Checking \yarn.lock dependencies.
Checking \node_modules\@quasar\babel-preset-app\yarn.lock dependencies.
Checking \node_modules\autocomplete.js\yarn.lock dependencies.
Checking \node_modules\browserify-zlib\yarn.lock dependencies.
Checking \node_modules\combined-stream\yarn.lock dependencies.
Checking \node_modules\eventsource\yarn.lock dependencies.
Checking \node_modules\form-data\yarn.lock dependencies.
Checking \node_modules\postcss-discard-overridden\yarn.lock dependencies.
Checking \node_modules\pug-plain-loader\yarn.lock dependencies.
Checking \node_modules\register-service-worker\yarn.lock dependencies.
Checking \node_modules\tiny-emitter\yarn.lock dependencies.
Checking \node_modules\uri-js\yarn.lock dependencies.
Checking \node_modules\vue-style-loader\yarn.lock dependencies.

Security Alert: [moderate] [brace-expansion]
Type: ReDoS
Advisory Version: <=1.1.6
Current version: 1.1.6
Recommendation: Update to version 1.1.7 or later.
Url: https://npmjs.com/advisories/338
Detail: Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition.

## Proof of Concept

```
var expand = require('brace-expansion');
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
```

Security Alert: [low] [braces]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.1
Current version: 0.1.5
Recommendation: Upgrade to version 2.3.1 or higher.
Url: https://npmjs.com/advisories/786
Detail: Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Security Alert: [moderate] [concat-stream]
Type: Memory Exposure
Advisory Version: >=1.3.0 <1.3.2 || >=1.4.0 <1.4.11 || >=1.5.0 <1.5.2
Current version: 1.5.0
Recommendation: Update to version 1.5.2, 1.4.11, 1.3.2 or later.
If you are unable to update, make sure user-provided input into the `write()` function is not a number.
Url: https://npmjs.com/advisories/597
Detail: Versions of `concat-stream` before 1.5.2 are vulnerable to memory exposure if user-provided input is passed into `write()`. Versions <1.3.0 are not affected because they do not use the unguarded Buffer constructor.

Security Alert: [low] [debug]
Type: Regular Expression Denial of Service
Advisory Version: <= 2.6.8 || >= 3.0.0 <= 3.0.1
Current version: 0.7.4
Recommendation: Version 2.x.x: Update to version 2.6.9 or later. Version 3.x.x: Update to version 3.1.0 or later.
Url: https://npmjs.com/advisories/534
Detail: Affected versions of `debug` are vulnerable to regular expression denial of service when untrusted user input is passed into the `o` formatter. As it takes 50,000 characters to block the event loop for 2 seconds, this issue is a low severity issue.

Security Alert: [low] [deep-extend]
Type: Prototype Pollution
Advisory Version: <=0.5.0
Current version: 0.4.1
Recommendation: Update to version 0.5.1 or later.
Url: https://npmjs.com/advisories/612
Detail: Versions of `deep-extend` before 0.5.1 are vulnerable to prototype pollution.

Security Alert: [high] [forwarded]
Type: Regular Expression Denial of Service
Advisory Version: < 0.1.2
Current version: 0.1.0
Recommendation: Update to version 0.1.2 or later.
Url: https://npmjs.com/advisories/527
Detail: Affected versions of `forwarded` are vulnerable to regular expression denial of service when parsing specially crafted user input.

Security Alert: [high] [fresh]
Type: Regular Expression Denial of Service
Advisory Version: < 0.5.2
Current version: 0.3.0
Recommendation: Update to version 0.5.2 or later.
Url: https://npmjs.com/advisories/526
Detail: Affected versions of `fresh` are vulnerable to regular expression denial of service when parsing specially crafted user input.
Security Alert: [high] [fstream]
Type: Arbitrary File Overwrite
Advisory Version: <1.0.12
Current version: 1.0.10
Recommendation: Upgrade to version 1.0.12 or later.
Url: https://npmjs.com/advisories/886
Detail: Versions of `fstream` prior to 1.0.12 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file. The `fstream.DirWriter()` function is vulnerable.

Security Alert: [critical] [growl]
Type: Command Injection
Advisory Version: <1.10.2
Current version: 1.9.2
Recommendation: Update to version 1.10.2 or later.
Url: https://npmjs.com/advisories/146
Detail: Affected versions of `growl` do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.

