mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 4 vulnerabilities (highest severity is: 9.8)" to "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 7.5)" on Jun 21, 2022
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 7.5)" to "nodemon-2.0.7.tgz: 6 vulnerabilities (highest severity is: 7.5)" on Jul 26, 2022
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 6 vulnerabilities (highest severity is: 7.5)" to "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 7.5)" on Jul 28, 2022
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 7.5)" to "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 9.8)" on Aug 27, 2022
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 5 vulnerabilities (highest severity is: 9.8)" to "nodemon-2.0.7.tgz: 6 vulnerabilities (highest severity is: 9.8)" on Oct 19, 2022
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 6 vulnerabilities (highest severity is: 9.8)" to "nodemon-2.0.7.tgz: 7 vulnerabilities (highest severity is: 9.8)" on Feb 1, 2023
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 7 vulnerabilities (highest severity is: 9.8)" to "nodemon-2.0.7.tgz: 8 vulnerabilities (highest severity is: 9.8)" on Dec 7, 2023
mend-bolt-for-githubbot changed the title from "nodemon-2.0.7.tgz: 8 vulnerabilities (highest severity is: 9.8)" to "nodemon-2.0.7.tgz: 9 vulnerabilities (highest severity is: 9.8)" on May 14, 2024
Vulnerable Library - nodemon-2.0.7.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/minimatch/package.json
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-44906
Vulnerable Library - minimist-1.2.5.tgz
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).
Publish Date: 2022-03-17
URL: CVE-2021-44906
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-xvch-5gv4-984h
Release Date: 2022-03-17
Fix Resolution (minimist): 1.2.6
Direct dependency fix Resolution (nodemon): 2.0.8
Step up your Open Source Security Game with Mend here
CVE-2024-4068
Vulnerable Library - braces-3.0.2.tgz
Bash-like brace expansion, implemented in JavaScript. Safer than other brace expansion libs, with complete support for the Bash 4.3 braces specification, without sacrificing speed.
Library home page: https://registry.npmjs.org/braces/-/braces-3.0.2.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/braces/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
The NPM package braces, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Mend Note: After conducting further research, it was concluded that CVE-2024-4068 does not contain a high security risk that reflects the NVD score, but should be kept for users' awareness. Users of braces should follow the fix recommendation as noted.
Publish Date: 2024-05-14
URL: CVE-2024-4068
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-14
Fix Resolution: braces - 3.0.3
CVE-2022-3517
Vulnerable Library - minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2022-25883
Vulnerable Library - semver-5.7.1.tgz
The semantic version parser used by npm.
Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/semver/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.
Publish Date: 2023-06-21
URL: CVE-2022-25883
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-c2qf-rxjj-qqgw
Release Date: 2023-06-21
Fix Resolution (semver): 5.7.2
Direct dependency fix Resolution (nodemon): 3.0.0
CVE-2022-25881
Vulnerable Library - http-cache-semantics-4.1.0.tgz
Parses Cache-Control and other headers. Helps building correct HTTP caches and proxies
Library home page: https://registry.npmjs.org/http-cache-semantics/-/http-cache-semantics-4.1.0.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/http-cache-semantics/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library.
Publish Date: 2023-01-31
URL: CVE-2022-25881
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rc47-6667-2j5j
Release Date: 2023-01-31
Fix Resolution (http-cache-semantics): 4.1.1
Direct dependency fix Resolution (nodemon): 2.0.8
CVE-2021-3807
Vulnerable Libraries - ansi-regex-4.1.0.tgz, ansi-regex-5.0.0.tgz
ansi-regex-4.1.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/ansi-align/node_modules/ansi-regex/package.json
Dependency Hierarchy:
ansi-regex-5.0.0.tgz
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.0.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/ansi-regex/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (nodemon): 2.0.8
Fix Resolution (ansi-regex): 4.1.1
Direct dependency fix Resolution (nodemon): 2.0.8
CVE-2021-33502
Vulnerable Library - normalize-url-4.5.0.tgz
Normalize a URL
Library home page: https://registry.npmjs.org/normalize-url/-/normalize-url-4.5.0.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/normalize-url/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
Publish Date: 2021-05-24
URL: CVE-2021-33502
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502
Release Date: 2021-05-24
Fix Resolution (normalize-url): 4.5.1
Direct dependency fix Resolution (nodemon): 2.0.8
CVE-2020-28469
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (nodemon): 2.0.8
CVE-2022-33987
Vulnerable Library - got-9.6.0.tgz
Simplified HTTP requests
Library home page: https://registry.npmjs.org/got/-/got-9.6.0.tgz
Path to dependency file: /auth/package.json
Path to vulnerable library: /auth/node_modules/got/package.json
Dependency Hierarchy:
Found in HEAD commit: f5172785566c2c03fdf69340e5d75e019f5e6db6
Found in base branch: master
Vulnerability Details
The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
Publish Date: 2022-06-18
URL: CVE-2022-33987
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987
Release Date: 2022-06-18
Fix Resolution (got): 11.8.6
Direct dependency fix Resolution (nodemon): 2.0.17