WS-2019-0063 (High) detected in js-yaml-3.7.0.tgz

[mend-bolt-for-github]

WS-2019-0063 - High Severity Vulnerability

Vulnerable Library - js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: /mono-switch/package.json

Path to vulnerable library: mono-switch/node_modules/postcss-svgo/node_modules/js-yaml/package.json

Dependency Hierarchy:

• electron-webpack-2.7.2.tgz (Root Library)
  • html-loader-1.0.0-alpha.0.tgz
    • htmlnano-0.1.10.tgz
      • cssnano-3.10.0.tgz
        • postcss-svgo-2.1.6.tgz
          • svgo-0.7.2.tgz
            • ❌ js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

---

Step up your Open Source Security Game with WhiteSource here