Security Alert: [high] [handlebars]
Type: Prototype Pollution
Advisory Version: <=4.0.13 || >=4.1.0 <4.1.2
Current version: 4.0.6
Recommendation: For handlebars 4.1.x upgrade to 4.1.2 or later. For handlebars 4.0.x upgrade to 4.0.14 or later.
Url: https://npmjs.com/advisories/755
Detail: Versions of `handlebars` prior to 4.0.14 are vulnerable to Prototype Pollution. Templates may alter an Object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Security Alert: [moderate] [hawk]
Type: Regular Expression Denial of Service
Advisory Version: < 3.1.3 || >= 4.0.0 <4.1.1
Current version: 1.0.0
Recommendation: Update to hawk version 4.1.1 or later.
Url: https://npmjs.com/advisories/77
Detail: Versions of `hawk` prior to 3.1.3, or 4.x prior to 4.1.1, are affected by a regular expression denial of service vulnerability related to excessively long headers and URIs.

Security Alert: [moderate] [hoek]
Type: Prototype Pollution
Advisory Version: <= 4.2.0 || >= 5.0.0 < 5.0.3
Current version: 0.9.1
Recommendation: Update to version 4.2.1, 5.0.3 or later.
Url: https://npmjs.com/advisories/566
Detail: Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution. The `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property. This can be demonstrated like so:

```javascript
var Hoek = require('hoek');

var malicious_payload = '{"__proto__":{"oops":"It works !"}}';

var a = {};
console.log("Before : " + a.oops);
Hoek.merge({}, JSON.parse(malicious_payload));
console.log("After : " + a.oops);
```

This type of attack can be used to overwrite existing properties causing a potential denial of service.

Security Alert: [moderate] [jquery]
Type: Prototype Pollution
Advisory Version: <3.4.0
Current version: 3.2.1
Recommendation: Upgrade to version 3.4.0 or later.
Url: https://npmjs.com/advisories/796
Detail: Versions of `jquery` prior to 3.4.0 are vulnerable to Prototype Pollution. The extend() method allows an attacker to modify the prototype for `Object`, causing changes in properties that will exist on all objects.

Security Alert: [high] [js-yaml]
Type: Code Injection
Advisory Version: <3.13.1
Current version: 3.6.1
Recommendation: Upgrade to version 3.13.1.
Url: https://npmjs.com/advisories/813
Detail: Versions of `js-yaml` prior to 3.13.1 are vulnerable to Code Injection. The `load()` function may execute arbitrary code injected through a malicious YAML file. Objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys allow attackers to execute the supplied code through the `load()` function. The `safeLoad()` function is unaffected.
An example payload is `{ toString: !<tag:yaml.org,2002:js/function> 'function (){return Date.now()}' } : 1` which returns the object `{ "1553107949161": 1 }`.

Security Alert: [moderate] [js-yaml]
Type: Denial of Service
Advisory Version: <3.13.0
Current version: 3.6.1
Recommendation: Upgrade to version 3.13.0.
Url: https://npmjs.com/advisories/788
Detail: Versions of `js-yaml` prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Security Alert: [moderate] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.11
Current version: 2.4.2
Recommendation: Update to version 4.17.11 or later.
Url: https://npmjs.com/advisories/782
Detail: Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `{constructor: {prototype: {...}}}` causing the addition or modification of an existing property that will exist on all objects.

Security Alert: [low] [lodash]
Type: Prototype Pollution
Advisory Version: <4.17.5
Current version: 2.4.2
Recommendation: Update to version 4.17.5 or later.
Url: https://npmjs.com/advisories/577
Detail: Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.

Security Alert: [high] [marked]
Type: Regular Expression Denial of Service
Advisory Version: <0.3.9
Current version: 0.3.6
Recommendation: Update to version 0.3.9 or later.
Url: https://npmjs.com/advisories/531
Detail: Affected versions of `marked` are vulnerable to a regular expression denial of service.
The amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.

