You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
mend-local-appbot
changed the title
cssnano-4.1.0.tgz: 2 vulnerabilities (highest severity is: 9.8)
cssnano-4.1.0.tgz: 3 vulnerabilities (highest severity is: 9.8)
Nov 15, 2023
mend-local-appbot
changed the title
cssnano-4.1.0.tgz: 3 vulnerabilities (highest severity is: 9.8)
cssnano-4.1.0.tgz: 2 vulnerabilities (highest severity is: 9.8)
Nov 16, 2023
Vulnerable Library - cssnano-4.1.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dot-prop/package.json
Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2020-8116
Vulnerable Library - dot-prop-4.2.0.tgz
Get, set, or delete a property from a nested object using a dot path
Library home page: https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/dot-prop/package.json
Dependency Hierarchy:
Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108
Found in base branch: master
Vulnerability Details
Prototype pollution vulnerability in dot-prop npm package version 5.1.0 and earlier allows an attacker to add arbitrary properties to JavaScript language constructs such as objects.
Publish Date: 2020-02-04
URL: CVE-2020-8116
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8116
Release Date: 2020-02-04
Fix Resolution: dot-prop - 5.1.1
WS-2019-0032
Vulnerable Library - js-yaml-3.10.0.tgz
YAML 1.2 parser and serializer
Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.10.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/svgo/node_modules/js-yaml/package.json
Dependency Hierarchy:
Found in HEAD commit: df030affe6fe3de4496f2f71d0bed6559686b108
Found in base branch: master
Vulnerability Details
Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.
Publish Date: 2019-03-20
URL: WS-2019-0032
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/788/versions
Release Date: 2019-03-20
Fix Resolution: js-yaml - 3.13.0
The text was updated successfully, but these errors were encountered: