[ https://issues.apache.org/jira/browse/FLINK-36716?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Mehdi updated FLINK-36716:
--------------------------
Description:
When running `npm audit` we get 36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical); we should address any current, open vulnerabilities.
These critical vulnerabilities are gone after raising the version of Angular, and we also need to raise the Node version, so there are two sub-tasks for this ticket.
Result of the npm audit:
{code:java}
# npm audit report

@adobe/css-tools  <=4.3.1
Severity: moderate
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS - https://github.com/advisories/GHSA-hpx4-r86g-5jrg
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-prr3-c3m5-p7q2
fix available via `npm audit fix`
node_modules/@adobe/css-tools

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie
node_modules/express/node_modules/cookie
  engine.io  0.7.8 - 0.7.9 || 1.8.0 - 6.6.1
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  1.6.0 - 4.7.5
    Depends on vulnerable versions of engine.io
    node_modules/socket.io

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix`
node_modules/d3-interpolate/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    @antv/g-base  <=0.5.11
    Depends on vulnerable versions of d3-interpolate
    node_modules/@antv/g-base

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix`
node_modules/http-proxy-middleware

ip  *
Severity: high
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix`
node_modules/ip

loader-utils  3.0.0 - 3.2.0
Severity: high
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/loader-utils
  @angular-devkit/build-angular  *
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of protractor
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-middleware
  node_modules/@angular-devkit/build-angular

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
  webdriver-manager  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xml2js
  node_modules/webdriver-manager
    protractor  >=1.3.0
    Depends on vulnerable versions of selenium-webdriver
    Depends on vulnerable versions of webdriver-js-extender
    Depends on vulnerable versions of webdriver-manager
    node_modules/protractor

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@angular-devkit/build-angular/node_modules/semver
node_modules/@angular/cli/node_modules/semver
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/plugin-transform-runtime/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/less/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/webdriver-manager/node_modules/semver
  @angular/cli  9.1.0-next.0 - 14.2.11 || 15.0.0-next.0 - 15.2.8 || 16.0.0-next.0 - 16.1.1
  Depends on vulnerable versions of semver
  node_modules/@angular/cli

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie

webpack  5.0.0-alpha.0 - 5.93.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS - https://github.com/advisories/GHSA-4vvj-4cpr-p986
fix available via `npm audit fix`
node_modules/webpack

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/webpack-dev-middleware

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
  socket.io-adapter  2.5.2 - 2.5.4
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
  selenium-webdriver  2.43.1 - 4.0.0-rc-2
  Depends on vulnerable versions of xml2js
  node_modules/selenium-webdriver
    webdriver-js-extender  *
    Depends on vulnerable versions of selenium-webdriver
    node_modules/webdriver-js-extender

36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical)
{code}
was:
When running `npm audit` we get 36 vulnerabilities (1 low, 15 moderate, 17 high, 3 critical); we should address any current, open vulnerabilities.
These critical vulnerabilities are gone after raising the version of Angular.
> Address vulnerabilities in Flink UI
> -----------------------------------
>
> Key: FLINK-36716
> URL: https://issues.apache.org/jira/browse/FLINK-36716
> Project: Flink
> Issue Type: Improvement
> Components: Runtime / Web Frontend
> Affects Versions: 2.0.0, 1.20.0
> Reporter: Mehdi
> Assignee: Mehdi
> Priority: Major
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)