Security Alert: [moderate] [mime]
Type: Regular Expression Denial of Service
Advisory Version: < 1.4.1 || > 2.0.0 < 2.0.3
Current version: 1.3.4
Recommendation: Update to version 2.0.3 or later.
Url: https://npmjs.com/advisories/535
Detail: Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Security Alert: [high] [minimatch]
Type: Regular Expression Denial of Service
Advisory Version: <=3.0.1
Current version: 2.0.10
Recommendation: Update to version 3.0.2 or later.
Url: https://npmjs.com/advisories/118
Detail: Affected versions of `minimatch` are vulnerable to regular expression denial of service attacks when user input is passed into the `pattern` argument of `minimatch(path, pattern)`.

## Proof of Concept

```
var minimatch = require("minimatch");

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

var exploit = "[!" + genstr(1000000, "\\") + "A";

// minimatch exploit.
console.log("starting minimatch");
minimatch("foo", exploit);
console.log("finishing minimatch");
```

Security Alert: [moderate] [morgan]
Type: Code Injection
Advisory Version: <=1.9.0
Current version: 1.7.0
Recommendation: Update to version 1.9.1 or later.
Url: https://npmjs.com/advisories/736
Detail: Versions of `morgan` before 1.9.1 are vulnerable to code injection when user input is allowed into the filter or combined with a prototype pollution attack.

Security Alert: [moderate] [ms]
Type: Regular Expression Denial of Service
Advisory Version: <=0.7.0
Current version: 0.6.2
Recommendation: Update to version 0.7.1 or later. Alternatively, apply a reasonable length limit to parsed version strings.
Url: https://npmjs.com/advisories/46
Detail: Versions of `ms` prior to 0.7.1 are affected by a regular expression denial of service vulnerability when extremely long version strings are parsed.

## Proof of Concept

```javascript
var ms = require('ms');

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

ms(genstr(process.argv[2], "5") + " minutea");
```

### Results

Showing increase in execution time based on the input string.

```
$ time node ms.js 10000

real    0m0.758s
user    0m0.724s
sys     0m0.031s

$ time node ms.js 20000

real    0m2.580s
user    0m2.494s
sys     0m0.047s

$ time node ms.js 30000

real    0m5.747s
user    0m5.483s
sys     0m0.080s

$ time node ms.js 80000

real    0m41.022s
user    0m38.894s
sys     0m0.529s
```

Security Alert: [critical] [open]
Type: Command Injection
Advisory Version: <=0.0.5
Current version: 0.0.5
Recommendation: `open` is now the deprecated `opn` package. Upgrading to the latest version is likely to have unwanted effects since it now has a very different API, but will prevent this vulnerability.
Url: https://npmjs.com/advisories/663
Detail: Versions of `open` before 6.0.0 are vulnerable to command injection when unsanitized user input is passed in. The package does come with the following warning in the readme:

```
The same care should be taken when calling open as if you were calling child_process.exec directly. If it is an executable it will run in a new shell.
```

Security Alert: [high] [parsejson]
Type: Regular Expression Denial of Service
Advisory Version: <=0.0.3
Current version: 0.0.3
Recommendation: The `parsejson` package has not been functionally updated since it was initially released. Additionally, it provides functionality which is natively included in Node.js, and therefore the native `JSON.parse()` should be used, for both performance and security reasons.
Url: https://npmjs.com/advisories/528
Detail: Affected versions of `parsejson` are vulnerable to a regular expression denial of service when parsing untrusted user input.

Security Alert: [high] [qs]
Type: Denial-of-Service Memory Exhaustion
Advisory Version: <1.0.0
Current version: 0.6.6
Recommendation: Update to version 1.0.0 or later.
Url: https://npmjs.com/advisories/29
Detail: Versions prior to 1.0 of `qs` are affected by a denial of service condition. This condition is triggered by parsing a crafted string that deserializes into very large sparse arrays, resulting in the process running out of memory and eventually crashing.

Security Alert: [low] [randomatic]
Type: Cryptographically Weak PRNG
Advisory Version: <3.0.0
Current version: 1.1.6
Recommendation: Update to version 3.0.0 or later.
Url: https://npmjs.com/advisories/157
Detail: Affected versions of `randomatic` generate random values using a cryptographically weak pseudo-random number generator. This may result in predictable values instead of random values as intended.

