src/frontend NPM Vulnerability Report #2047
Description
NPM Vulnerability Report - Tuesday, September 17th, 2024
NPM packages have been checked for vulnerabilities using npm audit.
MODERATE severity vulnerabilities.
HIGH severity vulnerabilities.
Package: braces
Severity: high
Vulnerable Range: <3.0.3
Via:
1: Uncontrolled resource consumption in braces.
Severity: high
Vulnerable Range: <3.0.3
CVSS Score: 7.5 / 10
Weaknesses: CWE-400,CWE-1050
Latest Available Version: 3.0.3
This dependency has a fix available, but braces is NOT a direct dependency in your package.json.
See affected dependencies below:
- Direct dependency react does NOT have a fix available.
- Direct dependency @types/react does NOT have a fix available.
- Direct dependency @babel/core does NOT have a fix available.
- Direct dependency stylelint-config-standard does NOT have a fix available.
- Direct dependency stylelint-scss does NOT have a fix available.
Package: lint-staged
Severity: moderate
Vulnerable Range: 7.0.0 - 8.2.1 || 13.3.0 - 15.2.4
Via: micromatch
Latest Available Version: 15.2.10
This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:
Update lint-staged to 15.2.10.
Package: micromatch
Severity: moderate
Vulnerable Range: <4.0.8
Via:
1: Regular Expression Denial of Service (ReDoS) in micromatch.
Severity: moderate
Vulnerable Range: <4.0.8
CVSS Score: 5.3 / 10
Weaknesses: CWE-1333
Latest Available Version: 4.0.8
This dependency has a fix available, but micromatch is NOT a direct dependency in your package.json.
See affected dependencies below:
- Direct dependency react may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of react available. Update from version 18.2.0 to 18.3.1.
- Direct dependency @types/react may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @types/react available. Update from version 18.2.43 to 18.3.7.
- Direct dependency @babel/core may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of @babel/core available. Update from version 7.23.6 to 7.25.2.
- Direct dependency stylelint-config-standard may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of stylelint-config-standard available. Update from version 34.0.0 to 36.0.1.
- Direct dependency stylelint-scss may have a fix available because one of its nested child dependencies fixes the vulnerability and there is a new version of stylelint-scss available. Update from version 5.3.1 to 6.6.0.
- Direct dependency lint-staged has a fix available. Install version 15.2.10 of lint-staged.
- Direct dependency stylelint has a fix available. Install version 16.9.0 of stylelint.
Package: vite
Severity: high
Vulnerable Range: 4.0.0 - 4.5.2
Via:
1: Vite XSS vulnerability in server.transformIndexHtml via URL payload.
Severity: moderate
Vulnerable Range: =4.5.0
CVSS Score: 6.1 / 10
Weaknesses: CWE-79
2: Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem.
Severity: high
Vulnerable Range: >=4.0.0 <=4.5.1
CVSS Score: 7.5 / 10
Weaknesses: CWE-178,CWE-200,CWE-284
3: Vite's server.fs.deny did not deny requests for patterns with directories.
Severity: moderate
Vulnerable Range: >=4.0.0 <=4.5.2
CVSS Score: 5.9 / 10
Weaknesses: CWE-200,CWE-284
Latest Available Version: 5.4.6
This dependency has a fix available, and is a direct dependency in your package.json.
See affected dependencies below:
Update vite to 5.4.6.