cve update
olusegz07 committed Dec 12, 2024
1 parent 1833fac commit b22fa0f
Showing 2 changed files with 168 additions and 235 deletions.
18 changes: 10 additions & 8 deletions yarn-audit-known-issues
Expand Up @@ -5,9 +5,11 @@
{"value":"cookie","children":{"ID":1099846,"Issue":"cookie accepts cookie name, path, and domain with out of bounds characters","URL":"https://github.com/advisories/GHSA-pxg6-pf52-xh8x","Severity":"low","Vulnerable Versions":"<0.7.0","Tree Versions":["0.5.0"],"Dependents":["express@npm:4.18.2"]}}
{"value":"copy-concurrently","children":{"ID":"copy-concurrently (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"1.0.5","Tree Versions":["1.0.5"],"Dependents":["move-concurrently@npm:1.0.1"]}}
{"value":"core-js","children":{"ID":"core-js (deprecation)","Issue":"core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.","Severity":"moderate","Vulnerable Versions":"1.2.7","Tree Versions":["1.2.7"],"Dependents":["fbjs@npm:0.8.18"]}}
{"value":"cross-spawn","children":{"ID":1100562,"Issue":"Regular Expression Denial of Service (ReDoS) in cross-spawn","URL":"https://github.com/advisories/GHSA-3xgq-45jj-v275","Severity":"high","Vulnerable Versions":"<6.0.6","Tree Versions":["5.1.0"],"Dependents":["execa@npm:0.7.0"]}}
{"value":"cross-spawn","children":{"ID":1100563,"Issue":"Regular Expression Denial of Service (ReDoS) in cross-spawn","URL":"https://github.com/advisories/GHSA-3xgq-45jj-v275","Severity":"high","Vulnerable Versions":">=7.0.0 <7.0.5","Tree Versions":["7.0.3"],"Dependents":["foreground-child@npm:3.1.1"]}}
{"value":"domexception","children":{"ID":"domexception (deprecation)","Issue":"Use your platform's native DOMException instead","Severity":"moderate","Vulnerable Versions":"4.0.0","Tree Versions":["4.0.0"],"Dependents":["jsdom@virtual:ce56289c4b7a2e9003d709997e253c1c80dcaee4c6fbe440cbe9ba5de5db8af3a7b7ad41bbdec5a5e3d40dc9c3c54bef92dd6885ff84cd436d636d5a1b380a61#npm:20.0.3"]}}
{"value":"express","children":{"ID":1096820,"Issue":"Express.js Open Redirect in malformed URLs","URL":"https://github.com/advisories/GHSA-rv95-896h-c2vc","Severity":"moderate","Vulnerable Versions":"<4.19.2","Tree Versions":["4.18.2"],"Dependents":["json-server@npm:0.15.1"]}}
{"value":"express","children":{"ID":1099529,"Issue":"express vulnerable to XSS via response.redirect()","URL":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","Severity":"moderate","Vulnerable Versions":"<4.20.0","Tree Versions":["4.18.2"],"Dependents":["json-server@npm:0.15.1"]}}
{"value":"express","children":{"ID":1100530,"Issue":"express vulnerable to XSS via response.redirect()","URL":"https://github.com/advisories/GHSA-qw6h-vgh9-j6wx","Severity":"low","Vulnerable Versions":"<4.20.0","Tree Versions":["4.18.2"],"Dependents":["json-server@npm:0.15.1"]}}
{"value":"figgy-pudding","children":{"ID":"figgy-pudding (deprecation)","Issue":"This module is no longer supported.","Severity":"moderate","Vulnerable Versions":"3.5.2","Tree Versions":["3.5.2"],"Dependents":["npm-registry-fetch@npm:4.0.7"]}}
{"value":"fs-write-stream-atomic","children":{"ID":"fs-write-stream-atomic (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"1.0.10","Tree Versions":["1.0.10"],"Dependents":["move-concurrently@npm:1.0.1"]}}
{"value":"gauge","children":{"ID":"gauge (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"4.0.4","Tree Versions":["4.0.4"],"Dependents":["npmlog@npm:6.0.2"]}}
Expand All @@ -26,23 +28,23 @@
{"value":"mermaid","children":{"ID":1100231,"Issue":"Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify","URL":"https://github.com/advisories/GHSA-m4gq-x24j-jpmf","Severity":"high","Vulnerable Versions":"<=10.9.2","Tree Versions":["10.9.1"],"Dependents":["ngx-markdown@virtual:6ff8c2a3aef81417d9f60600e3255d97c9c6c863d8733a87ed99d869392767523e0e28c07db1eb2a034bc9265813386132447698258584d621a7fd0e13d93585#npm:17.2.1"]}}
{"value":"micromatch","children":{"ID":1098681,"Issue":"Regular Expression Denial of Service (ReDoS) in micromatch","URL":"https://github.com/advisories/GHSA-952p-6rrq-rcjv","Severity":"moderate","Vulnerable Versions":"<4.0.8","Tree Versions":["4.0.5"],"Dependents":["fast-glob@npm:3.3.2"]}}
{"value":"move-concurrently","children":{"ID":"move-concurrently (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"1.0.1","Tree Versions":["1.0.1"],"Dependents":["cacache@npm:12.0.4"]}}
{"value":"nanoid","children":{"ID":1101092,"Issue":"Infinite loop in nanoid","URL":"https://github.com/advisories/GHSA-mwcw-c2x4-8c55","Severity":"low","Vulnerable Versions":"<3.3.8","Tree Versions":["2.1.11"],"Dependents":["json-server@npm:0.15.1"]}}
{"value":"node-fetch-npm","children":{"ID":"node-fetch-npm (deprecation)","Issue":"This module is not used anymore, npm uses minipass-fetch for its fetch implementation now","Severity":"moderate","Vulnerable Versions":"2.0.4","Tree Versions":["2.0.4"],"Dependents":["make-fetch-happen@npm:5.0.2"]}}
{"value":"npmlog","children":{"ID":"npmlog (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"6.0.2","Tree Versions":["6.0.2"],"Dependents":["node-gyp@npm:9.4.0"]}}
{"value":"osenv","children":{"ID":"osenv (deprecation)","Issue":"This package is no longer supported.","Severity":"moderate","Vulnerable Versions":"0.1.5","Tree Versions":["0.1.5"],"Dependents":["npm-package-arg@npm:6.1.1"]}}
{"value":"path-to-regexp","children":{"ID":1099561,"Issue":"path-to-regexp outputs backtracking regular expressions","URL":"https://github.com/advisories/GHSA-9wv6-86v2-598j","Severity":"high","Vulnerable Versions":">=0.2.0 <1.9.0","Tree Versions":["1.8.0"],"Dependents":["express-urlrewrite@npm:1.4.0"]}}
{"value":"path-to-regexp","children":{"ID":1099562,"Issue":"path-to-regexp outputs backtracking regular expressions","URL":"https://github.com/advisories/GHSA-9wv6-86v2-598j","Severity":"high","Vulnerable Versions":"<0.1.10","Tree Versions":["0.1.7"],"Dependents":["express@npm:4.18.2"]}}
{"value":"path-to-regexp","children":{"ID":1101081,"Issue":"Unpatched `path-to-regexp` ReDoS in 0.1.x","URL":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w","Severity":"moderate","Vulnerable Versions":"<0.1.12","Tree Versions":["0.1.7"],"Dependents":["express@npm:4.18.2"]}}
{"value":"prismjs","children":{"ID":1089189,"Issue":"prismjs Regular Expression Denial of Service vulnerability","URL":"https://github.com/advisories/GHSA-hqhp-5p83-hx96","Severity":"moderate","Vulnerable Versions":"<1.25.0","Tree Versions":["1.24.1"],"Dependents":["@hmcts/ccd-case-ui-toolkit@workspace:."]}}
{"value":"prismjs","children":{"ID":1090424,"Issue":"Cross-site Scripting in Prism","URL":"https://github.com/advisories/GHSA-3949-f494-cm99","Severity":"high","Vulnerable Versions":">=1.14.0 <1.27.0","Tree Versions":["1.24.1"],"Dependents":["@hmcts/ccd-case-ui-toolkit@workspace:."]}}
{"value":"request","children":{"ID":1096727,"Issue":"Server-Side Request Forgery in Request","URL":"https://github.com/advisories/GHSA-p8p7-x288-28g6","Severity":"moderate","Vulnerable Versions":"<=2.88.2","Tree Versions":["2.88.2"],"Dependents":["json-server@npm:0.15.1"]}}
{"value":"resolve-url","children":{"ID":"resolve-url (deprecation)","Issue":"https://github.com/lydell/resolve-url#deprecated","Severity":"moderate","Vulnerable Versions":"0.2.1","Tree Versions":["0.2.1"],"Dependents":["source-map-resolve@npm:0.5.3"]}}
{"value":"rimraf","children":{"ID":"rimraf (deprecation)","Issue":"Rimraf versions prior to v4 are no longer supported","Severity":"moderate","Vulnerable Versions":"3.0.2","Tree Versions":["3.0.2"],"Dependents":["@mapbox/node-pre-gyp@npm:1.0.11"]}}
{"value":"send","children":{"ID":1099525,"Issue":"send vulnerable to template injection that can lead to XSS","URL":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","Severity":"moderate","Vulnerable Versions":"<0.19.0","Tree Versions":["0.18.0"],"Dependents":["express@npm:4.18.2"]}}
{"value":"serve-static","children":{"ID":1099527,"Issue":"serve-static vulnerable to template injection that can lead to XSS","URL":"https://github.com/advisories/GHSA-cm22-4g7w-348p","Severity":"moderate","Vulnerable Versions":"<1.16.0","Tree Versions":["1.15.0"],"Dependents":["express@npm:4.18.2"]}}
{"value":"socket.io-parser","children":{"ID":1098329,"Issue":"Insufficient validation when decoding a Socket.IO packet","URL":"https://github.com/advisories/GHSA-cqmj-92xf-r6r9","Severity":"high","Vulnerable Versions":">=4.0.4 <4.2.3","Tree Versions":["4.0.5"],"Dependents":["socket.io-client@npm:3.1.3"]}}
{"value":"rimraf","children":{"ID":"rimraf (deprecation)","Issue":"Rimraf versions prior to v4 are no longer supported","Severity":"moderate","Vulnerable Versions":"3.0.2","Tree Versions":["3.0.2"],"Dependents":["node-gyp@npm:9.4.0"]}}
{"value":"send","children":{"ID":1100526,"Issue":"send vulnerable to template injection that can lead to XSS","URL":"https://github.com/advisories/GHSA-m6fv-jmcg-4jfg","Severity":"low","Vulnerable Versions":"<0.19.0","Tree Versions":["0.18.0"],"Dependents":["express@npm:4.18.2"]}}
{"value":"serve-static","children":{"ID":1100528,"Issue":"serve-static vulnerable to template injection that can lead to XSS","URL":"https://github.com/advisories/GHSA-cm22-4g7w-348p","Severity":"low","Vulnerable Versions":"<1.16.0","Tree Versions":["1.15.0"],"Dependents":["express@npm:4.18.2"]}}
{"value":"source-map-resolve","children":{"ID":"source-map-resolve (deprecation)","Issue":"See https://github.com/lydell/source-map-resolve#deprecated","Severity":"moderate","Vulnerable Versions":"0.5.3","Tree Versions":["0.5.3"],"Dependents":["snapdragon@npm:0.8.2"]}}
{"value":"source-map-url","children":{"ID":"source-map-url (deprecation)","Issue":"See https://github.com/lydell/source-map-url#deprecated","Severity":"moderate","Vulnerable Versions":"0.4.1","Tree Versions":["0.4.1"],"Dependents":["source-map-resolve@npm:0.5.3"]}}
{"value":"tar","children":{"ID":1097493,"Issue":"Denial of service while parsing a tar file due to lack of folders count validation","URL":"https://github.com/advisories/GHSA-f5x3-32g6-xq36","Severity":"moderate","Vulnerable Versions":"<6.2.1","Tree Versions":["6.1.15"],"Dependents":["@mapbox/node-pre-gyp@npm:1.0.11"]}}
{"value":"tar","children":{"ID":1097493,"Issue":"Denial of service while parsing a tar file due to lack of folders count validation","URL":"https://github.com/advisories/GHSA-f5x3-32g6-xq36","Severity":"moderate","Vulnerable Versions":"<6.2.1","Tree Versions":["6.1.15"],"Dependents":["node-gyp@npm:9.4.0"]}}
{"value":"tough-cookie","children":{"ID":1097682,"Issue":"tough-cookie Prototype Pollution vulnerability","URL":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3","Severity":"moderate","Vulnerable Versions":"<4.1.3","Tree Versions":["2.5.0"],"Dependents":["request@npm:2.88.2"]}}
{"value":"urix","children":{"ID":"urix (deprecation)","Issue":"Please see https://github.com/lydell/urix#deprecated","Severity":"moderate","Vulnerable Versions":"0.1.0","Tree Versions":["0.1.0"],"Dependents":["source-map-resolve@npm:0.5.3"]}}
{"value":"uuid","children":{"ID":"uuid (deprecation)","Issue":"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.","Severity":"moderate","Vulnerable Versions":"3.4.0","Tree Versions":["3.4.0"],"Dependents":["@hmcts/media-viewer@virtual:6ff8c2a3aef81417d9f60600e3255d97c9c6c863d8733a87ed99d869392767523e0e28c07db1eb2a034bc9265813386132447698258584d621a7fd0e13d93585#npm:4.0.8"]}}
{"value":"ws","children":{"ID":1098393,"Issue":"ws affected by a DoS when handling a request with many HTTP headers","URL":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q","Severity":"high","Vulnerable Versions":">=7.0.0 <7.5.10","Tree Versions":["7.4.6"],"Dependents":["engine.io-client@npm:4.1.4"]}}
{"value":"uuid","children":{"ID":"uuid (deprecation)","Issue":"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.","Severity":"moderate","Vulnerable Versions":"3.4.0","Tree Versions":["3.4.0"],"Dependents":["request@npm:2.88.2"]}}
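Review bot: The two cross-spawn entries for GHSA-3xgq-45jj-v275 (severity high, tree versions 5.1.0 and 7.0.3) appear to be newly accepted into this known-issues list, and the commit message "cve update" gives no reason for accepting them instead of upgrading; the +/- markers are lost on this page, so which lines are additions is inferred from the 10/8 counts. Each entry's own `Vulnerable Versions` field (`<6.0.6`, `>=7.0.0 <7.0.5`) shows that a patched release exists, so the 7.0.3 copy under `foreground-child@npm:3.1.1` could probably be lifted with a `resolutions` pin in package.json, while the 5.1.0 copy under `execa@npm:0.7.0` likely needs the parent bumped. The same question applies to the path-to-regexp `<0.1.12` and nanoid `<3.3.8` entries in the second hunk, which also look new. Because this file has no comment syntax, the risk acceptance belongs in the commit description, for example `Accept GHSA-3xgq-45jj-v275 (cross-spawn): <reason>, revisit by <date>`.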