Security Alert: [moderate] [request]
Type: Remote Memory Exposure
Advisory Version: >=2.2.6 <2.47.0 || >2.51.0 <=2.67.0
Current version: 2.36.0
Recommendation: Update to version 2.68.0 or later.
Url: https://npmjs.com/advisories/309
Detail: Affected versions of `request` will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of `body` is `number`, then a buffer of that size will be allocated and sent to the remote server as the body.
## Proof of Concept

```
var request = require('request');
var http = require('http');

// local server that logs whatever body bytes the client sends
var serveFunction = function (req, res) {
  req.on('data', function (data) {
    console.log(data)
  });
  res.end();
};

var server = http.createServer(serveFunction);
server.listen(8000);

request({
  method: "POST",
  uri: 'http://localhost:8000',
  multipart: [{ body: 500 }]
}, function (err, res, body) {});
```

Security Alert: [high] [sshpk]
Type: Regular Expression Denial of Service
Advisory Version: <1.13.2 || >=1.14.0 <1.14.1
Current version: 1.10.1
Recommendation: Update to version 1.13.2, 1.14.1 or later.
Url: https://npmjs.com/advisories/606
Detail: Versions of `sshpk` before 1.13.2 or 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Security Alert: [moderate] [stringstream]
Type: Out-of-bounds Read
Advisory Version: <=0.0.5
Current version: 0.0.5
Recommendation: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module if user input is being passed in to `stringstream`.
Url: https://npmjs.com/advisories/664
Detail: All versions of `stringstream` are vulnerable to out-of-bounds read as it allocates uninitialized Buffers when a number is passed in the input stream on Node.js 4.x and below.

Security Alert: [high] [tar]
Type: Arbitrary File Overwrite
Advisory Version: <2.2.2 || >=3.0.0 <4.4.2
Current version: 2.2.1
Recommendation: For tar 4.x, upgrade to version 4.4.2 or later. For tar 2.x, upgrade to version 2.2.2 or later.
Url: https://npmjs.com/advisories/803
Detail: Versions of `tar` prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink, will overwrite the system's file with the contents of the extracted file.
Security Alert: [high] [tough-cookie]
Type: Regular Expression Denial of Service
Advisory Version: <2.3.3
Current version: 2.3.2
Recommendation: Update to version 2.3.3 or later.
Url: https://npmjs.com/advisories/525
Detail: Affected versions of `tough-cookie` are susceptible to a regular expression denial of service. The amplification on this vulnerability is relatively low - it takes around 2 seconds for the engine to execute on a malicious input which is 50,000 characters in length. If node was compiled using the `-DHTTP_MAX_HEADER_SIZE` however, the impact of the vulnerability can be significant, as the primary limitation for the vulnerability is the default max HTTP header length in node.

Security Alert: [moderate] [tunnel-agent]
Type: Memory Exposure
Advisory Version: <0.6.0
Current version: 0.4.3
Recommendation: Update to version 0.6.0 or later.
Url: https://npmjs.com/advisories/598
Detail: Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure. This is exploitable if user supplied input is provided to the auth value and is a number.

Proof-of-concept:

```js
require('request')({
  method: 'GET',
  uri: 'http://www.example.com',
  tunnel: true,
  proxy: {
    protocol: 'http:',
    host: '127.0.0.1',
    port: 8080,
    auth: USERSUPPLIEDINPUT // number
  }
});
```

Security Alert: [moderate] [underscore.string]
Type: Regular Expression Denial of Service
Advisory Version: <=3.3.4
Current version: 2.3.3
Recommendation: Upgrade to version 3.3.5 or higher.
Url: https://npmjs.com/advisories/745
Detail: Versions of `underscore.string` prior to *3.3.5* are vulnerable to Regular Expression Denial of Service (ReDoS). The function `unescapeHTML` is vulnerable to ReDoS due to an overly-broad regex. The slowdown is approximately 2s for 50,000 characters but grows exponentially with larger inputs.

Security Alert: [high] [url-parse]
Type: Open Redirect
Advisory Version: <1.4.3
Current version: 1.0.5
Recommendation: Update to version 1.4.3 or later.
Url: https://npmjs.com/advisories/678
Detail: Versions of `url-parse` before 1.4.3 return the wrong hostname, which could lead to Open Redirect, Server Side Request Forgery (SSRF), or Bypass Authentication Protocol vulnerabilities.

