Yarn Audit Report #1066

Closed
captn3m0 opened this issue Oct 16, 2019 · 4 comments

Comments

@captn3m0

Generated using:

yarn audit --json | yarn-audit-html
pandoc --from html --to markdown_github yarn-audit.html

7 unique from 192 known vulnerabilities | 27645 dependencies
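The headline above comes from yarn-audit-html collapsing the raw `yarn audit --json` stream: one advisory is reported once per dependency path that pulls the vulnerable package in, so the same advisory id shows up many times. The following is an added example (not code from the issue, yarn-audit-html or the Outline project) that parses that stream into the same "unique vs. known" summary and adds a CI gate that can ignore advisories reachable only through dev-only roots. The records are constructed sample input in the shape of yarn's `auditAdvisory` / `auditSummary` records; the ids, paths and the `parseYarnAudit` / `summarize` / `failsGate` names are this example's own.

```javascript
// Added example, not from the issue or the Outline code base: parse the
// newline-delimited JSON that `yarn audit --json` prints and rebuild the
// summary line yarn-audit-html shows ("N unique from M known vulnerabilities").
// CONSTRUCTED sample input in the shape of yarn's auditAdvisory / auditSummary
// records; the advisory ids and dependency paths are made up.
const SAMPLE_AUDIT_NDJSON = [
  { type: 'auditAdvisory', data: {
      resolution: { id: 1012, path: 'nodemon>chokidar>anymatch>micromatch>braces>snapdragon>base>cache-base>set-value' },
      advisory: { id: 1012, severity: 'high', module_name: 'set-value', title: 'Prototype Pollution',
                  vulnerable_versions: '<2.0.1 || >=3.0.0 <3.0.1', patched_versions: '>=2.0.1 <3.0.0 || >=3.0.1' } } },
  { type: 'auditAdvisory', data: {
      resolution: { id: 1012, path: 'jest-cli>micromatch>braces>snapdragon>base>cache-base>set-value' },
      advisory: { id: 1012, severity: 'high', module_name: 'set-value', title: 'Prototype Pollution',
                  vulnerable_versions: '<2.0.1 || >=3.0.0 <3.0.1', patched_versions: '>=2.0.1 <3.0.0 || >=3.0.1' } } },
  { type: 'auditAdvisory', data: {
      resolution: { id: 1143, path: 'html-webpack-plugin>html-minifier>clean-css' },
      advisory: { id: 1143, severity: 'low', module_name: 'clean-css', title: 'Regular Expression Denial of Service',
                  vulnerable_versions: '<4.1.11', patched_versions: '>=4.1.11' } } },
  { type: 'auditSummary', data: {
      vulnerabilities: { info: 0, low: 1, moderate: 0, high: 2, critical: 0 }, dependencies: 27645 } },
].map((r) => JSON.stringify(r)).join('\n');

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Group advisory records by advisory id; each id collects every dependency
// path through which the vulnerable package is pulled into the tree.
function parseYarnAudit(ndjson) {
  const advisories = new Map();
  let summary = null;
  for (const line of ndjson.split('\n')) {
    if (!line.trim()) continue; // tolerate blank lines in the stream
    const record = JSON.parse(line);
    if (record.type === 'auditAdvisory') {
      const { advisory, resolution } = record.data;
      const entry = advisories.get(advisory.id) || {
        id: advisory.id, module: advisory.module_name, severity: advisory.severity,
        title: advisory.title, vulnerable: advisory.vulnerable_versions,
        patched: advisory.patched_versions, paths: [],
      };
      entry.paths.push(resolution.path);
      advisories.set(advisory.id, entry);
    } else if (record.type === 'auditSummary') {
      summary = record.data;
    }
  }
  return { advisories: [...advisories.values()], summary };
}

// The headline: unique advisories vs. raw hits, plus the dependency count
// from the trailing auditSummary record.
function summarize(parsed) {
  const known = parsed.advisories.reduce((n, a) => n + a.paths.length, 0);
  const dependencies = parsed.summary ? parsed.summary.dependencies : 0;
  const unique = parsed.advisories.length;
  return {
    unique, known, dependencies,
    headline: `${unique} unique from ${known} known vulnerabilities | ${dependencies} dependencies`,
  };
}

// CI gate: return the advisories at or above `threshold`, skipping those that
// reach the tree only through paths rooted in dev-only packages (the kind of
// triage applied to set-value later in this thread). An advisory with even
// one path from a production root is still reported.
function failsGate(parsed, threshold, devOnlyRoots = []) {
  return parsed.advisories.filter((a) => {
    if (SEVERITY_RANK[a.severity] < SEVERITY_RANK[threshold]) return false;
    const onlyDev = a.paths.every((p) => devOnlyRoots.includes(p.split('>')[0]));
    return !onlyDev;
  });
}
```

Run it with `yarn audit --json | node audit-summary.js` after replacing `SAMPLE_AUDIT_NDJSON` with stdin; the dev-only exemption is a triage convenience, not a fix, since a dev dependency still runs on developer and CI machines.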

high Prototype Pollution

  • Module: set-value

  • Installed version: 2.0.0

  • Published: 6/20/2019, 8:05:11 PM

  • Reported by: Jon Schlinkert

  • CWE-471

  • CVE-2019-10747

  • Vulnerable: <2.0.1 || >=3.0.0 <3.0.1

  • Patched: >=2.0.1 <3.0.0 || >=3.0.1

  • CVSS: 5

Overview

Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Remediation

If you are using set-value 3.x, upgrade to version 3.0.1 or later. If you are using set-value 2.x, upgrade to version 2.0.1 or later.


high Prototype Pollution

  • Module: set-value

  • Installed version: 0.4.3

  • Published: 6/20/2019, 8:05:11 PM

  • Reported by: Jon Schlinkert

  • CWE-471

  • CVE-2019-10747

  • Vulnerable: <2.0.1 || >=3.0.0 <3.0.1

  • Patched: >=2.0.1 <3.0.0 || >=3.0.1

  • CVSS: 5

Overview

Versions of set-value prior to 3.0.1 or 2.0.1 are vulnerable to Prototype Pollution. The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Remediation

If you are using set-value 3.x, upgrade to version 3.0.1 or later. If you are using set-value 2.x, upgrade to version 2.0.1 or later.


high SQL Injection

  • Module: sequelize

  • Installed version: 5.8.12

  • Published: 9/6/2019, 1:56:35 AM

  • Reported by: Unknown

  • CWE-89

  • CVE-2019-10752

  • Vulnerable: <4.44.3 || >=5.0.0 <5.15.1

  • Patched: >=4.44.3 <5.0.0 || >=5.15.1

  • CVSS: 6

Overview

Affected versions of sequelize are vulnerable to SQL Injection. The function sequelize.json() incorrectly formatted sub paths for JSON queries, which allows attackers to inject SQL statements and execute arbitrary SQL queries if user input is passed to the query. Exploitation example:

return User.findAll({ where: this.sequelize.json("data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ", 1) });

Remediation

If you are using sequelize 5.x, upgrade to version 5.15.1 or later. If you are using sequelize 4.x, upgrade to version 4.44.3 or later.

Reasons this module exists

sequelize

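The sequelize advisory above is about how a JSON sub-path supplied by the caller was spliced into SQL. The following added example (not sequelize's code) shows a JSON-path helper of that kind, first splicing path segments straight into a PostgreSQL-style `#>>` expression and then validating each segment against an identifier allow-list. The wrapping SQL shape, `CAST(... AS DECIMAL) = n`, is an assumption chosen so the advisory's payload reads naturally, not sequelize's actual generated SQL; the names `jsonPathUnsafe`, `jsonPathSafe` and `jsonEqualsNumber` are this example's own.

```javascript
// Added example, not sequelize's code: a JSON sub-path helper in the style the
// advisory describes. The vulnerable form interpolates the caller's path into
// the SQL text; the fixed form validates every segment before it is quoted.
// The CAST(...) = n shape is an ASSUMPTION for illustration.

// Vulnerable: "data.id" -> ("data"#>>'{id}'), but any quote or paren in a
// segment lands verbatim inside the SQL.
function jsonPathUnsafe(pathExpr) {
  const [column, ...segments] = pathExpr.split('.');
  return `("${column}"#>>'{${segments.join(',')}}')`;
}

// Fixed: column and every path segment must be a plain identifier. Anything
// else is rejected before SQL is built, so quoting rules never matter.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;
function jsonPathSafe(pathExpr) {
  const [column, ...segments] = pathExpr.split('.');
  if (segments.length === 0) throw new Error('JSON path needs at least one segment');
  for (const part of [column, ...segments]) {
    if (!IDENT.test(part)) throw new Error(`invalid JSON path segment: ${JSON.stringify(part)}`);
  }
  return `("${column}"#>>'{${segments.join(',')}}')`;
}

// Compare the extracted JSON value with a number. The value side is typed
// (a finite number), which is the other half of keeping this injection-free;
// in a real ORM it would be a bound parameter rather than a literal.
function jsonEqualsNumber(pathExpr, value, buildPath) {
  if (typeof value !== 'number' || !Number.isFinite(value)) {
    throw new TypeError('value must be a finite number');
  }
  return `CAST(${buildPath(pathExpr)} AS DECIMAL) = ${value}`;
}

// The payload from the advisory: closes the string literal and the CAST,
// then appends its own statement and comments out the remainder.
const ADVISORY_PAYLOAD = "data.id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- ";
```

With the unsafe builder the payload yields `CAST(("data"#>>'{id')) AS DECIMAL) = 1 DELETE YOLO INJECTIONS; -- }') AS DECIMAL) = 1`, a second statement followed by a comment; the safe builder throws on the first non-identifier segment.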

high Prototype Pollution

  • Module: handlebars

  • Installed version: 4.1.2

  • Published: 9/16/2019, 8:44:43 PM

  • Reported by: itszn

  • CWE-471

  • Vulnerable: <4.3.0

  • Patched: >=4.3.0

  • CVSS: 6

Overview

Versions of handlebars prior to 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

Remediation

Upgrade to version 4.3.0 or later.

Reasons this module exists

jest-cli>istanbul-api>istanbul-reports>handlebars

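The two set-value entries and the handlebars entry above are the write side and the read side of the same problem: a dotted path that is allowed to name `__proto__` (or `constructor.prototype`) lets a deep-set land on `Object.prototype`, and a template lookup that follows inherited properties lets a template reach `__proto__`, `constructor` and `__defineGetter__` from any context value. The following added example (not code from set-value, handlebars or the Outline project) shows a naive nested `set` and a naive property lookup next to versions hardened with a shared forbidden-key check; the names `unsafeSet`, `safeSet`, `unsafeLookup` and `safeLookup` are this example's own.

```javascript
// Added example, not set-value's, handlebars' or Outline's code. Keys that
// must never be traversed when a path comes from untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive deep set: walks a dotted path, creating objects as it goes. With the
// path "__proto__.polluted", obj["__proto__"] is Object.prototype, so the
// final assignment adds a property to every object in the process.
function unsafeSet(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (typeof obj[keys[i]] !== 'object' || obj[keys[i]] === null) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened deep set: reject forbidden keys outright and only descend into
// properties the current object owns, never inherited ones.
function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new TypeError(`refusing to set key "${k}"`);
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(obj, keys[i]);
    if (!own || typeof obj[keys[i]] !== 'object' || obj[keys[i]] === null) obj[keys[i]] = {};
    obj = obj[keys[i]];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Property lookup as a template engine performs for {{a.b.c}}. The naive form
// returns Object.prototype members, so a template can reach constructor,
// __proto__ or __defineGetter__ starting from any ordinary context value.
function unsafeLookup(context, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), context);
}

// Hardened lookup: forbidden keys and inherited properties resolve to
// undefined, which is how a template should see them.
function safeLookup(context, path) {
  let obj = context;
  for (const k of path.split('.')) {
    if (obj == null || FORBIDDEN_KEYS.has(k) || !Object.prototype.hasOwnProperty.call(obj, k)) {
      return undefined;
    }
    obj = obj[k];
  }
  return obj;
}
```

The patched set-value releases add a key check of this kind, and handlebars 4.3.0 likewise stops templates from reaching those properties. Checking `hasOwnProperty` on the read side is what also blocks `__defineGetter__`, which is not in the forbidden list but is inherited from `Object.prototype`.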

moderate Configuration Override

  • Module: helmet-csp

  • Installed version: 2.7.1

  • Published: 9/21/2019, 4:33:16 AM

  • Reported by: William Durand

  • CWE-16

  • Vulnerable: >=1.2.2 <2.9.1

  • Patched: >=2.9.1

  • CVSS: 6

Overview

Versions of helmet-csp before 2.9.1 are vulnerable to a Configuration Override affecting the application's Content Security Policy (CSP). The package's browser sniffing for Firefox deletes the default-src CSP policy, which is the fallback policy. This allows an attacker to remove an application's default CSP, possibly rendering the application vulnerable to Cross-Site Scripting.

Remediation

Upgrade to version 2.9.1 or later. Setting the browserSniff configuration to false in vulnerable versions also mitigates the issue.

Reasons this module exists

koa-helmet>helmet>helmet-csp

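The helmet-csp entry above is a reminder that a CSP is only as strong as its `default-src` fallback: every fetch directive you did not spell out inherits from it, so dropping it silently un-restricts scripts, objects, frames and the rest. The following added example (not helmet-csp's code) builds a policy header with a browser-sniffing branch that reproduces the failure mode described in the advisory, a fixed builder that refuses to emit a policy without `default-src`, and a parser plus check that can be run against real response headers. The `browserSniff` flag mirrors the advisory's mitigation; the user-agent strings and the function names are constructed for this example.

```javascript
// Added example, not helmet-csp's code. Directive values are arrays of
// source expressions, e.g. { 'default-src': ["'self'"] }.

function serialize(policy) {
  return Object.entries(policy).map(([d, v]) => `${d} ${v.join(' ')}`).join('; ');
}

// Reproduces the advisory's failure mode: a Firefox-specific branch deletes
// default-src from the policy. browserSniff=false (the interim mitigation
// named in the remediation) skips that branch.
function buildCspVulnerable(directives, userAgent, browserSniff = true) {
  const policy = { ...directives };
  if (browserSniff && /Firefox\//.test(userAgent)) delete policy['default-src'];
  return serialize(policy);
}

// Fixed builder: no browser sniffing, and a policy without a fallback is a
// configuration error rather than something to emit.
function buildCspFixed(directives) {
  if (!Array.isArray(directives['default-src']) || directives['default-src'].length === 0) {
    throw new Error('policy has no default-src fallback');
  }
  return serialize(directives);
}

// Parse a Content-Security-Policy header value back into directives.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0]] = tokens.slice(1);
  }
  return policy;
}

// Fetch directives that fall back to default-src when not set explicitly
// (a representative subset, not the full list).
const FETCH_DIRECTIVES = ['script-src', 'style-src', 'img-src', 'connect-src',
                          'font-src', 'object-src', 'media-src', 'frame-src'];

// Checks to run against a live response header: a missing fallback, and an
// effective script source list that permits inline script.
function cspFindings(header) {
  const policy = parseCsp(header);
  const findings = [];
  if (!policy['default-src']) {
    const unconstrained = FETCH_DIRECTIVES.filter((d) => !policy[d]);
    findings.push(`no default-src; unconstrained directives: ${unconstrained.join(', ')}`);
  }
  const scriptSources = policy['script-src'] || policy['default-src'] || [];
  if (scriptSources.includes("'unsafe-inline'")) {
    findings.push("effective script-src allows 'unsafe-inline'");
  }
  return findings;
}
```

`cspFindings` is deliberately header-level: point it at the `content-security-policy` value of a response fetched with a Firefox user agent and the missing fallback shows up even when the directives you configured all look correct.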

low Regular Expression Denial of Service

  • Module: clean-css

  • Installed version: 3.4.28

  • Published: 2/16/2019, 3:10:03 AM

  • Reported by: Santosh Rao

  • CWE-185

  • Vulnerable: <4.1.11

  • Patched: >=4.1.11

  • CVSS: 4

Overview

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Remediation

Upgrade to version 4.1.11 or higher.

Reasons this module exists

html-webpack-plugin>html-minifier>clean-css


low Regular Expression Denial of Service

  • Module: braces

  • Installed version: 1.8.5

  • Published: 2/16/2019, 3:14:30 AM

  • Reported by: Santosh Rao

  • CWE-185

  • Vulnerable: <2.3.1

  • Patched: >=2.3.1

  • CVSS: 4

Overview

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.

Remediation

Upgrade to version 2.3.1 or higher.

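Both ReDoS entries above (clean-css and braces) describe the same mechanism: a pattern with overlapping or nested quantifiers that, on an input that almost matches, tries every way of splitting the input before failing. The following added example (not the actual patterns from clean-css or braces, which the report does not show) uses the classic `/^(a+)+$/` to make the backtracking visible, pairs it with an unambiguous pattern for the same language, adds a length-capped wrapper as the interim mitigation for a regex you cannot change yet, and includes a probe that measures how matching time grows with input length. All inputs are constructed; the function names are this example's own.

```javascript
// Added example, not the regexes from clean-css or braces.
const UNSAFE_RE = /^(a+)+$/; // (a+)+ can partition a run of n a's in ~2^n ways
const SAFE_RE = /^a+$/;      // same language, no ambiguity, linear time

function matchesUnsafe(s) { return UNSAFE_RE.test(s); }
function matchesSafe(s) { return SAFE_RE.test(s); }

// A near-miss input: n a's then a character the pattern cannot match, so the
// engine explores every partition of the a's before it can report failure.
function nearMiss(n) { return 'a'.repeat(n) + '!'; }

// Interim mitigation when the pattern itself cannot be changed yet: refuse to
// run it over inputs beyond a bound, and say so instead of silently failing.
function guardedTest(re, input, maxLen = 1024) {
  if (input.length > maxLen) {
    return { matched: null, reason: `input length ${input.length} exceeds limit ${maxLen}` };
  }
  return { matched: re.test(input), reason: null };
}

const now = () => (typeof performance !== 'undefined' ? performance.now() : Date.now());

function timeTest(re, input) {
  const t0 = now();
  re.test(input);
  return now() - t0;
}

// Sweep n and record per-length timings. For the unsafe pattern each extra
// 'a' roughly doubles the time; for the safe one it stays flat. Keep `to`
// in the low twenties: at n = 30 the unsafe pattern runs for minutes.
function backtrackingProbe(from, to) {
  const rows = [];
  for (let n = from; n <= to; n++) {
    const input = nearMiss(n);
    rows.push({ n, unsafeMs: timeTest(UNSAFE_RE, input), safeMs: timeTest(SAFE_RE, input) });
  }
  return rows;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of backtrackingProbe(14, 22)) {
    console.log(`n=${r.n}  unsafe=${r.unsafeMs.toFixed(2)}ms  safe=${r.safeMs.toFixed(3)}ms`);
  }
}
```

The probe is the useful part when reviewing a third-party regex: if the ratio between consecutive rows sits near 2, the pattern is exponential and a length cap only moves the cliff rather than removing it.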

Report generated at 10/16/2019, 3:15:55 PM.
tommoor (Member) commented Oct 16, 2019

Interestingly, the only one that GitHub itself warns of is set-value. Although it's high severity, the dependency is deeply nested and only used in development as part of nodemon.

tommoor (Member) commented Oct 27, 2019

Down to 3 issues as of the latest commit e726089 – two of which are set-value. It's a pain to get rid of because it seems like it'll mean updating jest and babel :(

tommoor (Member) commented Nov 3, 2019

I was mistaken, yarn upgrade took care of this – audit report is now clean 😄

captn3m0 (Author) commented Nov 4, 2019

Glad to see this fixed 👍

oliver-kriska pushed a commit to payout-one/outline that referenced this issue Nov 12, 2019