From 3b87f956240d9905561d246560cf3ed42a45ea9c Mon Sep 17 00:00:00 2001
From: Tom Elliott
Date: Tue, 15 Aug 2023 15:06:58 +0100
Subject: [PATCH 1/8] Suppress new flag

---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 7ed6c39fe7..ff13bc7268 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running 
the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. 
However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. 
There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. 
It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. 
The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. 
Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088907":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-01-27T05:04:51.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1088907,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or 
later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. 
The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091173":{"findings":[{"version":"1.2.5","paths":["codeceptjs>mkdirp>minimist","accessibility-checker>chromedriver>mkdirp>minimist","accessibility-checker>chromedriver>extract-zip>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>tar>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>na
n>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-02-28T17:44:01.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1091173,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- 
https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- 
https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype 
Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege 
Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via 
the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1091860":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-05-01T20:20:44.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091860,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) 
via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1092096":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-05-23T13:29:07.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092096,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- 
https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible 
disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-ha
ppen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092365":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>
@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-07-03T18:38:26.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092365,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1092420":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-07-07T18:54:15.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092420,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- 
https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression 
Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092461":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-r
untime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092461,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a 
range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. 
The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. 
It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092826":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-02T23:08:48.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092826,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- 
https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package through 2.88.12 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular 
expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or 
later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in 
[marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":47,"critical":24},"dependencies":1008,"devDependencies":7,"optionalDependencies":0,"totalDependencies":1015}} +{"actions":[],"advisories":{"1085674":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-x5rq-j2xg-h7qm","cves":["CVE-2019-1010266"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:01:38.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1085674,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2019-1010266\n- https://github.com/lodash/lodash/issues/3359\n- https://snyk.io/vuln/SNYK-JS-LODASH-73639\n- https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347\n- https://github.com/lodash/lodash/wiki/Changelog\n- https://security.netapp.com/advisory/ntap-20190919-0004/\n- https://github.com/advisories/GHSA-x5rq-j2xg-h7qm","created":"2019-07-19T16:13:07.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. 
The fixed version is: 4.7.11.","url":"https://github.com/advisories/GHSA-x5rq-j2xg-h7qm"},"1087627":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.11","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-4xc9-xhrj-v574","cves":["CVE-2018-16487"],"access":"public","patched_versions":">=4.17.11","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:02:32.000Z","recommendation":"Upgrade to version 4.17.11 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1087627,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-16487\n- https://hackerone.com/reports/380873\n- https://github.com/advisories/GHSA-4xc9-xhrj-v574\n- https://www.npmjs.com/advisories/782\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2019-02-07T18:16:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.11 or later.","url":"https://github.com/advisories/GHSA-4xc9-xhrj-v574"},"1087663":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.5","module_name":"lodash","severity":"low","github_advisory_id":"GHSA-fvqr-27wr-82fm","cves":["CVE-2018-3721"],"access":"public","patched_versions":">=4.17.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-09T05:03:02.000Z","recommendation":"Upgrade to version 4.17.5 or later","cwe":["CWE-471"],"found_by":null,"deleted":null,"id":1087663,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2018-3721\n- https://hackerone.com/reports/310443\n- https://github.com/advisories/GHSA-fvqr-27wr-82fm\n- https://www.npmjs.com/advisories/577\n- https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a\n- https://security.netapp.com/advisory/ntap-20190919-0004/","created":"2018-07-26T15:14:52.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. 
\n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.5 or later.","url":"https://github.com/advisories/GHSA-fvqr-27wr-82fm"},"1088208":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"moderate","github_advisory_id":"GHSA-64g7-mvw6-v9qj","cves":[],"access":"public","patched_versions":">=0.8.5","cvss":{"score":0,"vectorString":null},"updated":"2023-01-11T05:03:39.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1088208,"references":"- https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n- https://github.com/advisories/GHSA-64g7-mvw6-v9qj","created":"2022-01-14T21:09:50.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. 
You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj"},"1088402":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"low","github_advisory_id":"GHSA-56x4-j7p9-fcf9","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:32.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":[],"found_by":null,"deleted":null,"id":1088402,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9\n- https://github.com/moment/moment-timezone/commit/ce955a301ff372e8e9fb3a5b516620c60e7a082a\n- https://github.com/advisories/GHSA-56x4-j7p9-fcf9","created":"2022-08-30T20:31:21.000Z","reported_by":null,"title":"Command Injection in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\nAll versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.\n\n* if Alice uses tzdata pipeline to package moment-timezone on her own (for example via `grunt data:2014d`, where `2014d` stands for the version of the tzdata to be used from IANA's website),\n* and Alice let's Mallory select the version (`2014d` in our example), then Mallory can execute arbitrary commands on the machine running 
the grunt task, with the same privilege as the grunt task\n\n#### Am I affected?\n\n##### Do you build custom versions of moment-timezone with grunt?\n\nIf no, you're not affected.\n\n##### Do you allow a third party to specify which particular version you want build?\n\nIf yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.\n\n### Description\n\n#### Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint\n\nThe `tasks/data-download.js` script takes in a parameter from grunt and uses it to form a command line which is then executed:\n\n```\n6 module.exports = function (grunt) {\n7 grunt.registerTask('data-download', '1. Download data from iana.org/time-zones.', function (version) {\n8 version = version || 'latest';\n\n10 var done = this.async(),\n11 src = 'ftp://ftp.iana.org/tz/tzdata-latest.tar.gz',\n12 curl = path.resolve('temp/curl', version, 'data.tar.gz'),\n13 dest = path.resolve('temp/download', version);\n...\n24 exec('curl ' + src + ' -o ' + curl + ' && cd ' + dest + ' && gzip -dc ' + curl + ' | tar -xf -', function (err) {\n```\n\nOrdinarily, one one run this script using something like `grunt data-download:2014d`, in which case version would have the value `2014d`. 
However, if an attacker were to provide additional content on the command line, they would be able to execute arbitrary code\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-download:2014d ; echo flag>/tmp/foo #'\n\\Running \"data-download:2014d ; echo flag>/tmp/foo #\" (data-download) task\n>> Downloading https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n>> Downloaded https://data.iana.org/time-zones/releases/tzdata2014d ; echo flag>/tmp/foo #.tar.gz\n\nDone.\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/foo\nflag\n```\n\n#### Command Injection via data-zdump.js\n\nThe `tasks/data-zdump.js` script reads a list of files present in a temporary directory (created by previous tasks), and for each one, assembles and executes a command line without sanitization. As a result, an attacker able to influence the contents of that directory could gain code execution. This attack is exacerbated by timezone data being downloaded via cleartext FTP (described above), but beyond that, an attacker at iana.org able to modify the timezone files could disrupt any systems that build moment-timezone.\n\n```\n15 files = grunt.file.expand({ filter : 'isFile', cwd : 'temp/zic/' + version }, '**/*');\n...\n27 function next () {\n...\n33 var file = files.pop(),\n34 src = path.join(zicBase, file),\n35 dest = path.join(zdumpBase, file);\n36 exec('zdump -v ' + src, { maxBuffer: 20*1024*1024 }, function (err, stdout) {\n```\n\nIn this case, an attacker able to add a file to `temp/zic/2014d` (for example) with a filename like `Z; curl www.example.com` would influence the called to exec on line 36 and run arbitrary code. 
There are a few minor challenges in exploiting this, since the string needs to be a valid filename.\n\n#### Command Injection via data-zic.js\n\nSimilar to the vulnerability in /tasks/data-download.js, the /tasks/data-zic.js script takes a version from the command line and uses it as part of a command line, executed without sanitization.\n\n```\n10 var done = this.async(),\n11 dest = path.resolve('temp/zic', version),\n...\n22 var file = files.shift(),\n23 src = path.resolve('temp/download', version, file);\n24\n25 exec('zic -d ' + dest + ' ' + src, function (err) {\n```\n\nAs a result, an attacker able to influence that string can run arbitrary commands. Of course, it requires an attacker able to influence the command passed to grunt, so may be unlikely in practice.\n\n```\nroot@e94ba0490b65:/usr/src/app/moment-timezone# grunt 'data-zic:2014d; echo hi > /tmp/evil; echo '\nRunning \"data-zic:2014d; echo hi > /tmp/evil; echo \" (data-zic) task\nexec: zid -d /usr/src/app/moment-timezone/temp/zic/2014d; echo hi > /tmp/evil; echo /usr/src/app/moment-timezone/temp/download/2014d; echo hi > /tmp/evil; echo /africa\n...\n\nroot@e94ba0490b65:/usr/src/app/moment-timezone# cat /tmp/evil\nhi\n```\n\n### Patches\n\nThe supplied patch on top of 0.5.34 is applicable with minor tweaks to all affected versions. 
It switches `exec` to `execFile` so arbitrary bash fragments won't be executed any more.\n\n### References\n\n* https://knowledge-base.secureflag.com/vulnerabilities/code_injection/os_command_injection_nodejs.html\n* https://auth0.com/blog/preventing-command-injection-attacks-in-node-js-apps/","url":"https://github.com/advisories/GHSA-56x4-j7p9-fcf9"},"1088403":{"findings":[{"version":"0.5.34","paths":["moment-timezone"]}],"metadata":null,"vulnerable_versions":">=0.1.0 <0.5.35","module_name":"moment-timezone","severity":"moderate","github_advisory_id":"GHSA-v78c-4p63-2j6c","cves":[],"access":"public","patched_versions":">=0.5.35","cvss":{"score":0,"vectorString":null},"updated":"2023-01-12T05:07:10.000Z","recommendation":"Upgrade to version 0.5.35 or later","cwe":["CWE-319"],"found_by":null,"deleted":null,"id":1088403,"references":"- https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c\n- https://github.com/moment/moment-timezone/commit/7915ac567ab19700e44ad6b5d8ef0b85e48a9e75\n- https://github.com/advisories/GHSA-v78c-4p63-2j6c","created":"2022-08-30T20:28:43.000Z","reported_by":null,"title":"Cleartext Transmission of Sensitive Information in moment-timezone","npm_advisory_id":null,"overview":"### Impact\n\n* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website\n* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)\n\n### Patches\nProblem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. 
The patch includes changing the FTP endpoint with an HTTPS endpoint.\n\n### Workarounds\nSpecify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.\n","url":"https://github.com/advisories/GHSA-v78c-4p63-2j6c"},"1088659":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. 
Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"},"1088907":{"findings":[{"version":"0.4.1","paths":["@hmcts/rpx-xui-node-lib>passport"]}],"metadata":null,"vulnerable_versions":"<0.6.0","module_name":"passport","severity":"moderate","github_advisory_id":"GHSA-v923-w3x8-wh69","cves":["CVE-2022-25896"],"access":"public","patched_versions":">=0.6.0","cvss":{"score":4.8,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L"},"updated":"2023-01-27T05:04:51.000Z","recommendation":"Upgrade to version 0.6.0 or later","cwe":["CWE-384"],"found_by":null,"deleted":null,"id":1088907,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25896\n- https://github.com/jaredhanson/passport/pull/900\n- https://github.com/jaredhanson/passport/commit/7e9b9cf4d7be02428e963fc729496a45baeea608\n- https://snyk.io/vuln/SNYK-JS-PASSPORT-2840631\n- https://github.com/advisories/GHSA-v923-w3x8-wh69","created":"2022-07-02T00:00:19.000Z","reported_by":null,"title":"Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out","npm_advisory_id":null,"overview":"This affects the package passport before 0.6.0. 
When a user logs in or logs out, the session is regenerated instead of being closed.","url":"https://github.com/advisories/GHSA-v923-w3x8-wh69"},"1088948":{"findings":[{"version":"9.6.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got"]}],"metadata":null,"vulnerable_versions":"<11.8.5","module_name":"got","severity":"moderate","github_advisory_id":"GHSA-pfrx-2q88-qq97","cves":["CVE-2022-33987"],"access":"public","patched_versions":">=11.8.5","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-01-27T05:05:01.000Z","recommendation":"Upgrade to version 11.8.5 or later","cwe":[],"found_by":null,"deleted":null,"id":1088948,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-33987\n- https://github.com/sindresorhus/got/pull/2047\n- https://github.com/sindresorhus/got/compare/v12.0.3...v12.1.0\n- https://github.com/sindresorhus/got/commit/861ccd9ac2237df762a9e2beed7edd88c60782dc\n- https://github.com/sindresorhus/got/releases/tag/v11.8.5\n- https://github.com/sindresorhus/got/releases/tag/v12.1.0\n- https://github.com/advisories/GHSA-pfrx-2q88-qq97","created":"2022-06-19T00:00:21.000Z","reported_by":null,"title":"Got allows a redirect to a UNIX socket","npm_advisory_id":null,"overview":"The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.","url":"https://github.com/advisories/GHSA-pfrx-2q88-qq97"},"1089152":{"findings":[{"version":"4.1.1","paths":["codeceptjs>mocha>yargs-unparser>flat","codeceptjs>mocha-junit-reporter>mocha>yargs-unparser>flat"]}],"metadata":null,"vulnerable_versions":"<5.0.1","module_name":"flat","severity":"critical","github_advisory_id":"GHSA-2j2x-2gpw-g8fm","cves":["CVE-2020-36632"],"access":"public","patched_versions":">=5.0.1","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-29T05:01:29.000Z","recommendation":"Upgrade to version 5.0.1 or 
later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1089152,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-36632\n- https://github.com/hughsk/flat/issues/105\n- https://github.com/hughsk/flat/pull/106\n- https://github.com/hughsk/flat/commit/20ef0ef55dfa028caddaedbcb33efbdb04d18e13\n- https://github.com/hughsk/flat/releases/tag/5.0.1\n- https://vuldb.com/?ctiid.216777\n- https://vuldb.com/?id.216777\n- https://github.com/advisories/GHSA-2j2x-2gpw-g8fm","created":"2022-12-25T21:30:22.000Z","reported_by":null,"title":"flat vulnerable to Prototype Pollution","npm_advisory_id":null,"overview":"flat helps flatten/unflatten nested Javascript objects. A vulnerability, which was classified as critical, was found in hughsk flat up to 5.0.0. This affects the function unflatten of the file index.js. The manipulation leads to improperly controlled modification of object prototype attributes ('prototype pollution'). It is possible to initiate the attack remotely. Upgrading to version 5.0.1 can address this issue. The name of the patch is 20ef0ef55dfa028caddaedbcb33efbdb04d18e13. It is recommended to upgrade the affected component. 
The identifier VDB-216777 was assigned to this vulnerability.","url":"https://github.com/advisories/GHSA-2j2x-2gpw-g8fm"},"1089270":{"findings":[{"version":"2.7.4","paths":["ejs"]}],"metadata":null,"vulnerable_versions":"<3.1.7","module_name":"ejs","severity":"critical","github_advisory_id":"GHSA-phwq-j96m-2c2q","cves":["CVE-2022-29078"],"access":"public","patched_versions":">=3.1.7","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-01-30T05:02:57.000Z","recommendation":"Upgrade to version 3.1.7 or later","cwe":["CWE-74"],"found_by":null,"deleted":null,"id":1089270,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-29078\n- https://eslam.io/posts/ejs-server-side-template-injection-rce/\n- https://github.com/mde/ejs/commit/15ee698583c98dadc456639d6245580d17a24baf\n- https://github.com/mde/ejs/releases\n- https://security.netapp.com/advisory/ntap-20220804-0001/\n- https://github.com/advisories/GHSA-phwq-j96m-2c2q","created":"2022-04-26T00:00:40.000Z","reported_by":null,"title":"ejs template injection vulnerability","npm_advisory_id":null,"overview":"The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. 
This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).","url":"https://github.com/advisories/GHSA-phwq-j96m-2c2q"},"1089698":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-g973-978j-2c3p","cves":["CVE-2021-32014"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:05:54.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-345","CWE-400"],"found_by":null,"deleted":null,"id":1089698,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32014\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-g973-978j-2c3p","created":"2021-07-22T19:47:15.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (CPU consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js.","url":"https://github.com/advisories/GHSA-g973-978j-2c3p"},"1089699":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-3x9f-74h4-2fqr","cves":["CVE-2021-32012"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:10.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089699,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32012\n- 
https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-3x9f-74h4-2fqr","created":"2021-07-22T19:48:17.000Z","reported_by":null,"title":"Denial of Service in SheetJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 1 of 2).","url":"https://github.com/advisories/GHSA-3x9f-74h4-2fqr"},"1089700":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.17.0","module_name":"xlsx","severity":"moderate","github_advisory_id":"GHSA-8vcr-vxm8-293m","cves":["CVE-2021-32013"],"access":"public","patched_versions":">=0.17.0","cvss":{"score":5.5,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},"updated":"2023-02-01T05:06:00.000Z","recommendation":"Upgrade to version 0.17.0 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1089700,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-32013\n- https://floqast.com/engineering-blog/post/fuzzing-and-parsing-securely/\n- https://sheetjs.com/pro\n- https://www.npmjs.com/package/xlsx/v/0.17.0\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-8vcr-vxm8-293m","created":"2021-07-22T19:48:13.000Z","reported_by":null,"title":"Denial of Service in SheetsJS Pro","npm_advisory_id":null,"overview":"SheetJS Pro through 0.16.9 allows attackers to cause a denial of service (memory consumption) via a crafted .xlsx document that is mishandled when read by xlsx.js (issue 2 of 
2).","url":"https://github.com/advisories/GHSA-8vcr-vxm8-293m"},"1091173":{"findings":[{"version":"1.2.5","paths":["codeceptjs>mkdirp>minimist","accessibility-checker>chromedriver>mkdirp>minimist","accessibility-checker>chromedriver>extract-zip>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>tar>mkdirp>minimist","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>na
n>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>cacache>move-concurrently>copy-concurrently>mkdirp>minimist"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <1.2.6","module_name":"minimist","severity":"critical","github_advisory_id":"GHSA-xvch-5gv4-984h","cves":["CVE-2021-44906"],"access":"public","patched_versions":">=1.2.6","cvss":{"score":9.8,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-02-28T17:44:01.000Z","recommendation":"Upgrade to version 1.2.6 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1091173,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-44906\n- https://github.com/substack/minimist/issues/164\n- https://github.com/substack/minimist/blob/master/index.js#L69\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- https://stackoverflow.com/questions/8588563/adding-custom-properties-to-a-function/20278068#20278068\n- https://github.com/Marynk/JavaScript-vulnerability-detection/blob/main/minimist%20PoC.zip\n- https://github.com/minimistjs/minimist/issues/11\n- https://github.com/minimistjs/minimist/pull/24\n- https://github.com/minimistjs/minimist/commit/34e20b8461118608703d6485326abbb8e35e1703\n- 
https://github.com/minimistjs/minimist/commit/bc8ecee43875261f4f17eb20b1243d3ed15e70eb\n- https://github.com/minimistjs/minimist/commit/c2b981977fa834b223b408cfb860f933c9811e4d\n- https://github.com/minimistjs/minimist/commit/ef9153fc52b6cea0744b2239921c5dcae4697f11\n- https://github.com/minimistjs/minimist/commits/v0.2.4\n- https://github.com/advisories/GHSA-xvch-5gv4-984h","created":"2022-03-18T00:01:09.000Z","reported_by":null,"title":"Prototype Pollution in minimist","npm_advisory_id":null,"overview":"Minimist prior to 1.2.6 and 0.2.4 is vulnerable to Prototype Pollution via file `index.js`, function `setKey()` (lines 69-95).","url":"https://github.com/advisories/GHSA-xvch-5gv4-984h"},"1091181":{"findings":[{"version":"3.1.0","paths":["codeceptjs>mocha>chokidar>glob-parent","codeceptjs>mocha-junit-reporter>mocha>chokidar>glob-parent"]}],"metadata":null,"vulnerable_versions":"<5.1.2","module_name":"glob-parent","severity":"high","github_advisory_id":"GHSA-ww39-953v-wcq6","cves":["CVE-2020-28469"],"access":"public","patched_versions":">=5.1.2","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T22:39:43.000Z","recommendation":"Upgrade to version 5.1.2 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091181,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/gulpjs/glob-parent/pull/36/commits/c6db86422a9731d4f3d332ce4a81c27ea6b0ee46\n- 
https://github.com/advisories/GHSA-ww39-953v-wcq6","created":"2021-06-07T21:56:34.000Z","reported_by":null,"title":"glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex","npm_advisory_id":null,"overview":"This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.","url":"https://github.com/advisories/GHSA-ww39-953v-wcq6"},"1091307":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.20","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-p6mc-m468-83gw","cves":["CVE-2020-8203"],"access":"public","patched_versions":">=4.17.20","cvss":{"score":7.4,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-03-08T05:05:35.000Z","recommendation":"Upgrade to version 4.17.20 or later","cwe":["CWE-770","CWE-1321"],"found_by":null,"deleted":null,"id":1091307,"references":"- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpuapr2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw","created":"2020-07-15T19:15:48.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of lodash prior to 4.17.19 are vulnerable to Prototype 
Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.","url":"https://github.com/advisories/GHSA-p6mc-m468-83gw"},"1091453":{"findings":[{"version":"0.8.4","paths":["git-rev-sync>shelljs"]}],"metadata":null,"vulnerable_versions":"<0.8.5","module_name":"shelljs","severity":"high","github_advisory_id":"GHSA-4rq4-32rv-6wp6","cves":["CVE-2022-0144"],"access":"public","patched_versions":">=0.8.5","cvss":{"score":7.1,"vectorString":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H"},"updated":"2023-03-21T20:10:17.000Z","recommendation":"Upgrade to version 0.8.5 or later","cwe":["CWE-269"],"found_by":null,"deleted":null,"id":1091453,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-0144\n- https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c\n- https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c\n- https://github.com/advisories/GHSA-4rq4-32rv-6wp6","created":"2022-01-21T23:37:28.000Z","reported_by":null,"title":"Improper Privilege Management in shelljs","npm_advisory_id":null,"overview":"shelljs is vulnerable to Improper Privilege 
Management","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6"},"1091832":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"high","github_advisory_id":"GHSA-35jh-r3h4-6jhm","cves":["CVE-2021-23337"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":7.2,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},"updated":"2023-04-26T17:56:06.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-77","CWE-94"],"found_by":null,"deleted":null,"id":1091832,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm","created":"2021-05-06T16:05:51.000Z","reported_by":null,"title":"Command Injection in lodash","npm_advisory_id":null,"overview":"`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via 
the template function.","url":"https://github.com/advisories/GHSA-35jh-r3h4-6jhm"},"1091860":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.21","module_name":"lodash","severity":"moderate","github_advisory_id":"GHSA-29mw-wpgm-hmr9","cves":["CVE-2020-28500"],"access":"public","patched_versions":">=4.17.21","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-05-01T20:20:44.000Z","recommendation":"Upgrade to version 4.17.21 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091860,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://www.oracle.com/security-alerts/cpujul2022.html\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9","created":"2022-01-06T20:30:46.000Z","reported_by":null,"title":"Regular Expression Denial of Service (ReDoS) in lodash","npm_advisory_id":null,"overview":"All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) 
via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)","url":"https://github.com/advisories/GHSA-29mw-wpgm-hmr9"},"1092096":{"findings":[{"version":"0.15.6","paths":["xlsx"]}],"metadata":null,"vulnerable_versions":"<0.19.3","module_name":"xlsx","severity":"high","github_advisory_id":"GHSA-4r6h-8v6p-xvw6","cves":["CVE-2023-30533"],"access":"public","patched_versions":">=0.19.3","cvss":{"score":7.8,"vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},"updated":"2023-05-23T13:29:07.000Z","recommendation":"Upgrade to version 0.19.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092096,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-30533\n- https://cdn.sheetjs.com/advisories/CVE-2023-30533\n- https://git.sheetjs.com/sheetjs/sheetjs/src/branch/master/CHANGELOG.md\n- https://git.sheetjs.com/sheetjs/sheetjs/issues/2667\n- https://github.com/advisories/GHSA-4r6h-8v6p-xvw6","created":"2023-04-24T09:30:19.000Z","reported_by":null,"title":"Prototype Pollution in sheetJS","npm_advisory_id":null,"overview":"All versions of SheetJS CE through 0.19.2 are vulnerable to \"Prototype Pollution\" when reading specially crafted files. 
Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected.\n\nA non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package `xlsx` are no longer maintained.","url":"https://github.com/advisories/GHSA-4r6h-8v6p-xvw6"},"1092174":{"findings":[{"version":"4.0.5","paths":["@hmcts/media-viewer>socket.io-client>socket.io-parser"]}],"metadata":null,"vulnerable_versions":">=4.0.4 <4.2.3","module_name":"socket.io-parser","severity":"high","github_advisory_id":"GHSA-cqmj-92xf-r6r9","cves":["CVE-2023-32695"],"access":"public","patched_versions":">=4.2.3","cvss":{"score":7.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"},"updated":"2023-06-05T21:07:58.000Z","recommendation":"Upgrade to version 4.2.3 or later","cwe":["CWE-20","CWE-754"],"found_by":null,"deleted":null,"id":1092174,"references":"- https://github.com/socketio/socket.io-parser/security/advisories/GHSA-cqmj-92xf-r6r9\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced\n- https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3\n- https://github.com/socketio/socket.io-parser/commit/1c220ddbf45ea4b44bc8dbf6f9ae245f672ba1b9\n- https://nvd.nist.gov/vuln/detail/CVE-2023-32695\n- https://github.com/socketio/socket.io-parser/releases/tag/4.2.3\n- https://github.com/advisories/GHSA-cqmj-92xf-r6r9","created":"2023-05-23T19:55:13.000Z","reported_by":null,"title":"Insufficient validation when decoding a Socket.IO packet","npm_advisory_id":null,"overview":"### Impact\n\nA specially crafted Socket.IO packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process.\n\n```\nTypeError: Cannot convert object to primitive value\n at Socket.emit (node:events:507:25)\n at .../node_modules/socket.io/lib/socket.js:531:14\n```\n\n### Patches\n\nA fix has been released today (2023/05/22):\n\n- 
https://github.com/socketio/socket.io-parser/commit/3b78117bf6ba7e99d7a5cfc1ba54d0477554a7f3, included in `socket.io-parser@4.2.3`\n- https://github.com/socketio/socket.io-parser/commit/2dc3c92622dad113b8676be06f23b1ed46b02ced, included in `socket.io-parser@3.4.3`\n\n| `socket.io` version | `socket.io-parser` version | Needs minor update? |\n|---------------------|---------------------------------------------------------------------------------------------------------|--------------------------------------|\n| `4.5.2...latest` | `~4.2.0` ([ref](https://github.com/socketio/socket.io/commit/9890b036cf942f6b6ad2afeb6a8361c32cd5d528)) | `npm audit fix` should be sufficient |\n| `4.1.3...4.5.1` | `~4.1.1` ([ref](https://github.com/socketio/socket.io/commit/7c44893d7878cd5bba1eff43150c3e664f88fb57)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.5...4.1.2` | `~4.0.3` ([ref](https://github.com/socketio/socket.io/commit/752dfe3b1e5fecda53dae899b4a39e6fed5a1a17)) | Please upgrade to `socket.io@4.6.x` |\n| `3.0.0...3.0.4` | `~4.0.1` ([ref](https://github.com/socketio/socket.io/commit/1af3267e3f5f7884214cf2ca4d5282d620092fb0)) | Please upgrade to `socket.io@4.6.x` |\n| `2.3.0...2.5.0` | `~3.4.0` ([ref](https://github.com/socketio/socket.io/commit/cf39362014f5ff13a17168b74772c43920d6e4fd)) | `npm audit fix` should be sufficient |\n\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)\n\nThanks to [@rafax00](https://github.com/rafax00) for the responsible 
disclosure.\n","url":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9"},"1092301":{"findings":[{"version":"0.4.23","paths":["protractor-screenshot-utils>protractor>selenium-webdriver>xml2js","protractor-screenshot-utils>protractor>webdriver-js-extender>selenium-webdriver>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"},"1092316":{"findings":[{"version":"4.1.0","paths":["@hmcts/rpx-xui-node-lib>openid-client>got>cacheable-request>http-cache-semantics","codeceptjs>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","codeceptjs>mocha-junit-reporter>mocha>chokidar>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-ha
ppen>http-cache-semantics","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>make-fetch-happen>http-cache-semantics"]}],"metadata":null,"vulnerable_versions":"<4.1.1","module_name":"http-cache-semantics","severity":"high","github_advisory_id":"GHSA-rc47-6667-2j5j","cves":["CVE-2022-25881"],"access":"public","patched_versions":">=4.1.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-06-22T17:26:15.000Z","recommendation":"Upgrade to version 4.1.1 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092316,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25881\n- https://github.com/kornelski/http-cache-semantics/blob/master/index.js%23L83\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3253332\n- https://security.snyk.io/vuln/SNYK-JS-HTTPCACHESEMANTICS-3248783\n- https://github.com/kornelski/http-cache-semantics/commit/560b2d8ef452bbba20ffed69dc155d63ac757b74\n- https://security.netapp.com/advisory/ntap-20230622-0008/\n- https://github.com/advisories/GHSA-rc47-6667-2j5j","created":"2023-01-31T06:30:26.000Z","reported_by":null,"title":"http-cache-semantics vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"http-cache semantics contains an Inefficient Regular Expression Complexity , leading to Denial of Service. This affects versions of the package http-cache-semantics before 4.1.1. 
The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.","url":"https://github.com/advisories/GHSA-rc47-6667-2j5j"},"1092365":{"findings":[{"version":"0.2.0","paths":["http-proxy-middleware>micromatch>snapdragon>source-map-resolve>decode-uri-component","http-proxy-middleware>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-ts-auto-mock>ts-auto-mock>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","codeceptjs>mocha>chokidar>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>
@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/environment>@jest/fake-timers>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>expect>jest-message-util>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>braces>snapdragon>source-map-resolve>decode-uri-component","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>anymatch>micromatch>extglob>expand-brackets>snapdragon>source-map-resolve>decode-uri-component"]}],"metadata":null,"vulnerable_versions":"<0.2.1","module_name":"decode-uri-component","severity":"high","github_advisory_id":"GHSA-w573-4hg7-7wgq","cves":["CVE-2022-38900"],"access":"public","patched_versions":">=0.2.1","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-07-03T18:38:26.000Z","recommendation":"Upgrade to version 0.2.1 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092365,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-38900\n- https://github.com/SamVerschueren/decode-uri-component/issues/5\n- https://github.com/sindresorhus/query-string/issues/345\n- https://github.com/SamVerschueren/decode-uri-component/commit/746ca5dcb6667c5d364e782d53c542830e4c10b9\n- https://github.com/SamVerschueren/decode-uri-component/releases/tag/v0.2.1\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERN6YE3DS7NBW7UH44SCJBMNC2NWQ7SM/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KAC5KQ2SEWAMQ6UZAUBZ5KXKEOESH375/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VNV2GNZXOTEDAJRFH3ZYWRUBGIVL7BSU/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QABOUA2I542UTANVZIVFKWMRYVHLV32D/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UW4SCMT3SEUFVIL7YIADQ5K36GJEO6I5/\n- https://github.com/advisories/GHSA-w573-4hg7-7wgq","created":"2022-11-28T15:30:24.000Z","reported_by":null,"title":"decode-uri-component vulnerable to Denial of Service (DoS)","npm_advisory_id":null,"overview":"decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.","url":"https://github.com/advisories/GHSA-w573-4hg7-7wgq"},"1092420":{"findings":[{"version":"3.10.1","paths":["lodash","@edium/fsm>lodash","codeceptjs>inquirer>lodash","codeceptjs>chai-deep-match>lodash-pickdeep>lodash"]}],"metadata":null,"vulnerable_versions":"<4.17.12","module_name":"lodash","severity":"critical","github_advisory_id":"GHSA-jf85-cpcp-j695","cves":["CVE-2019-10744"],"access":"public","patched_versions":">=4.17.12","cvss":{"score":9.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"},"updated":"2023-07-07T18:54:15.000Z","recommendation":"Upgrade to version 4.17.12 or later","cwe":["CWE-20"],"found_by":null,"deleted":null,"id":1092420,"references":"- https://github.com/lodash/lodash/pull/4336\n- https://nvd.nist.gov/vuln/detail/CVE-2019-10744\n- https://snyk.io/vuln/SNYK-JS-LODASH-450202\n- https://www.npmjs.com/advisories/1065\n- https://access.redhat.com/errata/RHSA-2019:3024\n- https://security.netapp.com/advisory/ntap-20191004-0005/\n- 
https://support.f5.com/csp/article/K47105354?utm_source=f5support&utm_medium=RSS\n- https://www.oracle.com/security-alerts/cpujan2021.html\n- https://www.oracle.com/security-alerts/cpuoct2020.html\n- https://github.com/advisories/GHSA-jf85-cpcp-j695","created":"2019-07-10T19:45:23.000Z","reported_by":null,"title":"Prototype Pollution in lodash","npm_advisory_id":null,"overview":"Versions of `lodash` before 4.17.12 are vulnerable to Prototype Pollution. The function `defaultsDeep` allows a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.\n\n\n\n\n## Recommendation\n\nUpdate to version 4.17.12 or later.","url":"https://github.com/advisories/GHSA-jf85-cpcp-j695"},"1092430":{"findings":[{"version":"10.11.0","paths":["mochawesome-report-generator>validator","mochawesome>mochawesome-report-generator>validator"]}],"metadata":null,"vulnerable_versions":"<13.7.0","module_name":"validator","severity":"moderate","github_advisory_id":"GHSA-qgmg-gppg-76g5","cves":["CVE-2021-3765"],"access":"public","patched_versions":">=13.7.0","cvss":{"score":5.3,"vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-07T21:50:05.000Z","recommendation":"Upgrade to version 13.7.0 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092430,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2021-3765\n- https://github.com/validatorjs/validator.js/commit/496fc8b2a7f5997acaaec33cc44d0b8dba5fb5e1\n- https://huntr.dev/bounties/c37e975c-21a3-4c5f-9b57-04d63b28cfc9\n- https://github.com/advisories/GHSA-qgmg-gppg-76g5","created":"2021-11-03T17:34:45.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in validator.js","npm_advisory_id":null,"overview":"validator.js prior to 13.7.0 is vulnerable to Inefficient Regular Expression 
Complexity","url":"https://github.com/advisories/GHSA-qgmg-gppg-76g5"},"1092461":{"findings":[{"version":"7.3.8","paths":["codeceptjs>semver","@hmcts/nodejs-healthcheck>superagent>semver","applicationinsights>continuation-local-storage>async-listener>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-resolve-dependencies>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-runtime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>semver","@hmcts/rpx-xui-node-lib>jest-mock-axios>jest>jest-cli>@jest/core>jest-config>jest-runner>jest-r
untime>@jest/globals>@jest/expect>jest-snapshot>@jest/transform>jest-haste-map>fsevents>nan>node-gyp>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092461,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a 
range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"},"1092470":{"findings":[{"version":"2.5.0","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. 
This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"},"1092636":{"findings":[{"version":"1.28.1","paths":["@hmcts/rpx-xui-node-lib>openid-client>jose"]}],"metadata":null,"vulnerable_versions":">=1.0.0 <=1.28.1","module_name":"jose","severity":"moderate","github_advisory_id":"GHSA-jv3g-j58f-9mq9","cves":["CVE-2022-36083"],"access":"public","patched_versions":">=1.28.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-21T21:33:36.000Z","recommendation":"Upgrade to version 1.28.2 or later","cwe":["CWE-400","CWE-834"],"found_by":null,"deleted":null,"id":1092636,"references":"- https://github.com/panva/jose/security/advisories/GHSA-jv3g-j58f-9mq9\n- https://nvd.nist.gov/vuln/detail/CVE-2022-36083\n- https://github.com/panva/jose/commit/03d6d013bf6e070e85adfe5731f526978e3e8e4d\n- https://github.com/panva/jose/releases/tag/v4.9.2\n- https://github.com/advisories/GHSA-jv3g-j58f-9mq9","created":"2022-09-16T17:44:42.000Z","reported_by":null,"title":"JOSE vulnerable to resource exhaustion via specifically crafted JWE","npm_advisory_id":null,"overview":"The PBKDF2-based JWE key management algorithms expect a JOSE Header Parameter named `p2c` ([PBES2 Count](https://www.rfc-editor.org/rfc/rfc7518.html#section-4.8.1.2)), which determines how many PBKDF2 iterations must be executed in order to derive a CEK wrapping key. 
The purpose of this parameter is to intentionally slow down the key derivation function in order to make password brute-force and dictionary attacks more expensive.\n\nThis makes the PBES2 algorithms unsuitable for situations where the JWE is coming from an untrusted source: an adversary can intentionally pick an extremely high PBES2 Count value, that will initiate a CPU-bound computation that may take an unreasonable amount of time to finish.\n\n### Impact\n\nUnder certain conditions (see below) it is possible to have the user's environment consume unreasonable amount of CPU time.\n\n### Affected users\n\nThe impact is limited only to users utilizing the JWE decryption APIs with symmetric secrets to decrypt JWEs from untrusted parties who do not limit the accepted JWE Key Management Algorithms (`alg` Header Parameter) using the `keyManagementAlgorithms` (or `algorithms` in v1.x) decryption option or through other means.\n\nThe PBKDF2-based JWE Key Management Algorithm Identifiers are\n\n- `PBES2-HS256+A128KW`\n- `PBES2-HS384+A192KW`\n- `PBES2-HS512+A256KW`\n\ne.g.\n\n```js\nconst secret = new Uint8Array(16)\nconst jwe = '...' // JWE from an untrusted party\n\nawait jose.compactDecrypt(jwe, secret)\n```\n\nYou are NOT affected if any of the following applies to you\n\n- Your code does not use the JWE APIs\n- Your code only produces JWE tokens\n- Your code only decrypts JWEs using an asymmetric JWE Key Management Algorithm (this means you're providing an asymmetric key object to the JWE decryption API)\n- Your code only accepts JWEs produced by trusted sources\n- Your code limits the accepted JWE Key Management Algorithms using the `keyManagementAlgorithms` decryption option not including any of the PBKDF2-based JWE key management algorithms\n\n### Patches\n\n`v1.28.2`, `v2.0.6`, `v3.20.4`, and `v4.9.2` releases limit the maximum PBKDF2 iteration count to `10000` by default. 
It is possible to adjust this limit with a newly introduced `maxPBES2Count` decryption option.\n\n### Workarounds\n\nAll users should be able to upgrade given all stable semver major release lines have had new a patch release introduced which limits the PBKDF2 iteration count to `10000` by default. This removes the ability to craft JWEs that would consume unreasonable amount of CPU time.\n\nIf users are unable to upgrade their required library version they have two options depending on whether they expect to receive JWEs using any of the three PBKDF2-based JWE key management algorithms.\n\n- they can use the `keyManagementAlgorithms` decryption option to disable accepting PBKDF2 altogether\n- they can inspect the JOSE Header prior to using the decryption API and limit the PBKDF2 iteration count (`p2c` Header Parameter)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an discussion in the project's [repository](https://github.com/panva/jose/discussions/new?category=q-a&title=GHSA-jv3g-j58f-9mq9%20advisory%20question)\n* Email me at [panva.ip@gmail.com](mailto:panva.ip@gmail.com)\n","url":"https://github.com/advisories/GHSA-jv3g-j58f-9mq9"},"1092964":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-5v2h-r2cx-5xgj","cves":["CVE-2022-21681"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:04:30.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092964,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-5v2h-r2cx-5xgj\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21681\n- https://github.com/markedjs/marked/commit/8f806573a3f6c6b7a39b8cdb66ab5ebb8d55a5f5\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-5v2h-r2cx-5xgj","created":"2022-01-14T21:04:46.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `inline.reflinkSearch` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from 'marked';\n\nconsole.log(marked.parse(`[x]: x\n\n\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](\\\\[\\\\](`));\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a [worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in 
[marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-5v2h-r2cx-5xgj"},"1092969":{"findings":[{"version":"0.7.0","paths":["ngx-md>marked"]}],"metadata":null,"vulnerable_versions":"<4.0.10","module_name":"marked","severity":"high","github_advisory_id":"GHSA-rrrm-qjm4-v8hf","cves":["CVE-2022-21680"],"access":"public","patched_versions":">=4.0.10","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-08-14T05:03:59.000Z","recommendation":"Upgrade to version 4.0.10 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1092969,"references":"- https://github.com/markedjs/marked/security/advisories/GHSA-rrrm-qjm4-v8hf\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21680\n- https://github.com/markedjs/marked/commit/c4a3ccd344b6929afa8a1d50ac54a721e57012c0\n- https://github.com/markedjs/marked/releases/tag/v4.0.10\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AIXDMC3CSHYW3YWVSQOXAWLUYQHAO5UX/\n- https://github.com/advisories/GHSA-rrrm-qjm4-v8hf","created":"2022-01-14T21:04:41.000Z","reported_by":null,"title":"Inefficient Regular Expression Complexity in marked","npm_advisory_id":null,"overview":"### Impact\n\n_What kind of vulnerability is it?_\n\nDenial of service.\n\nThe regular expression `block.def` may cause catastrophic backtracking against some strings.\nPoC is the following.\n\n```javascript\nimport * as marked from \"marked\";\n\nmarked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);\n```\n\n_Who is impacted?_\n\nAnyone who runs untrusted markdown through marked and does not use a worker with a time limit.\n\n### Patches\n\n_Has the problem been patched?_\n\nYes\n\n_What versions should users upgrade to?_\n\n4.0.10\n\n### Workarounds\n\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nDo not run untrusted markdown through marked or run marked on a 
[worker](https://marked.js.org/using_advanced#workers) thread and set a reasonable time limit to prevent draining resources.\n\n### References\n\n_Are there any links users can visit to find out more?_\n\n- https://marked.js.org/using_advanced#workers\n- https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n* Open an issue in [marked](https://github.com/markedjs/marked)\n","url":"https://github.com/advisories/GHSA-rrrm-qjm4-v8hf"},"1092972":{"findings":[{"version":"2.88.2","paths":["protractor-screenshot-utils>protractor>webdriver-manager>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The 
`request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":5,"moderate":38,"high":47,"critical":24},"dependencies":1008,"devDependencies":7,"optionalDependencies":0,"totalDependencies":1015}} From 137e7c6d6ff576e4cf489052595cc7057e7bb2a2 Mon Sep 17 00:00:00 2001 From: codaimaster <55559010+codaimaster@users.noreply.github.com> Date: Tue, 15 Aug 2023 16:05:00 +0100 Subject: [PATCH 2/8] Retry mechanism introduced for delayed case retrievals --- package.json | 2 +- src/app/services/ccd-config/ccd-case.config.ts | 8 ++++++++ src/app/services/logger/logger.service.ts | 1 + src/assets/config/config.json | 6 +++++- src/cases/cases.module.ts | 4 +++- .../case-create-submit.component.spec.ts | 8 +++++--- yarn.lock | 10 +++++----- 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index 63a340f492..fdcde8cec4 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,7 @@ "@angular/platform-browser-dynamic": "^11.2.14", "@angular/router": "^11.2.14", "@edium/fsm": "^2.1.2", - "@hmcts/ccd-case-ui-toolkit": "6.18.3-ConsoleLogs.1", + "@hmcts/ccd-case-ui-toolkit": "6.19.0-RetryCaseRetrievals.5", "@hmcts/ccpay-web-component": "5.2.8", "@hmcts/frontend": "0.0.39-alpha", "@hmcts/media-viewer": "2.9.3", diff --git a/src/app/services/ccd-config/ccd-case.config.ts b/src/app/services/ccd-config/ccd-case.config.ts index a6351f4a23..3590662fb5 100644 --- a/src/app/services/ccd-config/ccd-case.config.ts +++ b/src/app/services/ccd-config/ccd-case.config.ts 
@@ -131,6 +131,14 @@ export class AppConfig extends AbstractAppConfig {
 return this.config.activity_retry;
 }
+ public getTimeoutsForCaseRetrieval() {
+ return this.config.timeouts_case_retrieval;
+ }
+
+ public getTimeoutsCaseRetrievalArtificialDelay() {
+ return this.config.timeouts_case_retrieval_artificial_delay;
+ }
+
 public getActivityBatchCollectionDelayMs() {
 return this.config.activity_batch_collection_delay_ms;
 }
diff --git a/src/app/services/logger/logger.service.ts b/src/app/services/logger/logger.service.ts
index dcaae5dc63..ccb1a85085 100644
--- a/src/app/services/logger/logger.service.ts
+++ b/src/app/services/logger/logger.service.ts
@@ -40,6 +40,7 @@ export class LoggerService implements ILoggerService {
 private setupSwitcherForConsoleLogs() {
 this.environmentService.config$.subscribe((config) => {
+ console.info(`Environment is ${this.environmentService.isProd() ? 'prod' : 'non-prod'}.`);
 LoggerService.switchConsoleLogs({ switchOffAll: false });
 });
 }
diff --git a/src/assets/config/config.json b/src/assets/config/config.json
index 703bf64867..a1eadc0aaa 100644
--- a/src/assets/config/config.json
+++ b/src/assets/config/config.json
@@ -20,6 +20,10 @@
 "activity_batch_collection_delay_ms": 1,
 "activity_next_poll_request_ms": 30000,
 "activity_retry": 30,
+ "timeouts_case_retrieval": [
+ 18
+ ],
+ "timeouts_case_retrieval_artificial_delay": 0,
 "activity_url": "/activity",
 "activity_max_request_per_batch": 25,
 "print_service_url": "/print",
@@ -49,4 +53,4 @@
 "oauthCallbackUrl": "oauth2/callback"
 }
 }
-}
+}
\ No newline at end of file
diff --git a/src/cases/cases.module.ts b/src/cases/cases.module.ts
index 6589d3b35d..1ecc05ccb1 100644
--- a/src/cases/cases.module.ts
+++ b/src/cases/cases.module.ts
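Review bot: The two new getters return `this.config.timeouts_case_retrieval` and `this.config.timeouts_case_retrieval_artificial_delay` untyped and without a fallback, so a deployment whose config.json lacks those keys hands `undefined` to whatever consumes them (presumably the toolkit's `RetryUtil`), and no "safe-guard" of the kind patch 4's title mentions is visible in this file. Annotate them against the shapes config.json supplies and document the array's positional meaning, e.g. `/** Per-attempt case-retrieval timeouts; element semantics and units follow the toolkit contract — TODO confirm */` above `public getTimeoutsForCaseRetrieval(): number[] { return this.config.timeouts_case_retrieval ?? []; }`, provided an empty array means "no retry" to the consumer (to confirm). The enclosing `AppConfig` class starts and ends outside the hunk. Patch 4 (L94) re-adds this identical hunk after patch 3 reverts it, so the same applies there.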
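Review bot: The added `console.info` bypasses the service's own logging: it writes directly to the console, runs before `LoggerService.switchConsoleLogs({ switchOffAll: false })` on the next line and so cannot be governed by that switch, and fires on every `config$` emission in prod as well as non-prod. The `config` callback argument also stays unused in the visible lines. If an environment banner is wanted, emit it once through the service's normal logging path; otherwise drop the line before release. `setupSwitcherForConsoleLogs` is fully inside the hunk but the class is not; patch 4 (L95) re-adds the same line.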
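Review bot: The new `timeouts_case_retrieval` array has positional semantics that nothing in the repository explains: patch 5 (L98) later changes it to `18, 17` with the message "provide the timeout in the second element", which implies element 0 is not a timeout despite the key name. JSON cannot carry a comment, so record the element meaning and units where the value is read, in `getTimeoutsForCaseRetrieval()` in ccd-case.config.ts. The second hunk also drops the file's trailing newline (`\ No newline at end of file`), which patch 5 then restores; keep the newline. Patch 4 (L95) re-adds the same hunks.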
@@ -42,7 +42,8 @@ import { RouterHelperService, SearchFiltersModule, SearchResultModule, - WorkbasketFiltersModule + WorkbasketFiltersModule, + RetryUtil } from '@hmcts/ccd-case-ui-toolkit'; import { ExuiCommonLibModule } from '@hmcts/rpx-xui-common-lib'; import { EffectsModule } from '@ngrx/effects'; @@ -106,6 +107,7 @@ import { effects, reducers } from './store'; ErrorNotifierService, NavigationNotifierService, CasesService, + RetryUtil, CCDAuthService, HttpService, HttpErrorService, diff --git a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts index c53623ef20..080dc69604 100644 --- a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts +++ b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts @@ -11,6 +11,7 @@ import { CaseEventTrigger, CaseField, CasesService, + RetryUtil, createCaseEventTrigger, DraftService, HttpErrorService, @@ -34,9 +35,9 @@ import { CaseCreateSubmitComponent } from './case-create-submit.component'; class MockSortService { public features = {}; // eslint-disable-next-line @typescript-eslint/no-empty-function - public getFeatureToggle() {} + public getFeatureToggle() { } // eslint-disable-next-line @typescript-eslint/no-empty-function - public getEditorConfiguration() {} + public getEditorConfiguration() { } } const EVENT_TRIGGER: CaseEventTrigger = createCaseEventTrigger( @@ -78,7 +79,7 @@ const SANITISED_EDIT_FORM: CaseEventData = { template: '
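Review bot: `RetryUtil` is appended after `WorkbasketFiltersModule` in the `@hmcts/ccd-case-ui-toolkit` import list, breaking the alphabetical order the visible entries (`RouterHelperService`, `SearchFiltersModule`, `SearchResultModule`, `WorkbasketFiltersModule`) keep; it belongs before `RouterHelperService`. A short comment on the provider entry, `RetryUtil, // toolkit retry helper for delayed case retrievals`, would tell the next reader why the module now registers it. Patch 4 (L95) re-adds the same two hunks.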
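Review bot: The edits to `getFeatureToggle`, `getEditorConfiguration` and `FakeExuidCcdConnectorComponent` change `{}` to `{ }` and nothing else; they are unrelated to the retry work, patch 3 reverts them and patch 4 (L96–L97) reapplies them. Formatter churn like this hides the real change in this file (the `RetryUtil` import and provider) in the diff; drop it, or align the editor with the repo's lint configuration so the file stops flip-flopping. The `-78` hunk containing `FakeExuidCcdConnectorComponent` ends on L89.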
' }) -class FakeExuidCcdConnectorComponent {} +class FakeExuidCcdConnectorComponent { } describe('CaseCreateSubmitComponent', () => { let component: CaseCreateSubmitComponent; @@ -127,6 +128,7 @@ describe('CaseCreateSubmitComponent', () => { } }, CasesService, + RetryUtil, CCDAuthService, DraftService, AlertService, diff --git a/yarn.lock b/yarn.lock index 4443a6dcae..db3e68e640 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2386,12 +2386,12 @@ __metadata: languageName: node linkType: hard -"@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1": - version: 6.18.3-ConsoleLogs.1 - resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1" +"@hmcts/ccd-case-ui-toolkit@npm:6.19.0-RetryCaseRetrievals.5": + version: 6.19.0-RetryCaseRetrievals.5 + resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.19.0-RetryCaseRetrievals.5" dependencies: tslib: ^2.0.0 - checksum: b8612d60d8cd86303ef6ac126f99f4a00973133a5cf60fc8147120efa783a87b969ff2169163481cbd47c0387f17c44203041d9f046e4d36e789d25780626a45 + checksum: 7c242328928382deff97869964e571029569546a7f840126b272fc63b6d819bc42a773a896815330ee1d917ff38a1fe545d5d9d4f3eb99e702e1482449720ff8 languageName: node linkType: hard @@ -19270,7 +19270,7 @@ __metadata: "@angular/platform-browser-dynamic": ^11.2.14 "@angular/router": ^11.2.14 "@edium/fsm": ^2.1.2 - "@hmcts/ccd-case-ui-toolkit": 6.18.3-ConsoleLogs.1 + "@hmcts/ccd-case-ui-toolkit": 6.19.0-RetryCaseRetrievals.5 "@hmcts/ccpay-web-component": 5.2.8 "@hmcts/frontend": 0.0.39-alpha "@hmcts/media-viewer": 2.9.3 From 7af88b0f8c4674a44b503e554d6ef0fdf890a99c Mon Sep 17 00:00:00 2001 
From: codaimaster <55559010+codaimaster@users.noreply.github.com> Date: Tue, 15 Aug 2023 17:01:01 +0100 Subject: [PATCH 3/8] Revert "Retry mechanism introduced for delayed case retrievals" (#3222) This reverts commit 137e7c6d6ff576e4cf489052595cc7057e7bb2a2. --- package.json | 2 +- src/app/services/ccd-config/ccd-case.config.ts | 8 -------- src/app/services/logger/logger.service.ts | 1 - src/assets/config/config.json | 6 +----- src/cases/cases.module.ts | 4 +--- .../case-create-submit.component.spec.ts | 8 +++----- yarn.lock | 10 +++++----- 7 files changed, 11 insertions(+), 28 deletions(-) diff --git a/package.json b/package.json index fdcde8cec4..63a340f492 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,7 @@ "@angular/platform-browser-dynamic": "^11.2.14", "@angular/router": "^11.2.14", "@edium/fsm": "^2.1.2", - "@hmcts/ccd-case-ui-toolkit": "6.19.0-RetryCaseRetrievals.5", + "@hmcts/ccd-case-ui-toolkit": "6.18.3-ConsoleLogs.1", "@hmcts/ccpay-web-component": "5.2.8", "@hmcts/frontend": "0.0.39-alpha", "@hmcts/media-viewer": "2.9.3", diff --git a/src/app/services/ccd-config/ccd-case.config.ts b/src/app/services/ccd-config/ccd-case.config.ts index 3590662fb5..a6351f4a23 100644 --- a/src/app/services/ccd-config/ccd-case.config.ts +++ b/src/app/services/ccd-config/ccd-case.config.ts @@ -131,14 +131,6 @@ export class AppConfig extends AbstractAppConfig { return this.config.activity_retry; } - public getTimeoutsForCaseRetrieval() { - return this.config.timeouts_case_retrieval; - } - - public getTimeoutsCaseRetrievalArtificialDelay() { - return this.config.timeouts_case_retrieval_artificial_delay; - } - public getActivityBatchCollectionDelayMs() { return this.config.activity_batch_collection_delay_ms; } diff --git a/src/app/services/logger/logger.service.ts b/src/app/services/logger/logger.service.ts index ccb1a85085..dcaae5dc63 100644 --- a/src/app/services/logger/logger.service.ts +++ b/src/app/services/logger/logger.service.ts 
@@ -40,7 +40,6 @@ export class LoggerService implements ILoggerService { private setupSwitcherForConsoleLogs() { this.environmentService.config$.subscribe((config) => { - console.info(`Environment is ${this.environmentService.isProd() ? 'prod' : 'non-prod'}.`); LoggerService.switchConsoleLogs({ switchOffAll: false }); }); } diff --git a/src/assets/config/config.json b/src/assets/config/config.json index a1eadc0aaa..703bf64867 100644 --- a/src/assets/config/config.json +++ b/src/assets/config/config.json @@ -20,10 +20,6 @@ "activity_batch_collection_delay_ms": 1, "activity_next_poll_request_ms": 30000, "activity_retry": 30, - "timeouts_case_retrieval": [ - 18 - ], - "timeouts_case_retrieval_artificial_delay": 0, "activity_url": "/activity", "activity_max_request_per_batch": 25, "print_service_url": "/print", @@ -53,4 +49,4 @@ "oauthCallbackUrl": "oauth2/callback" } } -} \ No newline at end of file +} diff --git a/src/cases/cases.module.ts b/src/cases/cases.module.ts index 1ecc05ccb1..6589d3b35d 100644 --- a/src/cases/cases.module.ts +++ b/src/cases/cases.module.ts @@ -42,8 +42,7 @@ import { RouterHelperService, SearchFiltersModule, SearchResultModule, - WorkbasketFiltersModule, - RetryUtil + WorkbasketFiltersModule } from '@hmcts/ccd-case-ui-toolkit'; import { ExuiCommonLibModule } from '@hmcts/rpx-xui-common-lib'; import { EffectsModule } from '@ngrx/effects'; @@ -107,7 +106,6 @@ import { effects, reducers } from './store'; ErrorNotifierService, NavigationNotifierService, CasesService, - RetryUtil, CCDAuthService, HttpService, HttpErrorService, diff --git a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts index 080dc69604..c53623ef20 100644 --- a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts +++ b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts 
@@ -11,7 +11,6 @@ import { CaseEventTrigger, CaseField, CasesService, - RetryUtil, createCaseEventTrigger, DraftService, HttpErrorService, @@ -35,9 +34,9 @@ import { CaseCreateSubmitComponent } from './case-create-submit.component'; class MockSortService { public features = {}; // eslint-disable-next-line @typescript-eslint/no-empty-function - public getFeatureToggle() { } + public getFeatureToggle() {} // eslint-disable-next-line @typescript-eslint/no-empty-function - public getEditorConfiguration() { } + public getEditorConfiguration() {} } const EVENT_TRIGGER: CaseEventTrigger = createCaseEventTrigger( @@ -79,7 +78,7 @@ const SANITISED_EDIT_FORM: CaseEventData = { template: '
' }) -class FakeExuidCcdConnectorComponent { } +class FakeExuidCcdConnectorComponent {} describe('CaseCreateSubmitComponent', () => { let component: CaseCreateSubmitComponent; @@ -128,7 +127,6 @@ describe('CaseCreateSubmitComponent', () => { } }, CasesService, - RetryUtil, CCDAuthService, DraftService, AlertService, diff --git a/yarn.lock b/yarn.lock index db3e68e640..4443a6dcae 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2386,12 +2386,12 @@ __metadata: languageName: node linkType: hard -"@hmcts/ccd-case-ui-toolkit@npm:6.19.0-RetryCaseRetrievals.5": - version: 6.19.0-RetryCaseRetrievals.5 - resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.19.0-RetryCaseRetrievals.5" +"@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1": + version: 6.18.3-ConsoleLogs.1 + resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1" dependencies: tslib: ^2.0.0 - checksum: 7c242328928382deff97869964e571029569546a7f840126b272fc63b6d819bc42a773a896815330ee1d917ff38a1fe545d5d9d4f3eb99e702e1482449720ff8 + checksum: b8612d60d8cd86303ef6ac126f99f4a00973133a5cf60fc8147120efa783a87b969ff2169163481cbd47c0387f17c44203041d9f046e4d36e789d25780626a45 languageName: node linkType: hard @@ -19270,7 +19270,7 @@ __metadata: "@angular/platform-browser-dynamic": ^11.2.14 "@angular/router": ^11.2.14 "@edium/fsm": ^2.1.2 - "@hmcts/ccd-case-ui-toolkit": 6.19.0-RetryCaseRetrievals.5 + "@hmcts/ccd-case-ui-toolkit": 6.18.3-ConsoleLogs.1 "@hmcts/ccpay-web-component": 5.2.8 "@hmcts/frontend": 0.0.39-alpha "@hmcts/media-viewer": 2.9.3 From 8452e8f7531d11ecf03a618ec1b48ccc07ec120a Mon Sep 17 00:00:00 2001 
From: codaimaster <55559010+codaimaster@users.noreply.github.com> Date: Tue, 15 Aug 2023 18:46:27 +0100 Subject: [PATCH 4/8] Release retries with app config safe-guard --- package.json | 2 +- src/app/services/ccd-config/ccd-case.config.ts | 8 ++++++++ src/app/services/logger/logger.service.ts | 1 + src/assets/config/config.json | 6 +++++- src/cases/cases.module.ts | 4 +++- .../case-create-submit.component.spec.ts | 8 +++++--- yarn.lock | 10 +++++----- 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/package.json b/package.json index 63a340f492..690e318cf2 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,7 @@ "@angular/platform-browser-dynamic": "^11.2.14", "@angular/router": "^11.2.14", "@edium/fsm": "^2.1.2", - "@hmcts/ccd-case-ui-toolkit": "6.18.3-ConsoleLogs.1", + "@hmcts/ccd-case-ui-toolkit": "6.19.1-RetryCaseRetrievals.2", "@hmcts/ccpay-web-component": "5.2.8", "@hmcts/frontend": "0.0.39-alpha", "@hmcts/media-viewer": "2.9.3", diff --git a/src/app/services/ccd-config/ccd-case.config.ts b/src/app/services/ccd-config/ccd-case.config.ts index a6351f4a23..3590662fb5 100644 --- a/src/app/services/ccd-config/ccd-case.config.ts +++ b/src/app/services/ccd-config/ccd-case.config.ts @@ -131,6 +131,14 @@ export class AppConfig extends AbstractAppConfig { return this.config.activity_retry; } + public getTimeoutsForCaseRetrieval() { + return this.config.timeouts_case_retrieval; + } + + public getTimeoutsCaseRetrievalArtificialDelay() { + return this.config.timeouts_case_retrieval_artificial_delay; + } + public getActivityBatchCollectionDelayMs() { return this.config.activity_batch_collection_delay_ms; } diff --git a/src/app/services/logger/logger.service.ts b/src/app/services/logger/logger.service.ts index dcaae5dc63..ccb1a85085 100644 --- a/src/app/services/logger/logger.service.ts +++ b/src/app/services/logger/logger.service.ts 
@@ -40,6 +40,7 @@ export class LoggerService implements ILoggerService { private setupSwitcherForConsoleLogs() { this.environmentService.config$.subscribe((config) => { + console.info(`Environment is ${this.environmentService.isProd() ? 'prod' : 'non-prod'}.`); LoggerService.switchConsoleLogs({ switchOffAll: false }); }); } diff --git a/src/assets/config/config.json b/src/assets/config/config.json index 703bf64867..a1eadc0aaa 100644 --- a/src/assets/config/config.json +++ b/src/assets/config/config.json @@ -20,6 +20,10 @@ "activity_batch_collection_delay_ms": 1, "activity_next_poll_request_ms": 30000, "activity_retry": 30, + "timeouts_case_retrieval": [ + 18 + ], + "timeouts_case_retrieval_artificial_delay": 0, "activity_url": "/activity", "activity_max_request_per_batch": 25, "print_service_url": "/print", @@ -49,4 +53,4 @@ "oauthCallbackUrl": "oauth2/callback" } } -} +} \ No newline at end of file diff --git a/src/cases/cases.module.ts b/src/cases/cases.module.ts index 6589d3b35d..1ecc05ccb1 100644 --- a/src/cases/cases.module.ts +++ b/src/cases/cases.module.ts @@ -42,7 +42,8 @@ import { RouterHelperService, SearchFiltersModule, SearchResultModule, - WorkbasketFiltersModule + WorkbasketFiltersModule, + RetryUtil } from '@hmcts/ccd-case-ui-toolkit'; import { ExuiCommonLibModule } from '@hmcts/rpx-xui-common-lib'; import { EffectsModule } from '@ngrx/effects'; @@ -106,6 +107,7 @@ import { effects, reducers } from './store'; ErrorNotifierService, NavigationNotifierService, CasesService, + RetryUtil, CCDAuthService, HttpService, HttpErrorService, diff --git a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts index c53623ef20..080dc69604 100644 --- a/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts +++ b/src/cases/containers/case-create-submit/case-create-submit.component.spec.ts 
@@ -11,6 +11,7 @@ import { CaseEventTrigger, CaseField, CasesService, + RetryUtil, createCaseEventTrigger, DraftService, HttpErrorService, @@ -34,9 +35,9 @@ import { CaseCreateSubmitComponent } from './case-create-submit.component'; class MockSortService { public features = {}; // eslint-disable-next-line @typescript-eslint/no-empty-function - public getFeatureToggle() {} + public getFeatureToggle() { } // eslint-disable-next-line @typescript-eslint/no-empty-function - public getEditorConfiguration() {} + public getEditorConfiguration() { } } const EVENT_TRIGGER: CaseEventTrigger = createCaseEventTrigger( @@ -78,7 +79,7 @@ const SANITISED_EDIT_FORM: CaseEventData = { template: '
' }) -class FakeExuidCcdConnectorComponent {} +class FakeExuidCcdConnectorComponent { } describe('CaseCreateSubmitComponent', () => { let component: CaseCreateSubmitComponent; @@ -127,6 +128,7 @@ describe('CaseCreateSubmitComponent', () => { } }, CasesService, + RetryUtil, CCDAuthService, DraftService, AlertService, diff --git a/yarn.lock b/yarn.lock index 4443a6dcae..d6b72ddc8a 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2386,12 +2386,12 @@ __metadata: languageName: node linkType: hard -"@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1": - version: 6.18.3-ConsoleLogs.1 - resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.18.3-ConsoleLogs.1" +"@hmcts/ccd-case-ui-toolkit@npm:6.19.1-RetryCaseRetrievals.2": + version: 6.19.1-RetryCaseRetrievals.2 + resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.19.1-RetryCaseRetrievals.2" dependencies: tslib: ^2.0.0 - checksum: b8612d60d8cd86303ef6ac126f99f4a00973133a5cf60fc8147120efa783a87b969ff2169163481cbd47c0387f17c44203041d9f046e4d36e789d25780626a45 + checksum: bab9f194f43f1ba2dc60685d576a8460fbf07cb69d13945cd6f628bf377ded6886fd1760f319f35b4f1afd845a799cf562bbb0470c6d1df98aa223ffef6deff6 languageName: node linkType: hard @@ -19270,7 +19270,7 @@ __metadata: "@angular/platform-browser-dynamic": ^11.2.14 "@angular/router": ^11.2.14 "@edium/fsm": ^2.1.2 - "@hmcts/ccd-case-ui-toolkit": 6.18.3-ConsoleLogs.1 + "@hmcts/ccd-case-ui-toolkit": 6.19.1-RetryCaseRetrievals.2 "@hmcts/ccpay-web-component": 5.2.8 "@hmcts/frontend": 0.0.39-alpha "@hmcts/media-viewer": 2.9.3 From 732ad2bf273d58c5da5d6f494404dd909f0d05dd Mon Sep 17 00:00:00 2001 From: codaimaster <55559010+codaimaster@users.noreply.github.com> Date: Wed, 16 Aug 2023 12:07:47 +0100 Subject: [PATCH 5/8] provide the timeout in the second element (#3224) provide the timeout in the second element --- src/assets/config/config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/src/assets/config/config.json b/src/assets/config/config.json
index a1eadc0aaa..607b8eb27e 100644
--- a/src/assets/config/config.json
+++ b/src/assets/config/config.json
@@ -21,7 +21,7 @@
 "activity_next_poll_request_ms": 30000,
 "activity_retry": 30,
 "timeouts_case_retrieval": [
- 18
+ 18, 17
 ],
 "timeouts_case_retrieval_artificial_delay": 0,
 "activity_url": "/activity",
@@ -53,4 +53,4 @@
 "oauthCallbackUrl": "oauth2/callback"
 }
 }
-}
\ No newline at end of file
+}
From 6ea8216cb1b848a4a145810c0463f5756f6b64c9 Mon Sep 17 00:00:00 2001
From: connorpgpmcelroy <74015088+connorpgpmcelroy@users.noreply.github.com>
Date: Thu, 17 Aug 2023 08:13:05 +0100
Subject: [PATCH 6/8] Set initial service codes for location and add unit tests (#3154)

* Set initial service codes for location and add unit tests
* Incorporate CCD Toolkit JudicialUser field fixes EUI-8601/8687/8732/8738 into Manage Cases release for EUI-8633

---------

Co-authored-by: Daniel Lam
Co-authored-by: Daniel Lam
---
 .../staff-select-location.component.spec.ts | 41 +++++++++++++++----
 .../staff-select-location.component.ts | 15 ++++---
 .../models/location-by-service-code-model.ts | 1 +
 3 files changed, 44 insertions(+), 13 deletions(-)
diff --git a/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.spec.ts b/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.spec.ts
index 355d98d3cf..2f980a8418 100644
--- a/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.spec.ts
+++ b/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.spec.ts
@@ -1,6 +1,6 @@ import { ComponentFixture, fakeAsync, flush, TestBed, tick } from '@angular/core/testing'; -import { FormControl } from '@angular/forms'; +import { FormControl, ReactiveFormsModule } from '@angular/forms'; import { MatAutocompleteModule } from '@angular/material/autocomplete'; import { RefDataService } from '@hmcts/rpx-xui-common-lib'; import { of } from 'rxjs'; @@ -17,7 +17,8 @@ describe('StaffSelectLocationComponent', () => { refDataServiceMock.getLocationsByServiceCodes.and.returnValue(of([])); await TestBed.configureTestingModule({ - imports: [MatAutocompleteModule], + imports: [MatAutocompleteModule, + ReactiveFormsModule], declarations: [StaffSelectLocationComponent], providers: [ { provide: RefDataService, useValue: refDataServiceMock } @@ -262,8 +263,11 @@ describe('StaffSelectLocationComponent', () => { })); it('should get an array when search term is not an empty string', fakeAsync(() => { + // obsCount added as observable should always run initially + let obsCount = 0; component.filteredList$.subscribe((result) => { - expect(Array.isArray(result)).toBe(true); + obsCount > 0 ? expect(Array.isArray(result)).toBe(true) : expect(Array.isArray(result)).toBe(false); + obsCount++; }); component.searchTermFormControl.setValue('123'); @@ -273,9 +277,10 @@ describe('StaffSelectLocationComponent', () => { it('should filter out locations based on searchTerm', fakeAsync(() => { refDataServiceMock.getLocationsByServiceCodes.and.returnValue(of([dummyLocations[0], dummyLocations[1]])); - component.locationsControl.setValue([dummyLocations[0], dummyLocations[1]]); + let obsCount = 0; component.filteredList$.subscribe((result) => { - expect(result).toEqual([dummyLocations[0]]); + obsCount > 0 ? expect(result).toEqual([dummyLocations[0]]) : expect(Array.isArray(result)).toBe(false); + obsCount++; }); component.searchTermFormControl.setValue(dummyLocations[0].venue_name); 
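Review bot: The subscribe callbacks in the `@@ -262` and `@@ -273` hunks use a conditional expression purely for its side effects, `obsCount > 0 ? expect(Array.isArray(result)).toBe(true) : expect(Array.isArray(result)).toBe(false);`, which `no-unused-expressions` flags and which reads as though a value were being produced; `if (obsCount > 0) { … } else { … }` is the conventional form, and the same applies to the new test in the `@@ -285` hunk of this file. The added comment `// obsCount added as observable should always run initially` says a first emission is expected but not what it carries; since every assertion here depends on it, `// first emission comes from startWith('') and is expected to be false; real results follow` states the contract, assuming that is what the component emits — the `iif` else-branch is not in this diff.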
@@ -285,14 +290,36 @@ describe('StaffSelectLocationComponent', () => { it('should fill locations with correct service codes', fakeAsync(() => { refDataServiceMock.getLocationsByServiceCodes.and.returnValue(of([dummyLocations[0], dummyLocations[1]])); + let obsCount = 0; component.filteredList$.subscribe((result) => { - expect(result).toEqual([dummyLocations[0]]); - expect(result[0].serviceCodes).toEqual(['BFA1', 'AAA7']); + if (obsCount > 1) { + expect(result).toEqual([dummyLocations[0]]); + expect(result[0].serviceCodes).toEqual(['BFA1', 'AAA7']); + } + obsCount++; }); component.searchTermFormControl.setValue(dummyLocations[0].venue_name); tick(); flush(); })); + + it('should correctly set service codes for locations in formControl', fakeAsync(() => { + refDataServiceMock.getLocationsByServiceCodes.and.returnValue(of([dummyLocations[0], dummyLocations[1]])); + const mockLocationInControl: any = dummyLocations[0]; + // also ensures we are checking numbers as well as strings + mockLocationInControl.location_id = parseInt(mockLocationInControl.epimms_id); + component.locationsControl.setValue([mockLocationInControl]); + let obsCount = 0; + component.filteredList$.subscribe((result) => { + obsCount > 0 ? expect(result).toEqual([dummyLocations[0]]) : expect(result).toEqual(false); + expect(component.locationsControl.value[0].serviceCodes[0]).toEqual('BFA1'); + obsCount++; + }); + + component.searchTermFormControl.setValue(dummyLocations[0].venue_name); + tick(); + flush(); + })); }); }); }); diff --git a/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.ts b/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.ts index 63c7ae71b0..46b6b45f03 100644 --- a/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.ts 
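Review bot: The new test 'should correctly set service codes for locations in formControl' assigns `dummyLocations[0]` to a variable typed `any` and then writes `location_id` onto it, which mutates the shared fixture rather than a copy; the `dummyLocations` declaration is outside the hunk so I can't see whether it is rebuilt per test, but if it is module-level the added `location_id` leaks into every test that runs afterwards. Copy first and add the missing radix: `const mockLocationInControl: any = { ...dummyLocations[0] };` then `mockLocationInControl.location_id = parseInt(mockLocationInControl.epimms_id, 10);`. The first-emission guard is also `obsCount > 1` in 'should fill locations with correct service codes' but `obsCount > 0` in every other test in this commit, and that test's initial assertion is `expect(result).toEqual(false)` while the earlier ones check `Array.isArray(result)` is false; if the emission count genuinely differs for that case a one-line comment saying why would stop the next reader treating it as an off-by-one.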
+++ b/src/staff-administrator/components/staff-add-edit-user/staff-add-edit-user-form/staff-select-location/staff-select-location.component.ts @@ -2,7 +2,7 @@ import { Component, Input, OnInit } from '@angular/core'; import { FormControl } from '@angular/forms'; import { RefDataService } from '@hmcts/rpx-xui-common-lib'; import { combineLatest, iif, Observable, of } from 'rxjs'; -import { map, switchMap, tap } from 'rxjs/operators'; +import { map, startWith, switchMap, tap } from 'rxjs/operators'; import { LocationByEpimmsModelWithServiceCodes } from '../../../../models/location-by-service-code-model'; import { StaffUserLocation } from '../../../../models/staff-user-location.model'; @@ -22,6 +22,8 @@ export class StaffSelectLocationComponent implements OnInit { public autocompleteSelectedLocation: LocationByEpimmsModelWithServiceCodes | false; private fullLocations: LocationByEpimmsModelWithServiceCodes[]; + private initialLocationServicesSet = false; + public get selectedLocations(): StaffUserLocation[] { return this.locationsControl?.value; } @@ -30,7 +32,7 @@ export class StaffSelectLocationComponent implements OnInit { public ngOnInit() { this.filteredList$ = combineLatest([ - this.searchTermFormControl.valueChanges, + this.searchTermFormControl.valueChanges.pipe(startWith('')), this.serviceCodes$ ]).pipe( tap(([term]: [string, string[]]) => { @@ -39,7 +41,7 @@ export class StaffSelectLocationComponent implements OnInit { } }), switchMap(([term, serviceCodes]: [string, string[]]) => iif( - () => (!!term && term.length >= 0), + () => ((!!term && term.length >= 0) || !this.initialLocationServicesSet), this.refDataService.getLocationsByServiceCodes( serviceCodes ).pipe( 
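Review bot: The new `iif` predicate keeps `(!!term && term.length >= 0)` from the old line, but `term.length >= 0` is true for every string, so the parenthesised test is just `!!term` and the line reads more honestly as `() => !!term || !this.initialLocationServicesSet`. With `startWith('')` the pipeline now calls `refDataService.getLocationsByServiceCodes` once before the user types anything, which is presumably the intent of the flag, but the flag's purpose is only recoverable by reading `setLocationServiceCodes` in the next hunk; a comment on the field in the `@@ -22` hunk, `// true once the selected locations' service codes have been populated by the first fetch`, would make the guard self-explanatory. The `ngOnInit` pipeline continues past the end of this hunk, so I can't see the else-branch of the `iif`.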
@@ -64,7 +66,7 @@ export class StaffSelectLocationComponent implements OnInit { private setLocationServiceCodes(locations: LocationByEpimmsModelWithServiceCodes[]): LocationByEpimmsModelWithServiceCodes[] { locations.map((location) => { - const currentId = location.epimms_id; + const currentId = location.epimms_id.toString(); const serviceCodes = location.serviceCodes; location.serviceCodes = this.getAllServiceCodes(serviceCodes, currentId); }); @@ -72,11 +74,12 @@ export class StaffSelectLocationComponent implements OnInit { // note: we could edit location types to produce less code - i.e. making them the same const fixedSelectedLocations = this.locationsControl.value; fixedSelectedLocations.forEach((location) => { - const currentId = location.location_id; - const serviceCodes = location.service_codes; + const currentId = location.location_id.toString(); + const serviceCodes = location.service_codes ? location.service_codes : []; location.service_codes = this.getAllServiceCodes(serviceCodes, currentId); }); this.locationsControl.setValue(fixedSelectedLocations); + this.initialLocationServicesSet = true; return locations; } diff --git a/src/staff-administrator/models/location-by-service-code-model.ts b/src/staff-administrator/models/location-by-service-code-model.ts index 6b75385a03..16a802985d 100644 --- a/src/staff-administrator/models/location-by-service-code-model.ts +++ b/src/staff-administrator/models/location-by-service-code-model.ts @@ -1,5 +1,6 @@ export interface LocationByEpimmsModelWithServiceCodes { epimms_id: string; + location_id?: string; site_name?: string; court_name?: string; open_for_public?: string; From dfc0c040543b8c8a570e175348e8a05d3f4fd35d Mon Sep 17 00:00:00 2001 From: codaimaster <55559010+codaimaster@users.noreply.github.com> Date: Thu, 17 Aug 2023 12:30:05 +0100 Subject: [PATCH 7/8] upgrade toolkit for the new patch (#3229) --- package.json | 2 +- yarn.lock | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) 
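Review bot: `const currentId = location.location_id.toString();` throws a TypeError when `location_id` is absent, yet the line right after it now defends `service_codes` against being undefined, and the model hunk in this same commit declares `location_id?: string` as optional; the same applies to `location.epimms_id.toString()` in the `@@ -64` hunk. If an id can be missing, `const currentId = location.location_id?.toString() ?? '';` avoids the crash, though what `getAllServiceCodes` does with an empty id is outside the hunk and should be checked. The `.toString()` conversions and the spec's `parseInt` suggest the id actually arrives as a number at runtime; if so, `location_id?: string | number;` in the model would document that instead of the spec resorting to `any`.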
diff --git a/package.json b/package.json index 690e318cf2..41a3b94c1a 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,7 @@ "@angular/platform-browser-dynamic": "^11.2.14", "@angular/router": "^11.2.14", "@edium/fsm": "^2.1.2", - "@hmcts/ccd-case-ui-toolkit": "6.19.1-RetryCaseRetrievals.2", + "@hmcts/ccd-case-ui-toolkit": "6.19.3-RetryCaseRetrievals.1", "@hmcts/ccpay-web-component": "5.2.8", "@hmcts/frontend": "0.0.39-alpha", "@hmcts/media-viewer": "2.9.3", diff --git a/yarn.lock b/yarn.lock index d6b72ddc8a..4e118b3f78 100644 --- a/yarn.lock +++ b/yarn.lock @@ -2386,12 +2386,12 @@ __metadata: languageName: node linkType: hard -"@hmcts/ccd-case-ui-toolkit@npm:6.19.1-RetryCaseRetrievals.2": - version: 6.19.1-RetryCaseRetrievals.2 - resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.19.1-RetryCaseRetrievals.2" +"@hmcts/ccd-case-ui-toolkit@npm:6.19.3-RetryCaseRetrievals.1": + version: 6.19.3-RetryCaseRetrievals.1 + resolution: "@hmcts/ccd-case-ui-toolkit@npm:6.19.3-RetryCaseRetrievals.1" dependencies: tslib: ^2.0.0 - checksum: bab9f194f43f1ba2dc60685d576a8460fbf07cb69d13945cd6f628bf377ded6886fd1760f319f35b4f1afd845a799cf562bbb0470c6d1df98aa223ffef6deff6 + checksum: 804b26964c596540b05e0c88baadda0f07a4d3a9aaa5ca6782d3d9879ae01f7e6cfb59e4892483385a9d4a8428e709b06f64efa0b99518039ade9e81ced3175c languageName: node linkType: hard @@ -19270,7 +19270,7 @@ __metadata: "@angular/platform-browser-dynamic": ^11.2.14 "@angular/router": ^11.2.14 "@edium/fsm": ^2.1.2 - "@hmcts/ccd-case-ui-toolkit": 6.19.1-RetryCaseRetrievals.2 + "@hmcts/ccd-case-ui-toolkit": 6.19.3-RetryCaseRetrievals.1 "@hmcts/ccpay-web-component": 5.2.8 "@hmcts/frontend": 0.0.39-alpha "@hmcts/media-viewer": 2.9.3 From 5b459c692c887cd95db264bb958c31b1471bc685 Mon Sep 17 00:00:00 2001 
From: Tom Elliott Date: Thu, 24 Aug 2023 14:43:16 +0100 Subject: [PATCH 8/8] EXUI-266: Configure github action to update preview deployment id (#3230) --- .../populate-preview-deployment-id.yaml | 29 +++++++++++++++++++ api/lib/http/index.ts | 4 +++ .../xui-webapp/values.preview.template.yaml | 1 + 3 files changed, 34 insertions(+) create mode 100644 .github/workflows/populate-preview-deployment-id.yaml diff --git a/.github/workflows/populate-preview-deployment-id.yaml b/.github/workflows/populate-preview-deployment-id.yaml new file mode 100644 index 0000000000..6597c657c4 --- /dev/null +++ b/.github/workflows/populate-preview-deployment-id.yaml @@ -0,0 +1,29 @@ +name: Populate Preview Deployment ID + +on: + pull_request: + branches: + - master + +permissions: + contents: write + +jobs: + build: + runs-on: ubuntu-latest + steps: + - uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: ${{ secrets.HMCTS_GITHUB_EXUI_APP_ID }} + private_key: ${{ secrets.HMCTS_GITHUB_EXUI_PRIVATE_KEY }} + - uses: actions/checkout@v3 + with: + token: ${{ steps.generate-token.outputs.token }} + - name: Populate preview deployment ID + run: | + sed -i 's/PREVIEW_DEPLOYMENT_ID:.*/PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-${{ github.event.number }}/' charts/xui-webapp/values.preview.template.yaml + shell: bash + - uses: stefanzweifel/git-auto-commit-action@v4 + with: + commit_message: "${{ github.event.pull_request.head.ref }}: Setting Preview Deployment ID" diff --git a/api/lib/http/index.ts b/api/lib/http/index.ts index b1907eaf62..5bb7ebcf1f 100644 --- a/api/lib/http/index.ts +++ b/api/lib/http/index.ts 
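Review bot: The checkout step in the new workflow passes the app token but no `ref`, and on a `pull_request` event `actions/checkout` checks out the detached merge commit, so the auto-commit step would have no PR branch to push to; the auto-commit action's documented usage for this event is `ref: ${{ github.head_ref }}` under the checkout `with:`. Because the job runs with `contents: write` and a write-capable app token, the three third-party actions should be pinned to full commit SHAs rather than the mutable `@v1`/`@v3`/`@v4` tags, e.g. `uses: actions/checkout@<commit-sha-placeholder>`, so a moved tag cannot change what executes with that token. The `run:` line interpolates `${{ github.event.number }}` directly into the shell command; that value is numeric so it is harmless here, but passing it through `env:` and reading `$PR_NUMBER` keeps the pattern from being copied for a contributor-controlled field such as the `head.ref` already used in the commit message. `pull_request` runs from forks receive no secrets, so the token step will fail for external contributors; that may be acceptable but deserves a comment in the file.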
@@ -2,7 +2,11 @@ import axios, { AxiosInstance } from 'axios'; import { errorInterceptor, requestInterceptor, successInterceptor } from '../interceptors'; export const http: AxiosInstance = axios.create({}); +const previewDeploymentId: string = process.env.PREVIEW_DEPLOYMENT_ID; +if (previewDeploymentId) { + axios.defaults.headers.common['hmcts-deployment-id'] = previewDeploymentId; +} axios.defaults.headers.common['Content-Type'] = 'application/json'; http.interceptors.request.use(requestInterceptor); http.interceptors.response.use(successInterceptor, errorInterceptor); diff --git a/charts/xui-webapp/values.preview.template.yaml b/charts/xui-webapp/values.preview.template.yaml index 0b6f1835f1..130e2808c7 100644 --- a/charts/xui-webapp/values.preview.template.yaml +++ b/charts/xui-webapp/values.preview.template.yaml @@ -23,6 +23,7 @@ nodejs: SERVICES_CASE_JUDICIAL_API: http://rd-judicial-api-aat.service.core-compute-aat.internal SERVICES_LOCATION_REF_API_URL: http://rd-location-ref-api-aat.service.core-compute-aat.internal FEATURE_ACCESS_MANAGEMENT_ENABLED: true + PREVIEW_DEPLOYMENT_ID: exui-preview-deployment-3230 keyVaults: rpx: secrets:
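Review bot: `const previewDeploymentId: string = process.env.PREVIEW_DEPLOYMENT_ID;` annotates a `string | undefined` value as `string`, which only compiles with `strictNullChecks` off; drop the annotation, `const previewDeploymentId = process.env.PREVIEW_DEPLOYMENT_ID;`, and the `if (previewDeploymentId)` guard narrows it correctly. The header is written to the global `axios.defaults` rather than to the `http` instance created on the line above; that mirrors the existing `Content-Type` line so it is consistent with the file, but whether an instance created before the assignment observes it depends on the axios version in use, which I can't see from here. A one-line comment would help the next reader: `// Routes outbound calls to the matching preview deployment; only set by the preview chart values.`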