Security Alert: [high] [useragent]
Type: ReDoS via long UserAgent header
Advisory Version: <=2.1.12
Current version: 2.1.12
Recommendation: Update to version 2.1.13 or later.
Url: https://npmjs.com/advisories/312
Detail: Affected versions of `useragent` are vulnerable to regular expression denial of service when an arbitrarily long `User-Agent` header is parsed.

## Proof of Concept

```
var useragent = require('useragent');

var badUserAgent = 'MSIE 0.0' + Array(900000).join('0') + 'XBLWP';
var request = 'GET / HTTP/1.1\r\nUser-Agent: ' + badUserAgent + '\r\n\r\n';

console.log(useragent.parse(request));
```

Security Alert: [high] [webpack-dev-server]
Type: Missing Origin Validation
Advisory Version: <2.11.4 || >=3.0.0 <=3.1.10
Current version: 1.16.3
Recommendation: For `webpack-dev-server` 2.x update to version 2.11.4 or later. For `webpack-dev-server` 3.x update to version 3.1.11 or later.
Url: https://npmjs.com/advisories/725
Detail: Versions of `webpack-dev-server` before 3.1.10 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) is not validated.

Security Alert: [high] [ws]
Type: Denial of Service
Advisory Version: <1.1.5 || >=2.0.0 <3.3.1
Current version: 1.1.2
Recommendation: Update to version 3.3.1 or later.
Url: https://npmjs.com/advisories/550
Detail: Affected versions of `ws` can crash when a specially crafted `Sec-WebSocket-Extensions` header containing `Object.prototype` property names as extension or parameter names is sent.
## Proof of concept

```
const WebSocket = require('ws');
const net = require('net');

const wss = new WebSocket.Server({ port: 3000 }, function () {
  const payload = 'constructor'; // or ',;constructor'

  const request = [
    'GET / HTTP/1.1',
    'Connection: Upgrade',
    'Sec-WebSocket-Key: test',
    'Sec-WebSocket-Version: 8',
    `Sec-WebSocket-Extensions: ${payload}`,
    'Upgrade: websocket',
    '\r\n'
  ].join('\r\n');

  const socket = net.connect(3000, function () {
    socket.resume();
    socket.write(request);
  });
});
```

Security Alert: [high] [cached-path-relative]
Type: Prototype Pollution
Advisory Version: <=1.0.1
Current version: 1.0.1
Recommendation: Update to version 1.0.2 or later.
Url: https://npmjs.com/advisories/739
Detail: Versions of `cached-path-relative` before 1.0.2 are vulnerable to prototype pollution.

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=2.0.1
Current version: 0.2.4
Recommendation: Upgrade to version 2.0.2 or later.
Url: https://npmjs.com/advisories/758
Detail: Versions of `static-eval` prior to 2.0.2 pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.

## Proof of concept

```
var evaluate = require('static-eval');
var parse = require('esprima').parse;
var src = process.argv[2];

var payload = '(function({x}){return x.constructor})({x:"".sub})("console.log(process.env)")()';

var ast = parse(payload).body[0].expression;
console.log(evaluate(ast, {x:1}));
```

Security Alert: [moderate] [static-eval]
Type: Sandbox Breakout / Arbitrary Code Execution
Advisory Version: <=1.1.1
Current version: 0.2.4
Recommendation: Update to version 2.0.0 or later.
Url: https://npmjs.com/advisories/548
Detail: Affected versions of `static-eval` pass untrusted user input directly to the global function constructor, resulting in an arbitrary code execution vulnerability when user input is parsed via the package.
## Proof of concept

```
var evaluate = require('static-eval');
var parse = require('esprima').parse;

var src = '(function(){console.log(process.pid)})()';
var ast = parse(src).body[0].expression;

var res = evaluate(ast, {}); // Will print the process id
```

Security Alert: [high] [cryptiles]
Type: Insufficient Entropy
Advisory Version: >=3.1.0 <3.1.3 || >=4.0.0 <4.1.2
Current version: 3.1.2
Recommendation: Update to version 3.1.3 or 4.1.2 or later.
Url: https://npmjs.com/advisories/720
Detail: Versions of `cryptiles` from version 3.1.0 through 3.1.2, and versions 4.0.0 to version 4.1.1, are vulnerable to insufficient entropy. The `randomDigits` method generates digits that lack a perfect distribution over enough attempts.

