Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

critical/high Vulnerabilities #1281

Open
1 of 12 tasks
paul-asvb opened this issue Oct 23, 2023 · 0 comments
Open
1 of 12 tasks

critical/high Vulnerabilities #1281

paul-asvb opened this issue Oct 23, 2023 · 0 comments
Labels
bug Something isn't working

Comments

@paul-asvb
Copy link

paul-asvb commented Oct 23, 2023

I am interested in helping provide a fix!

Yes

Which generators are impacted?

  • All
  • Angular
  • HTML
  • Preact
  • Qwik
  • React
  • React-Native
  • Solid
  • Stencil
  • Svelte
  • Vue
  • Web components

Reproduction case

No UI Problem

Expected Behaviour

Have no CRITICAL / HIGH vulnerabilites

Actual Behaviour

pnpm audit + trivy audit both get the same vulnerabilities:

Severity Vulnerability Description Package Vulnerable Versions Patched Versions Paths More Info
critical vm2 Sandbox Escape vulnerability vm2 <=3.9.19 <0.0.0 . > [email protected] Link
mypackage > @builder.io/[email protected] > @builder.io/[email protected] > [email protected]
mypackage > @builder.io/[email protected] > @builder.io/[email protected] > @builder.io/[email protected] > [email protected]
critical Prototype Pollution in lodash lodash.template <4.5.0 >=4.5.0 . > [email protected] Link
mypackage > @builder.io/[email protected] > [email protected] > [email protected]
high glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex glob-parent <5.1.2 >=5.1.2 mypackage > @builder.io/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] Link
mypackage > @builder.io/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]
high node-fetch forwards secure headers to untrusted sites node-fetch <2.6.7 >=2.6.7 mypackage > @builder.io/[email protected] > @builder.io/[email protected] > [email protected] > [email protected] > [email protected] > [email protected] Link
mypackage > @builder.io/[email protected] > @builder.io/[email protected] > @builder.io/[email protected] > [email protected] > [email protected] > [email protected] > [email protected]

Additional Information

I love this project, happy to provide a fix.

@paul-asvb paul-asvb added the bug Something isn't working label Oct 23, 2023
@paul-asvb paul-asvb changed the title Audition of Vulnerabilities critical/high critical/high Vulnerabilities Oct 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

1 participant