses": [], - "name": "require-allow-edits", - "purl": "pkg:githubactions/ljharb/require-allow-edits@main", - "version": "main", + "name": "wordwrap", + "purl": "pkg:npm/wordwrap@0.0.3", + "version": "0.0.3", "vulnerabilities": [] } ], "project": { - "ecosystem": "other", + "ecosystem": "npm", "name": "\u003cnormalized\u003e", - "package_manager": "multiple", + "package_manager": "npm", "path": "\u003cnormalized\u003e", - "target_ref": "v6.13.0", + "target_ref": "v1.0.0", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-python-pip-reachability.golden.json b/test/smoke/testdata/golden/scan-python-pip-reachability.golden.json index a38b3c37..98bdcc49 100644 --- a/test/smoke/testdata/golden/scan-python-pip-reachability.golden.json +++ b/test/smoke/testdata/golden/scan-python-pip-reachability.golden.json 
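Review bot: The `project` block at the end of this hunk changes `target_ref` from `v6.13.0` to `v1.0.0` and `ecosystem` from `other` to `npm`, and the `packages` list swaps every GitHub Actions entry for an npm one, so this golden now describes a different scan target rather than an updated result for the same one. Because a bot regenerates the file from the tool's own output, the smoke test passes on whatever was emitted; the commit description should name the fixture change, for example `scan-npm-scope-runtime: target switched to <fixture name> at v1.0.0`. Every new entry also records `"vulnerabilities": []`, including old pinned releases such as `pkg:npm/lodash@4.17.15` and `pkg:npm/minimist@0.0.10` in a project named `example-javascript-vulnerable-methods`. If this scan mode is meant to match advisories, that empty result needs a manual check before it becomes the expected value; if matching is only exercised by the audit goldens, nothing needs to change here.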
@@ -3,172 +3,23 @@ "manifests": [ { "dependencies": [ - { - "depends_on": [ - "pkg:pypi/idna@2.8", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/anyio@4.14.0", - "licenses": [], - "matched": true, - "name": "anyio", - "package_ref": "pkg:pypi/anyio@4.14.0", - "purl": "pkg:pypi/anyio@4.14.0", - "scopes": [ - "runtime" - ], - "version": "4.14.0" - }, - { - "depends_on": [ - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/astroid@3.1.0", - "licenses": [], - "matched": true, - "name": "astroid", - "package_ref": "pkg:pypi/astroid@3.1.0", - "purl": "pkg:pypi/astroid@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/backports-zstd@1.6.0", - "licenses": [], - "matched": true, - "name": "backports-zstd", - "package_ref": "pkg:pypi/backports-zstd@1.6.0", - "purl": "pkg:pypi/backports-zstd@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [ - "pkg:pypi/gitpython@3.1.50", - "pkg:pypi/pyyaml@6.0.3", - "pkg:pypi/rich@15.0.0", - "pkg:pypi/stevedore@5.8.0" - ], - "id": "pkg:pypi/bandit@1.7.5", - "licenses": [], - "matched": true, - "name": "bandit", - "package_ref": "pkg:pypi/bandit@1.7.5", - "purl": "pkg:pypi/bandit@1.7.5", - "scopes": [ - "runtime" - ], - "version": "1.7.5" - }, - { - "depends_on": [ - "pkg:pypi/click@8.4.1", - "pkg:pypi/mypy-extensions@1.1.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pathspec@1.1.1", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/black@23.12.1", - "licenses": [], - "matched": true, - "name": "black", - "package_ref": "pkg:pypi/black@23.12.1", - "purl": "pkg:pypi/black@23.12.1", - "scopes": [ - "runtime" - ], - "version": "23.12.1" - }, - { - "depends_on": [ - "pkg:pypi/packaging@26.2", - "pkg:pypi/pyproject-hooks@1.2.0" - ], - "id": "pkg:pypi/build@1.5.0", - "licenses": [], - "matched": true, - "name": "build", - "package_ref": "pkg:pypi/build@1.5.0", - "purl": 
"pkg:pypi/build@1.5.0", - "scopes": [ - "runtime" - ], - "version": "1.5.0" - }, - { - "depends_on": [ - "pkg:pypi/msgpack@1.2.0", - "pkg:pypi/requests@2.21.0" - ], - "id": "pkg:pypi/cachecontrol@0.14.4", - "licenses": [], - "matched": true, - "name": "cachecontrol", - "package_ref": "pkg:pypi/cachecontrol@0.14.4", - "purl": "pkg:pypi/cachecontrol@0.14.4", - "scopes": [ - "runtime" - ], - "version": "0.14.4" - }, { "depends_on": [], - "id": "pkg:pypi/certifi@2026.5.20", + "id": "pkg:pypi/certifi@2026.6.17", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "matched": true, "name": "certifi", - "package_ref": "pkg:pypi/certifi@2026.5.20", - "purl": "pkg:pypi/certifi@2026.5.20", - "scopes": [ - "runtime" - ], - "version": "2026.5.20" - }, - { - "depends_on": [ - "pkg:pypi/pycparser@3.0" - ], - "id": "pkg:pypi/cffi@2.0.0", - "licenses": [], - "matched": true, - "name": "cffi", - "package_ref": "pkg:pypi/cffi@2.0.0", - "purl": "pkg:pypi/cffi@2.0.0", + "package_ref": "pkg:pypi/certifi@2026.6.17", + "purl": "pkg:pypi/certifi@2026.6.17", "scopes": [ "runtime" ], - "version": "2.0.0" + "version": "2026.6.17" }, { "depends_on": [], "id": "pkg:pypi/chardet@3.0.4", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "matched": true, "name": "chardet", "package_ref": "pkg:pypi/chardet@3.0.4", 
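Review bot: The new side removes the `"locations"` block (`requirements.txt`) from `certifi` and `chardet` in this hunk and from `django` in the `@@ -178,132 +29,12 @@` hunk, while the npm golden regenerated in the same commit still records `"locations"` for every `package-lock.json` entry. If dropping them is not an intended output change, this golden now asserts the loss of the manifest location that ties a dependency back to the file declaring it. Separately, `certifi` moves from `2026.5.20` to `2026.6.17` with no fixture change visible here, which suggests the expected output follows whatever the resolver returns on the day of regeneration. Pinning it in the fixture's requirements (for example `certifi==2026.6.17`) would keep later golden diffs limited to real behaviour changes.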
@@ -178,132 +29,12 @@ ], "version": "3.0.4" }, - { - "depends_on": [], - "id": "pkg:pypi/charset-normalizer@3.4.7", - "licenses": [], - "matched": true, - "name": "charset-normalizer", - "package_ref": "pkg:pypi/charset-normalizer@3.4.7", - "purl": "pkg:pypi/charset-normalizer@3.4.7", - "scopes": [ - "runtime" - ], - "version": "3.4.7" - }, - { - "depends_on": [ - "pkg:pypi/crashtest@0.4.1", - "pkg:pypi/rapidfuzz@3.14.5" - ], - "id": "pkg:pypi/cleo@2.1.0", - "licenses": [], - "matched": true, - "name": "cleo", - "package_ref": "pkg:pypi/cleo@2.1.0", - "purl": "pkg:pypi/cleo@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/click@8.4.1", - "licenses": [], - "matched": true, - "name": "click", - "package_ref": "pkg:pypi/click@8.4.1", - "purl": "pkg:pypi/click@8.4.1", - "scopes": [ - "runtime" - ], - "version": "8.4.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/coverage@7.4.0", - "licenses": [], - "matched": true, - "name": "coverage", - "package_ref": "pkg:pypi/coverage@7.4.0", - "purl": "pkg:pypi/coverage@7.4.0", - "scopes": [ - "runtime" - ], - "version": "7.4.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/crashtest@0.4.1", - "licenses": [], - "matched": true, - "name": "crashtest", - "package_ref": "pkg:pypi/crashtest@0.4.1", - "purl": "pkg:pypi/crashtest@0.4.1", - "scopes": [ - "runtime" - ], - "version": "0.4.1" - }, - { - "depends_on": [ - "pkg:pypi/cffi@2.0.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/cryptography@49.0.0", - "licenses": [], - "matched": true, - "name": "cryptography", - "package_ref": "pkg:pypi/cryptography@49.0.0", - "purl": "pkg:pypi/cryptography@49.0.0", - "scopes": [ - "runtime" - ], - "version": "49.0.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/dill@0.4.1", - "licenses": [], - "matched": true, - "name": "dill", - "package_ref": "pkg:pypi/dill@0.4.1", - "purl": "pkg:pypi/dill@0.4.1", - "scopes": [ - "runtime" - ], - "version": "0.4.1" - }, - { - 
"depends_on": [], - "id": "pkg:pypi/distlib@0.4.3", - "licenses": [], - "matched": true, - "name": "distlib", - "package_ref": "pkg:pypi/distlib@0.4.3", - "purl": "pkg:pypi/distlib@0.4.3", - "scopes": [ - "runtime" - ], - "version": "0.4.3" - }, { "depends_on": [ "pkg:pypi/pytz@2026.2" ], "id": "pkg:pypi/django@1.11.29", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "matched": true, "name": "django", "package_ref": "pkg:pypi/django@1.11.29", 
@@ -315,1550 +46,253 @@ }, { "depends_on": [ - "pkg:pypi/typing-extensions@4.15.0", - "pkg:pypi/urllib3@1.24.1" + "pkg:pypi/sgmllib3k@1.0.0" ], - "id": "pkg:pypi/dulwich@1.2.6", + "id": "pkg:pypi/feedparser@6.0.8", "licenses": [], "matched": true, - "name": "dulwich", - "package_ref": "pkg:pypi/dulwich@1.2.6", - "purl": "pkg:pypi/dulwich@1.2.6", + "name": "feedparser", + "package_ref": "pkg:pypi/feedparser@6.0.8", + "purl": "pkg:pypi/feedparser@6.0.8", "scopes": [ "runtime" ], - "version": "1.2.6" + "version": "6.0.8" }, { "depends_on": [], - "id": "pkg:pypi/fastjsonschema@2.21.2", + "id": "pkg:pypi/idna@2.8", "licenses": [], "matched": true, - "name": "fastjsonschema", - "package_ref": "pkg:pypi/fastjsonschema@2.21.2", - "purl": "pkg:pypi/fastjsonschema@2.21.2", + "name": "idna", + "package_ref": "pkg:pypi/idna@2.8", + "purl": "pkg:pypi/idna@2.8", "scopes": [ "runtime" ], - "version": "2.21.2" + "version": "2.8" }, { "depends_on": [ - "pkg:pypi/sgmllib3k@1.0.0" + "pkg:pypi/markupsafe@3.0.3" ], - "id": "pkg:pypi/feedparser@6.0.8", + "id": "pkg:pypi/jinja2@2.10.1", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "matched": true, - "name": "feedparser", - "package_ref": "pkg:pypi/feedparser@6.0.8", - "purl": "pkg:pypi/feedparser@6.0.8", + "name": "jinja2", + "package_ref": "pkg:pypi/jinja2@2.10.1", + "purl": "pkg:pypi/jinja2@2.10.1", "scopes": [ "runtime" ], - "version": "6.0.8" + "version": "2.10.1" }, { "depends_on": [], - "id": "pkg:pypi/filelock@3.29.4", + "id": "pkg:pypi/markupsafe@3.0.3", "licenses": [], "matched": true, - "name": "filelock", - "package_ref": "pkg:pypi/filelock@3.29.4", - "purl": "pkg:pypi/filelock@3.29.4", + "name": "markupsafe", + "package_ref": "pkg:pypi/markupsafe@3.0.3", + "purl": "pkg:pypi/markupsafe@3.0.3", "scopes": [ "runtime" ], - "version": "3.29.4" + "version": "3.0.3" }, { - "depends_on": [ - 
"pkg:pypi/packaging@26.2", - "pkg:pypi/platformdirs@4.10.0" - ], - "id": "pkg:pypi/findpython@0.8.0", + "depends_on": [], + "id": "pkg:pypi/pyasn1@0.6.3", "licenses": [], "matched": true, - "name": "findpython", - "package_ref": "pkg:pypi/findpython@0.8.0", - "purl": "pkg:pypi/findpython@0.8.0", + "name": "pyasn1", + "package_ref": "pkg:pypi/pyasn1@0.6.3", + "purl": "pkg:pypi/pyasn1@0.6.3", "scopes": [ "runtime" ], - "version": "0.8.0" + "version": "0.6.3" }, { - "depends_on": [ - "pkg:pypi/smmap@5.0.3" - ], - "id": "pkg:pypi/gitdb@4.0.12", + "depends_on": [], + "id": "pkg:pypi/pyjwt@0.4.2", "licenses": [], "matched": true, - "name": "gitdb", - "package_ref": "pkg:pypi/gitdb@4.0.12", - "purl": "pkg:pypi/gitdb@4.0.12", + "name": "pyjwt", + "package_ref": "pkg:pypi/pyjwt@0.4.2", + "purl": "pkg:pypi/pyjwt@0.4.2", "scopes": [ "runtime" ], - "version": "4.0.12" + "version": "0.4.2" }, { - "depends_on": [ - "pkg:pypi/gitdb@4.0.12", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/gitpython@3.1.50", + "depends_on": [], + "id": "pkg:pypi/pytz@2026.2", "licenses": [], "matched": true, - "name": "gitpython", - "package_ref": "pkg:pypi/gitpython@3.1.50", - "purl": "pkg:pypi/gitpython@3.1.50", + "name": "pytz", + "package_ref": "pkg:pypi/pytz@2026.2", + "purl": "pkg:pypi/pytz@2026.2", "scopes": [ "runtime" ], - "version": "3.1.50" + "version": "2026.2" }, { "depends_on": [], - "id": "pkg:pypi/greenlet@3.5.1", + "id": "pkg:pypi/pyyaml@5.3", "licenses": [], "matched": true, - "name": "greenlet", - "package_ref": "pkg:pypi/greenlet@3.5.1", - "purl": "pkg:pypi/greenlet@3.5.1", + "name": "pyyaml", + "package_ref": "pkg:pypi/pyyaml@5.3", + "purl": "pkg:pypi/pyyaml@5.3", "scopes": [ "runtime" ], - "version": "3.5.1" + "version": "5.3" }, { - "depends_on": [], - "id": "pkg:pypi/h11@0.16.0", + "depends_on": [ + "pkg:pypi/certifi@2026.6.17", + "pkg:pypi/chardet@3.0.4", + "pkg:pypi/idna@2.8", + "pkg:pypi/urllib3@1.24.1" + ], + "id": "pkg:pypi/requests@2.21.0", "licenses": [], 
"matched": true, - "name": "h11", - "package_ref": "pkg:pypi/h11@0.16.0", - "purl": "pkg:pypi/h11@0.16.0", + "name": "requests", + "package_ref": "pkg:pypi/requests@2.21.0", + "purl": "pkg:pypi/requests@2.21.0", "scopes": [ "runtime" ], - "version": "0.16.0" + "version": "2.21.0" }, { "depends_on": [ - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/h11@0.16.0" + "pkg:pypi/django@1.11.29", + "pkg:pypi/feedparser@6.0.8", + "pkg:pypi/jinja2@2.10.1", + "pkg:pypi/pyjwt@0.4.2", + "pkg:pypi/pyyaml@5.3", + "pkg:pypi/requests@2.21.0", + "pkg:pypi/rsa@3.4", + "pkg:pypi/sqlalchemy@1.4.46", + "pkg:pypi/urllib3@1.24.1" ], - "id": "pkg:pypi/httpcore@1.0.9", + "id": "pkg:pypi/root", "licenses": [], - "matched": true, - "name": "httpcore", - "package_ref": "pkg:pypi/httpcore@1.0.9", - "purl": "pkg:pypi/httpcore@1.0.9", - "scopes": [ - "runtime" - ], - "version": "1.0.9" + "name": "root", + "package_ref": "pkg:pypi/root", + "purl": "pkg:pypi/root" }, { "depends_on": [ - "pkg:pypi/anyio@4.14.0", - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/httpcore@1.0.9", - "pkg:pypi/idna@2.8" + "pkg:pypi/pyasn1@0.6.3" ], - "id": "pkg:pypi/httpx@0.28.1", + "id": "pkg:pypi/rsa@3.4", "licenses": [], "matched": true, - "name": "httpx", - "package_ref": "pkg:pypi/httpx@0.28.1", - "purl": "pkg:pypi/httpx@0.28.1", + "name": "rsa", + "package_ref": "pkg:pypi/rsa@3.4", + "purl": "pkg:pypi/rsa@3.4", "scopes": [ "runtime" ], - "version": "0.28.1" + "version": "3.4" }, { "depends_on": [], - "id": "pkg:pypi/idna@2.8", + "id": "pkg:pypi/sgmllib3k@1.0.0", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "matched": true, - "name": "idna", - "package_ref": "pkg:pypi/idna@2.8", - "purl": "pkg:pypi/idna@2.8", + "name": "sgmllib3k", + "package_ref": "pkg:pypi/sgmllib3k@1.0.0", + "purl": "pkg:pypi/sgmllib3k@1.0.0", "scopes": [ "runtime" ], - "version": "2.8" + "version": "1.0.0" }, { 
"depends_on": [], - "id": "pkg:pypi/iniconfig@2.3.0", + "id": "pkg:pypi/sqlalchemy@1.4.46", "licenses": [], "matched": true, - "name": "iniconfig", - "package_ref": "pkg:pypi/iniconfig@2.3.0", - "purl": "pkg:pypi/iniconfig@2.3.0", + "name": "sqlalchemy", + "package_ref": "pkg:pypi/sqlalchemy@1.4.46", + "purl": "pkg:pypi/sqlalchemy@1.4.46", "scopes": [ "runtime" ], - "version": "2.3.0" + "version": "1.4.46" }, { "depends_on": [], - "id": "pkg:pypi/installer@1.0.1", + "id": "pkg:pypi/urllib3@1.24.1", "licenses": [], "matched": true, - "name": "installer", - "package_ref": "pkg:pypi/installer@1.0.1", - "purl": "pkg:pypi/installer@1.0.1", - "scopes": [ - "runtime" - ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/isort@5.13.2", - "licenses": [], - "matched": true, - "name": "isort", - "package_ref": "pkg:pypi/isort@5.13.2", - "purl": "pkg:pypi/isort@5.13.2", - "scopes": [ - "runtime" - ], - "version": "5.13.2" - }, - { - "depends_on": [ - "pkg:pypi/more-itertools@11.1.0" - ], - "id": "pkg:pypi/jaraco-classes@3.4.0", - "licenses": [], - "matched": true, - "name": "jaraco-classes", - "package_ref": "pkg:pypi/jaraco-classes@3.4.0", - "purl": "pkg:pypi/jaraco-classes@3.4.0", - "scopes": [ - "runtime" - ], - "version": "3.4.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/jaraco-context@6.1.2", - "licenses": [], - "matched": true, - "name": "jaraco-context", - "package_ref": "pkg:pypi/jaraco-context@6.1.2", - "purl": "pkg:pypi/jaraco-context@6.1.2", - "scopes": [ - "runtime" - ], - "version": "6.1.2" - }, - { - "depends_on": [ - "pkg:pypi/more-itertools@11.1.0" - ], - "id": "pkg:pypi/jaraco-functools@4.5.0", - "licenses": [], - "matched": true, - "name": "jaraco-functools", - "package_ref": "pkg:pypi/jaraco-functools@4.5.0", - "purl": "pkg:pypi/jaraco-functools@4.5.0", - "scopes": [ - "runtime" - ], - "version": "4.5.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/jeepney@0.9.0", - "licenses": [], - "matched": true, - "name": "jeepney", - 
"package_ref": "pkg:pypi/jeepney@0.9.0", - "purl": "pkg:pypi/jeepney@0.9.0", - "scopes": [ - "runtime" - ], - "version": "0.9.0" - }, - { - "depends_on": [ - "pkg:pypi/markupsafe@3.0.3" - ], - "id": "pkg:pypi/jinja2@2.10.1", - "licenses": [], - "matched": true, - "name": "jinja2", - "package_ref": "pkg:pypi/jinja2@2.10.1", - "purl": "pkg:pypi/jinja2@2.10.1", - "scopes": [ - "runtime" - ], - "version": "2.10.1" - }, - { - "depends_on": [ - "pkg:pypi/jaraco-classes@3.4.0", - "pkg:pypi/jaraco-context@6.1.2", - "pkg:pypi/jaraco-functools@4.5.0", - "pkg:pypi/jeepney@0.9.0", - "pkg:pypi/secretstorage@3.5.0" - ], - "id": "pkg:pypi/keyring@25.7.0", - "licenses": [], - "matched": true, - "name": "keyring", - "package_ref": "pkg:pypi/keyring@25.7.0", - "purl": "pkg:pypi/keyring@25.7.0", - "scopes": [ - "runtime" - ], - "version": "25.7.0" - }, - { - "depends_on": [ - "pkg:pypi/mdurl@0.1.2" - ], - "id": "pkg:pypi/markdown-it-py@4.2.0", - "licenses": [], - "matched": true, - "name": "markdown-it-py", - "package_ref": "pkg:pypi/markdown-it-py@4.2.0", - "purl": "pkg:pypi/markdown-it-py@4.2.0", - "scopes": [ - "runtime" - ], - "version": "4.2.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/markupsafe@3.0.3", - "licenses": [], - "matched": true, - "name": "markupsafe", - "package_ref": "pkg:pypi/markupsafe@3.0.3", - "purl": "pkg:pypi/markupsafe@3.0.3", - "scopes": [ - "runtime" - ], - "version": "3.0.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/mccabe@0.7.0", - "licenses": [], - "matched": true, - "name": "mccabe", - "package_ref": "pkg:pypi/mccabe@0.7.0", - "purl": "pkg:pypi/mccabe@0.7.0", - "scopes": [ - "runtime" - ], - "version": "0.7.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/mdurl@0.1.2", - "licenses": [], - "matched": true, - "name": "mdurl", - "package_ref": "pkg:pypi/mdurl@0.1.2", - "purl": "pkg:pypi/mdurl@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/more-itertools@11.1.0", - "licenses": [], - 
"matched": true, - "name": "more-itertools", - "package_ref": "pkg:pypi/more-itertools@11.1.0", - "purl": "pkg:pypi/more-itertools@11.1.0", - "scopes": [ - "runtime" - ], - "version": "11.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/msgpack@1.2.0", - "licenses": [], - "matched": true, - "name": "msgpack", - "package_ref": "pkg:pypi/msgpack@1.2.0", - "purl": "pkg:pypi/msgpack@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/mypy-extensions@1.1.0", - "licenses": [], - "matched": true, - "name": "mypy-extensions", - "package_ref": "pkg:pypi/mypy-extensions@1.1.0", - "purl": "pkg:pypi/mypy-extensions@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/packaging@26.2", - "licenses": [], - "matched": true, - "name": "packaging", - "package_ref": "pkg:pypi/packaging@26.2", - "purl": "pkg:pypi/packaging@26.2", - "scopes": [ - "runtime" - ], - "version": "26.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pathspec@1.1.1", - "licenses": [], - "matched": true, - "name": "pathspec", - "package_ref": "pkg:pypi/pathspec@1.1.1", - "purl": "pkg:pypi/pathspec@1.1.1", - "scopes": [ - "runtime" - ], - "version": "1.1.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/pbs-installer@2026.6.10", - "licenses": [], - "matched": true, - "name": "pbs-installer", - "package_ref": "pkg:pypi/pbs-installer@2026.6.10", - "purl": "pkg:pypi/pbs-installer@2026.6.10", - "scopes": [ - "runtime" - ], - "version": "2026.6.10" - }, - { - "depends_on": [], - "id": "pkg:pypi/pkginfo@1.12.1.2", - "licenses": [], - "matched": true, - "name": "pkginfo", - "package_ref": "pkg:pypi/pkginfo@1.12.1.2", - "purl": "pkg:pypi/pkginfo@1.12.1.2", - "scopes": [ - "runtime" - ], - "version": "1.12.1.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/platformdirs@4.10.0", - "licenses": [], - "matched": true, - "name": "platformdirs", - "package_ref": "pkg:pypi/platformdirs@4.10.0", - "purl": 
"pkg:pypi/platformdirs@4.10.0", - "scopes": [ - "runtime" - ], - "version": "4.10.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pluggy@1.6.0", - "licenses": [], - "matched": true, - "name": "pluggy", - "package_ref": "pkg:pypi/pluggy@1.6.0", - "purl": "pkg:pypi/pluggy@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/poetry-core@2.4.0", - "licenses": [], - "matched": true, - "name": "poetry-core", - "package_ref": "pkg:pypi/poetry-core@2.4.0", - "purl": "pkg:pypi/poetry-core@2.4.0", - "scopes": [ - "runtime" - ], - "version": "2.4.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyasn1@0.6.3", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "pyasn1", - "package_ref": "pkg:pypi/pyasn1@0.6.3", - "purl": "pkg:pypi/pyasn1@0.6.3", - "scopes": [ - "runtime" - ], - "version": "0.6.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/pycparser@3.0", - "licenses": [], - "matched": true, - "name": "pycparser", - "package_ref": "pkg:pypi/pycparser@3.0", - "purl": "pkg:pypi/pycparser@3.0", - "scopes": [ - "runtime" - ], - "version": "3.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pygments@2.20.0", - "licenses": [], - "matched": true, - "name": "pygments", - "package_ref": "pkg:pypi/pygments@2.20.0", - "purl": "pkg:pypi/pygments@2.20.0", - "scopes": [ - "runtime" - ], - "version": "2.20.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyjwt@0.4.2", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "pyjwt", - "package_ref": "pkg:pypi/pyjwt@0.4.2", - "purl": "pkg:pypi/pyjwt@0.4.2", - "scopes": [ - "runtime" - ], - "version": "0.4.2" - }, - { - "depends_on": [ - "pkg:pypi/astroid@3.1.0", - 
"pkg:pypi/dill@0.4.1", - "pkg:pypi/isort@5.13.2", - "pkg:pypi/mccabe@0.7.0", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/tomlkit@0.15.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/pylint@3.1.0", - "licenses": [], - "matched": true, - "name": "pylint", - "package_ref": "pkg:pypi/pylint@3.1.0", - "purl": "pkg:pypi/pylint@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyproject-hooks@1.2.0", - "licenses": [], - "matched": true, - "name": "pyproject-hooks", - "package_ref": "pkg:pypi/pyproject-hooks@1.2.0", - "purl": "pkg:pypi/pyproject-hooks@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:pypi/coverage@7.4.0", - "pkg:pypi/pytest@7.4.3" - ], - "id": "pkg:pypi/pytest-cov@4.1.0", - "licenses": [], - "matched": true, - "name": "pytest-cov", - "package_ref": "pkg:pypi/pytest-cov@4.1.0", - "purl": "pkg:pypi/pytest-cov@4.1.0", - "scopes": [ - "runtime" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:pypi/iniconfig@2.3.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pluggy@1.6.0" - ], - "id": "pkg:pypi/pytest@7.4.3", - "licenses": [], - "matched": true, - "name": "pytest", - "package_ref": "pkg:pypi/pytest@7.4.3", - "purl": "pkg:pypi/pytest@7.4.3", - "scopes": [ - "runtime" - ], - "version": "7.4.3" - }, - { - "depends_on": [ - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/platformdirs@4.10.0" - ], - "id": "pkg:pypi/python-discovery@1.4.2", - "licenses": [], - "matched": true, - "name": "python-discovery", - "package_ref": "pkg:pypi/python-discovery@1.4.2", - "purl": "pkg:pypi/python-discovery@1.4.2", - "scopes": [ - "runtime" - ], - "version": "1.4.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pytz@2026.2", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "pytz", - "package_ref": 
"pkg:pypi/pytz@2026.2", - "purl": "pkg:pypi/pytz@2026.2", - "scopes": [ - "runtime" - ], - "version": "2026.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyyaml@6.0.3", - "licenses": [], - "matched": true, - "name": "pyyaml", - "package_ref": "pkg:pypi/pyyaml@6.0.3", - "purl": "pkg:pypi/pyyaml@6.0.3", - "scopes": [ - "runtime" - ], - "version": "6.0.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/rapidfuzz@3.14.5", - "licenses": [], - "matched": true, - "name": "rapidfuzz", - "package_ref": "pkg:pypi/rapidfuzz@3.14.5", - "purl": "pkg:pypi/rapidfuzz@3.14.5", - "scopes": [ - "runtime" - ], - "version": "3.14.5" - }, - { - "depends_on": [ - "pkg:pypi/requests@2.21.0" - ], - "id": "pkg:pypi/requests-toolbelt@1.0.0", - "licenses": [], - "matched": true, - "name": "requests-toolbelt", - "package_ref": "pkg:pypi/requests-toolbelt@1.0.0", - "purl": "pkg:pypi/requests-toolbelt@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/chardet@3.0.4", - "pkg:pypi/idna@2.8", - "pkg:pypi/urllib3@1.24.1" - ], - "id": "pkg:pypi/requests@2.21.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "requests", - "package_ref": "pkg:pypi/requests@2.21.0", - "purl": "pkg:pypi/requests@2.21.0", - "scopes": [ - "runtime" - ], - "version": "2.21.0" - }, - { - "depends_on": [ - "pkg:pypi/markdown-it-py@4.2.0", - "pkg:pypi/pygments@2.20.0" - ], - "id": "pkg:pypi/rich@15.0.0", - "licenses": [], - "matched": true, - "name": "rich", - "package_ref": "pkg:pypi/rich@15.0.0", - "purl": "pkg:pypi/rich@15.0.0", - "scopes": [ - "runtime" - ], - "version": "15.0.0" - }, - { - "depends_on": [ - "pkg:pypi/anyio@4.14.0", - "pkg:pypi/astroid@3.1.0", - "pkg:pypi/backports-zstd@1.6.0", - "pkg:pypi/bandit@1.7.5", - "pkg:pypi/black@23.12.1", - "pkg:pypi/build@1.5.0", - 
"pkg:pypi/cachecontrol@0.14.4", - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/cffi@2.0.0", - "pkg:pypi/chardet@3.0.4", - "pkg:pypi/charset-normalizer@3.4.7", - "pkg:pypi/cleo@2.1.0", - "pkg:pypi/click@8.4.1", - "pkg:pypi/coverage@7.4.0", - "pkg:pypi/crashtest@0.4.1", - "pkg:pypi/cryptography@49.0.0", - "pkg:pypi/dill@0.4.1", - "pkg:pypi/distlib@0.4.3", - "pkg:pypi/django@1.11.29", - "pkg:pypi/dulwich@1.2.6", - "pkg:pypi/fastjsonschema@2.21.2", - "pkg:pypi/feedparser@6.0.8", - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/findpython@0.8.0", - "pkg:pypi/gitdb@4.0.12", - "pkg:pypi/gitpython@3.1.50", - "pkg:pypi/greenlet@3.5.1", - "pkg:pypi/h11@0.16.0", - "pkg:pypi/httpcore@1.0.9", - "pkg:pypi/httpx@0.28.1", - "pkg:pypi/idna@2.8", - "pkg:pypi/iniconfig@2.3.0", - "pkg:pypi/installer@1.0.1", - "pkg:pypi/isort@5.13.2", - "pkg:pypi/jaraco-classes@3.4.0", - "pkg:pypi/jaraco-context@6.1.2", - "pkg:pypi/jaraco-functools@4.5.0", - "pkg:pypi/jeepney@0.9.0", - "pkg:pypi/jinja2@2.10.1", - "pkg:pypi/keyring@25.7.0", - "pkg:pypi/markdown-it-py@4.2.0", - "pkg:pypi/markupsafe@3.0.3", - "pkg:pypi/mccabe@0.7.0", - "pkg:pypi/mdurl@0.1.2", - "pkg:pypi/more-itertools@11.1.0", - "pkg:pypi/msgpack@1.2.0", - "pkg:pypi/mypy-extensions@1.1.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pathspec@1.1.1", - "pkg:pypi/pbs-installer@2026.6.10", - "pkg:pypi/pkginfo@1.12.1.2", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/pluggy@1.6.0", - "pkg:pypi/poetry-core@2.4.0", - "pkg:pypi/pyasn1@0.6.3", - "pkg:pypi/pycparser@3.0", - "pkg:pypi/pygments@2.20.0", - "pkg:pypi/pyjwt@0.4.2", - "pkg:pypi/pylint@3.1.0", - "pkg:pypi/pyproject-hooks@1.2.0", - "pkg:pypi/pytest-cov@4.1.0", - "pkg:pypi/pytest@7.4.3", - "pkg:pypi/python-discovery@1.4.2", - "pkg:pypi/pytz@2026.2", - "pkg:pypi/pyyaml@6.0.3", - "pkg:pypi/rapidfuzz@3.14.5", - "pkg:pypi/requests-toolbelt@1.0.0", - "pkg:pypi/requests@2.21.0", - "pkg:pypi/rich@15.0.0", - "pkg:pypi/rsa@3.4", - "pkg:pypi/secretstorage@3.5.0", - "pkg:pypi/sgmllib3k@1.0.0", - 
"pkg:pypi/shellingham@1.5.4", - "pkg:pypi/smmap@5.0.3", - "pkg:pypi/sqlalchemy@1.4.46", - "pkg:pypi/stevedore@5.8.0", - "pkg:pypi/tomlkit@0.15.0", - "pkg:pypi/trove-classifiers@2026.6.1.19", - "pkg:pypi/typing-extensions@4.15.0", - "pkg:pypi/urllib3@1.24.1", - "pkg:pypi/virtualenv@21.5.0" - ], - "id": "pkg:pypi/root", - "licenses": [], - "name": "root", - "package_ref": "pkg:pypi/root", - "purl": "pkg:pypi/root" - }, - { - "depends_on": [ - "pkg:pypi/pyasn1@0.6.3" - ], - "id": "pkg:pypi/rsa@3.4", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "rsa", - "package_ref": "pkg:pypi/rsa@3.4", - "purl": "pkg:pypi/rsa@3.4", - "scopes": [ - "runtime" - ], - "version": "3.4" - }, - { - "depends_on": [ - "pkg:pypi/cryptography@49.0.0", - "pkg:pypi/jeepney@0.9.0" - ], - "id": "pkg:pypi/secretstorage@3.5.0", - "licenses": [], - "matched": true, - "name": "secretstorage", - "package_ref": "pkg:pypi/secretstorage@3.5.0", - "purl": "pkg:pypi/secretstorage@3.5.0", - "scopes": [ - "runtime" - ], - "version": "3.5.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/sgmllib3k@1.0.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "sgmllib3k", - "package_ref": "pkg:pypi/sgmllib3k@1.0.0", - "purl": "pkg:pypi/sgmllib3k@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/shellingham@1.5.4", - "licenses": [], - "matched": true, - "name": "shellingham", - "package_ref": "pkg:pypi/shellingham@1.5.4", - "purl": "pkg:pypi/shellingham@1.5.4", - "scopes": [ - "runtime" - ], - "version": "1.5.4" - }, - { - "depends_on": [], - "id": "pkg:pypi/smmap@5.0.3", - "licenses": [], - "matched": true, - "name": "smmap", - 
"package_ref": "pkg:pypi/smmap@5.0.3", - "purl": "pkg:pypi/smmap@5.0.3", - "scopes": [ - "runtime" - ], - "version": "5.0.3" - }, - { - "depends_on": [ - "pkg:pypi/greenlet@3.5.1" - ], - "id": "pkg:pypi/sqlalchemy@1.4.46", - "licenses": [], - "matched": true, - "name": "sqlalchemy", - "package_ref": "pkg:pypi/sqlalchemy@1.4.46", - "purl": "pkg:pypi/sqlalchemy@1.4.46", - "scopes": [ - "runtime" - ], - "version": "1.4.46" - }, - { - "depends_on": [], - "id": "pkg:pypi/stevedore@5.8.0", - "licenses": [], - "matched": true, - "name": "stevedore", - "package_ref": "pkg:pypi/stevedore@5.8.0", - "purl": "pkg:pypi/stevedore@5.8.0", - "scopes": [ - "runtime" - ], - "version": "5.8.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/tomlkit@0.15.0", - "licenses": [], - "matched": true, - "name": "tomlkit", - "package_ref": "pkg:pypi/tomlkit@0.15.0", - "purl": "pkg:pypi/tomlkit@0.15.0", - "scopes": [ - "runtime" - ], - "version": "0.15.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/trove-classifiers@2026.6.1.19", - "licenses": [], - "matched": true, - "name": "trove-classifiers", - "package_ref": "pkg:pypi/trove-classifiers@2026.6.1.19", - "purl": "pkg:pypi/trove-classifiers@2026.6.1.19", - "scopes": [ - "runtime" - ], - "version": "2026.6.1.19" - }, - { - "depends_on": [], - "id": "pkg:pypi/typing-extensions@4.15.0", - "licenses": [], - "matched": true, - "name": "typing-extensions", - "package_ref": "pkg:pypi/typing-extensions@4.15.0", - "purl": "pkg:pypi/typing-extensions@4.15.0", - "scopes": [ - "runtime" - ], - "version": "4.15.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/urllib3@1.24.1", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "matched": true, - "name": "urllib3", - "package_ref": "pkg:pypi/urllib3@1.24.1", - "purl": "pkg:pypi/urllib3@1.24.1", - "scopes": [ - "runtime" - ], - "version": "1.24.1" - }, - { - "depends_on": [ 
- "pkg:pypi/distlib@0.4.3", - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/python-discovery@1.4.2", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/virtualenv@21.5.0", - "licenses": [], - "matched": true, - "name": "virtualenv", - "package_ref": "pkg:pypi/virtualenv@21.5.0", - "purl": "pkg:pypi/virtualenv@21.5.0", - "scopes": [ - "runtime" - ], - "version": "21.5.0" - } - ], - "detector": "pip-detector", - "ecosystem": "python", - "kind": "requirements.txt", - "package_manager": "pip", - "path": "requirements.txt", - "subproject": "." - } - ], - "metadata": { - "analyzer_runs": [ - "Python Reachability" - ], - "analyzer_stats": { - "pyreach": { - "reachable": 29, - "unreachable": 8 - } - }, - "duration_ms": 0, - "reachability_enabled": true - }, - "packages": [ - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "anyio", - "purl": "pkg:pypi/anyio@4.14.0", - "version": "4.14.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "LGPL-2.1-or-later", - "type": "external-depsdev", - "value": "LGPL-2.1-or-later" - } - ], - "matched": true, - "name": "astroid", - "purl": "pkg:pypi/astroid@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "PSF-2.0", - "type": "external-depsdev", - "value": "PSF-2.0" - } - ], - "matched": true, - "name": "backports-zstd", - "purl": "pkg:pypi/backports-zstd@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "bandit", - "purl": "pkg:pypi/bandit@1.7.5", - "version": "1.7.5", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": 
"external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "black", - "purl": "pkg:pypi/black@23.12.1", - "version": "23.12.1", - "vulnerabilities": [ - { - "affected_version_range": "\u003c26.3.1 (python)", - "aliases": [ - "CVE-2026-32274" - ], - "cvss": [ - { - "score": 8.7, - "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", - "version": "4.0" - } - ], - "cwes": [ - { - "cve": "CVE-2026-32274", - "id": "CWE-22", - "source": "security-advisories@github.com", - "type": "Primary" - } - ], - "data_source": "https://github.com/advisories/GHSA-3936-cmfr-pm3m", - "description": "Black: Arbitrary file writes from unsanitized user input in cache file name", - "epss": [ - { - "cve": "CVE-2026-32274", - "date": "2026-06-14", - "epss": 0.00023, - "percentile": 0.06856 - } - ], - "fix_available": [ - { - "date": "2026-03-13", - "kind": "first-observed", - "version": "26.3.1" - } - ], - "fix_state": "fixed", - "fixed_in": "26.3.1", - "fixed_versions": [ - "26.3.1" - ], - "id": "GHSA-3936-cmfr-pm3m", - "namespace": "github:language:python", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "pyreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2026-32274", - "Fix available: upgrade to 26.3.1", - "Fix state: fixed", - "https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d", - "https://github.com/psf/black/pull/5038", - "https://github.com/psf/black/releases/tag/26.3.1", - "https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m", - "https://nvd.nist.gov/vuln/detail/CVE-2026-32274" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-3936-cmfr-pm3m" - }, - { - "type": "advisory", - "url": "https://github.com/psf/black/security/advisories/GHSA-3936-cmfr-pm3m" - }, - { - "type": "advisory", - "url": "https://github.com/psf/black/pull/5038" - }, - { - 
"type": "advisory", - "url": "https://github.com/psf/black/commit/4937fe6cf241139ddbfc16b0bdbb5b422798909d" - }, - { - "type": "advisory", - "url": "https://github.com/psf/black/releases/tag/26.3.1" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32274" - } - ], - "risk_score": 0.01863, - "severity": "high", - "severity_source": "github:language:python", - "source": "grype", - "title": "Black: Arbitrary file writes from unsanitized user input in cache file name" - }, - { - "affected_version_range": "\u003e=0,\u003c24.3.0 (python)", - "aliases": [ - "CVE-2024-21503" - ], - "cvss": [ - { - "score": 5.3, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-21503", - "id": "CWE-1333", - "source": "report@snyk.io", - "type": "Secondary" - }, - { - "cve": "CVE-2024-21503", - "id": "CWE-75", - "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-fj7x-q9j7-g6q6", - "description": "Black vulnerable to Regular Expression Denial of Service (ReDoS)", - "epss": [ - { - "cve": "CVE-2024-21503", - "date": "2026-06-14", - "epss": 0.00081, - "percentile": 0.24084 - } - ], - "fix_available": [ - { - "date": "2024-03-21", - "kind": "first-observed", - "version": "24.3.0" - } - ], - "fix_state": "fixed", - "fixed_in": "24.3.0", - "fixed_versions": [ - "24.3.0" - ], - "id": "GHSA-fj7x-q9j7-g6q6", - "namespace": "github:language:python", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "pyreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-21503", - "Fix available: upgrade to 24.3.0", - "Fix state: fixed", - "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8", - "https://github.com/psf/black/releases/tag/24.3.0", - 
"https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml", - "https://nvd.nist.gov/vuln/detail/CVE-2024-21503", - "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-fj7x-q9j7-g6q6" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-21503" - }, - { - "type": "advisory", - "url": "https://github.com/psf/black/commit/f00093672628d212b8965a8993cee8bedf5fe9b8" - }, - { - "type": "advisory", - "url": "https://github.com/psf/black/releases/tag/24.3.0" - }, - { - "type": "advisory", - "url": "https://security.snyk.io/vuln/SNYK-PYTHON-BLACK-6256273" - }, - { - "type": "advisory", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/black/PYSEC-2024-48.yaml" - } - ], - "risk_score": 0.041714999999999995, - "severity": "medium", - "severity_source": "github:language:python", - "source": "grype", - "title": "Black vulnerable to Regular Expression Denial of Service (ReDoS)" - } - ] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "build", - "purl": "pkg:pypi/build@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "cachecontrol", - "purl": "pkg:pypi/cachecontrol@0.14.4", - "version": "0.14.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MPL-2.0", - "type": "external-depsdev", - "value": "MPL-2.0" - } - ], - "matched": true, - "name": "certifi", - "purl": "pkg:pypi/certifi@2026.5.20", - "version": "2026.5.20", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": 
"MIT" - } - ], - "matched": true, - "name": "cffi", - "purl": "pkg:pypi/cffi@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "chardet", - "purl": "pkg:pypi/chardet@3.0.4", - "version": "3.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "charset-normalizer", - "purl": "pkg:pypi/charset-normalizer@3.4.7", - "version": "3.4.7", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "cleo", - "purl": "pkg:pypi/cleo@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "click", - "purl": "pkg:pypi/click@8.4.1", - "version": "8.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "coverage", - "purl": "pkg:pypi/coverage@7.4.0", - "version": "7.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" + "name": "urllib3", + "package_ref": "pkg:pypi/urllib3@1.24.1", + "purl": "pkg:pypi/urllib3@1.24.1", + "scopes": [ + "runtime" + ], + "version": "1.24.1" } ], - "matched": true, - "name": "crashtest", - "purl": "pkg:pypi/crashtest@0.4.1", - "version": "0.4.1", - "vulnerabilities": [] - }, - { + "detector": "pip-detector", "ecosystem": "python", - "licenses": [ - { - 
"spdxExpression": "Apache-2.0 OR BSD-3-Clause", - "type": "external-depsdev", - "value": "Apache-2.0 OR BSD-3-Clause" - } - ], - "matched": true, - "name": "cryptography", - "purl": "pkg:pypi/cryptography@49.0.0", - "version": "49.0.0", - "vulnerabilities": [] + "kind": "requirements.txt", + "package_manager": "pip", + "path": "requirements.txt", + "subproject": "." + } + ], + "metadata": { + "analyzer_runs": [ + "Python Reachability" + ], + "analyzer_stats": { + "pyreach": { + "reachable": 32, + "unreachable": 7 + } }, + "duration_ms": 0, + "reachability_enabled": true + }, + "packages": [ { "ecosystem": "python", "licenses": [ { - "spdxExpression": "BSD-3-Clause", + "spdxExpression": "MPL-2.0", "type": "external-depsdev", - "value": "BSD-3-Clause" + "value": "MPL-2.0" } ], "matched": true, - "name": "dill", - "purl": "pkg:pypi/dill@0.4.1", - "version": "0.4.1", + "name": "certifi", + "purl": "pkg:pypi/certifi@2026.6.17", + "version": "2026.6.17", "vulnerabilities": [] }, { "ecosystem": "python", "licenses": [ { - "spdxExpression": "PSF-2.0", + "spdxExpression": "non-standard", "type": "external-depsdev", - "value": "PSF-2.0" + "value": "non-standard" } ], "matched": true, - "name": "distlib", - "purl": "pkg:pypi/distlib@0.4.3", - "version": "0.4.3", + "name": "chardet", + "purl": "pkg:pypi/chardet@3.0.4", + "version": "3.0.4", "vulnerabilities": [] }, { @@ -1905,9 +339,9 @@ "epss": [ { "cve": "CVE-2021-33203", - "date": "2026-06-14", - "epss": 0.00143, - "percentile": 0.34408 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -1993,7 +427,7 @@ "url": "https://www.djangoproject.com/weblog/2021/jun/02/security-releases" } ], - "risk_score": 0.077935, + "risk_score": 1.491665, "severity": "medium", "severity_source": "github:language:python", "source": "grype", 
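Review bot: The expected dependency graph still records versions resolved at generation time rather than pinned by the fixture: `certifi` moves from `2026.5.20` to `2026.6.17` in the `depends_on` of `requests` and in the `packages` list, with no pinned requirement changing in this hunk. The old golden also carried dozens of tool packages (poetry, pylint, black, pytest and their dependencies) under `pkg:pypi/root`, which suggests the scan output follows whatever the runner resolves or has installed. Pinning the transitive set for this fixture, for example a constraints file with `certifi==2026.6.17`, would keep the `reachable`/`unreachable` counts (`32`/`7`) and the vulnerability list from shifting on every upstream release. A golden diff would then signal a scanner change rather than registry drift.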
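Review bot: `risk_score` is still written as a live value while the `epss` block in the preceding hunk is normalized, so the golden keeps encoding data that moves between runs: here it goes from `0.077935` to `1.491665`, and in the later `risk_score` hunks from `0.05402` to `11.389459999999998` and from `0.25521000000000005` to `16.97056`. With `epss` and `percentile` now recorded as `0`, the score cannot be re-derived from the fields in the file, so it is presumably computed before normalization from external data. Normalizing it in the same pass (`"risk_score": 0`), or computing it from the normalized inputs and rounding before serialization, would make the fixture deterministic. If the order-of-magnitude shift is a deliberate scoring change, it deserves its own test with fixed inputs, because a bot-regenerated golden will accept any value.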
@@ -2024,9 +458,9 @@ "epss": [ { "cve": "CVE-2025-57833", - "date": "2026-06-14", - "epss": 0.00074, - "percentile": 0.22641 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2117,7 +551,7 @@ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-105.yaml" } ], - "risk_score": 0.05402, + "risk_score": 11.389459999999998, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -2148,9 +582,9 @@ "epss": [ { "cve": "CVE-2025-48432", - "date": "2026-06-14", - "epss": 0.00411, - "percentile": 0.6197 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2236,7 +670,7 @@ "url": "http://www.openwall.com/lists/oss-security/2025/06/10/4" } ], - "risk_score": 0.18495, + "risk_score": 0.27, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -2267,9 +701,9 @@ "epss": [ { "cve": "CVE-2022-36359", - "date": "2026-06-14", - "epss": 0.0113, - "percentile": 0.78811 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2370,7 +804,7 @@ "url": "https://www.djangoproject.com/weblog/2022/aug/03/security-releases" } ], - "risk_score": 0.92095, + "risk_score": 0.53301, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -2401,9 +835,9 @@ "epss": [ { "cve": "CVE-2025-64459", - "date": "2026-06-14", - "epss": 0.00282, - "percentile": 0.52082 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2494,7 +928,7 @@ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-108.yaml" } ], - "risk_score": 0.25521000000000005, + "risk_score": 16.97056, "severity": "critical", "severity_source": "github:language:python", "source": "grype", 
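Review bot: `risk_score` in the `@@ -2117,7 +551,7 @@` hunk is still recorded as a live value (`0.05402` becomes `11.389459999999998`), while the `epss` entry for the same finding (CVE-2025-57833) is now normalized to `"date": "<normalized>"`, `"epss": 0`, `"percentile": 0`. The score presumably derives from feed data that changes between runs, so this golden will keep drifting, and an automated regeneration like this one would also absorb a genuine regression in the scoring logic without anyone noticing. I would normalize it in the smoke output the same way as the EPSS fields, e.g. `"risk_score": 0`, and cover the scoring formula with a unit test over pinned inputs instead. The same applies to the other `risk_score` hunks on this page (`-1993,7`, `-2236,7`, `-2370,7`, `-2494,7`, `-2608,7` and later ones), and the unrounded float tail suggests rounding before serialization. The surrounding vulnerability object starts and ends outside the hunk.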
@@ -2525,9 +959,9 @@ "epss": [ { "cve": "CVE-2025-64458", - "date": "2026-06-14", - "epss": 0.00025, - "percentile": 0.07348 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2608,7 +1042,7 @@ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/django/PYSEC-2025-107.yaml" } ], - "risk_score": 0.01875, + "risk_score": 1.3965, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -2644,9 +1078,9 @@ "epss": [ { "cve": "CVE-2024-45231", - "date": "2026-06-14", - "epss": 0.00235, - "percentile": 0.46717 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ 
@@ -2674,220 +1108,70 @@ "reasons": [ "Also known as: CVE-2024-45231", "Fix available: upgrade to 4.2.16", - "Fix state: fixed", - "https://docs.djangoproject.com/en/dev/releases/security", - "https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca", - "https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2", - "https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199", - "https://groups.google.com/forum/#%21forum/django-announce", - "https://nvd.nist.gov/vuln/detail/CVE-2024-45231", - "https://www.djangoproject.com/weblog/2024/sep/03/security-releases" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-rrqc-c2jx-6jgv" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45231" - }, - { - "type": "advisory", - "url": "https://docs.djangoproject.com/en/dev/releases/security" - }, - { - "type": "advisory", - "url": "https://groups.google.com/forum/#%21forum/django-announce" - }, - { - "type": "advisory", - "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2" - }, - { - "type": "advisory", - "url": "https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199" - } - ], - "risk_score": 0.11750000000000001, - "severity": "medium", - "severity_source": "github:language:python", - "source": "grype", - "title": "Django allows enumeration of user e-mail addresses" - } - ] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0 OR GPL-2.0-or-later", - "type": "external-depsdev", - "value": "Apache-2.0 OR GPL-2.0-or-later" - } - ], - "matched": true, - "name": "dulwich", - "purl": "pkg:pypi/dulwich@1.2.6", - 
"version": "1.2.6", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "fastjsonschema", - "purl": "pkg:pypi/fastjsonschema@2.21.2", - "version": "2.21.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-2-Clause", - "type": "external-depsdev", - "value": "BSD-2-Clause" - } - ], - "matched": true, - "name": "feedparser", - "purl": "pkg:pypi/feedparser@6.0.8", - "version": "6.0.8", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "filelock", - "purl": "pkg:pypi/filelock@3.29.4", - "version": "3.29.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "findpython", - "purl": "pkg:pypi/findpython@0.8.0", - "version": "0.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "gitdb", - "purl": "pkg:pypi/gitdb@4.0.12", - "version": "4.0.12", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "gitpython", - "purl": "pkg:pypi/gitpython@3.1.50", - "version": "3.1.50", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT AND PSF-2.0", - "type": "external-depsdev", - "value": "MIT AND PSF-2.0" - } - ], - "matched": true, - "name": "greenlet", - "purl": "pkg:pypi/greenlet@3.5.1", - "version": "3.5.1", - "vulnerabilities": [] - }, - { 
- "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "h11", - "purl": "pkg:pypi/h11@0.16.0", - "version": "0.16.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" + "Fix state: fixed", + "https://docs.djangoproject.com/en/dev/releases/security", + "https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca", + "https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2", + "https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199", + "https://groups.google.com/forum/#%21forum/django-announce", + "https://nvd.nist.gov/vuln/detail/CVE-2024-45231", + "https://www.djangoproject.com/weblog/2024/sep/03/security-releases" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-rrqc-c2jx-6jgv" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45231" + }, + { + "type": "advisory", + "url": "https://docs.djangoproject.com/en/dev/releases/security" + }, + { + "type": "advisory", + "url": "https://groups.google.com/forum/#%21forum/django-announce" + }, + { + "type": "advisory", + "url": "https://www.djangoproject.com/weblog/2024/sep/03/security-releases" + }, + { + "type": "advisory", + "url": "https://github.com/django/django/commit/3c733c78d6f8e50296d6e248968b6516c92a53ca" + }, + { + "type": "advisory", + "url": "https://github.com/django/django/commit/96d84047715ea1715b4bd1594e46122b8a77b9e2" + }, + { + "type": "advisory", + "url": "https://github.com/django/django/commit/bf4888d317ba4506d091eeac6e8b4f1fcc731199" + } + ], + "risk_score": 0.40249999999999997, + "severity": "medium", + "severity_source": "github:language:python", + "source": "grype", + "title": "Django allows enumeration of user e-mail addresses" 
} - ], - "matched": true, - "name": "httpcore", - "purl": "pkg:pypi/httpcore@1.0.9", - "version": "1.0.9", - "vulnerabilities": [] + ] }, { "ecosystem": "python", "licenses": [ { - "spdxExpression": "BSD-3-Clause", + "spdxExpression": "BSD-2-Clause", "type": "external-depsdev", - "value": "BSD-3-Clause" + "value": "BSD-2-Clause" } ], "matched": true, - "name": "httpx", - "purl": "pkg:pypi/httpx@0.28.1", - "version": "0.28.1", + "name": "feedparser", + "purl": "pkg:pypi/feedparser@6.0.8", + "version": "6.0.8", "vulnerabilities": [] }, { @@ -2921,7 +1205,7 @@ "cve": "CVE-2026-45409", "id": "CWE-1333", "source": "security-advisories@github.com", - "type": "Primary" + "type": "Secondary" } ], "data_source": "https://github.com/advisories/GHSA-65pc-fj4g-8rjx", @@ -2929,9 +1213,9 @@ "epss": [ { "cve": "CVE-2026-45409", - "date": "2026-06-14", - "epss": 0.00018, - "percentile": 0.04829 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -2977,7 +1261,7 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45409" } ], - "risk_score": 0.01071, + "risk_score": 0.26655999999999996, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -3013,9 +1297,9 @@ "epss": [ { "cve": "CVE-2024-3651", - "date": "2026-06-14", - "epss": 0.00689, - "percentile": 0.72331 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -3101,7 +1385,7 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2" } ], - "risk_score": 0.3978975, + "risk_score": 0.617925, "severity": "medium", "severity_source": "github:language:python", "source": "grype", 
@@ -3109,111 +1393,6 @@ } ] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "iniconfig", - "purl": "pkg:pypi/iniconfig@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "installer", - "purl": "pkg:pypi/installer@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "isort", - "purl": "pkg:pypi/isort@5.13.2", - "version": "5.13.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "jaraco-classes", - "purl": "pkg:pypi/jaraco-classes@3.4.0", - "version": "3.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "jaraco-context", - "purl": "pkg:pypi/jaraco-context@6.1.2", - "version": "6.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "jaraco-functools", - "purl": "pkg:pypi/jaraco-functools@4.5.0", - "version": "4.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "jeepney", - "purl": "pkg:pypi/jeepney@0.9.0", - "version": "0.9.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [ 
@@ -3253,9 +1432,9 @@ "epss": [ { "cve": "CVE-2025-27516", - "date": "2026-06-14", - "epss": 0.00121, - "percentile": 0.30919 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -3315,7 +1494,7 @@ "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html" } ], - "risk_score": 0.06292, + "risk_score": 0.24180000000000001, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -3351,9 +1530,9 @@ "epss": [ { "cve": "CVE-2020-28493", - "date": "2026-06-14", - "epss": 0.00207, - "percentile": 0.4324 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -3428,7 +1607,7 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PVAKCOO7VBVUBM3Q6CBBTPBFNP5NDXF4" } ], - "risk_score": 0.11488499999999996, + "risk_score": 1.9841249999999997, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -3465,9 +1644,9 @@ "epss": [ { "cve": "CVE-2024-22195", - "date": "2026-06-14", - "epss": 0.00151, - "percentile": 0.35654 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -3547,7 +1726,7 @@ "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html" } ], - "risk_score": 0.07852, + "risk_score": 0.4638400000000001, "severity": "medium", "severity_source": "github:language:python", "source": "grype", 
@@ -3556,165 +1735,46 @@ { "affected_version_range": "\u003c3.1.4 (python)", "aliases": [ - "CVE-2024-34064" - ], - "cvss": [ - { - "score": 5.4, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", - "version": "3.1" - } - ], - "cwes": [ - { - "cve": "CVE-2024-34064", - "id": "CWE-79", - "source": "security-advisories@github.com", - "type": "Secondary" - } - ], - "data_source": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj", - "description": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", - "epss": [ - { - "cve": "CVE-2024-34064", - "date": "2026-06-14", - "epss": 0.0123, - "percentile": 0.79649 - } - ], - "fix_available": [ - { - "date": "2024-05-07", - "kind": "first-observed", - "version": "3.1.4" - } - ], - "fix_state": "fixed", - "fixed_in": "3.1.4", - "fixed_versions": [ - "3.1.4" - ], - "id": "GHSA-h75v-3vvj-5mfj", - "namespace": "github:language:python", - "reachability": { - "analyzed_at": "\u003ctimestamp\u003e", - "analyzer": "pyreach", - "reason": "package-not-imported", - "status": "unreachable", - "tier": "package" - }, - "reasons": [ - "Also known as: CVE-2024-34064", - "Fix available: upgrade to 3.1.4", - "Fix state: fixed", - "https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb", - "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj", - "https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS", - "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS", - 
"https://nvd.nist.gov/vuln/detail/CVE-2024-34064" - ], - "references": [ - { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj" - }, - { - "type": "advisory", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj" - }, - { - "type": "advisory", - "url": "https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb" - }, - { - "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS" - }, - { - "type": "advisory", - "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS" - }, - { - "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html" - } - ], - "risk_score": 0.6396000000000001, - "severity": "medium", - "severity_source": "github:language:python", - "source": "grype", - "title": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter" - }, - { - "affected_version_range": "\u003c=3.1.4 (python)", - "aliases": [ - "CVE-2024-56326" - ], - "cvss": [ - { - "score": 7.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", - "version": "3.1" - }, + "CVE-2024-34064" + ], + "cvss": [ { "score": 5.4, - "vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", - "version": "4.0" + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" } ], "cwes": [ { - "cve": 
"CVE-2024-56326", - "id": "CWE-693", - "source": "security-advisories@github.com", - "type": "Secondary" - }, - { - "cve": "CVE-2024-56326", - "id": "CWE-1336", + "cve": "CVE-2024-34064", + "id": "CWE-79", "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h", - "description": "Jinja has a sandbox breakout through indirect reference to format method", + "data_source": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj", + "description": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter", "epss": [ { - "cve": "CVE-2024-56326", - "date": "2026-06-14", - "epss": 0.0057, - "percentile": 0.69168 + "cve": "CVE-2024-34064", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2024-12-24", + "date": "2024-05-07", "kind": "first-observed", - "version": "3.1.5" + "version": "3.1.4" } ], "fix_state": "fixed", - "fixed_in": "3.1.5", + "fixed_in": "3.1.4", "fixed_versions": [ - "3.1.5" + "3.1.4" ], - "id": "GHSA-q2x7-8rv6-6q7h", + "id": "GHSA-h75v-3vvj-5mfj", "namespace": "github:language:python", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -3724,288 +1784,167 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2024-56326", - "Fix available: upgrade to 3.1.5", + "Also known as: CVE-2024-34064", + "Fix available: upgrade to 3.1.4", "Fix state: fixed", - "https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4", - "https://github.com/pallets/jinja/releases/tag/3.1.5", - "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h", - "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html", - "https://nvd.nist.gov/vuln/detail/CVE-2024-56326" + "https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb", + "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj", + "https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS", + "https://nvd.nist.gov/vuln/detail/CVE-2024-34064" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h" + "url": "https://github.com/advisories/GHSA-h75v-3vvj-5mfj" }, { "type": "advisory", - "url": "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h" + "url": "https://github.com/pallets/jinja/security/advisories/GHSA-h75v-3vvj-5mfj" }, { "type": "advisory", - "url": "https://github.com/pallets/jinja/releases/tag/3.1.5" + "url": "https://github.com/pallets/jinja/commit/0668239dc6b44ef38e7a6c9f91f312fd4ca581cb" }, { "type": "advisory", - "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-56326" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34064" }, { "type": "advisory", - "url": "https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/567XIGSZMABG6TSMYWD7MIYNJSUQQRUC" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html" - } - ], - "risk_score": 0.3306, - "severity": "medium", - "severity_source": "github:language:python", - "source": "grype", - "title": "Jinja has a sandbox breakout through indirect reference to format method" - } - ] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "keyring", - "purl": "pkg:pypi/keyring@25.7.0", - "version": "25.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "markdown-it-py", - "purl": "pkg:pypi/markdown-it-py@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "markupsafe", - "purl": "pkg:pypi/markupsafe@3.0.3", - "version": "3.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "mccabe", - "purl": "pkg:pypi/mccabe@0.7.0", - "version": "0.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "mdurl", - "purl": "pkg:pypi/mdurl@0.1.2", - 
"version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "more-itertools", - "purl": "pkg:pypi/more-itertools@11.1.0", - "version": "11.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "msgpack", - "purl": "pkg:pypi/msgpack@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "mypy-extensions", - "purl": "pkg:pypi/mypy-extensions@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0 OR BSD-2-Clause", - "type": "external-depsdev", - "value": "Apache-2.0 OR BSD-2-Clause" - } - ], - "matched": true, - "name": "packaging", - "purl": "pkg:pypi/packaging@26.2", - "version": "26.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MPL-2.0", - "type": "external-depsdev", - "value": "MPL-2.0" - } - ], - "matched": true, - "name": "pathspec", - "purl": "pkg:pypi/pathspec@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pbs-installer", - "purl": "pkg:pypi/pbs-installer@2026.6.10", - "version": "2026.6.10", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pkginfo", - "purl": "pkg:pypi/pkginfo@1.12.1.2", - "version": "1.12.1.2", - "vulnerabilities": [] - }, - { - 
"ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "platformdirs", - "purl": "pkg:pypi/platformdirs@4.10.0", - "version": "4.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pluggy", - "purl": "pkg:pypi/pluggy@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "poetry-core", - "purl": "pkg:pypi/poetry-core@2.4.0", - "version": "2.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCLF44KY43BSVMTE6S53B4V5WP3FRRSE" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SSCBHIL6BYKR5NRCBXP4XMP2CEEKGFVS" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZALNWE3TXPPHVPSI3AZ5CTMSTAVN5UMS" + }, + { + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00009.html" + } + ], + "risk_score": 0.5090800000000001, + "severity": "medium", + "severity_source": "github:language:python", + "source": "grype", + "title": "Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter" + }, { - "spdxExpression": "BSD-2-Clause", - "type": "external-depsdev", - "value": "BSD-2-Clause" + "affected_version_range": "\u003c=3.1.4 (python)", + "aliases": [ + "CVE-2024-56326" + ], + "cvss": [ + { + "score": 7.8, + "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + { + "score": 5.4, + 
"vector": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "version": "4.0" + } + ], + "cwes": [ + { + "cve": "CVE-2024-56326", + "id": "CWE-693", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2024-56326", + "id": "CWE-1336", + "source": "security-advisories@github.com", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h", + "description": "Jinja has a sandbox breakout through indirect reference to format method", + "epss": [ + { + "cve": "CVE-2024-56326", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2024-12-24", + "kind": "first-observed", + "version": "3.1.5" + } + ], + "fix_state": "fixed", + "fixed_in": "3.1.5", + "fixed_versions": [ + "3.1.5" + ], + "id": "GHSA-q2x7-8rv6-6q7h", + "namespace": "github:language:python", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "pyreach", + "reason": "package-not-imported", + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2024-56326", + "Fix available: upgrade to 3.1.5", + "Fix state: fixed", + "https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4", + "https://github.com/pallets/jinja/releases/tag/3.1.5", + "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h", + "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html", + "https://nvd.nist.gov/vuln/detail/CVE-2024-56326" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-q2x7-8rv6-6q7h" + }, + { + "type": "advisory", + "url": "https://github.com/pallets/jinja/security/advisories/GHSA-q2x7-8rv6-6q7h" + }, + { + "type": "advisory", + "url": "https://github.com/pallets/jinja/releases/tag/3.1.5" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56326" + }, + { + "type": "advisory", + "url": 
"https://github.com/pallets/jinja/commit/48b0687e05a5466a91cd5812d604fa37ad0943b4" + }, + { + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2025/04/msg00022.html" + } + ], + "risk_score": 0.28768, + "severity": "medium", + "severity_source": "github:language:python", + "source": "grype", + "title": "Jinja has a sandbox breakout through indirect reference to format method" } - ], - "matched": true, - "name": "pyasn1", - "purl": "pkg:pypi/pyasn1@0.6.3", - "version": "0.6.3", - "vulnerabilities": [] + ] }, { "ecosystem": "python", @@ -4017,9 +1956,9 @@ } ], "matched": true, - "name": "pycparser", - "purl": "pkg:pypi/pycparser@3.0", - "version": "3.0", + "name": "markupsafe", + "purl": "pkg:pypi/markupsafe@3.0.3", + "version": "3.0.3", "vulnerabilities": [] }, { @@ -4032,9 +1971,9 @@ } ], "matched": true, - "name": "pygments", - "purl": "pkg:pypi/pygments@2.20.0", - "version": "2.20.0", + "name": "pyasn1", + "purl": "pkg:pypi/pyasn1@0.6.3", + "version": "0.6.3", "vulnerabilities": [] }, { 
@@ -4052,54 +1991,239 @@ "version": "0.4.2", "vulnerabilities": [ { - "affected_version_range": "\u003c=2.11.0 (python)", + "affected_version_range": "\u003c=2.11.0 (python)", + "aliases": [ + "CVE-2026-32597" + ], + "cvss": [ + { + "score": 7.5, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2026-32597", + "id": "CWE-345", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2026-32597", + "id": "CWE-863", + "source": "security-advisories@github.com", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-752w-5fwx-jx9f", + "description": "PyJWT accepts unknown `crit` header extensions", + "epss": [ + { + "cve": "CVE-2026-32597", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2026-03-14", + "kind": "first-observed", + "version": "2.12.0" + } + ], + "fix_state": "fixed", + "fixed_in": "2.12.0", + "fixed_versions": [ + "2.12.0" + ], + "id": "GHSA-752w-5fwx-jx9f", + "namespace": "github:language:python", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "pyreach", + "confidence": "high", + "hops": 0, + "status": "reachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2026-32597", + "Fix available: upgrade to 2.12.0", + "Fix state: fixed", + "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f", + "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-120.yaml", + "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html", + "https://nvd.nist.gov/vuln/detail/CVE-2026-32597" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-752w-5fwx-jx9f" + }, + { + "type": "advisory", + "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f" + }, + { + "type": "advisory", + "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2026-32597" + }, + { + "type": "advisory", + "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html" + }, + { + "type": "advisory", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-120.yaml" + } + ], + "risk_score": 0.1485, + "severity": "high", + "severity_source": "github:language:python", + "source": "grype", + "title": "PyJWT accepts unknown `crit` header extensions" + }, + { + "affected_version_range": "\u003c=2.12.1 (python)", + "aliases": [ + "CVE-2026-48522" + ], + "cvss": [ + { + "score": 4.2, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2026-48522", + "id": "CWE-441", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2026-48522", + "id": "CWE-918", + "source": "security-advisories@github.com", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-993g-76c3-p5m4", + "description": "PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes", + "epss": [ + { + "cve": "CVE-2026-48522", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2026-06-16", + "kind": "first-observed", + "version": "2.13.0" + } + ], + "fix_state": "fixed", + "fixed_in": "2.13.0", + "fixed_versions": [ + "2.13.0" + ], + "id": "GHSA-993g-76c3-p5m4", + "namespace": "github:language:python", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "pyreach", + "confidence": "high", + "hops": 0, + "status": "reachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2026-48522", + "Fix available: upgrade to 2.13.0", + "Fix state: fixed", + "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4", + 
"https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-175.yaml", + "https://nvd.nist.gov/vuln/detail/CVE-2026-48522" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-993g-76c3-p5m4" + }, + { + "type": "advisory", + "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-993g-76c3-p5m4" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48522" + }, + { + "type": "advisory", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-175.yaml" + } + ], + "risk_score": 0.06808, + "severity": "medium", + "severity_source": "github:language:python", + "source": "grype", + "title": "PyJWKClient: missing scheme allowlist enables CVE-2024-21643-class SSRF + token forgery via file://, ftp://, data: schemes" + }, + { + "affected_version_range": "\u003c=2.12.1 (python)", "aliases": [ - "CVE-2026-32597" + "CVE-2026-48524" ], "cvss": [ { - "score": 7.5, - "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", + "score": 3.7, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1" } ], "cwes": [ { - "cve": "CVE-2026-32597", - "id": "CWE-345", + "cve": "CVE-2026-48524", + "id": "CWE-460", "source": "security-advisories@github.com", "type": "Secondary" }, { - "cve": "CVE-2026-32597", - "id": "CWE-863", + "cve": "CVE-2026-48524", + "id": "CWE-755", "source": "security-advisories@github.com", "type": "Secondary" } ], - "data_source": "https://github.com/advisories/GHSA-752w-5fwx-jx9f", - "description": "PyJWT accepts unknown `crit` header extensions", + "data_source": "https://github.com/advisories/GHSA-fhv5-28vv-h8m8", + "description": "PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)", "epss": [ { - "cve": "CVE-2026-32597", - "date": "2026-06-14", - "epss": 0.00014, - "percentile": 0.02617 + "cve": "CVE-2026-48524", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } 
], "fix_available": [ { - "date": "2026-03-14", + "date": "2026-06-15", "kind": "first-observed", - "version": "2.12.0" + "version": "2.13.0" } ], "fix_state": "fixed", - "fixed_in": "2.12.0", + "fixed_in": "2.13.0", "fixed_versions": [ - "2.12.0" + "2.13.0" ], - "id": "GHSA-752w-5fwx-jx9f", + "id": "GHSA-fhv5-28vv-h8m8", "namespace": "github:language:python", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -4110,41 +2234,36 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2026-32597", - "Fix available: upgrade to 2.12.0", + "Also known as: CVE-2026-48524", + "Fix available: upgrade to 2.13.0", "Fix state: fixed", - "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f", - "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-120.yaml", - "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html", - "https://nvd.nist.gov/vuln/detail/CVE-2026-32597" + "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8", + "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-177.yaml", + "https://nvd.nist.gov/vuln/detail/CVE-2026-48524" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-752w-5fwx-jx9f" - }, - { - "type": "advisory", - "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-752w-5fwx-jx9f" + "url": "https://github.com/advisories/GHSA-fhv5-28vv-h8m8" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32597" + "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-fhv5-28vv-h8m8" }, { "type": "advisory", - "url": "https://lists.debian.org/debian-lts-announce/2026/05/msg00008.html" + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48524" }, { "type": "advisory", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-120.yaml" + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-177.yaml" } ], - "risk_score": 0.010499999999999999, - "severity": "high", + "risk_score": 0.068675, + "severity": "low", "severity_source": "github:language:python", "source": "grype", - "title": "PyJWT accepts unknown `crit` header extensions" + "title": "PyJWKClient unbounded JWKS endpoint requests via attacker-controlled kid values (DoS)" }, { "affected_version_range": "\u003c1.5.1 (python)", 
@@ -4163,9 +2282,9 @@ "epss": [ { "cve": "CVE-2017-11424", - "date": "2026-06-14", - "epss": 0.00193, - "percentile": 0.41256 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ 
@@ -4201,136 +2320,361 @@ ], "references": [ { - "type": "data_source", - "url": "https://github.com/advisories/GHSA-r9jw-mwhq-wp62" + "type": "data_source", + "url": "https://github.com/advisories/GHSA-r9jw-mwhq-wp62" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424" + }, + { + "type": "advisory", + "url": "https://github.com/jpadilla/pyjwt/pull/277" + }, + { + "type": "advisory", + "url": "http://www.debian.org/security/2017/dsa-3979" + }, + { + "type": "advisory", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml" + } + ], + "risk_score": 1.353, + "severity": "high", + "severity_source": "github:language:python", + "source": "grype", + "title": "PyJWT vulnerable to key confusion attacks" + }, + { + "affected_version_range": "\u003c2.13.0 (python)", + "aliases": [ + "CVE-2026-48526" + ], + "cvss": [ + { + "score": 7.4, + "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", + "version": "3.1" + } + ], + "cwes": [ + { + "cve": "CVE-2026-48526", + "id": "CWE-287", + "source": "security-advisories@github.com", + "type": "Secondary" + }, + { + "cve": "CVE-2026-48526", + "id": "CWE-347", + "source": "security-advisories@github.com", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-xgmm-8j9v-c9wx", + "description": "PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed", + "epss": [ + { + "cve": "CVE-2026-48526", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2026-06-16", + "kind": "first-observed", + "version": "2.13.0" + } + ], + "fix_state": "fixed", + "fixed_in": "2.13.0", + "fixed_versions": [ + "2.13.0" + ], + "id": "GHSA-xgmm-8j9v-c9wx", + "namespace": "github:language:python", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "pyreach", + "confidence": "high", + "hops": 0, + "status": "reachable", + 
"tier": "package" + }, + "reasons": [ + "Also known as: CVE-2026-48526", + "Fix available: upgrade to 2.13.0", + "Fix state: fixed", + "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx", + "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-179.yaml", + "https://nvd.nist.gov/vuln/detail/CVE-2026-48526" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-xgmm-8j9v-c9wx" + }, + { + "type": "advisory", + "url": "https://github.com/jpadilla/pyjwt/security/advisories/GHSA-xgmm-8j9v-c9wx" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48526" + }, + { + "type": "advisory", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2026-179.yaml" + } + ], + "risk_score": 0.11026, + "severity": "high", + "severity_source": "github:language:python", + "source": "grype", + "title": "PyJWT: Public-key JWK accepted as HMAC secret enables forged HS256 tokens when mixed families are allowed" + } + ] + }, + { + "ecosystem": "python", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "pytz", + "purl": "pkg:pypi/pytz@2026.2", + "version": "2026.2", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [ + { + "spdxExpression": "MIT", + "type": "external-depsdev", + "value": "MIT" + } + ], + "matched": true, + "name": "pyyaml", + "purl": "pkg:pypi/pyyaml@5.3", + "version": "5.3", + "vulnerabilities": [ + { + "affected_version_range": "\u003e=5.1b7,\u003c5.3.1 (python)", + "aliases": [ + "CVE-2020-1747" + ], + "cvss": [ + { + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "version": "3.1" + }, + { + "score": 9.3, + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "version": "4.0" + } + ], + "cwes": [ + { + "cve": "CVE-2020-1747", + "id": "CWE-20", + "source": 
"secalert@redhat.com", + "type": "Secondary" + }, + { + "cve": "CVE-2020-1747", + "id": "CWE-20", + "source": "nvd@nist.gov", + "type": "Secondary" + } + ], + "data_source": "https://github.com/advisories/GHSA-6757-jp84-gxfx", + "description": "Improper Input Validation in PyYAML", + "epss": [ + { + "cve": "CVE-2020-1747", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 + } + ], + "fix_available": [ + { + "date": "2021-04-22", + "kind": "first-observed", + "version": "5.3.1" + } + ], + "fix_state": "fixed", + "fixed_in": "5.3.1", + "fixed_versions": [ + "5.3.1" + ], + "id": "GHSA-6757-jp84-gxfx", + "namespace": "github:language:python", + "reachability": { + "analyzed_at": "\u003ctimestamp\u003e", + "analyzer": "pyreach", + "reason": "package-not-imported", + "status": "unreachable", + "tier": "package" + }, + "reasons": [ + "Also known as: CVE-2020-1747", + "Fix available: upgrade to 5.3.1", + "Fix state: fixed", + "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html", + "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747", + "https://github.com/github/advisory-database/pull/4942", + "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-96.yaml", + "https://github.com/yaml/pyyaml/commit/0cedb2a0697b2bc49e4f3841b8d4590b6b15657e", + "https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0", + "https://github.com/yaml/pyyaml/pull/386", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D", + 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH", + "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2", + "https://nvd.nist.gov/vuln/detail/CVE-2020-1747", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "references": [ + { + "type": "data_source", + "url": "https://github.com/advisories/GHSA-6757-jp84-gxfx" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1747" + }, + { + "type": "advisory", + "url": "https://github.com/yaml/pyyaml/pull/386" + }, + { + "type": "advisory", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1747" + }, + { + "type": "advisory", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00017.html" + }, + { + "type": "advisory", + "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00017.html" + }, + { + "type": "advisory", + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" + }, + { + "type": "advisory", + "url": "https://github.com/yaml/pyyaml/commit/5080ba513377b6355a0502104846ee804656f1e0" + }, + { + "type": "advisory", + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2020-96.yaml" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PPAS6C4SZRDQLR7C22A5U3QOLXY33JX" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K5HEPD7LEVDPCITY5IMDYWXUMX37VFMY" + }, + { + "type": "advisory", + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MMQXSZXNJT6ERABJZAAICI3DQSQLCP3D" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-11424" + "url": 
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WORRFHPQVAFKKXXWLSSW6XKUYLWM6CSH" }, { "type": "advisory", - "url": "https://github.com/jpadilla/pyjwt/pull/277" + "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZBJA3SGNJKCAYPSHOHWY3KBCWNM5NYK2" }, { "type": "advisory", - "url": "http://www.debian.org/security/2017/dsa-3979" + "url": "https://github.com/github/advisory-database/pull/4942" }, { "type": "advisory", - "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyjwt/PYSEC-2017-24.yaml" + "url": "https://github.com/yaml/pyyaml/commit/0cedb2a0697b2bc49e4f3841b8d4590b6b15657e" } ], - "risk_score": 0.14475, - "severity": "high", + "risk_score": 4.9148225000000005, + "severity": "critical", "severity_source": "github:language:python", "source": "grype", - "title": "PyJWT vulnerable to key confusion attacks" - } - ] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "GPL-2.0-or-later", - "type": "external-depsdev", - "value": "GPL-2.0-or-later" - } - ], - "matched": true, - "name": "pylint", - "purl": "pkg:pypi/pylint@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pyproject-hooks", - "purl": "pkg:pypi/pyproject-hooks@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pytest-cov", - "purl": "pkg:pypi/pytest-cov@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pytest", - "purl": "pkg:pypi/pytest@7.4.3", - "version": "7.4.3", 
- "vulnerabilities": [ + "title": "Improper Input Validation in PyYAML" + }, { - "affected_version_range": "\u003c9.0.3 (python)", + "affected_version_range": "\u003c5.4 (python)", "aliases": [ - "CVE-2025-71176" + "CVE-2020-14343" ], "cvss": [ { - "score": 6.8, - "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L", + "score": 9.8, + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" + }, + { + "score": 9.3, + "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", + "version": "4.0" } ], "cwes": [ { - "cve": "CVE-2025-71176", - "id": "CWE-379", - "source": "cve@mitre.org", + "cve": "CVE-2020-14343", + "id": "CWE-20", + "source": "secalert@redhat.com", "type": "Secondary" + }, + { + "cve": "CVE-2020-14343", + "id": "CWE-20", + "source": "nvd@nist.gov", + "type": "Primary" } ], - "data_source": "https://github.com/advisories/GHSA-6w46-j5rx-g56g", - "description": "pytest has vulnerable tmpdir handling", + "data_source": "https://github.com/advisories/GHSA-8q59-q68h-6hv4", + "description": "Improper Input Validation in PyYAML", "epss": [ { - "cve": "CVE-2025-71176", - "date": "2026-06-14", - "epss": 0.00009, - "percentile": 0.01019 + "cve": "CVE-2020-14343", + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ { - "date": "2026-04-14", + "date": "2021-03-26", "kind": "first-observed", - "version": "9.0.3" + "version": "5.4" } ], "fix_state": "fixed", - "fixed_in": "9.0.3", + "fixed_in": "5.4", "fixed_versions": [ - "9.0.3" + "5.4" ], - "id": "GHSA-6w46-j5rx-g56g", + "id": "GHSA-8q59-q68h-6hv4", "namespace": "github:language:python", "reachability": { "analyzed_at": "\u003ctimestamp\u003e", 
@@ -4340,129 +2684,74 @@ "tier": "package" }, "reasons": [ - "Also known as: CVE-2025-71176", - "Fix available: upgrade to 9.0.3", + "Also known as: CVE-2020-14343", + "Fix available: upgrade to 5.4", "Fix state: fixed", - "https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c", - "https://github.com/pytest-dev/pytest/issues/13669", - "https://github.com/pytest-dev/pytest/pull/14343", - "https://github.com/pytest-dev/pytest/releases/tag/9.0.3", - "https://nvd.nist.gov/vuln/detail/CVE-2025-71176", - "https://www.openwall.com/lists/oss-security/2026/01/21/5" + "https://bugzilla.redhat.com/show_bug.cgi?id=1860466", + "https://github.com/SeldonIO/seldon-core/issues/2252", + "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2021-142.yaml", + "https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc", + "https://github.com/yaml/pyyaml/issues/420", + "https://github.com/yaml/pyyaml/issues/420#issuecomment-663673966", + "https://nvd.nist.gov/vuln/detail/CVE-2020-14343", + "https://pypi.org/project/PyYAML", + "https://www.oracle.com/security-alerts/cpuapr2022.html", + "https://www.oracle.com/security-alerts/cpujul2022.html" ], "references": [ { "type": "data_source", - "url": "https://github.com/advisories/GHSA-6w46-j5rx-g56g" + "url": "https://github.com/advisories/GHSA-8q59-q68h-6hv4" + }, + { + "type": "advisory", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14343" + }, + { + "type": "advisory", + "url": "https://github.com/yaml/pyyaml/commit/a001f2782501ad2d24986959f0239a354675f9dc" + }, + { + "type": "advisory", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1860466" + }, + { + "type": "advisory", + "url": "https://github.com/yaml/pyyaml/issues/420#issuecomment-663673966" }, { "type": "advisory", - "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71176" + "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "advisory", - "url": 
"https://github.com/pytest-dev/pytest/issues/13669" + "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "type": "advisory", - "url": "https://www.openwall.com/lists/oss-security/2026/01/21/5" + "url": "https://github.com/SeldonIO/seldon-core/issues/2252" }, { "type": "advisory", - "url": "https://github.com/pytest-dev/pytest/pull/14343" + "url": "https://github.com/yaml/pyyaml/issues/420" }, { "type": "advisory", - "url": "https://github.com/pytest-dev/pytest/commit/95d8423bd24992deea5b9df32555fa1741679e2c" + "url": "https://github.com/pypa/advisory-database/tree/main/vulns/pyyaml/PYSEC-2021-142.yaml" }, { "type": "advisory", - "url": "https://github.com/pytest-dev/pytest/releases/tag/9.0.3" + "url": "https://pypi.org/project/PyYAML" } ], - "risk_score": 0.0053100000000000005, - "severity": "medium", + "risk_score": 5.55016, + "severity": "critical", "severity_source": "github:language:python", "source": "grype", - "title": "pytest has vulnerable tmpdir handling" + "title": "Improper Input Validation in PyYAML" } ] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "python-discovery", - "purl": "pkg:pypi/python-discovery@1.4.2", - "version": "1.4.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pytz", - "purl": "pkg:pypi/pytz@2026.2", - "version": "2026.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "pyyaml", - "purl": "pkg:pypi/pyyaml@6.0.3", - "version": "6.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - 
"matched": true, - "name": "rapidfuzz", - "purl": "pkg:pypi/rapidfuzz@3.14.5", - "version": "3.14.5", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "requests-toolbelt", - "purl": "pkg:pypi/requests-toolbelt@1.0.0", - "version": "1.0.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [ @@ -4502,9 +2791,9 @@ "epss": [ { "cve": "CVE-2024-47081", - "date": "2026-06-14", - "epss": 0.00208, - "percentile": 0.43468 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -4595,7 +2884,7 @@ "url": "http://www.openwall.com/lists/oss-security/2025/06/04/6" } ], - "risk_score": 0.10712, + "risk_score": 0.43569, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -4626,9 +2915,9 @@ "epss": [ { "cve": "CVE-2024-35195", - "date": "2026-06-14", - "epss": 0.00074, - "percentile": 0.22593 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -4694,7 +2983,7 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/N7WP6EYDSUOCOJYHDK5NX43PYZ4SNHGZ" } ], - "risk_score": 0.03922, + "risk_score": 0.1802, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -4725,9 +3014,9 @@ "epss": [ { "cve": "CVE-2026-25645", - "date": "2026-06-14", - "epss": 0.00005, - "percentile": 0.00247 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -4783,7 +3072,7 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25645" } ], - "risk_score": 0.00235, + "risk_score": 0.07379, "severity": "medium", "severity_source": "github:language:python", "source": "grype", 
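Review bot: `risk_score` is left un-normalized in this golden, while the `epss` block of the same finding is scrubbed to `"date": "\u003cnormalized\u003e"`, `"epss": 0`, `"percentile": 0`. At `@@ -4595,7 +2884,7 @@` the CVE-2024-47081 score moves from 0.10712 to 0.43569 with no other visible field of that finding changing. The score presumably derives from the live EPSS value, so the smoke comparison would still depend on feed data that changes between runs. Each regeneration then rewrites every finding and buries real changes to severity, fix or reachability data. Scrub it in the same normalisation step so the golden carries `"risk_score": 0`, or compare it with a tolerance; the same applies to the `risk_score` lines at `@@ -4694,7 +2983,7 @@`, `@@ -4783,7 +3072,7 @@` and the later rsa and urllib3 hunks.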
@@ -4814,9 +3103,9 @@ "epss": [ { "cve": "CVE-2023-32681", - "date": "2026-06-14", - "epss": 0.06809, - "percentile": 0.91567 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -4897,7 +3186,7 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KOYASTZDGQG2BWLSNBPL3TQRL2G7QYNZ" } ], - "risk_score": 3.7789949999999997, + "risk_score": 1.5440099999999999, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -4905,21 +3194,6 @@ } ] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "rich", - "purl": "pkg:pypi/rich@15.0.0", - "version": "15.0.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -4966,9 +3240,9 @@ "epss": [ { "cve": "CVE-2020-13757", - "date": "2026-06-14", - "epss": 0.00098, - "percentile": 0.27195 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5039,7 +3313,7 @@ "url": "https://usn.ubuntu.com/4478-1" } ], - "risk_score": 0.0735, + "risk_score": 1.01925, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -5081,9 +3355,9 @@ "epss": [ { "cve": "CVE-2020-25658", - "date": "2026-06-14", - "epss": 0.00144, - "percentile": 0.34633 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5199,7 +3473,7 @@ "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QY4PJWTYSOV7ZEYZVMYIF6XRU73CY6O7" } ], - "risk_score": 0.10476, + "risk_score": 1.1865525000000001, "severity": "high", "severity_source": "github:language:python", "source": "grype", 
@@ -5207,21 +3481,6 @@ } ] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "secretstorage", - "purl": "pkg:pypi/secretstorage@3.5.0", - "version": "3.5.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [ @@ -5237,36 +3496,6 @@ "version": "1.0.0", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "shellingham", - "purl": "pkg:pypi/shellingham@1.5.4", - "version": "1.5.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "BSD-3-Clause", - "type": "external-depsdev", - "value": "BSD-3-Clause" - } - ], - "matched": true, - "name": "smmap", - "purl": "pkg:pypi/smmap@5.0.3", - "version": "5.0.3", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [ 
@@ -5282,66 +3511,6 @@ "version": "1.4.46", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "Apache-2.0", - "type": "external-depsdev", - "value": "Apache-2.0" - } - ], - "matched": true, - "name": "stevedore", - "purl": "pkg:pypi/stevedore@5.8.0", - "version": "5.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "tomlkit", - "purl": "pkg:pypi/tomlkit@0.15.0", - "version": "0.15.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "non-standard", - "type": "external-depsdev", - "value": "non-standard" - } - ], - "matched": true, - "name": "trove-classifiers", - "purl": "pkg:pypi/trove-classifiers@2026.6.1.19", - "version": "2026.6.1.19", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "PSF-2.0", - "type": "external-depsdev", - "value": "PSF-2.0" - } - ], - "matched": true, - "name": "typing-extensions", - "purl": "pkg:pypi/typing-extensions@4.15.0", - "version": "4.15.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [ @@ -5381,9 +3550,9 @@ "epss": [ { "cve": "CVE-2025-66471", - "date": "2026-06-14", - "epss": 0.00017, - "percentile": 0.04327 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5434,7 +3603,7 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66471" } ], - "risk_score": 0.013940000000000003, + "risk_score": 0.43705999999999995, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -5465,9 +3634,9 @@ "epss": [ { "cve": "CVE-2024-37891", - "date": "2026-06-14", - "epss": 0.00216, - "percentile": 0.44402 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ 
@@ -5538,7 +3707,7 @@ "url": "https://www.vicarius.io/vsociety/posts/proxy-authorization-header-handling-vulnerability-in-urllib3-cve-2024-37891" } ], - "risk_score": 0.10152000000000001, + "risk_score": 0.45355000000000006, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -5574,9 +3743,9 @@ "epss": [ { "cve": "CVE-2026-21441", - "date": "2026-06-14", - "epss": 0.00014, - "percentile": 0.02667 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5632,7 +3801,7 @@ "url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00017.html" } ], - "risk_score": 0.010989999999999998, + "risk_score": 0.41134, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -5668,9 +3837,9 @@ "epss": [ { "cve": "CVE-2023-45803", - "date": "2026-06-14", - "epss": 0.00056, - "percentile": 0.17965 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5771,7 +3940,7 @@ "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html" } ], - "risk_score": 0.02786, + "risk_score": 0.27064000000000005, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -5802,9 +3971,9 @@ "epss": [ { "cve": "CVE-2025-66418", - "date": "2026-06-14", - "epss": 0.00025, - "percentile": 0.07399 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -5855,7 +4024,7 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66418" } ], - "risk_score": 0.0205, + "risk_score": 0.43705999999999995, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -5891,9 +4060,9 @@ "epss": [ { "cve": "CVE-2018-25091", - "date": "2026-06-14", - "epss": 0.00223, - "percentile": 0.45286 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ 
@@ -5954,7 +4123,7 @@ "url": "https://github.com/pypa/advisory-database/tree/main/vulns/urllib3/PYSEC-2023-207.yaml" } ], - "risk_score": 0.119305, + "risk_score": 0.27392, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -5990,9 +4159,9 @@ "epss": [ { "cve": "CVE-2019-11324", - "date": "2026-06-14", - "epss": 0.01015, - "percentile": 0.77651 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6103,7 +4272,7 @@ "url": "https://usn.ubuntu.com/3990-1" } ], - "risk_score": 0.7917000000000001, + "risk_score": 2.19414, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -6134,9 +4303,9 @@ "epss": [ { "cve": "CVE-2025-50181", - "date": "2026-06-14", - "epss": 0.00079, - "percentile": 0.23639 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6192,7 +4361,7 @@ "url": "https://github.com/urllib3/urllib3/releases/tag/2.5.0" } ], - "risk_score": 0.040685, + "risk_score": 0.175615, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -6220,7 +4389,7 @@ "cve": "CVE-2026-44431", "id": "CWE-200", "source": "security-advisories@github.com", - "type": "Primary" + "type": "Secondary" } ], "data_source": "https://github.com/advisories/GHSA-qccp-gfcp-xxvc", @@ -6228,9 +4397,9 @@ "epss": [ { "cve": "CVE-2026-44431", - "date": "2026-06-14", - "epss": 0.00014, - "percentile": 0.02742 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6276,7 +4445,7 @@ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44431" } ], - "risk_score": 0.009975, + "risk_score": 0.18525, "severity": "high", "severity_source": "github:language:python", "source": "grype", 
@@ -6312,9 +4481,9 @@ "epss": [ { "cve": "CVE-2019-11236", - "date": "2026-06-14", - "epss": 0.00609, - "percentile": 0.70323 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6435,7 +4604,7 @@ "url": "https://usn.ubuntu.com/3990-2" } ], - "risk_score": 0.32581499999999997, + "risk_score": 1.0999599999999998, "severity": "medium", "severity_source": "github:language:python", "source": "grype", @@ -6471,9 +4640,9 @@ "epss": [ { "cve": "CVE-2023-43804", - "date": "2026-06-14", - "epss": 0.0095, - "percentile": 0.76879 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6569,7 +4738,7 @@ "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00020.html" } ], - "risk_score": 0.672125, + "risk_score": 0.8539525000000001, "severity": "high", "severity_source": "github:language:python", "source": "grype", @@ -6605,9 +4774,9 @@ "epss": [ { "cve": "CVE-2020-26137", - "date": "2026-06-14", - "epss": 0.00177, - "percentile": 0.39231 + "date": "\u003cnormalized\u003e", + "epss": 0, + "percentile": 0 } ], "fix_available": [ @@ -6693,28 +4862,13 @@ "url": "https://usn.ubuntu.com/4570-1" } ], - "risk_score": 0.103545, + "risk_score": 1.2864149999999999, "severity": "medium", "severity_source": "github:language:python", "source": "grype", "title": "CRLF injection in urllib3" } ] - }, - { - "ecosystem": "python", - "licenses": [ - { - "spdxExpression": "MIT", - "type": "external-depsdev", - "value": "MIT" - } - ], - "matched": true, - "name": "virtualenv", - "purl": "pkg:pypi/virtualenv@21.5.0", - "version": "21.5.0", - "vulnerabilities": [] } ], "project": { @@ -6722,7 +4876,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "pip", "path": "\u003cnormalized\u003e", - "target_ref": "e19d10938caf3e06730c23047ae118cd59638e41", + "target_ref": "fe04c758134b95dab102e1fce10275f7d18c0cf2", "target_type": "git repository" }, "schema_version": "1.0" 
diff --git a/test/smoke/testdata/golden/scan-python-pip.golden.json b/test/smoke/testdata/golden/scan-python-pip.golden.json index 7f39052a..5092f1b6 100644 --- a/test/smoke/testdata/golden/scan-python-pip.golden.json +++ b/test/smoke/testdata/golden/scan-python-pip.golden.json 
@@ -3,158 +3,17 @@ "manifests": [ { "dependencies": [ - { - "depends_on": [ - "pkg:pypi/idna@2.8", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/anyio@4.14.0", - "licenses": [], - "name": "anyio", - "package_ref": "pkg:pypi/anyio@4.14.0", - "purl": "pkg:pypi/anyio@4.14.0", - "scopes": [ - "runtime" - ], - "version": "4.14.0" - }, - { - "depends_on": [ - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/astroid@3.1.0", - "licenses": [], - "name": "astroid", - "package_ref": "pkg:pypi/astroid@3.1.0", - "purl": "pkg:pypi/astroid@3.1.0", - "scopes": [ - "runtime" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/backports-zstd@1.6.0", - "licenses": [], - "name": "backports-zstd", - "package_ref": "pkg:pypi/backports-zstd@1.6.0", - "purl": "pkg:pypi/backports-zstd@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [ - "pkg:pypi/gitpython@3.1.50", - "pkg:pypi/pyyaml@6.0.3", - "pkg:pypi/rich@15.0.0", - "pkg:pypi/stevedore@5.8.0" - ], - "id": "pkg:pypi/bandit@1.7.5", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "bandit", - "package_ref": "pkg:pypi/bandit@1.7.5", - "purl": "pkg:pypi/bandit@1.7.5", - "scopes": [ - "development" - ], - "version": "1.7.5" - }, - { - "depends_on": [ - "pkg:pypi/click@8.4.1", - "pkg:pypi/mypy-extensions@1.1.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pathspec@1.1.1", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/black@23.12.1", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "black", - "package_ref": "pkg:pypi/black@23.12.1", - "purl": "pkg:pypi/black@23.12.1", - "scopes": [ - "development" - ], - "version": 
"23.12.1" - }, - { - "depends_on": [ - "pkg:pypi/packaging@26.2", - "pkg:pypi/pyproject-hooks@1.2.0" - ], - "id": "pkg:pypi/build@1.5.0", - "licenses": [], - "name": "build", - "package_ref": "pkg:pypi/build@1.5.0", - "purl": "pkg:pypi/build@1.5.0", - "scopes": [ - "runtime" - ], - "version": "1.5.0" - }, - { - "depends_on": [ - "pkg:pypi/msgpack@1.2.0", - "pkg:pypi/requests@2.21.0" - ], - "id": "pkg:pypi/cachecontrol@0.14.4", - "licenses": [], - "name": "cachecontrol", - "package_ref": "pkg:pypi/cachecontrol@0.14.4", - "purl": "pkg:pypi/cachecontrol@0.14.4", - "scopes": [ - "runtime" - ], - "version": "0.14.4" - }, { "depends_on": [], - "id": "pkg:pypi/certifi@2026.5.20", + "id": "pkg:pypi/certifi@2026.6.17", "licenses": [], "name": "certifi", - "package_ref": "pkg:pypi/certifi@2026.5.20", - "purl": "pkg:pypi/certifi@2026.5.20", - "scopes": [ - "runtime" - ], - "version": "2026.5.20" - }, - { - "depends_on": [ - "pkg:pypi/pycparser@3.0" - ], - "id": "pkg:pypi/cffi@2.0.0", - "licenses": [], - "name": "cffi", - "package_ref": "pkg:pypi/cffi@2.0.0", - "purl": "pkg:pypi/cffi@2.0.0", + "package_ref": "pkg:pypi/certifi@2026.6.17", + "purl": "pkg:pypi/certifi@2026.6.17", "scopes": [ "runtime" ], - "version": "2.0.0" + "version": "2026.6.17" }, { "depends_on": [], 
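Review bot: The resolved package set in this snapshot is not hermetic: `certifi` moves from `2026.5.20` to `2026.6.17` here with no fixture change visible on the page, and the entries removed around it (`bandit` and `black` with `requirements-dev.txt` locations, plus `build`, `cachecontrol`, `cffi` and others) suggest the earlier run resolved more than `requirements.txt`. The same shrink shows in the hunk at -357, where `pkg:pypi/root` drops to nine `depends_on` entries and `pyyaml` changes from `6.0.3` to `5.3`. A dependency scanner's smoke output should be reproducible for a fixed fixture, otherwise a loss of coverage looks identical to registry drift. I would pin the fixture's transitive versions (a constraints file or hashed requirements) or normalise floating versions, and state in the commit description whether dropping the `development`-scope packages is intended.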
@@ -168,134 +27,12 @@ ], "version": "3.0.4" }, - { - "depends_on": [], - "id": "pkg:pypi/charset-normalizer@3.4.7", - "licenses": [], - "name": "charset-normalizer", - "package_ref": "pkg:pypi/charset-normalizer@3.4.7", - "purl": "pkg:pypi/charset-normalizer@3.4.7", - "scopes": [ - "runtime" - ], - "version": "3.4.7" - }, - { - "depends_on": [ - "pkg:pypi/crashtest@0.4.1", - "pkg:pypi/rapidfuzz@3.14.5" - ], - "id": "pkg:pypi/cleo@2.1.0", - "licenses": [], - "name": "cleo", - "package_ref": "pkg:pypi/cleo@2.1.0", - "purl": "pkg:pypi/cleo@2.1.0", - "scopes": [ - "runtime" - ], - "version": "2.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/click@8.4.1", - "licenses": [], - "name": "click", - "package_ref": "pkg:pypi/click@8.4.1", - "purl": "pkg:pypi/click@8.4.1", - "scopes": [ - "runtime" - ], - "version": "8.4.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/coverage@7.4.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "coverage", - "package_ref": "pkg:pypi/coverage@7.4.0", - "purl": "pkg:pypi/coverage@7.4.0", - "scopes": [ - "development" - ], - "version": "7.4.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/crashtest@0.4.1", - "licenses": [], - "name": "crashtest", - "package_ref": "pkg:pypi/crashtest@0.4.1", - "purl": "pkg:pypi/crashtest@0.4.1", - "scopes": [ - "runtime" - ], - "version": "0.4.1" - }, - { - "depends_on": [ - "pkg:pypi/cffi@2.0.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/cryptography@49.0.0", - "licenses": [], - "name": "cryptography", - "package_ref": "pkg:pypi/cryptography@49.0.0", - "purl": "pkg:pypi/cryptography@49.0.0", - "scopes": [ - "runtime" - ], - "version": "49.0.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/dill@0.4.1", - "licenses": [], - "name": "dill", - "package_ref": "pkg:pypi/dill@0.4.1", - "purl": "pkg:pypi/dill@0.4.1", - "scopes": [ - 
"runtime" - ], - "version": "0.4.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/distlib@0.4.3", - "licenses": [], - "name": "distlib", - "package_ref": "pkg:pypi/distlib@0.4.3", - "purl": "pkg:pypi/distlib@0.4.3", - "scopes": [ - "runtime" - ], - "version": "0.4.3" - }, { "depends_on": [ "pkg:pypi/pytz@2026.2" ], "id": "pkg:pypi/django@1.11.29", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "name": "django", "package_ref": "pkg:pypi/django@1.11.29", "purl": "pkg:pypi/django@1.11.29", @@ -304,49 +41,12 @@ ], "version": "1.11.29" }, - { - "depends_on": [ - "pkg:pypi/typing-extensions@4.15.0", - "pkg:pypi/urllib3@1.24.1" - ], - "id": "pkg:pypi/dulwich@1.2.6", - "licenses": [], - "name": "dulwich", - "package_ref": "pkg:pypi/dulwich@1.2.6", - "purl": "pkg:pypi/dulwich@1.2.6", - "scopes": [ - "runtime" - ], - "version": "1.2.6" - }, - { - "depends_on": [], - "id": "pkg:pypi/fastjsonschema@2.21.2", - "licenses": [], - "name": "fastjsonschema", - "package_ref": "pkg:pypi/fastjsonschema@2.21.2", - "purl": "pkg:pypi/fastjsonschema@2.21.2", - "scopes": [ - "runtime" - ], - "version": "2.21.2" - }, { "depends_on": [ "pkg:pypi/sgmllib3k@1.0.0" ], "id": "pkg:pypi/feedparser@6.0.8", "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], "name": "feedparser", "package_ref": "pkg:pypi/feedparser@6.0.8", "purl": "pkg:pypi/feedparser@6.0.8", 
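Review bot: The new side keeps `django` and `feedparser` but no longer carries their `locations` block (`"access_path": "requirements.txt"`), so a finding on a direct dependency can no longer be traced back to the manifest file that declares it. The hunk at -357 does the same for `jinja2`, `pyjwt`, `pyyaml`, `requests`, `rsa`, `sqlalchemy` and `urllib3`. If this is intended, the commit description should name the scanner change behind it. If it is not, the smoke test needs an assertion outside the golden that every entry listed under the `depends_on` of `pkg:pypi/root` has a non-empty `locations` array, because a regenerated golden cannot catch the loss.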
@@ -357,972 +57,174 @@ }, { "depends_on": [], - "id": "pkg:pypi/filelock@3.29.4", + "id": "pkg:pypi/idna@2.8", "licenses": [], - "name": "filelock", - "package_ref": "pkg:pypi/filelock@3.29.4", - "purl": "pkg:pypi/filelock@3.29.4", + "name": "idna", + "package_ref": "pkg:pypi/idna@2.8", + "purl": "pkg:pypi/idna@2.8", "scopes": [ "runtime" ], - "version": "3.29.4" + "version": "2.8" }, { "depends_on": [ - "pkg:pypi/packaging@26.2", - "pkg:pypi/platformdirs@4.10.0" + "pkg:pypi/markupsafe@3.0.3" ], - "id": "pkg:pypi/findpython@0.8.0", + "id": "pkg:pypi/jinja2@2.10.1", "licenses": [], - "name": "findpython", - "package_ref": "pkg:pypi/findpython@0.8.0", - "purl": "pkg:pypi/findpython@0.8.0", + "name": "jinja2", + "package_ref": "pkg:pypi/jinja2@2.10.1", + "purl": "pkg:pypi/jinja2@2.10.1", "scopes": [ "runtime" ], - "version": "0.8.0" + "version": "2.10.1" }, { - "depends_on": [ - "pkg:pypi/smmap@5.0.3" - ], - "id": "pkg:pypi/gitdb@4.0.12", + "depends_on": [], + "id": "pkg:pypi/markupsafe@3.0.3", "licenses": [], - "name": "gitdb", - "package_ref": "pkg:pypi/gitdb@4.0.12", - "purl": "pkg:pypi/gitdb@4.0.12", + "name": "markupsafe", + "package_ref": "pkg:pypi/markupsafe@3.0.3", + "purl": "pkg:pypi/markupsafe@3.0.3", "scopes": [ "runtime" ], - "version": "4.0.12" + "version": "3.0.3" }, { - "depends_on": [ - "pkg:pypi/gitdb@4.0.12", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/gitpython@3.1.50", + "depends_on": [], + "id": "pkg:pypi/pyasn1@0.6.3", "licenses": [], - "name": "gitpython", - "package_ref": "pkg:pypi/gitpython@3.1.50", - "purl": "pkg:pypi/gitpython@3.1.50", + "name": "pyasn1", + "package_ref": "pkg:pypi/pyasn1@0.6.3", + "purl": "pkg:pypi/pyasn1@0.6.3", "scopes": [ "runtime" ], - "version": "3.1.50" + "version": "0.6.3" }, { "depends_on": [], - "id": "pkg:pypi/greenlet@3.5.1", + "id": "pkg:pypi/pyjwt@0.4.2", "licenses": [], - "name": "greenlet", - "package_ref": "pkg:pypi/greenlet@3.5.1", - "purl": "pkg:pypi/greenlet@3.5.1", + "name": "pyjwt", + 
"package_ref": "pkg:pypi/pyjwt@0.4.2", + "purl": "pkg:pypi/pyjwt@0.4.2", "scopes": [ "runtime" ], - "version": "3.5.1" + "version": "0.4.2" }, { "depends_on": [], - "id": "pkg:pypi/h11@0.16.0", + "id": "pkg:pypi/pytz@2026.2", "licenses": [], - "name": "h11", - "package_ref": "pkg:pypi/h11@0.16.0", - "purl": "pkg:pypi/h11@0.16.0", + "name": "pytz", + "package_ref": "pkg:pypi/pytz@2026.2", + "purl": "pkg:pypi/pytz@2026.2", "scopes": [ "runtime" ], - "version": "0.16.0" + "version": "2026.2" }, { - "depends_on": [ - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/h11@0.16.0" - ], - "id": "pkg:pypi/httpcore@1.0.9", + "depends_on": [], + "id": "pkg:pypi/pyyaml@5.3", "licenses": [], - "name": "httpcore", - "package_ref": "pkg:pypi/httpcore@1.0.9", - "purl": "pkg:pypi/httpcore@1.0.9", + "name": "pyyaml", + "package_ref": "pkg:pypi/pyyaml@5.3", + "purl": "pkg:pypi/pyyaml@5.3", "scopes": [ "runtime" ], - "version": "1.0.9" + "version": "5.3" }, { "depends_on": [ - "pkg:pypi/anyio@4.14.0", - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/httpcore@1.0.9", - "pkg:pypi/idna@2.8" - ], - "id": "pkg:pypi/httpx@0.28.1", - "licenses": [], - "name": "httpx", - "package_ref": "pkg:pypi/httpx@0.28.1", - "purl": "pkg:pypi/httpx@0.28.1", - "scopes": [ - "runtime" - ], - "version": "0.28.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/idna@2.8", - "licenses": [], - "name": "idna", - "package_ref": "pkg:pypi/idna@2.8", - "purl": "pkg:pypi/idna@2.8", - "scopes": [ - "runtime" + "pkg:pypi/certifi@2026.6.17", + "pkg:pypi/chardet@3.0.4", + "pkg:pypi/idna@2.8", + "pkg:pypi/urllib3@1.24.1" ], - "version": "2.8" - }, - { - "depends_on": [], - "id": "pkg:pypi/iniconfig@2.3.0", + "id": "pkg:pypi/requests@2.21.0", "licenses": [], - "name": "iniconfig", - "package_ref": "pkg:pypi/iniconfig@2.3.0", - "purl": "pkg:pypi/iniconfig@2.3.0", + "name": "requests", + "package_ref": "pkg:pypi/requests@2.21.0", + "purl": "pkg:pypi/requests@2.21.0", "scopes": [ "runtime" ], - "version": "2.3.0" + "version": "2.21.0" }, { 
- "depends_on": [], - "id": "pkg:pypi/installer@1.0.1", - "licenses": [], - "name": "installer", - "package_ref": "pkg:pypi/installer@1.0.1", - "purl": "pkg:pypi/installer@1.0.1", - "scopes": [ - "runtime" + "depends_on": [ + "pkg:pypi/django@1.11.29", + "pkg:pypi/feedparser@6.0.8", + "pkg:pypi/jinja2@2.10.1", + "pkg:pypi/pyjwt@0.4.2", + "pkg:pypi/pyyaml@5.3", + "pkg:pypi/requests@2.21.0", + "pkg:pypi/rsa@3.4", + "pkg:pypi/sqlalchemy@1.4.46", + "pkg:pypi/urllib3@1.24.1" ], - "version": "1.0.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/isort@5.13.2", + "id": "pkg:pypi/root", "licenses": [], - "name": "isort", - "package_ref": "pkg:pypi/isort@5.13.2", - "purl": "pkg:pypi/isort@5.13.2", - "scopes": [ - "runtime" - ], - "version": "5.13.2" + "name": "root", + "package_ref": "pkg:pypi/root", + "purl": "pkg:pypi/root" }, { "depends_on": [ - "pkg:pypi/more-itertools@11.1.0" + "pkg:pypi/pyasn1@0.6.3" ], - "id": "pkg:pypi/jaraco-classes@3.4.0", + "id": "pkg:pypi/rsa@3.4", "licenses": [], - "name": "jaraco-classes", - "package_ref": "pkg:pypi/jaraco-classes@3.4.0", - "purl": "pkg:pypi/jaraco-classes@3.4.0", + "name": "rsa", + "package_ref": "pkg:pypi/rsa@3.4", + "purl": "pkg:pypi/rsa@3.4", "scopes": [ "runtime" ], - "version": "3.4.0" + "version": "3.4" }, { "depends_on": [], - "id": "pkg:pypi/jaraco-context@6.1.2", + "id": "pkg:pypi/sgmllib3k@1.0.0", "licenses": [], - "name": "jaraco-context", - "package_ref": "pkg:pypi/jaraco-context@6.1.2", - "purl": "pkg:pypi/jaraco-context@6.1.2", + "name": "sgmllib3k", + "package_ref": "pkg:pypi/sgmllib3k@1.0.0", + "purl": "pkg:pypi/sgmllib3k@1.0.0", "scopes": [ "runtime" ], - "version": "6.1.2" + "version": "1.0.0" }, { - "depends_on": [ - "pkg:pypi/more-itertools@11.1.0" - ], - "id": "pkg:pypi/jaraco-functools@4.5.0", + "depends_on": [], + "id": "pkg:pypi/sqlalchemy@1.4.46", "licenses": [], - "name": "jaraco-functools", - "package_ref": "pkg:pypi/jaraco-functools@4.5.0", - "purl": "pkg:pypi/jaraco-functools@4.5.0", + "name": 
"sqlalchemy", + "package_ref": "pkg:pypi/sqlalchemy@1.4.46", + "purl": "pkg:pypi/sqlalchemy@1.4.46", "scopes": [ "runtime" ], - "version": "4.5.0" + "version": "1.4.46" }, { "depends_on": [], - "id": "pkg:pypi/jeepney@0.9.0", + "id": "pkg:pypi/urllib3@1.24.1", "licenses": [], - "name": "jeepney", - "package_ref": "pkg:pypi/jeepney@0.9.0", - "purl": "pkg:pypi/jeepney@0.9.0", - "scopes": [ - "runtime" - ], - "version": "0.9.0" - }, - { - "depends_on": [ - "pkg:pypi/markupsafe@3.0.3" - ], - "id": "pkg:pypi/jinja2@2.10.1", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "jinja2", - "package_ref": "pkg:pypi/jinja2@2.10.1", - "purl": "pkg:pypi/jinja2@2.10.1", - "scopes": [ - "runtime" - ], - "version": "2.10.1" - }, - { - "depends_on": [ - "pkg:pypi/jaraco-classes@3.4.0", - "pkg:pypi/jaraco-context@6.1.2", - "pkg:pypi/jaraco-functools@4.5.0", - "pkg:pypi/jeepney@0.9.0", - "pkg:pypi/secretstorage@3.5.0" - ], - "id": "pkg:pypi/keyring@25.7.0", - "licenses": [], - "name": "keyring", - "package_ref": "pkg:pypi/keyring@25.7.0", - "purl": "pkg:pypi/keyring@25.7.0", - "scopes": [ - "runtime" - ], - "version": "25.7.0" - }, - { - "depends_on": [ - "pkg:pypi/mdurl@0.1.2" - ], - "id": "pkg:pypi/markdown-it-py@4.2.0", - "licenses": [], - "name": "markdown-it-py", - "package_ref": "pkg:pypi/markdown-it-py@4.2.0", - "purl": "pkg:pypi/markdown-it-py@4.2.0", - "scopes": [ - "runtime" - ], - "version": "4.2.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/markupsafe@3.0.3", - "licenses": [], - "name": "markupsafe", - "package_ref": "pkg:pypi/markupsafe@3.0.3", - "purl": "pkg:pypi/markupsafe@3.0.3", - "scopes": [ - "runtime" - ], - "version": "3.0.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/mccabe@0.7.0", - "licenses": [], - "name": "mccabe", - "package_ref": "pkg:pypi/mccabe@0.7.0", - "purl": "pkg:pypi/mccabe@0.7.0", - "scopes": [ - 
"runtime" - ], - "version": "0.7.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/mdurl@0.1.2", - "licenses": [], - "name": "mdurl", - "package_ref": "pkg:pypi/mdurl@0.1.2", - "purl": "pkg:pypi/mdurl@0.1.2", - "scopes": [ - "runtime" - ], - "version": "0.1.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/more-itertools@11.1.0", - "licenses": [], - "name": "more-itertools", - "package_ref": "pkg:pypi/more-itertools@11.1.0", - "purl": "pkg:pypi/more-itertools@11.1.0", - "scopes": [ - "runtime" - ], - "version": "11.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/msgpack@1.2.0", - "licenses": [], - "name": "msgpack", - "package_ref": "pkg:pypi/msgpack@1.2.0", - "purl": "pkg:pypi/msgpack@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/mypy-extensions@1.1.0", - "licenses": [], - "name": "mypy-extensions", - "package_ref": "pkg:pypi/mypy-extensions@1.1.0", - "purl": "pkg:pypi/mypy-extensions@1.1.0", - "scopes": [ - "runtime" - ], - "version": "1.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/packaging@26.2", - "licenses": [], - "name": "packaging", - "package_ref": "pkg:pypi/packaging@26.2", - "purl": "pkg:pypi/packaging@26.2", - "scopes": [ - "runtime" - ], - "version": "26.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pathspec@1.1.1", - "licenses": [], - "name": "pathspec", - "package_ref": "pkg:pypi/pathspec@1.1.1", - "purl": "pkg:pypi/pathspec@1.1.1", - "scopes": [ - "runtime" - ], - "version": "1.1.1" - }, - { - "depends_on": [], - "id": "pkg:pypi/pbs-installer@2026.6.10", - "licenses": [], - "name": "pbs-installer", - "package_ref": "pkg:pypi/pbs-installer@2026.6.10", - "purl": "pkg:pypi/pbs-installer@2026.6.10", - "scopes": [ - "runtime" - ], - "version": "2026.6.10" - }, - { - "depends_on": [], - "id": "pkg:pypi/pkginfo@1.12.1.2", - "licenses": [], - "name": "pkginfo", - "package_ref": "pkg:pypi/pkginfo@1.12.1.2", - "purl": "pkg:pypi/pkginfo@1.12.1.2", - "scopes": [ - "runtime" - ], - 
"version": "1.12.1.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/platformdirs@4.10.0", - "licenses": [], - "name": "platformdirs", - "package_ref": "pkg:pypi/platformdirs@4.10.0", - "purl": "pkg:pypi/platformdirs@4.10.0", - "scopes": [ - "runtime" - ], - "version": "4.10.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pluggy@1.6.0", - "licenses": [], - "name": "pluggy", - "package_ref": "pkg:pypi/pluggy@1.6.0", - "purl": "pkg:pypi/pluggy@1.6.0", - "scopes": [ - "runtime" - ], - "version": "1.6.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/poetry-core@2.4.0", - "licenses": [], - "name": "poetry-core", - "package_ref": "pkg:pypi/poetry-core@2.4.0", - "purl": "pkg:pypi/poetry-core@2.4.0", - "scopes": [ - "runtime" - ], - "version": "2.4.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyasn1@0.6.3", - "licenses": [], - "name": "pyasn1", - "package_ref": "pkg:pypi/pyasn1@0.6.3", - "purl": "pkg:pypi/pyasn1@0.6.3", - "scopes": [ - "runtime" - ], - "version": "0.6.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/pycparser@3.0", - "licenses": [], - "name": "pycparser", - "package_ref": "pkg:pypi/pycparser@3.0", - "purl": "pkg:pypi/pycparser@3.0", - "scopes": [ - "runtime" - ], - "version": "3.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pygments@2.20.0", - "licenses": [], - "name": "pygments", - "package_ref": "pkg:pypi/pygments@2.20.0", - "purl": "pkg:pypi/pygments@2.20.0", - "scopes": [ - "runtime" - ], - "version": "2.20.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyjwt@0.4.2", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "pyjwt", - "package_ref": "pkg:pypi/pyjwt@0.4.2", - "purl": "pkg:pypi/pyjwt@0.4.2", - "scopes": [ - "runtime" - ], - "version": "0.4.2" - }, - { - "depends_on": [ - "pkg:pypi/astroid@3.1.0", - "pkg:pypi/dill@0.4.1", - "pkg:pypi/isort@5.13.2", - "pkg:pypi/mccabe@0.7.0", - 
"pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/tomlkit@0.15.0", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/pylint@3.1.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "pylint", - "package_ref": "pkg:pypi/pylint@3.1.0", - "purl": "pkg:pypi/pylint@3.1.0", - "scopes": [ - "development" - ], - "version": "3.1.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyproject-hooks@1.2.0", - "licenses": [], - "name": "pyproject-hooks", - "package_ref": "pkg:pypi/pyproject-hooks@1.2.0", - "purl": "pkg:pypi/pyproject-hooks@1.2.0", - "scopes": [ - "runtime" - ], - "version": "1.2.0" - }, - { - "depends_on": [ - "pkg:pypi/coverage@7.4.0", - "pkg:pypi/pytest@7.4.3" - ], - "id": "pkg:pypi/pytest-cov@4.1.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "pytest-cov", - "package_ref": "pkg:pypi/pytest-cov@4.1.0", - "purl": "pkg:pypi/pytest-cov@4.1.0", - "scopes": [ - "development" - ], - "version": "4.1.0" - }, - { - "depends_on": [ - "pkg:pypi/iniconfig@2.3.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pluggy@1.6.0" - ], - "id": "pkg:pypi/pytest@7.4.3", - "licenses": [], - "locations": [ - { - "access_path": "requirements-dev.txt", - "position": { - "file": "requirements-dev.txt", - "line": 0 - }, - "real_path": "requirements-dev.txt" - } - ], - "name": "pytest", - "package_ref": "pkg:pypi/pytest@7.4.3", - "purl": "pkg:pypi/pytest@7.4.3", - "scopes": [ - "development" - ], - "version": "7.4.3" - }, - { - "depends_on": [ - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/platformdirs@4.10.0" - ], - "id": "pkg:pypi/python-discovery@1.4.2", - "licenses": [], - "name": "python-discovery", - "package_ref": "pkg:pypi/python-discovery@1.4.2", - "purl": 
"pkg:pypi/python-discovery@1.4.2", - "scopes": [ - "runtime" - ], - "version": "1.4.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pytz@2026.2", - "licenses": [], - "name": "pytz", - "package_ref": "pkg:pypi/pytz@2026.2", - "purl": "pkg:pypi/pytz@2026.2", - "scopes": [ - "runtime" - ], - "version": "2026.2" - }, - { - "depends_on": [], - "id": "pkg:pypi/pyyaml@6.0.3", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "pyyaml", - "package_ref": "pkg:pypi/pyyaml@6.0.3", - "purl": "pkg:pypi/pyyaml@6.0.3", - "scopes": [ - "runtime" - ], - "version": "6.0.3" - }, - { - "depends_on": [], - "id": "pkg:pypi/rapidfuzz@3.14.5", - "licenses": [], - "name": "rapidfuzz", - "package_ref": "pkg:pypi/rapidfuzz@3.14.5", - "purl": "pkg:pypi/rapidfuzz@3.14.5", - "scopes": [ - "runtime" - ], - "version": "3.14.5" - }, - { - "depends_on": [ - "pkg:pypi/requests@2.21.0" - ], - "id": "pkg:pypi/requests-toolbelt@1.0.0", - "licenses": [], - "name": "requests-toolbelt", - "package_ref": "pkg:pypi/requests-toolbelt@1.0.0", - "purl": "pkg:pypi/requests-toolbelt@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [ - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/chardet@3.0.4", - "pkg:pypi/idna@2.8", - "pkg:pypi/urllib3@1.24.1" - ], - "id": "pkg:pypi/requests@2.21.0", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "requests", - "package_ref": "pkg:pypi/requests@2.21.0", - "purl": "pkg:pypi/requests@2.21.0", - "scopes": [ - "runtime" - ], - "version": "2.21.0" - }, - { - "depends_on": [ - "pkg:pypi/markdown-it-py@4.2.0", - "pkg:pypi/pygments@2.20.0" - ], - "id": "pkg:pypi/rich@15.0.0", - "licenses": [], - "name": "rich", - "package_ref": "pkg:pypi/rich@15.0.0", - "purl": 
"pkg:pypi/rich@15.0.0", - "scopes": [ - "runtime" - ], - "version": "15.0.0" - }, - { - "depends_on": [ - "pkg:pypi/anyio@4.14.0", - "pkg:pypi/astroid@3.1.0", - "pkg:pypi/backports-zstd@1.6.0", - "pkg:pypi/bandit@1.7.5", - "pkg:pypi/black@23.12.1", - "pkg:pypi/build@1.5.0", - "pkg:pypi/cachecontrol@0.14.4", - "pkg:pypi/certifi@2026.5.20", - "pkg:pypi/cffi@2.0.0", - "pkg:pypi/chardet@3.0.4", - "pkg:pypi/charset-normalizer@3.4.7", - "pkg:pypi/cleo@2.1.0", - "pkg:pypi/click@8.4.1", - "pkg:pypi/coverage@7.4.0", - "pkg:pypi/crashtest@0.4.1", - "pkg:pypi/cryptography@49.0.0", - "pkg:pypi/dill@0.4.1", - "pkg:pypi/distlib@0.4.3", - "pkg:pypi/django@1.11.29", - "pkg:pypi/dulwich@1.2.6", - "pkg:pypi/fastjsonschema@2.21.2", - "pkg:pypi/feedparser@6.0.8", - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/findpython@0.8.0", - "pkg:pypi/gitdb@4.0.12", - "pkg:pypi/gitpython@3.1.50", - "pkg:pypi/greenlet@3.5.1", - "pkg:pypi/h11@0.16.0", - "pkg:pypi/httpcore@1.0.9", - "pkg:pypi/httpx@0.28.1", - "pkg:pypi/idna@2.8", - "pkg:pypi/iniconfig@2.3.0", - "pkg:pypi/installer@1.0.1", - "pkg:pypi/isort@5.13.2", - "pkg:pypi/jaraco-classes@3.4.0", - "pkg:pypi/jaraco-context@6.1.2", - "pkg:pypi/jaraco-functools@4.5.0", - "pkg:pypi/jeepney@0.9.0", - "pkg:pypi/jinja2@2.10.1", - "pkg:pypi/keyring@25.7.0", - "pkg:pypi/markdown-it-py@4.2.0", - "pkg:pypi/markupsafe@3.0.3", - "pkg:pypi/mccabe@0.7.0", - "pkg:pypi/mdurl@0.1.2", - "pkg:pypi/more-itertools@11.1.0", - "pkg:pypi/msgpack@1.2.0", - "pkg:pypi/mypy-extensions@1.1.0", - "pkg:pypi/packaging@26.2", - "pkg:pypi/pathspec@1.1.1", - "pkg:pypi/pbs-installer@2026.6.10", - "pkg:pypi/pkginfo@1.12.1.2", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/pluggy@1.6.0", - "pkg:pypi/poetry-core@2.4.0", - "pkg:pypi/pyasn1@0.6.3", - "pkg:pypi/pycparser@3.0", - "pkg:pypi/pygments@2.20.0", - "pkg:pypi/pyjwt@0.4.2", - "pkg:pypi/pylint@3.1.0", - "pkg:pypi/pyproject-hooks@1.2.0", - "pkg:pypi/pytest-cov@4.1.0", - "pkg:pypi/pytest@7.4.3", - "pkg:pypi/python-discovery@1.4.2", - 
"pkg:pypi/pytz@2026.2", - "pkg:pypi/pyyaml@6.0.3", - "pkg:pypi/rapidfuzz@3.14.5", - "pkg:pypi/requests-toolbelt@1.0.0", - "pkg:pypi/requests@2.21.0", - "pkg:pypi/rich@15.0.0", - "pkg:pypi/rsa@3.4", - "pkg:pypi/secretstorage@3.5.0", - "pkg:pypi/sgmllib3k@1.0.0", - "pkg:pypi/shellingham@1.5.4", - "pkg:pypi/smmap@5.0.3", - "pkg:pypi/sqlalchemy@1.4.46", - "pkg:pypi/stevedore@5.8.0", - "pkg:pypi/tomlkit@0.15.0", - "pkg:pypi/trove-classifiers@2026.6.1.19", - "pkg:pypi/typing-extensions@4.15.0", - "pkg:pypi/urllib3@1.24.1", - "pkg:pypi/virtualenv@21.5.0" - ], - "id": "pkg:pypi/root", - "licenses": [], - "name": "root", - "package_ref": "pkg:pypi/root", - "purl": "pkg:pypi/root" - }, - { - "depends_on": [ - "pkg:pypi/pyasn1@0.6.3" - ], - "id": "pkg:pypi/rsa@3.4", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "rsa", - "package_ref": "pkg:pypi/rsa@3.4", - "purl": "pkg:pypi/rsa@3.4", - "scopes": [ - "runtime" - ], - "version": "3.4" - }, - { - "depends_on": [ - "pkg:pypi/cryptography@49.0.0", - "pkg:pypi/jeepney@0.9.0" - ], - "id": "pkg:pypi/secretstorage@3.5.0", - "licenses": [], - "name": "secretstorage", - "package_ref": "pkg:pypi/secretstorage@3.5.0", - "purl": "pkg:pypi/secretstorage@3.5.0", - "scopes": [ - "runtime" - ], - "version": "3.5.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/sgmllib3k@1.0.0", - "licenses": [], - "name": "sgmllib3k", - "package_ref": "pkg:pypi/sgmllib3k@1.0.0", - "purl": "pkg:pypi/sgmllib3k@1.0.0", - "scopes": [ - "runtime" - ], - "version": "1.0.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/shellingham@1.5.4", - "licenses": [], - "name": "shellingham", - "package_ref": "pkg:pypi/shellingham@1.5.4", - "purl": "pkg:pypi/shellingham@1.5.4", - "scopes": [ - "runtime" - ], - "version": "1.5.4" - }, - { - "depends_on": [], - "id": "pkg:pypi/smmap@5.0.3", - "licenses": [], - "name": "smmap", - 
"package_ref": "pkg:pypi/smmap@5.0.3", - "purl": "pkg:pypi/smmap@5.0.3", - "scopes": [ - "runtime" - ], - "version": "5.0.3" - }, - { - "depends_on": [ - "pkg:pypi/greenlet@3.5.1" - ], - "id": "pkg:pypi/sqlalchemy@1.4.46", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "sqlalchemy", - "package_ref": "pkg:pypi/sqlalchemy@1.4.46", - "purl": "pkg:pypi/sqlalchemy@1.4.46", - "scopes": [ - "runtime" - ], - "version": "1.4.46" - }, - { - "depends_on": [], - "id": "pkg:pypi/stevedore@5.8.0", - "licenses": [], - "name": "stevedore", - "package_ref": "pkg:pypi/stevedore@5.8.0", - "purl": "pkg:pypi/stevedore@5.8.0", - "scopes": [ - "runtime" - ], - "version": "5.8.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/tomlkit@0.15.0", - "licenses": [], - "name": "tomlkit", - "package_ref": "pkg:pypi/tomlkit@0.15.0", - "purl": "pkg:pypi/tomlkit@0.15.0", - "scopes": [ - "runtime" - ], - "version": "0.15.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/trove-classifiers@2026.6.1.19", - "licenses": [], - "name": "trove-classifiers", - "package_ref": "pkg:pypi/trove-classifiers@2026.6.1.19", - "purl": "pkg:pypi/trove-classifiers@2026.6.1.19", - "scopes": [ - "runtime" - ], - "version": "2026.6.1.19" - }, - { - "depends_on": [], - "id": "pkg:pypi/typing-extensions@4.15.0", - "licenses": [], - "name": "typing-extensions", - "package_ref": "pkg:pypi/typing-extensions@4.15.0", - "purl": "pkg:pypi/typing-extensions@4.15.0", - "scopes": [ - "runtime" - ], - "version": "4.15.0" - }, - { - "depends_on": [], - "id": "pkg:pypi/urllib3@1.24.1", - "licenses": [], - "locations": [ - { - "access_path": "requirements.txt", - "position": { - "file": "requirements.txt", - "line": 0 - }, - "real_path": "requirements.txt" - } - ], - "name": "urllib3", - "package_ref": "pkg:pypi/urllib3@1.24.1", - "purl": "pkg:pypi/urllib3@1.24.1", + "name": "urllib3", + 
"package_ref": "pkg:pypi/urllib3@1.24.1", + "purl": "pkg:pypi/urllib3@1.24.1", "scopes": [ "runtime" ], "version": "1.24.1" - }, - { - "depends_on": [ - "pkg:pypi/distlib@0.4.3", - "pkg:pypi/filelock@3.29.4", - "pkg:pypi/platformdirs@4.10.0", - "pkg:pypi/python-discovery@1.4.2", - "pkg:pypi/typing-extensions@4.15.0" - ], - "id": "pkg:pypi/virtualenv@21.5.0", - "licenses": [], - "name": "virtualenv", - "package_ref": "pkg:pypi/virtualenv@21.5.0", - "purl": "pkg:pypi/virtualenv@21.5.0", - "scopes": [ - "runtime" - ], - "version": "21.5.0" } ], "detector": "pip-detector", 
@@ -1331,154 +233,26 @@ "package_manager": "pip", "path": "requirements.txt", "subproject": "." - } - ], - "metadata": { - "duration_ms": 0 - }, - "packages": [ - { - "ecosystem": "python", - "licenses": [], - "name": "anyio", - "purl": "pkg:pypi/anyio@4.14.0", - "version": "4.14.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "astroid", - "purl": "pkg:pypi/astroid@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "backports-zstd", - "purl": "pkg:pypi/backports-zstd@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "bandit", - "purl": "pkg:pypi/bandit@1.7.5", - "version": "1.7.5", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "black", - "purl": "pkg:pypi/black@23.12.1", - "version": "23.12.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "build", - "purl": "pkg:pypi/build@1.5.0", - "version": "1.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "cachecontrol", - "purl": "pkg:pypi/cachecontrol@0.14.4", - "version": "0.14.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "certifi", - "purl": "pkg:pypi/certifi@2026.5.20", - "version": "2026.5.20", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "cffi", - "purl": "pkg:pypi/cffi@2.0.0", - "version": "2.0.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "chardet", - "purl": "pkg:pypi/chardet@3.0.4", - "version": "3.0.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "charset-normalizer", - "purl": "pkg:pypi/charset-normalizer@3.4.7", - "version": "3.4.7", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "cleo", - "purl": 
"pkg:pypi/cleo@2.1.0", - "version": "2.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "click", - "purl": "pkg:pypi/click@8.4.1", - "version": "8.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "coverage", - "purl": "pkg:pypi/coverage@7.4.0", - "version": "7.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "crashtest", - "purl": "pkg:pypi/crashtest@0.4.1", - "version": "0.4.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "cryptography", - "purl": "pkg:pypi/cryptography@49.0.0", - "version": "49.0.0", - "vulnerabilities": [] - }, + } + ], + "metadata": { + "duration_ms": 0 + }, + "packages": [ { "ecosystem": "python", "licenses": [], - "name": "dill", - "purl": "pkg:pypi/dill@0.4.1", - "version": "0.4.1", + "name": "certifi", + "purl": "pkg:pypi/certifi@2026.6.17", + "version": "2026.6.17", "vulnerabilities": [] }, { "ecosystem": "python", "licenses": [], - "name": "distlib", - "purl": "pkg:pypi/distlib@0.4.3", - "version": "0.4.3", + "name": "chardet", + "purl": "pkg:pypi/chardet@3.0.4", + "version": "3.0.4", "vulnerabilities": [] }, { @@ -1489,22 +263,6 @@ "version": "1.11.29", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "dulwich", - "purl": "pkg:pypi/dulwich@1.2.6", - "version": "1.2.6", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "fastjsonschema", - "purl": "pkg:pypi/fastjsonschema@2.21.2", - "version": "2.21.2", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], 
@@ -1513,70 +271,6 @@ "version": "6.0.8", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "filelock", - "purl": "pkg:pypi/filelock@3.29.4", - "version": "3.29.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "findpython", - "purl": "pkg:pypi/findpython@0.8.0", - "version": "0.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "gitdb", - "purl": "pkg:pypi/gitdb@4.0.12", - "version": "4.0.12", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "gitpython", - "purl": "pkg:pypi/gitpython@3.1.50", - "version": "3.1.50", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "greenlet", - "purl": "pkg:pypi/greenlet@3.5.1", - "version": "3.5.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "h11", - "purl": "pkg:pypi/h11@0.16.0", - "version": "0.16.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "httpcore", - "purl": "pkg:pypi/httpcore@1.0.9", - "version": "1.0.9", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "httpx", - "purl": "pkg:pypi/httpx@0.28.1", - "version": "0.28.1", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], 
@@ -1585,62 +279,6 @@ "version": "2.8", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "iniconfig", - "purl": "pkg:pypi/iniconfig@2.3.0", - "version": "2.3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "installer", - "purl": "pkg:pypi/installer@1.0.1", - "version": "1.0.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "isort", - "purl": "pkg:pypi/isort@5.13.2", - "version": "5.13.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "jaraco-classes", - "purl": "pkg:pypi/jaraco-classes@3.4.0", - "version": "3.4.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "jaraco-context", - "purl": "pkg:pypi/jaraco-context@6.1.2", - "version": "6.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "jaraco-functools", - "purl": "pkg:pypi/jaraco-functools@4.5.0", - "version": "4.5.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "jeepney", - "purl": "pkg:pypi/jeepney@0.9.0", - "version": "0.9.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1649,22 +287,6 @@ "version": "2.10.1", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "keyring", - "purl": "pkg:pypi/keyring@25.7.0", - "version": "25.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "markdown-it-py", - "purl": "pkg:pypi/markdown-it-py@4.2.0", - "version": "4.2.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], 
@@ -1673,102 +295,6 @@ "version": "3.0.3", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "mccabe", - "purl": "pkg:pypi/mccabe@0.7.0", - "version": "0.7.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "mdurl", - "purl": "pkg:pypi/mdurl@0.1.2", - "version": "0.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "more-itertools", - "purl": "pkg:pypi/more-itertools@11.1.0", - "version": "11.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "msgpack", - "purl": "pkg:pypi/msgpack@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "mypy-extensions", - "purl": "pkg:pypi/mypy-extensions@1.1.0", - "version": "1.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "packaging", - "purl": "pkg:pypi/packaging@26.2", - "version": "26.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pathspec", - "purl": "pkg:pypi/pathspec@1.1.1", - "version": "1.1.1", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pbs-installer", - "purl": "pkg:pypi/pbs-installer@2026.6.10", - "version": "2026.6.10", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pkginfo", - "purl": "pkg:pypi/pkginfo@1.12.1.2", - "version": "1.12.1.2", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "platformdirs", - "purl": "pkg:pypi/platformdirs@4.10.0", - "version": "4.10.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pluggy", - "purl": "pkg:pypi/pluggy@1.6.0", - "version": "1.6.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "poetry-core", - "purl": "pkg:pypi/poetry-core@2.4.0", - "version": "2.4.0", - "vulnerabilities": [] - 
}, { "ecosystem": "python", "licenses": [], @@ -1777,22 +303,6 @@ "version": "0.6.3", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "pycparser", - "purl": "pkg:pypi/pycparser@3.0", - "version": "3.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pygments", - "purl": "pkg:pypi/pygments@2.20.0", - "version": "2.20.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1801,46 +311,6 @@ "version": "0.4.2", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "pylint", - "purl": "pkg:pypi/pylint@3.1.0", - "version": "3.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pyproject-hooks", - "purl": "pkg:pypi/pyproject-hooks@1.2.0", - "version": "1.2.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pytest-cov", - "purl": "pkg:pypi/pytest-cov@4.1.0", - "version": "4.1.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "pytest", - "purl": "pkg:pypi/pytest@7.4.3", - "version": "7.4.3", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "python-discovery", - "purl": "pkg:pypi/python-discovery@1.4.2", - "version": "1.4.2", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1853,24 +323,8 @@ "ecosystem": "python", "licenses": [], "name": "pyyaml", - "purl": "pkg:pypi/pyyaml@6.0.3", - "version": "6.0.3", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "rapidfuzz", - "purl": "pkg:pypi/rapidfuzz@3.14.5", - "version": "3.14.5", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "requests-toolbelt", - "purl": "pkg:pypi/requests-toolbelt@1.0.0", - "version": "1.0.0", + "purl": "pkg:pypi/pyyaml@5.3", + "version": "5.3", "vulnerabilities": [] }, { 
@@ -1881,14 +335,6 @@ "version": "2.21.0", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "rich", - "purl": "pkg:pypi/rich@15.0.0", - "version": "15.0.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1904,14 +350,6 @@ "version": "3.4", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "secretstorage", - "purl": "pkg:pypi/secretstorage@3.5.0", - "version": "3.5.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1920,22 +358,6 @@ "version": "1.0.0", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "shellingham", - "purl": "pkg:pypi/shellingham@1.5.4", - "version": "1.5.4", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "smmap", - "purl": "pkg:pypi/smmap@5.0.3", - "version": "5.0.3", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], @@ -1944,38 +366,6 @@ "version": "1.4.46", "vulnerabilities": [] }, - { - "ecosystem": "python", - "licenses": [], - "name": "stevedore", - "purl": "pkg:pypi/stevedore@5.8.0", - "version": "5.8.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "tomlkit", - "purl": "pkg:pypi/tomlkit@0.15.0", - "version": "0.15.0", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "trove-classifiers", - "purl": "pkg:pypi/trove-classifiers@2026.6.1.19", - "version": "2026.6.1.19", - "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "typing-extensions", - "purl": "pkg:pypi/typing-extensions@4.15.0", - "version": "4.15.0", - "vulnerabilities": [] - }, { "ecosystem": "python", "licenses": [], 
@@ -1983,14 +373,6 @@ "purl": "pkg:pypi/urllib3@1.24.1", "version": "1.24.1", "vulnerabilities": [] - }, - { - "ecosystem": "python", - "licenses": [], - "name": "virtualenv", - "purl": "pkg:pypi/virtualenv@21.5.0", - "version": "21.5.0", - "vulnerabilities": [] } ], "project": { @@ -1998,7 +380,7 @@ "name": "\u003cnormalized\u003e", "package_manager": "pip", "path": "\u003cnormalized\u003e", - "target_ref": "v1.0.0", + "target_ref": "fe04c758134b95dab102e1fce10275f7d18c0cf2", "target_type": "git repository" }, "schema_version": "1.0" diff --git a/test/smoke/testdata/golden/scan-python-poetry.golden.json b/test/smoke/testdata/golden/scan-python-poetry.golden.json index 55deac75..0453a42e 100644 --- a/test/smoke/testdata/golden/scan-python-poetry.golden.json +++ b/test/smoke/testdata/golden/scan-python-poetry.golden.json 
@@ -3,121 +3,259 @@ "manifests": [ { "dependencies": [ + { + "depends_on": [], + "id": "pkg:pypi/certifi@2024.8.30", + "licenses": [], + "name": "certifi", + "package_ref": "pkg:pypi/certifi@2024.8.30", + "purl": "pkg:pypi/certifi@2024.8.30", + "scopes": [ + "runtime" + ], + "version": "2024.8.30" + }, + { + "depends_on": [], + "id": "pkg:pypi/chardet@3.0.4", + "licenses": [], + "name": "chardet", + "package_ref": "pkg:pypi/chardet@3.0.4", + "purl": "pkg:pypi/chardet@3.0.4", + "scopes": [ + "runtime" + ], + "version": "3.0.4" + }, + { + "depends_on": [], + "id": "pkg:pypi/colorama@0.4.6", + "licenses": [], + "name": "colorama", + "package_ref": "pkg:pypi/colorama@0.4.6", + "purl": "pkg:pypi/colorama@0.4.6", + "scopes": [ + "development" + ], + "version": "0.4.6" + }, { "depends_on": [ "pkg:pypi/pytz@2024.1" ], "id": "pkg:pypi/django@1.11.29", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } - ], "name": "django", "package_ref": "pkg:pypi/django@1.11.29", "purl": "pkg:pypi/django@1.11.29", + "scopes": [ + "runtime" + ], "version": "1.11.29" }, + { + "depends_on": [ + "pkg:pypi/django@1.11.29", + "pkg:pypi/feedparser@6.0.8", + "pkg:pypi/pyjwt@0.4.2", + "pkg:pypi/pytest@9.0.3", + "pkg:pypi/requests@2.21.0", + "pkg:pypi/rsa@3.4" + ], + "id": "pkg:pypi/example-python3-poetry@0.1.0", + "licenses": [], + "name": "example-python3-poetry", + "package_ref": "pkg:pypi/example-python3-poetry@0.1.0", + "purl": "pkg:pypi/example-python3-poetry@0.1.0", + "version": "0.1.0" + }, { "depends_on": [ "pkg:pypi/sgmllib3k@1.0.0" ], "id": "pkg:pypi/feedparser@6.0.8", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } - ], "name": "feedparser", "package_ref": "pkg:pypi/feedparser@6.0.8", "purl": "pkg:pypi/feedparser@6.0.8", + "scopes": [ + "runtime" + ], "version": "6.0.8" }, { "depends_on": [], - "id": "pkg:pypi/pyasn1@0.6.0", + "id": "pkg:pypi/idna@2.8", + "licenses": [], + 
"name": "idna", + "package_ref": "pkg:pypi/idna@2.8", + "purl": "pkg:pypi/idna@2.8", + "scopes": [ + "runtime" + ], + "version": "2.8" + }, + { + "depends_on": [], + "id": "pkg:pypi/iniconfig@2.3.0", + "licenses": [], + "name": "iniconfig", + "package_ref": "pkg:pypi/iniconfig@2.3.0", + "purl": "pkg:pypi/iniconfig@2.3.0", + "scopes": [ + "development" + ], + "version": "2.3.0" + }, + { + "depends_on": [], + "id": "pkg:pypi/packaging@26.2", + "licenses": [], + "name": "packaging", + "package_ref": "pkg:pypi/packaging@26.2", + "purl": "pkg:pypi/packaging@26.2", + "scopes": [ + "development" + ], + "version": "26.2" + }, + { + "depends_on": [], + "id": "pkg:pypi/pluggy@1.6.0", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } + "name": "pluggy", + "package_ref": "pkg:pypi/pluggy@1.6.0", + "purl": "pkg:pypi/pluggy@1.6.0", + "scopes": [ + "development" ], + "version": "1.6.0" + }, + { + "depends_on": [], + "id": "pkg:pypi/pyasn1@0.6.0", + "licenses": [], "name": "pyasn1", "package_ref": "pkg:pypi/pyasn1@0.6.0", "purl": "pkg:pypi/pyasn1@0.6.0", + "scopes": [ + "runtime" + ], "version": "0.6.0" }, { "depends_on": [], - "id": "pkg:pypi/pyjwt@0.4.2", + "id": "pkg:pypi/pygments@2.20.0", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } + "name": "pygments", + "package_ref": "pkg:pypi/pygments@2.20.0", + "purl": "pkg:pypi/pygments@2.20.0", + "scopes": [ + "development" ], + "version": "2.20.0" + }, + { + "depends_on": [], + "id": "pkg:pypi/pyjwt@0.4.2", + "licenses": [], "name": "pyjwt", "package_ref": "pkg:pypi/pyjwt@0.4.2", "purl": "pkg:pypi/pyjwt@0.4.2", + "scopes": [ + "runtime" + ], "version": "0.4.2" }, + { + "depends_on": [ + "pkg:pypi/colorama@0.4.6", + "pkg:pypi/iniconfig@2.3.0", + "pkg:pypi/packaging@26.2", + "pkg:pypi/pluggy@1.6.0", + "pkg:pypi/pygments@2.20.0" + ], + "id": "pkg:pypi/pytest@9.0.3", + "licenses": [], + "name": "pytest", + "package_ref": 
"pkg:pypi/pytest@9.0.3", + "purl": "pkg:pypi/pytest@9.0.3", + "scopes": [ + "development" + ], + "version": "9.0.3" + }, { "depends_on": [], "id": "pkg:pypi/pytz@2024.1", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } - ], "name": "pytz", "package_ref": "pkg:pypi/pytz@2024.1", "purl": "pkg:pypi/pytz@2024.1", + "scopes": [ + "runtime" + ], "version": "2024.1" }, + { + "depends_on": [ + "pkg:pypi/certifi@2024.8.30", + "pkg:pypi/chardet@3.0.4", + "pkg:pypi/idna@2.8", + "pkg:pypi/urllib3@1.24.3" + ], + "id": "pkg:pypi/requests@2.21.0", + "licenses": [], + "name": "requests", + "package_ref": "pkg:pypi/requests@2.21.0", + "purl": "pkg:pypi/requests@2.21.0", + "scopes": [ + "runtime" + ], + "version": "2.21.0" + }, { "depends_on": [ "pkg:pypi/pyasn1@0.6.0" ], "id": "pkg:pypi/rsa@3.4", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } - ], "name": "rsa", "package_ref": "pkg:pypi/rsa@3.4", "purl": "pkg:pypi/rsa@3.4", + "scopes": [ + "runtime" + ], "version": "3.4" }, { "depends_on": [], "id": "pkg:pypi/sgmllib3k@1.0.0", "licenses": [], - "locations": [ - { - "access_path": "/poetry.lock", - "real_path": "/poetry.lock" - } - ], "name": "sgmllib3k", "package_ref": "pkg:pypi/sgmllib3k@1.0.0", "purl": "pkg:pypi/sgmllib3k@1.0.0", + "scopes": [ + "runtime" + ], "version": "1.0.0" + }, + { + "depends_on": [], + "id": "pkg:pypi/urllib3@1.24.3", + "licenses": [], + "name": "urllib3", + "package_ref": "pkg:pypi/urllib3@1.24.3", + "purl": "pkg:pypi/urllib3@1.24.3", + "scopes": [ + "runtime" + ], + "version": "1.24.3" } ], - "detector": "syft-detector", + "detector": "poetry-detector", "ecosystem": "python", - "kind": "poetry", + "kind": "poetry.lock", "package_manager": "poetry", "path": "poetry.lock", "subproject": "." 
@@ -128,7 +266,31 @@ }, "packages": [ { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "certifi", + "purl": "pkg:pypi/certifi@2024.8.30", + "version": "2024.8.30", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "chardet", + "purl": "pkg:pypi/chardet@3.0.4", + "version": "3.0.4", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "colorama", + "purl": "pkg:pypi/colorama@0.4.6", + "version": "0.4.6", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "django", "purl": "pkg:pypi/django@1.11.29", @@ -136,7 +298,15 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "example-python3-poetry", + "purl": "pkg:pypi/example-python3-poetry@0.1.0", + "version": "0.1.0", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "feedparser", "purl": "pkg:pypi/feedparser@6.0.8", @@ -144,7 +314,39 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "idna", + "purl": "pkg:pypi/idna@2.8", + "version": "2.8", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "iniconfig", + "purl": "pkg:pypi/iniconfig@2.3.0", + "version": "2.3.0", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "packaging", + "purl": "pkg:pypi/packaging@26.2", + "version": "26.2", + "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "pluggy", + "purl": "pkg:pypi/pluggy@1.6.0", + "version": "1.6.0", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "pyasn1", "purl": "pkg:pypi/pyasn1@0.6.0", 
@@ -152,7 +354,15 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "pygments", + "purl": "pkg:pypi/pygments@2.20.0", + "version": "2.20.0", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "pyjwt", "purl": "pkg:pypi/pyjwt@0.4.2", @@ -160,7 +370,15 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "pytest", + "purl": "pkg:pypi/pytest@9.0.3", + "version": "9.0.3", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "pytz", "purl": "pkg:pypi/pytz@2024.1", @@ -168,7 +386,15 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", + "licenses": [], + "name": "requests", + "purl": "pkg:pypi/requests@2.21.0", + "version": "2.21.0", + "vulnerabilities": [] + }, + { + "ecosystem": "python", "licenses": [], "name": "rsa", "purl": "pkg:pypi/rsa@3.4", @@ -176,12 +402,20 @@ "vulnerabilities": [] }, { - "ecosystem": "pypi", + "ecosystem": "python", "licenses": [], "name": "sgmllib3k", "purl": "pkg:pypi/sgmllib3k@1.0.0", "version": "1.0.0", "vulnerabilities": [] + }, + { + "ecosystem": "python", + "licenses": [], + "name": "urllib3", + "purl": "pkg:pypi/urllib3@1.24.3", + "version": "1.24.3", + "vulnerabilities": [] } ], "project": {