Security Alert: [high] [ecstatic]
Type: Open Redirect
Advisory Version: <2.2.2 || >=3.0.0 <3.3.2 || >=4.0.0 <4.1.2
Current version: 0.4.13
Recommendation: If using `ecstatic` 4.x, upgrade to 4.1.2 or later. If using `ecstatic` 3.x, upgrade to 3.3.2 or later. If using `ecstatic` 2.x, upgrade to 2.2.2 or later.
Url: https://npmjs.com/advisories/830
Detail: Versions of `ecstatic` prior to 4.1.2, 3.3.2 or 2.2.2 are vulnerable to Open Redirect. The package fails to validate redirects, allowing attackers to craft requests that result in an `HTTP 301` redirect to any other domains.

Security Alert: [moderate] [ecstatic]
Type: Denial of Service
Advisory Version: < 2.0.0
Current version: 0.4.13
Recommendation: Update to version 2.0.0 or later.
Url: https://npmjs.com/advisories/553
Detail: `ecstatic`, a simple static file server middleware, is vulnerable to denial of service. If a payload with a large number of null bytes (`%00`) is provided by an attacker it can crash ecstatic by running it out of memory.
[Results from the original advisory](https://www.checkmarx.com/advisories/denial-of-service-dos-vulnerability-in-ecstatic-npm-package/)

```
A payload of 22kB caused a lag of 1 second,
A payload of 35kB caused a lag of 3 seconds,
A payload of 86kB caused the server to crash
```

Security Alert: [high] [ecstatic]
Type: Denial of Service
Advisory Version: <1.4.0
Current version: 0.4.13
Recommendation: Update to version 1.4.0 or later.
Url: https://npmjs.com/advisories/64
Detail: Versions of `ecstatic` prior to 1.4.0 are affected by a denial of service vulnerability when certain input strings are sent via the `Last-Modified` or `If-Modified-Since` headers. Parsing certain inputs with `new Date()` or `Date.parse()` causes v8 to crash. As ecstatic passes the value of the affected headers into one of these functions, sending certain inputs via one of the headers will cause the server to crash.

Security Alert: [low] [merge]
Type: Prototype Pollution
Advisory Version: <=1.2.0
Current version: 1.0.0
Recommendation: Update to version 1.2.1 or later.
Url: https://npmjs.com/advisories/722
Detail: Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.

Security Alert: [critical] [shell-quote]
Type: Potential Command Injection
Advisory Version: <=1.6.0
Current version: 0.0.1
Recommendation: Update to version 1.6.1 or later.
Url: https://npmjs.com/advisories/117
Detail: Affected versions of `shell-quote` do not properly escape command line arguments, which may result in command injection if the library is used to escape user input destined for use as command line arguments.
## Proof of Concept:

The following characters are not escaped properly: `>`, `;`, `{`, `}`

Bash has a neat but not well known feature known as "Bash Brace Expansion", wherein a sub-command can be executed without spaces by running it between a set of `{}` and using `,` instead of ` ` to separate arguments. Because of this, full command injection is possible even though it was initially thought to be impossible.

```
const quote = require('shell-quote').quote;

console.log(quote(['a;{echo,test,123,234}']));
// Actual                "a;{echo,test,123,234}"
// Expected              "a\;\{echo,test,123,234\}"
// Functional Equivalent "a; echo 'test' '123' '1234'"
```

Security Alert: [low] [uglify-js]
Type: Regular Expression Denial of Service
Advisory Version: <2.6.0
Current version: 2.5.0
Recommendation: Update to version 2.6.0 or later.
Url: https://npmjs.com/advisories/48
Detail: Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.

### Proof of Concept

```
var u = require('uglify-js');

// utility function for generating long strings
var genstr = function (len, chr) {
  var result = "";
  for (var i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

u.parse("var a = " + genstr(process.argv[2], "1") + ".1ee7;");
```

### Results

```
$ time node test.js 10000

real    0m1.091s
user    0m1.047s
sys     0m0.039s

$ time node test.js 80000

real    0m6.486s
user    0m6.229s
sys     0m0.094s
```

Security Alert: [low] [uglify-js]
Type: Incorrect Handling of Non-Boolean Comparisons During Minification
Advisory Version: <= 2.4.23
Current version: 2.2.5
Recommendation: Upgrade UglifyJS to version >= 2.4.24.
Url: https://npmjs.com/advisories/39
Detail: Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.