Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
jest-cli-22.4.4.tgz (Root Library)
jest-haste-map-22.4.3.tgz
sane-2.5.2.tgz
exec-sh-0.2.2.tgz
❌ merge-1.2.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.
Direct dependency fix Resolution (jest-cli): 24.0.0
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
jest-cli-22.4.4.tgz (Root Library)
jest-haste-map-22.4.3.tgz
sane-2.5.2.tgz
exec-sh-0.2.2.tgz
❌ merge-1.2.1.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/request/package.json
Dependency Hierarchy:
jest-cli-22.4.4.tgz (Root Library)
jest-environment-jsdom-22.4.3.tgz
jsdom-11.12.0.tgz
❌ request-2.88.2.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/yargs-parser/package.json
Dependency Hierarchy:
jest-cli-22.4.4.tgz (Root Library)
yargs-10.1.2.tgz
❌ yargs-parser-8.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json
Dependency Hierarchy:
jest-cli-22.4.4.tgz (Root Library)
yargs-10.1.2.tgz
os-locale-2.1.0.tgz
❌ mem-1.1.0.tgz (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure to remove old values from the cache.
dev-mend-for-github-com (bot) changed the title from "jest-cli-22.4.4.tgz: 5 vulnerabilities (highest severity is: 9.8)" to "jest-cli-22.4.4.tgz: 4 vulnerabilities (highest severity is: 9.8)" on Oct 26, 2023
dev-mend-for-github-com (bot) changed the title from "jest-cli-22.4.4.tgz: 4 vulnerabilities (highest severity is: 9.8)" to "jest-cli-22.4.4.tgz: 5 vulnerabilities (highest severity is: 9.8)" on Dec 7, 2023
Vulnerable Library - jest-cli-22.4.4.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2020-28499
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
All versions of package merge are vulnerable to Prototype Pollution via _recursiveMerge.
Publish Date: 2021-02-18
URL: CVE-2020-28499
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1666
Release Date: 2021-02-18
Fix Resolution (merge): 2.1.1
Direct dependency fix Resolution (jest-cli): 24.0.0
In order to enable automatic remediation, please create workflow rules
WS-2020-0218
Vulnerable Library - merge-1.2.1.tgz
Merge multiple objects into one, optionally creating a new cloned object. Similar to the jQuery.extend but more flexible. Works in Node.js and the browser.
Library home page: https://registry.npmjs.org/merge/-/merge-1.2.1.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/merge/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A Prototype Pollution vulnerability was found in merge before 2.1.0 via the merge.recursive function. It can be tricked into adding or modifying properties of the Object prototype. These properties will be present on all objects.
Publish Date: 2020-10-09
URL: WS-2020-0218
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-10-09
Fix Resolution (merge): 2.1.0
Direct dependency fix Resolution (jest-cli): 24.0.0
In order to enable automatic remediation, please create workflow rules
CVE-2023-28155
Vulnerable Library - request-2.88.2.tgz
Simplified HTTP request client.
Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/request/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/request/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The Request package through 2.88.1 for Node.js allows a bypass of SSRF mitigations via an attacker-controlled server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP). NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-16
URL: CVE-2023-28155
CVSS 3 Score Details (6.1)
Base Score Metrics:
CVE-2020-7608
Vulnerable Library - yargs-parser-8.1.0.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-8.1.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/yargs-parser/package.json,/npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/yargs-parser/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "proto" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-03-16
Fix Resolution (yargs-parser): 13.1.2
Direct dependency fix Resolution (jest-cli): 24.9.0
In order to enable automatic remediation, please create workflow rules
WS-2019-0307
Vulnerable Library - mem-1.1.0.tgz
Memoize functions - An optimization used to speed up consecutive function calls by caching the result of calls with identical input
Library home page: https://registry.npmjs.org/mem/-/mem-1.1.0.tgz
Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/package.json
Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn_berry/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/mem/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/mem/package.json
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In 'mem' before v4.0.0 there is a Denial of Service (DoS) vulnerability as a result of a failure to remove old values from the cache.
Publish Date: 2018-08-27
URL: WS-2019-0307
CVSS 3 Score Details (5.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1084
Release Date: 2018-08-27
Fix Resolution (mem): 4.0.0
Direct dependency fix Resolution (jest-cli): 23.0.0-charlie.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules