
Several vulnerabilities in dependencies #33

@paimon0715


Hi @majodev,

Issue

Six vulnerabilities (2 high, 2 medium and 2 low severity) are introduced in @aaa-backend-stack/build-tools:
1. Vulnerability CVE-2020-28469 (medium severity) is detected in package glob-parent (versions: <5.1.2): https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
2. Vulnerability CVE-2019-10795 (medium severity) is detected in package undefsafe (versions: <2.0.3): https://snyk.io/vuln/SNYK-JS-UNDEFSAFE-548940
3. Vulnerability CVE-2018-1109 (low severity) is detected in package braces (versions: <2.3.1): https://snyk.io/vuln/npm:braces:20180219
4. Vulnerability CVE-2020-8203 (low severity) is detected in package lodash (versions: <4.17.16): https://snyk.io/vuln/SNYK-JS-LODASH-567746
5. Vulnerability CVE-2021-23337 (high severity) is detected in package lodash (versions: <4.17.21): https://snyk.io/vuln/SNYK-JS-LODASHTEMPLATE-1088054
6. Vulnerability SNYK-JS-LODASH-608086 (high severity) is detected in package lodash (versions: <4.17.17): https://snyk.io/vuln/SNYK-JS-LODASH-608086

The above vulnerable packages are referenced by @aaa-backend-stack/build-tools via:
1. @aaa-backend-stack/build-tools@2.4.4 ➔ lodash@4.17.15
2. @aaa-backend-stack/build-tools@2.4.4 ➔ nodemon@1.11.0 ➔ chokidar@1.7.0 ➔ anymatch@1.3.2 ➔ micromatch@2.3.11 ➔ braces@1.8.5
3. @aaa-backend-stack/build-tools@2.4.4 ➔ nodemon@1.11.0 ➔ undefsafe@0.0.3
4. @aaa-backend-stack/build-tools@2.4.4 ➔ npm-watch@0.2.0 ➔ nodemon@1.19.4 ➔ chokidar@2.1.8 ➔ glob-parent@3.1.0

Solution

Since @aaa-backend-stack/build-tools@2.4.* is transitively referenced by 18 downstream projects (e.g., @aaa-backend-stack/rest 2.4.5 (latest version), @aaa-backend-stack/utils 2.4.4 (latest version), @aaa-backend-stack/graphql-rest-bindings 2.4.5 (latest version), @aaa-backend-stack/graphql 2.4.4 (latest version), @aaa-backend-stack/git-info 2.4.4 (latest version),

If @aaa-backend-stack/build-tools@2.4.* removes the vulnerable packages from the above version, then its fixed version can help downstream users decrease their pain.

Could you help update packages in these versions?

Fixing suggestions

In @aaa-backend-stack/build-tools@2.4.*, you can kindly perform the following upgrades (not crossing their major versions):
1. lodash 4.17.15 ➔ 4.17.21;

Note:
_lodash@4.17.21 has fixed the vulnerabilities CVE-2020-8203, CVE-2021-23337 and SNYK-JS-LODASH-608086_

2. nodemon 1.11.0 ➔ 1.14.11;

Note:
nodemon 1.14.11 transitively depends on braces@2.3.2 (a vulnerability CVE-2018-1109 patched version); nodemon 1.14.11 directly depends on undefsafe@2.0.3 (a vulnerability CVE-2019-10795 patched version)

3. npm-watch 0.2.0 ➔ 0.7.0;

Note:
npm-watch 0.7.0 transitively depends on glob-parent@5.1.2 (a vulnerability CVE-2020-28469 patched version)

Thanks for your contributions to the npm ecosystem!

Best regards,
Paimon
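The dependency paths and the vulnerable ranges quoted in the issue can be checked mechanically rather than by eye, which is also how a maintainer can confirm that the suggested upgrades really remove every hit. The script below is an added example, not code from the issue or from the @aaa-backend-stack project. It walks an npm lockfile-v1-style `dependencies` tree and reports every path ending at a version inside one of the six advisory ranges. Both trees are constructed inline: `BEFORE` reproduces the four paths listed above, and `AFTER` uses only the versions named in the fixing suggestions, with intermediate packages flattened because the issue does not state their versions.

```javascript
// Added example, not code from the issue or from the @aaa-backend-stack
// project: walk an npm lockfile-v1-style "dependencies" tree and report
// every path that ends at a package version inside a vulnerable range.

// Vulnerable ranges exactly as stated in the issue; "below" is an
// exclusive upper bound (e.g. lodash <4.17.16 for CVE-2020-8203).
const ADVISORIES = [
  { id: 'CVE-2020-28469', pkg: 'glob-parent', below: '5.1.2' },
  { id: 'CVE-2019-10795', pkg: 'undefsafe', below: '2.0.3' },
  { id: 'CVE-2018-1109', pkg: 'braces', below: '2.3.1' },
  { id: 'CVE-2020-8203', pkg: 'lodash', below: '4.17.16' },
  { id: 'SNYK-JS-LODASH-608086', pkg: 'lodash', below: '4.17.17' },
  { id: 'CVE-2021-23337', pkg: 'lodash', below: '4.17.21' },
];

// Compare two plain x.y.z versions numerically: -1, 0 or 1.
// Prerelease tags are deliberately not handled; none occur here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of { version, dependencies: { name: node } } trees.
// Returns one hit per (advisory, path) pair, so a single lodash@4.17.15
// yields three hits, the same way the issue counts them.
function findVulnerablePaths(rootName, root, advisories = ADVISORIES) {
  const hits = [];
  const walk = (name, node, path) => {
    const here = [...path, `${name}@${node.version}`];
    for (const adv of advisories) {
      if (adv.pkg === name && compareVersions(node.version, adv.below) < 0) {
        hits.push({ id: adv.id, path: here.join(' > ') });
      }
    }
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(child, childNode, here);
    }
  };
  walk(rootName, root, []);
  return hits;
}

// Constructed tree reproducing the four dependency paths the issue lists
// for @aaa-backend-stack/build-tools@2.4.4 (not a real lockfile).
const BEFORE = {
  version: '2.4.4',
  dependencies: {
    lodash: { version: '4.17.15' },
    nodemon: {
      version: '1.11.0',
      dependencies: {
        undefsafe: { version: '0.0.3' },
        chokidar: { version: '1.7.0', dependencies: {
          anymatch: { version: '1.3.2', dependencies: {
            micromatch: { version: '2.3.11', dependencies: { braces: { version: '1.8.5' } } },
          } },
        } },
      },
    },
    'npm-watch': { version: '0.2.0', dependencies: {
      nodemon: { version: '1.19.4', dependencies: {
        chokidar: { version: '2.1.8', dependencies: { 'glob-parent': { version: '3.1.0' } } },
      } },
    } },
  },
};

// Constructed tree after the issue's three suggested upgrades. Only the
// versions the issue names are used; intermediate packages are flattened
// (as npm hoisting would do) because their versions are not stated.
const AFTER = {
  version: '2.4.4',
  dependencies: {
    lodash: { version: '4.17.21' },
    nodemon: { version: '1.14.11', dependencies: {
      undefsafe: { version: '2.0.3' },
      braces: { version: '2.3.2' },
    } },
    'npm-watch': { version: '0.7.0', dependencies: { 'glob-parent': { version: '5.1.2' } } },
  },
};

const ROOT = '@aaa-backend-stack/build-tools';
for (const [label, tree] of [['before', BEFORE], ['after', AFTER]]) {
  const hits = findVulnerablePaths(ROOT, tree);
  console.log(`${label}: ${hits.length} vulnerable path(s)`);
  for (const h of hits) console.log(`  ${h.id}: ${h.path}`);
}
```

Run with `node` and the `before` tree yields the six hits from the issue (three of them on the single lodash@4.17.15 node), while the `after` tree yields none. Against a real project, feed it the `dependencies` object from `package-lock.json` (lockfile v1) or the equivalent tree from `npm ls --all --json`; the comparison deliberately treats the range bounds as exclusive, so a package pinned exactly at the patched version is reported as clean.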
