Version Details and Security Vulnerabilities

📦

svg-term-cli

1.3.0

Comparision Betweeen 1.3.0 and 1.2.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

svg-term-cli

1.3.0

Comparision Betweeen 1.3.0 and 1.2.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.0 of the package svg-term-cli.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.0 of the package

Summary:

Regular Expression Denial of Service (ReDoS) in cross-spawn

Details:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Details about cross-spawn@5.1.0

Summary:

Uncontrolled Resource Consumption in trim-newlines

Details:

@rkesters/gnuplot is an easy to use node module to draw charts using gnuplot and ps2pdf. The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.

Details about trim-newlines@1.0.0

Summary:

node-fetch forwards secure headers to untrusted sites

Details:

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

Details about node-fetch@1.7.3

Summary:

Prototype pollution in Plist before 3.0.5 can cause denial of service

Details:

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Details about plist@2.1.0

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

Details about xmldom@0.1.31

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.1.31

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

xmldom parses XML that is not well-formed because it contains multiple top level elements, and adds all root nodes to the childNodes collection of the Document, without reporting any error or throwing. This breaks the assumption that there is only a single root node in the tree, which led to https://nvd.nist.gov/vuln/detail/CVE-2022-39299 and is a potential issue for dependents.

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.1.31

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.0 of the package svg-term-cli.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.0 of the package

Summary:

Regular Expression Denial of Service (ReDoS) in cross-spawn

Details:

Details about cross-spawn@5.1.0

Summary:

Uncontrolled Resource Consumption in trim-newlines

Details:

Details about trim-newlines@1.0.0

Summary:

node-fetch forwards secure headers to untrusted sites

Details:

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

Details about node-fetch@1.7.3

Summary:

Prototype pollution in Plist before 3.0.5 can cause denial of service

Details:

Prototype pollution vulnerability via .parse() in Plist allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.

Details about plist@2.1.0

Summary:

Misinterpretation of malicious XML input

Details:

Impact

xmldom versions 0.4.0 and older do not correctly preserve system identifiers, FPIs or namespaces when repeatedly parsing and serializing maliciously crafted documents.

This may lead to unexpected syntactic changes during XML processing in some downstream applications.

Patches

Update to 0.5.0 (once it is released)

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls xmldom

Details about xmldom@0.1.31

Summary:

Misinterpretation of malicious XML input

Details:

Impact

Patches

Update to one of the fixed versions of @xmldom/xmldom (>=0.7.0)

See issue #271 for the status of publishing xmldom to npm or join #270 for Q&A/discussion until it's resolved.

Workarounds

Downstream applications can validate the input and reject the maliciously crafted documents.

References

Similar to this one reported on the Go standard library:

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/
https://mattermost.com/blog/securing-xml-implementations-across-the-web/

For more information

If you have any questions or comments about this advisory:

Open an issue in xmldom/xmldom
Email us: send an email to all addresses that are shown by npm owner ls @xmldom/xmldom

Details about xmldom@0.1.31

Summary:

xmldom allows multiple root nodes in a DOM

Details:

Impact

Patches

Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next).

Workarounds

One of the following approaches might help, depending on your use case:

Instead of searching for elements in the whole DOM, only search in the documentElement.
Reject a document with a document that has more then 1 childNode.

References

https://nvd.nist.gov/vuln/detail/CVE-2022-39299
https://github.com/jindw/xmldom/issues/150

For more information

If you have any questions or comments about this advisory:

Email us at security@xmldom.org

Details about xmldom@0.1.31

Version Details and Security Vulnerabilities

svg-term-cli

Comparision Betweeen 1.3.0 and 1.2.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

svg-term-cli

Comparision Betweeen 1.3.0 and 1.2.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

cross-spawn@5.1.0 GHSA-3xgq-45jj-v275 7.7

trim-newlines@1.0.0 GHSA-7p7h-4mm5-852v 7.5

node-fetch@1.7.3 GHSA-r683-j2x4-v87g 8.8

plist@2.1.0 GHSA-4cpg-3vgw-4877 9.8

xmldom@0.1.31 GHSA-h6q6-9hqw-rwfv 4.3

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.31 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.31 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

cross-spawn@5.1.0 GHSA-3xgq-45jj-v275 7.7

trim-newlines@1.0.0 GHSA-7p7h-4mm5-852v 7.5

node-fetch@1.7.3 GHSA-r683-j2x4-v87g 8.8

plist@2.1.0 GHSA-4cpg-3vgw-4877 9.8

xmldom@0.1.31 GHSA-h6q6-9hqw-rwfv 4.3

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.31 GHSA-5fg8-2547-mr8q 6.5

Impact

Patches

Workarounds

References

For more information

xmldom@0.1.31 GHSA-crh6-fp67-6883 9.8

Impact

Patches

Workarounds

References

For more information