@openrewrite/recipes-nodejs 0.37.0-20260104-170507 → 0.37.0-20260106-082310
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/resources/advisories-npm.csv +19 -4
- package/dist/security/dependency-vulnerability-check.d.ts +25 -2
- package/dist/security/dependency-vulnerability-check.d.ts.map +1 -1
- package/dist/security/dependency-vulnerability-check.js +338 -96
- package/dist/security/dependency-vulnerability-check.js.map +1 -1
- package/dist/security/index.d.ts +1 -0
- package/dist/security/index.d.ts.map +1 -1
- package/dist/security/index.js +1 -0
- package/dist/security/index.js.map +1 -1
- package/dist/security/npm-utils.d.ts +21 -0
- package/dist/security/npm-utils.d.ts.map +1 -0
- package/dist/security/npm-utils.js +268 -0
- package/dist/security/npm-utils.js.map +1 -0
- package/dist/security/remove-redundant-overrides.d.ts +40 -0
- package/dist/security/remove-redundant-overrides.d.ts.map +1 -0
- package/dist/security/remove-redundant-overrides.js +379 -0
- package/dist/security/remove-redundant-overrides.js.map +1 -0
- package/package.json +7 -3
- package/src/index.ts +2 -1
- package/src/security/dependency-vulnerability-check.ts +622 -66
- package/src/security/index.ts +1 -0
- package/src/security/npm-utils.ts +414 -0
- package/src/security/remove-redundant-overrides.ts +515 -0
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,kBAAkB,EAAE,iBAAiB,EAAC,MAAM,sBAAsB,CAAC;AAyB3E,eAAO,MAAM,MAAM,EAAE,kBAAkB,EAA+B,CAAC;AACvE,eAAO,MAAM,OAAO,EAAE,kBAAkB,EAA0C,CAAC;AACnF,eAAO,MAAM,QAAQ,EAAE,kBAAkB,EAA2C,CAAC;AAErF,wBAAsB,QAAQ,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAC,kBAAkB,EAAE,iBAAiB,EAAC,MAAM,sBAAsB,CAAC;AAyB3E,eAAO,MAAM,MAAM,EAAE,kBAAkB,EAA+B,CAAC;AACvE,eAAO,MAAM,OAAO,EAAE,kBAAkB,EAA0C,CAAC;AACnF,eAAO,MAAM,QAAQ,EAAE,kBAAkB,EAA2C,CAAC;AAErF,wBAAsB,QAAQ,CAAC,WAAW,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA0B5E"}
|
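--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -62,6 +62,7 @@ function activate(marketplace)
 yield marketplace.install(upgrade_node_22_1.UpgradeNode22, exports.Migrate);
 yield marketplace.install(upgrade_node_24_1.UpgradeNode24, exports.Migrate);
 yield marketplace.install(security_1.DependencyVulnerabilityCheck, exports.Security);
+yield marketplace.install(security_1.RemoveRedundantOverrides, exports.Security);
 });
 }
 //# sourceMappingURL=index.js.map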
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AA6BA,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;AA6BA,4BA0BC;AAtDD,qEAA0E;AAC1E,yDAAoE;AACpE,yEAAwF;AACxF,uEAAwE;AACxE,iDAAkD;AAClD,uDAAwD;AACxD,yEAAyE;AACzE,uDAAwD;AACxD,uDAAwD;AACxD,uEAAuE;AACvE,yEAAwE;AACxE,mEAA4E;AAC5E,uDAAwD;AACxD,+DAA6E;AAC7E,+DAA+D;AAC/D,uDAA8D;AAC9D,iFAAiF;AACjF,yEAAyE;AACzE,+EAA+E;AAC/E,yFAAuF;AACvF,+DAAwD;AACxD,+DAAwD;AACxD,yCAAkF;AAErE,QAAA,MAAM,GAAyB,CAAC,EAAC,WAAW,EAAE,SAAS,EAAC,CAAC,CAAC;AAC1D,QAAA,OAAO,GAAyB,CAAC,GAAG,cAAM,EAAE,EAAC,WAAW,EAAE,SAAS,EAAC,CAAC,CAAC;AACtE,QAAA,QAAQ,GAAyB,CAAC,GAAG,cAAM,EAAE,EAAC,WAAW,EAAE,UAAU,EAAC,CAAC,CAAC;AAErF,SAAsB,QAAQ,CAAC,WAA8B;;QACzD,MAAM,WAAW,CAAC,OAAO,CAAC,iDAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,2CAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,+DAAwC,EAAE,eAAO,CAAC,CAAC;QAC7E,MAAM,WAAW,CAAC,OAAO,CAAC,+CAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,yBAAc,EAAE,eAAO,CAAC,CAAC;QACnD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,gDAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,8CAAwB,EAAE,eAAO,CAAC,CAAC;QAC7D,MAAM,WAAW,CAAC,OAAO,CAAC,+CAAwB,EAAE,eAAO,CAAC,CAAC;QAC7D,MAAM,WAAW,CAAC,OAAO,CAAC,mDAA+B,EAAE,eAAO,CAAC,CAAC;QACpE,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAiB,EAAE,eAAO,CAAC,CAAC;QACtD,MAAM,WAAW,CAAC,OAAO,CAAC,oDAAkC,EAAE,eAAO,CAAC,CAAC;QACvE,MAAM,WAAW,CAAC,OAAO,CAAC,sCAAoB,EAAE,eAAO,CAAC,CAAC;QACzD,MAAM,WAAW,CAAC,OAAO,CAAC,qCAAuB,EAAE,eAAO,CAAC,CAAC;QAC5D,MAAM,WAAW,CAAC,OAAO,CAAC,wDAA6B,EAAE,eAAO,CAAC,CAAC;QAClE,MAAM,WAAW,CAAC,OAAO,CAAC,gDAAyB,EAAE,eAAO,CAAC,CAAC;QAC9D,MAAM,WAAW,CAAC,OAAO,CAAC,sDAA4B,EAAE,eAAO,CAAC,CAAC;QACjE,MAAM,WAAW,CAAC,OAAO,CAAC,8DAA+B,EAAE,eAAO,CAAC,CAAC;QACpE,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAa,EAAE,eAAO,CAAC,CAAC;QAClD,MAAM,WAAW,CAAC,OAAO,CAAC,+BAAa,EAAE,eAAO,CAAC,CAAC;QAElD,MAAM,WAAW,CAAC,OAAO,CAAC,uCAA4B,EAAE,gBAAQ,CAAC,CAAC
;QAClE,MAAM,WAAW,CAAC,OAAO,CAAC,mCAAwB,EAAE,gBAAQ,CAAC,CAAC;IAClE,CAAC;CAAA"}
|
|
@@ -938,7 +938,7 @@ CVE-2019-18841,2019-12-02T18:04:11Z,"Prototype Pollution in chartkick",chartkick
|
|
|
938
938
|
CVE-2019-18954,2019-12-02T18:16:34Z,"Pomelo allows external control of critical state data",pomelo,0,2.2.7,,MODERATE,CWE-668
|
|
939
939
|
CVE-2019-19507,2019-12-04T21:25:28Z,"Validation bypass is possible in Json Pattern Validator",jpv,0,2.1.1,,MODERATE,CWE-287
|
|
940
940
|
CVE-2019-19596,2022-05-24T17:02:45Z,"GitBook allows Cross-site Scripting via a local .md file.",gitbook,0,,2.6.9,MODERATE,CWE-79
|
|
941
|
-
CVE-2019-19609,
|
|
941
|
+
CVE-2019-19609,2020-09-04T16:54:02Z,"Command Injection in strapi",strapi,0,3.0.0-beta.17.8,,HIGH,CWE-77
|
|
942
942
|
CVE-2019-19723,2020-09-04T17:23:03Z,"Improper Authorization in passport-cognito",passport-cognito,0.0.0,,,CRITICAL,CWE-285
|
|
943
943
|
CVE-2019-19729,2022-05-24T22:01:17Z,"bson-objectid contains Improper input validation",bson-objectid,0,,1.3.0,HIGH,CWE-20;CWE-670
|
|
944
944
|
CVE-2019-19771,2019-12-16T19:29:33Z,"lodahs is malware",lodahs,0.0.1,,,HIGH,CWE-506
|
|
@@ -3589,7 +3589,7 @@ CVE-2024-6485,2024-07-11T18:31:14Z,"Bootstrap Cross-Site Scripting (XSS) vulnera
|
|
|
3589
3589
|
CVE-2024-6531,2024-07-11T18:31:14Z,"Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability",bootstrap,4.0.0,5.0.0,,MODERATE,CWE-79
|
|
3590
3590
|
CVE-2024-6534,2024-08-27T19:54:29Z,"Directus has an insecure object reference via PATH presets",directus,0,10.13.2,,MODERATE,CWE-639
|
|
3591
3591
|
CVE-2024-6582,2024-09-13T18:31:48Z,"Withdrawn Advisory: Lunary Improper Authentication vulnerability",lunary,0,1.4.9,,HIGH,CWE-287;CWE-306
|
|
3592
|
-
CVE-2024-6783,2024-07-23T15:31:09Z,"vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)",vue-template-compiler,2.0.0
|
|
3592
|
+
CVE-2024-6783,2024-07-23T15:31:09Z,"vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)",vue-template-compiler,2.0.0,,,MODERATE,CWE-79
|
|
3593
3593
|
CVE-2024-6833,2024-07-17T15:30:52Z,"Zowe CLI allows storage of previously entered secure credentials in a plaintext file",@zowe/cli,7.18.0,7.23.5,,MODERATE,CWE-256
|
|
3594
3594
|
CVE-2024-6862,2024-09-13T18:31:48Z,"Withdrawn Advisory: Lunary Cross-Site Request Forgery (CSRF) vulnerability",@lunary/backend,0,1.4.10,,MODERATE,CWE-352
|
|
3595
3595
|
CVE-2024-6862,2024-09-13T18:31:48Z,"Withdrawn Advisory: Lunary Cross-Site Request Forgery (CSRF) vulnerability",lunary,0,1.4.10,,MODERATE,CWE-352
|
|
@@ -3646,6 +3646,7 @@ CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-
|
|
|
3646
3646
|
CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79
|
|
3647
3647
|
CVE-2025-14874,2025-12-18T09:30:30Z,"Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703
|
|
3648
3648
|
CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89
|
|
3649
|
+
CVE-2025-15284,2025-12-30T21:02:54Z,"qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",qs,0,6.14.1,,HIGH,CWE-20
|
|
3649
3650
|
CVE-2025-1691,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to Control Character Injection via autocomplete",mongosh,0,2.3.9,,HIGH,CWE-74
|
|
3650
3651
|
CVE-2025-1692,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character injection via pasting",mongosh,0,2.3.9,,MODERATE,CWE-150
|
|
3651
3652
|
CVE-2025-1693,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character Injection via shell output",mongosh,0,2.3.9,,LOW,CWE-150
|
|
@@ -4321,6 +4322,7 @@ CVE-2025-66035,2025-11-26T23:18:50Z,"Angular is Vulnerable to XSRF Token Leakage
|
|
|
4321
4322
|
CVE-2025-66202,2025-12-08T16:26:43Z,"Astro has an Authentication Bypass via Double URL Encoding, a bypass for CVE-2025-64765",astro,0,5.15.8,,MODERATE,CWE-647
|
|
4322
4323
|
CVE-2025-66219,2025-11-26T22:09:27Z,"willitmerge has a Command Injection vulnerability",willitmerge,0,,0.2.1,MODERATE,CWE-77
|
|
4323
4324
|
CVE-2025-6624,2025-06-26T06:31:04Z,"Snyk CLI Insertion of Sensitive Information into Log File allowed in DEBUG or DEBUG/TRACE mode",snyk,0,1.1297.3,,LOW,CWE-532
|
|
4325
|
+
CVE-2025-66398,2026-01-02T15:11:49Z,"Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)",signalk-server,0,2.19.0,,CRITICAL,CWE-78;CWE-913
|
|
4324
4326
|
CVE-2025-66400,2025-12-02T01:25:46Z,"mdast-util-to-hast has unsanitized class attribute",mdast-util-to-hast,13.0.0,13.2.1,,MODERATE,CWE-20;CWE-915
|
|
4325
4327
|
CVE-2025-66401,2025-12-02T00:38:14Z,"MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL",mcp-watch,0,,0.1.2,CRITICAL,CWE-78
|
|
4326
4328
|
CVE-2025-66402,2025-12-15T20:55:27Z,"misskey.js's export data contains private post data",misskey-js,13.0.0-beta.16,2025.12.0,,HIGH,CWE-862
|
|
@@ -4371,6 +4373,8 @@ CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side R
|
|
|
4371
4373
|
CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1.alpha.1,,HIGH,CWE-918
|
|
4372
4374
|
CVE-2025-68154,2025-12-16T22:37:23Z,"systeminformation has a Command Injection vulnerability in fsSize() function on Windows",systeminformation,0,5.27.14,,HIGH,CWE-78
|
|
4373
4375
|
CVE-2025-68155,2025-12-16T22:32:26Z,"@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint",@vitejs/plugin-rsc,0,0.5.8,,HIGH,CWE-22;CWE-73
|
|
4376
|
+
CVE-2025-68272,2026-01-02T15:20:05Z,"Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding",signalk-server,0,2.19.0,,HIGH,CWE-400;CWE-770
|
|
4377
|
+
CVE-2025-68273,2026-01-02T15:22:11Z,"Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints",signalk-server,0,2.19.0,,MODERATE,CWE-200
|
|
4374
4378
|
CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/cli,0,2.0.4,,HIGH,CWE-94
|
|
4375
4379
|
CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/graphql,0,2.0.3,,HIGH,CWE-94
|
|
4376
4380
|
CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",tinacms,0,3.1.1,,HIGH,CWE-94
|
|
@@ -4385,12 +4389,19 @@ CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Pars
|
|
|
4385
4389
|
CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,1.9.0,1.9.2,,HIGH,CWE-1333
|
|
4386
4390
|
CVE-2025-68613,2025-12-22T16:19:13Z,"n8n Vulnerable to Remote Code Execution via Expression Injection",n8n,0.211.0,1.120.4,,CRITICAL,CWE-913
|
|
4387
4391
|
CVE-2025-68613,2025-12-22T16:19:13Z,"n8n Vulnerable to Remote Code Execution via Expression Injection",n8n,1.121.0,1.121.1,,CRITICAL,CWE-913
|
|
4392
|
+
CVE-2025-68619,2026-01-02T15:23:39Z,"Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package",signalk-server,0,2.9.0,,HIGH,CWE-94
|
|
4393
|
+
CVE-2025-68620,2026-01-02T15:28:54Z,"Signal K Server vulnerable to JWT Token Theft via WebSocket Enumeration and Unauthenticated Polling",signalk-server,0,2.19.0,,CRITICAL,CWE-288
|
|
4388
4394
|
CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",@langchain/core,0,0.3.80,,HIGH,CWE-502
|
|
4389
4395
|
CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",@langchain/core,1.0.0,1.1.8,,HIGH,CWE-502
|
|
4390
4396
|
CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",langchain,0,0.3.37,,HIGH,CWE-502
|
|
4391
4397
|
CVE-2025-68665,2025-12-23T20:08:48Z,"LangChain serialization injection vulnerability enables secret extraction",langchain,1.0.0,1.2.3,,HIGH,CWE-502
|
|
4392
4398
|
CVE-2025-68668,2025-12-26T18:18:05Z,"n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node ",n8n,1.0.0,2.0.0,,CRITICAL,CWE-693
|
|
4393
|
-
CVE-2025-68697,2025-12-26T18:26:38Z,"Self-hosted n8n has Legacy Code node that enables arbitrary file read/write",n8n,
|
|
4399
|
+
CVE-2025-68697,2025-12-26T18:26:38Z,"Self-hosted n8n has Legacy Code node that enables arbitrary file read/write",n8n,1.2.1,2.0.0,,HIGH,CWE-269;CWE-749
|
|
4400
|
+
CVE-2025-69202,2025-12-30T15:37:55Z,"axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header",axios-cache-interceptor,0,1.11.1,,MODERATE,CWE-524
|
|
4401
|
+
CVE-2025-69203,2026-01-02T15:26:11Z,"Signal K Server Vulnerable to Access Request Spoofing",signalk-server,0,2.19.0,,MODERATE,CWE-290
|
|
4402
|
+
CVE-2025-69206,2025-12-29T21:31:04Z,"hemmelig allows SSRF Filter bypass via Secret Request functionality",hemmelig,0,7.3.3,,MODERATE,CWE-918
|
|
4403
|
+
CVE-2025-69211,2025-12-30T15:32:44Z,"Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)",@nestjs/platform-fastify,0,11.1.11,,MODERATE,CWE-367
|
|
4404
|
+
CVE-2025-69256,2025-12-31T22:05:32Z,"serverless MCP Server vulnerable to Command Injection in list-projects tool",serverless,4.29.0,4.29.3,,HIGH,CWE-77
|
|
4394
4405
|
CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248
|
|
4395
4406
|
CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241
|
|
4396
4407
|
CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330
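Review bot: The new CVE-2025-68619 row gives `2.9.0` in the column that its neighbouring signalk-server rows (CVE-2025-66398, CVE-2025-68272, CVE-2025-68273, CVE-2025-68620, CVE-2025-69203, all added in this diff) fill with `2.19.0`; if the neighbouring rows use that column as the first fixed version, a transposed digit here would make the check report installations between 2.9.0 and 2.19.0 as clean for an advisory whose title is a remote-code-execution finding. Worth confirming the value against the upstream advisory before the database ships. The remaining rows in this hunk follow the same column layout as the surrounding lines, and the strapi entry that used to be truncated (`CVE-2019-19609,`) is now complete.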
|
|
@@ -4414,6 +4425,8 @@ CVE-2025-9654,2025-08-29T15:30:38Z,"AiondaDotCom mcp-ssh command injection vulne
|
|
|
4414
4425
|
CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,5.99.0,5.130.4,,MODERATE,CWE-918
|
|
4415
4426
|
CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,6.0.0,6.0.9,,MODERATE,CWE-918
|
|
4416
4427
|
CVE-2025-9910,2025-09-11T06:30:23Z,"jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin",jsondiffpatch,0,0.7.2,,MODERATE,CWE-79
|
|
4428
|
+
CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,0,10.1.2,,CRITICAL,CWE-22
|
|
4429
|
+
CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.6,,CRITICAL,CWE-22
|
|
4417
4430
|
GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22
|
|
4418
4431
|
GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400
|
|
4419
4432
|
GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506
|
|
@@ -4512,6 +4525,7 @@ GHSA-4964-cjrr-jg97,2020-09-02T21:38:43Z,"Malicious Package in jqeury",jqeury,0,
|
|
|
4512
4525
|
GHSA-49c6-3wr4-8jr4,2020-09-04T15:05:26Z,"Malicious Package in malicious-npm-package",malicious-npm-package,0.0.0,,,CRITICAL,CWE-506
|
|
4513
4526
|
GHSA-49mg-94fc-2fx6,2020-09-04T17:32:49Z,"Command Injection in npm-git-publish",npm-git-publish,0.0.0,,,CRITICAL,CWE-77
|
|
4514
4527
|
GHSA-49r3-3h96-rwj6,2019-06-13T19:09:31Z,"Cross-Site Scripting in ids-enterprise",ids-enterprise,0,4.18.2,,HIGH,CWE-79
|
|
4528
|
+
GHSA-49vv-6q7q-w5cf,2021-12-10T17:22:12Z,"Duplicate Advisory: OS Command Injection in Strapi",strapi,0,3.0.0-beta.17.8,,HIGH,CWE-20;CWE-78
|
|
4515
4529
|
GHSA-4f9m-pxwh-68hg,2020-09-11T21:20:14Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,3.20.9,,MODERATE,CWE-79
|
|
4516
4530
|
GHSA-4fqg-89cc-5pv5,2020-09-04T14:58:44Z,"Malicious Package in sj-labc",sj-labc,0.0.0,,,CRITICAL,CWE-506
|
|
4517
4531
|
GHSA-4fr9-3x69-36wv,2025-10-03T19:27:06Z,"Flowise vulnerable to XSS",flowise,0,3.0.8,,MODERATE,CWE-79
|
|
@@ -4819,7 +4833,6 @@ GHSA-9hc2-w9gg-q6jw,2020-09-01T21:07:41Z,"Malicious Package in boogeyman",boogey
|
|
|
4819
4833
|
GHSA-9hqj-38j2-5jgm,2020-09-01T21:19:23Z,"Command Injection in ascii-art",ascii-art,0,1.4.4,,LOW,CWE-77
|
|
4820
4834
|
GHSA-9mjp-gv34-3jcf,2020-09-02T18:37:35Z,"Malicious Package in aasync",aasync,0,,,CRITICAL,CWE-506
|
|
4821
4835
|
GHSA-9mmw-3fmh-96g3,2020-09-02T20:23:38Z,"Malicious Package in calk",calk,0,,,CRITICAL,CWE-506
|
|
4822
|
-
GHSA-9p2w-rmx4-9mw7,2020-09-04T16:54:02Z,"Command Injection in strapi",strapi,0,3.0.0-beta.17.8,,HIGH,CWE-77
|
|
4823
4836
|
GHSA-9p64-h5q4-phpm,2020-09-02T15:44:58Z,"Remote Code Execution in office-converter",office-converter,0.0.0,,,HIGH,CWE-20
|
|
4824
4837
|
GHSA-9pcf-h8q9-63f6,2020-09-03T17:12:41Z,"Sandbox Breakout / Arbitrary Code Execution in safe-eval",safe-eval,0.0.0,,,HIGH,
|
|
4825
4838
|
GHSA-9pr3-7449-977r,2020-09-02T18:21:26Z,"Cross-Site Scripting in express-cart",express-cart,0,,,LOW,CWE-79
|
|
@@ -4966,6 +4979,7 @@ GHSA-g8q2-24jh-5hpc,2018-07-27T14:47:52Z,"High severity vulnerability that affec
|
|
|
4966
4979
|
GHSA-g8vp-6hv4-m67c,2020-09-11T21:23:29Z,"Command Injection in entitlements",entitlements,0,1.3.0,,HIGH,CWE-77
|
|
4967
4980
|
GHSA-g95f-p29q-9xw4,2019-06-06T15:30:30Z,"Regular Expression Denial of Service in braces",braces,0,2.3.1,,LOW,CWE-185;CWE-400
|
|
4968
4981
|
GHSA-g9cg-h3jm-cwrc,2020-09-03T15:47:23Z,"Prototype Pollution in @hapi/subtext",@hapi/pez,0,5.0.1,,HIGH,CWE-1321
|
|
4982
|
+
GHSA-g9jg-w8vm-g96v,2025-12-31T22:07:25Z,"Trix has a stored XSS vulnerability through its attachment attribute",trix,0,2.1.16,,MODERATE,CWE-79
|
|
4969
4983
|
GHSA-g9r4-xpmj-mj65,2020-09-04T15:06:32Z,"Prototype Pollution in handlebars",handlebars,0,3.0.8,,HIGH,CWE-1321
|
|
4970
4984
|
GHSA-g9r4-xpmj-mj65,2020-09-04T15:06:32Z,"Prototype Pollution in handlebars",handlebars,4.0.0,4.5.3,,HIGH,CWE-1321
|
|
4971
4985
|
GHSA-g9wf-393q-4w38,2020-09-03T17:28:26Z,"Malicious Package in only-test-not-install",only-test-not-install,0.0.0,,,CRITICAL,CWE-506
|
|
@@ -5465,6 +5479,7 @@ GHSA-xm28-fw2x-fqv2,2019-05-31T23:08:14Z,"Denial of Service in foreman",foreman,
|
|
|
5465
5479
|
GHSA-xm7f-x4wx-wmgv,2019-06-04T15:47:43Z,"Out-of-bounds Read in byte",byte,0,1.4.1,,MODERATE,CWE-125
|
|
5466
5480
|
GHSA-xmh9-rg6f-j3mr,2021-03-12T22:39:01Z,"Verification flaw in Solid identity-token-verifier","@solid/identity-token-verifier",0,0.5.2,,MODERATE,CWE-290
|
|
5467
5481
|
GHSA-xmmp-hrmx-x5g7,2020-09-02T21:32:22Z,"Malicious Package in bowe",bowe,0,,,CRITICAL,CWE-506
|
|
5482
|
+
GHSA-xphh-5v4r-r3rx,2025-12-30T19:25:04Z,"PsiTransfer has Zip Slip Path Traversal via TAR Archive Download",psitransfer,0,2.3.1,,HIGH,CWE-22;CWE-23
|
|
5468
5483
|
GHSA-xr3g-4gg5-w3wq,2020-09-03T17:06:14Z,"Malicious Package in degbu",degbu,0.0.0,,,CRITICAL,CWE-506
|
|
5469
5484
|
GHSA-xr53-m937-jr9c,2020-09-03T15:49:14Z,"Cross-Site Scripting in ngx-md",ngx-md,0,6.0.3,,HIGH,CWE-79
|
|
5470
5485
|
GHSA-xrmp-99wj-p6jc,2019-05-31T23:43:09Z,"Prototype Pollution in deap",deap,0,1.0.1,,HIGH,CWE-400
|
|
@@ -2,6 +2,7 @@ import { ExecutionContext, ScanningRecipe, TreeVisitor } from "@openrewrite/rewr
|
|
|
2
2
|
import { DependencyRecipeAccumulator, DependencyScope, PackageManager, ResolvedDependency } from "@openrewrite/rewrite/javascript";
|
|
3
3
|
import { Severity, Vulnerability, VulnerabilityDatabase } from "./vulnerability";
|
|
4
4
|
export type UpgradeDelta = 'none' | 'patch' | 'minor' | 'major';
|
|
5
|
+
export type TransitiveFixStrategy = 'report' | 'override' | 'prefer-direct-upgrade';
|
|
5
6
|
interface PathSegment {
|
|
6
7
|
name: string;
|
|
7
8
|
version: string;
|
|
@@ -19,8 +20,19 @@ interface VulnerabilityFix {
|
|
|
19
20
|
newVersion: string;
|
|
20
21
|
isTransitive: boolean;
|
|
21
22
|
cves: string[];
|
|
23
|
+
cveSummaries: Map<string, string>;
|
|
22
24
|
scope?: DependencyScope;
|
|
23
25
|
originalMajorVersion?: number;
|
|
26
|
+
directDepInfo?: {
|
|
27
|
+
name: string;
|
|
28
|
+
version: string;
|
|
29
|
+
scope: DependencyScope;
|
|
30
|
+
};
|
|
31
|
+
fixViaDirectUpgrade?: {
|
|
32
|
+
directDepName: string;
|
|
33
|
+
directDepVersion: string;
|
|
34
|
+
directDepScope: DependencyScope;
|
|
35
|
+
};
|
|
24
36
|
}
|
|
25
37
|
interface ProjectUpdateInfo {
|
|
26
38
|
packageJsonPath: string;
|
|
@@ -44,20 +56,27 @@ export declare class DependencyVulnerabilityCheck extends ScanningRecipe<Accumul
|
|
|
44
56
|
readonly description: string;
|
|
45
57
|
private readonly vulnerabilityReport;
|
|
46
58
|
scope?: DependencyScope;
|
|
47
|
-
|
|
59
|
+
transitiveFixStrategy?: TransitiveFixStrategy;
|
|
48
60
|
maximumUpgradeDelta?: UpgradeDelta;
|
|
49
61
|
minimumSeverity?: Severity;
|
|
50
62
|
cvePattern?: string;
|
|
51
63
|
fixDeclaredVersions?: boolean;
|
|
64
|
+
addOverrideComments?: boolean;
|
|
52
65
|
private cvePatternRegex?;
|
|
53
66
|
constructor(options?: {
|
|
54
67
|
scope?: DependencyScope;
|
|
55
|
-
|
|
68
|
+
transitiveFixStrategy?: TransitiveFixStrategy;
|
|
56
69
|
maximumUpgradeDelta?: UpgradeDelta;
|
|
57
70
|
minimumSeverity?: string;
|
|
58
71
|
cvePattern?: string;
|
|
59
72
|
fixDeclaredVersions?: boolean;
|
|
73
|
+
addOverrideComments?: boolean;
|
|
60
74
|
});
|
|
75
|
+
private shouldScanTransitives;
|
|
76
|
+
private shouldFixTransitives;
|
|
77
|
+
private shouldVerifyTransitiveFixes;
|
|
78
|
+
private filterRemainingTransitiveFixes;
|
|
79
|
+
private isVersionStillVulnerable;
|
|
61
80
|
initialValue(_ctx: ExecutionContext): Accumulator;
|
|
62
81
|
private isReportOnly;
|
|
63
82
|
private matchesCvePattern;
|
|
@@ -73,12 +92,16 @@ export declare class DependencyVulnerabilityCheck extends ScanningRecipe<Accumul
|
|
|
73
92
|
private findHighestSafeVersion;
|
|
74
93
|
private isVersionWithinDelta;
|
|
75
94
|
private computeFixes;
|
|
95
|
+
private tryFindDirectDepUpgrade;
|
|
96
|
+
private tryDirectUpgradesForTransitives;
|
|
76
97
|
scanner(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>>;
|
|
77
98
|
editorWithData(acc: Accumulator): Promise<TreeVisitor<any, ExecutionContext>>;
|
|
78
99
|
private runPackageManagerInstall;
|
|
79
100
|
private runWorkspacePackageManagerInstall;
|
|
80
101
|
private createModifiedPackageJsonDirectOnly;
|
|
81
102
|
private createModifiedPackageJson;
|
|
103
|
+
private generateOverrideComment;
|
|
104
|
+
private addOverrideCommentsToPackageJson;
|
|
82
105
|
}
|
|
83
106
|
export declare function extractVersionPrefix(versionString: string): {
|
|
84
107
|
prefix: string;
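Review bot: `directDepInfo` and `fixViaDirectUpgrade` on `VulnerabilityFix` describe the same triple — a direct dependency's name, version and scope — under two different field namings, so every consumer has to translate between `name`/`version`/`scope` and `directDepName`/`directDepVersion`/`directDepScope`; one shared shape such as `interface DirectDependencyRef { name: string; version: string; scope: DependencyScope; }` used for both optional fields would make the relationship explicit. Since this declaration is emitted from `package/src/security/dependency-vulnerability-check.ts`, the change belongs in that source file. The new `TransitiveFixStrategy` alias, the `transitiveFixStrategy` and `addOverrideComments` options carry no doc comment in the published types, so a consumer cannot tell which strategy applies when the option is omitted or where an "override comment" is written; a short JSDoc on each in the source would surface here. The `cveSummaries: Map<string, string>` field presumably carries advisory titles from the bundled CSV into the generated override comments (the new `generateOverrideComment`/`addOverrideCommentsToPackageJson` members suggest so), and those titles contain double quotes and backticks in this very diff, so confirm the writer escapes them for the JSON document it emits.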
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dependency-vulnerability-check.d.ts","sourceRoot":"","sources":["../../src/security/dependency-vulnerability-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAGH,gBAAgB,EAGhB,cAAc,EAGd,WAAW,EACd,MAAM,sBAAsB,CAAC;AAI9B,OAAO,EAGH,2BAA2B,EAC3B,eAAe,EAIf,cAAc,EACd,kBAAkB,EAMrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAAgB,QAAQ,EAAmB,aAAa,EAAE,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;
|
|
1
|
+
{"version":3,"file":"dependency-vulnerability-check.d.ts","sourceRoot":"","sources":["../../src/security/dependency-vulnerability-check.ts"],"names":[],"mappings":"AAMA,OAAO,EAGH,gBAAgB,EAGhB,cAAc,EAGd,WAAW,EACd,MAAM,sBAAsB,CAAC;AAI9B,OAAO,EAGH,2BAA2B,EAC3B,eAAe,EAIf,cAAc,EACd,kBAAkB,EAMrB,MAAM,iCAAiC,CAAC;AAGzC,OAAO,EAAgB,QAAQ,EAAmB,aAAa,EAAE,qBAAqB,EAAC,MAAM,iBAAiB,CAAC;AAkB/G,MAAM,MAAM,YAAY,GAAG,MAAM,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AAiBhE,MAAM,MAAM,qBAAqB,GAAG,QAAQ,GAAG,UAAU,GAAG,uBAAuB,CAAC;AAsHpF,UAAU,WAAW;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACnB;AAKD,UAAU,oBAAoB;IAE1B,QAAQ,EAAE,kBAAkB,CAAC;IAE7B,aAAa,EAAE,aAAa,CAAC;IAE7B,KAAK,EAAE,MAAM,CAAC;IAEd,QAAQ,EAAE,OAAO,CAAC;IAElB,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB,IAAI,EAAE,WAAW,EAAE,CAAC;CACvB;AAKD,UAAU,gBAAgB;IAEtB,WAAW,EAAE,MAAM,CAAC;IAEpB,UAAU,EAAE,MAAM,CAAC;IAEnB,YAAY,EAAE,OAAO,CAAC;IAEtB,IAAI,EAAE,MAAM,EAAE,CAAC;IAEf,YAAY,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAElC,KAAK,CAAC,EAAE,eAAe,CAAC;IAExB,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAM9B,aAAa,CAAC,EAAE;QACZ,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,MAAM,CAAC;QAChB,KAAK,EAAE,eAAe,CAAC;KAC1B,CAAC;IAMF,mBAAmB,CAAC,EAAE;QAElB,aAAa,EAAE,MAAM,CAAC;QAEtB,gBAAgB,EAAE,MAAM,CAAC;QAEzB,cAAc,EAAE,eAAe,CAAC;KACnC,CAAC;CACL;AAKD,UAAU,iBAAiB;IAEvB,eAAe,EAAE,MAAM,CAAC;IAExB,mBAAmB,EAAE,MAAM,CAAC;IAE5B,cAAc,EAAE,cAAc,CAAC;IAE/B,WAAW,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACxC;AAKD,UAAU,WAAY,SAAQ,2BAA2B,CAAC,iBAAiB,CAAC;IAExE,EAAE,EAAE,qBAAqB,CAAC;IAE1B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAC;IAEzD,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,gBAAgB,EAAE,CAAC,CAAC;IAEhD,iBAAiB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEvC,sBAAsB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAE5C,cAAc,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;IAEtC,+BAA+B,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAErD,0BAA0B,EAAE,OAAO,CAAC;CACvC;AAgBD,qBAAa,4BAA6B,SAAQ,cAAc,CAAC,WAAW,CAAC;IACzE,QAAQ,CAAC,IAAI,yDAAyD;IACtE,QAAQ,CAAC,WAAW,8CAA8C;IAClE,QAAQ,CAAC,WAAW,SAI8D;IAElF,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAKlC;IAU
F,KAAK,CAAC,EAAE,eAAe,CAAC;IAaxB,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;IAa9C,mBAAmB,CAAC,EAAE,YAAY,CAAC;IAWnC,eAAe,CAAC,EAAE,QAAQ,CAAC;IAW3B,UAAU,CAAC,EAAE,MAAM,CAAC;IAYpB,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAU9B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAG9B,OAAO,CAAC,eAAe,CAAC,CAAS;gBAErB,OAAO,CAAC,EAAE;QAClB,KAAK,CAAC,EAAE,eAAe,CAAC;QACxB,qBAAqB,CAAC,EAAE,qBAAqB,CAAC;QAC9C,mBAAmB,CAAC,EAAE,YAAY,CAAC;QACnC,eAAe,CAAC,EAAE,MAAM,CAAC;QACzB,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,mBAAmB,CAAC,EAAE,OAAO,CAAC;QAC9B,mBAAmB,CAAC,EAAE,OAAO,CAAC;KACjC;IAuBD,OAAO,CAAC,qBAAqB;IAO7B,OAAO,CAAC,oBAAoB;IAQ5B,OAAO,CAAC,2BAA2B;IAcnC,OAAO,CAAC,8BAA8B;IAiDtC,OAAO,CAAC,wBAAwB;IAevB,YAAY,CAAC,IAAI,EAAE,gBAAgB,GAAG,WAAW;IAgB1D,OAAO,CAAC,YAAY;IAOpB,OAAO,CAAC,iBAAiB;IAUzB,OAAO,CAAC,iBAAiB;IAwCzB,OAAO,CAAC,wBAAwB;IAwDhC,OAAO,CAAC,iBAAiB;IAkBzB,OAAO,CAAC,wBAAwB;IAgBhC,OAAO,CAAC,UAAU;IAclB,OAAO,CAAC,mBAAmB;IA0E3B,OAAO,CAAC,mBAAmB;IAgF3B,OAAO,CAAC,oBAAoB;IAW5B,OAAO,CAAC,qBAAqB;IA8B7B,OAAO,CAAC,sBAAsB;IAsD9B,OAAO,CAAC,oBAAoB;YAqCd,YAAY;YAyIZ,uBAAuB;YAuDvB,+BAA+B;IA8C9B,OAAO,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;IAkLtE,cAAc,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;YAuY9E,wBAAwB;YA4HxB,iCAAiC;IAoK/C,OAAO,CAAC,mCAAmC;IA6B3C,OAAO,CAAC,yBAAyB;IAgKjC,OAAO,CAAC,uBAAuB;IA8B/B,OAAO,CAAC,gCAAgC;CAmC3C;AAMD,wBAAgB,oBAAoB,CAAC,aAAa,EAAE,MAAM,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAU/F;AAKD,wBAAgB,kBAAkB,CAAC,eAAe,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAGtF"}
|