Security: Fix 1 vulnerable package #249
base: master
Security fixes:
- fsevents: transitive → 2.3.3
Addresses vulnerabilities:
- CVE-2023-45311
Automated security fix by Security Bot
| "node": ">=4.0.0" | ||
| } | ||
| }, | ||
| "node_modules/webpack-dev-server": { |
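Review bot: the `"node_modules/webpack-dev-server": {` entry in this hunk is unchanged context, and the PR description lists fsevents as the only package updated, so this finding is not addressed by the change. If the examples project runs the dev server with `--hot`, the dependency range in examples/package.json needs raising so that the regenerated examples/package-lock.json resolves webpack-dev-server to at least 3.1.11; if HMR is not used there, the `/fp` reply should record that rather than letting the merge imply the finding is closed.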
High severity vulnerability may affect your project—review required:
Line 8578 lists a dependency (webpack-dev-server) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.
To resolve this comment:
Check if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument).
- If you're affected, upgrade this dependency to at least version 3.1.11 at examples/package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "babel-runtime": "^6.26.0", | ||
| "babel-traverse": "^6.26.0", | ||
| "babel-types": "^6.26.0", | ||
| "babylon": "^6.18.0", | ||
| "lodash": "^4.17.4" | ||
| } | ||
| }, | ||
| "babel-traverse": { | ||
| "node_modules/babel-traverse": { |
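Review bot: babel-traverse has no fixed version, and the neighbouring entries (babel-runtime, babel-types, babylon, all ^6.x) show this is the Babel 6 toolchain, so no lockfile bump can close this finding; the only remediation the finding offers is switching to @babel/traverse, which means migrating whichever package in examples depends on this chain, and that is outside what an automated fsevents-only PR does. Unless Babel is never used to compile untrusted JavaScript in examples, this Critical finding remains open after merge and should be tracked separately.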
Critical severity vulnerability may affect your project—review required:
Line 1291 lists a dependency (babel-traverse) with a known Critical severity vulnerability.
ℹ️ Why this matters
Affected versions of @babel/traverse, babel-traverse, @babel/plugin-transform-runtime, @babel/preset-env, @babel/helper-define-polyfill-provider, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-corejs3, babel-plugin-polyfill-es-shims, and babel-plugin-polyfill-regenerator are vulnerable to Incomplete List Of Disallowed Inputs. An attacker can exploit a vulnerability in the internal Babel methods path.evaluate() or path.evaluateTruthy() by compiling specially crafted code, potentially resulting in arbitrary code execution during compilation. babel-traverse does not have a fix version. If you are using babel-traverse, switch to @babel/traverse.
To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| "node": ">=0.10.0" | ||
| } | ||
| }, | ||
| "node_modules/union-value/node_modules/set-value": { |
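Review bot: this set-value copy is nested under union-value (`"node_modules/union-value/node_modules/set-value": {`), so it is resolved by union-value's own dependency range, not by the top-level set-value entry; raising the top-level range alone leaves this copy below 2.0.1. The fix needs union-value itself updated (or a lockfile override applied) and then a re-scan of the regenerated examples/package-lock.json to confirm both copies resolve to at least 2.0.1.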
Critical severity vulnerability introduced by a package you're using:
Line 8165 lists a dependency (set-value) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at examples/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "set-value": { | ||
| "node_modules/set-value": { |
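Review bot: the same prototype-pollution finding is reported twice because set-value appears both in the legacy `"set-value": {` block and in the `"node_modules/set-value": {` block of this lockfile; after the lock is regenerated, both blocks must agree and resolve to at least 2.0.1. This PR's single fsevents bump touches neither, so the Critical finding at this location is not fixed by merging it.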
Critical severity vulnerability introduced by a package you're using:
Line 7242 lists a dependency (set-value) with a known Critical severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at examples/package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
Security Updates
This PR fixes security vulnerabilities found by Semgrep SCA.
✅ All packages validated for:
- yarn install or npm install to regenerate lock file with fixed versions
- yarn build / npm run build to verify it compiles
Updated Packages
NPM:
- fsevents: transitive → 2.3.3
Note: 2 total updates across multiple package files
Vulnerabilities Fixed
Changes Made
This PR was created automatically by Security Bot
Please review and test before merging