[Snyk] Fix for 1 vulnerabilities

[naiba4]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • rootfs/standard/var/www/mynode/static/jquery_ui/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	170/1000 Why? Confidentiality impact: None, Integrity impact: None, Availability impact: High, Scope: Unchanged, Exploit Maturity: Proof of Concept, User Interaction (UI): None, Privileges Required (PR): None, Attack Complexity: Low, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: Yes, Is Malicious: No, Business Criticality: High, Provider Urgency: High, Package Popularity Score: 99, Impact: 5.99, Likelihood: 2.83, Score Version: V5	Prototype Pollution SNYK-JS-LODASH-6139239	Yes	Proof of Concept

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: grunt-bowercopy

The new version differs by 16 commits.

• 5dd5ea0 1.2.5
• 7d30556 chore(release): add npmrc to remove version prefix
• 54df69f chore(deps): switch to yarn for resolutions support
• 175045b chore(deps): force diff resolution to >=3.5.0
• 8d553b2 chore(deps): upgrade packages
• 9e9afc9 chore(deps): update packages
• c7a961a Merge pull request FEATURE: Wifi Enable/Disable on settings mynodebtc/mynode#49 from timmywil/greenkeeper/grunt-jsonlint-2.0.0
• 2c920cf chore(package): update lockfile package-lock.json
• bf59751 chore(package): update grunt-jsonlint to version 2.0.0
• 03ff5bd Merge pull request Status stuck at "Looking for Drive" with drive attached mynodebtc/mynode#48 from timmywil/greenkeeper/load-grunt-tasks-5.0.0
• 222e332 chore(deps): update lockfile
• 6affe65 chore(package): update load-grunt-tasks to version 5.0.0
• 31936b6 test(glob): fix glob pattern for new deps
• 83ef867 docs(readme): add Greenkeeper badge
• 36d329d chore(package): update dependencies
• 9e2e17f ci(config): update node versions

See the full diff

Package name: grunt-contrib-csslint

The new version differs by 22 commits.

• def72ff v2.0.0.
• ce67536 Reduce lodash usage.
• f387bb9 Merge pull request upgrade to v0.1.68 not fully completed mynodebtc/mynode#73 from danpoltawski/show-line-numbers
• 888c0e1 Merge pull request BTC RPC Explorer does not return any transactions mynodebtc/mynode#74 from gruntjs/update-csslint r=vladikoff
• 099cc12 Update CSSLint to v1.0.0.
• d220e09 Show line numbers with lint issues
• 7a02ddf Merge pull request Write Guide on using Blue Wallet via Tor mynodebtc/mynode#70 from gruntjs/deps
• 930ceee Update dependencies.
• 49d8c8a Upgrade grunt and devDeps to 1.0
• 8e1fde7 Update CHANGELOG.
• d001050 Add Appveyor for Windows testing.
• 70dee40 add quiet_all option
• 0e00ea9 Merge pull request Write Guide for Accessing GUI via Tor mynodebtc/mynode#68 from Eligijuxas/master
• 23cce8c v1.0.0
• 948f5db Added option to disable errors and warnings to console
• 90e20d8 Point main to task
• d53677d Remove peerDeps. Ref Remove peerDependencies from plugins gruntjs/grunt#1116
• 8ba3467 Update copyright to 2016
• 0207106 CI: Remove node.js '0.12' and add '5'.
• 536bbb6 CI: test node.js 4.0.
• 38fbca1 Use lodash's checks more.
• 2130bb7 Normalize package.json.

See the full diff

Package name: grunt-git-authors

The new version differs by 3 commits.

• 2c61431 3.1.1
• 3ba4167 Move grunt to devDependencies
• adf4095 cleanup

See the full diff

Package name: grunt-jscs

The new version differs by 27 commits.

• afe900c Release v3.0.0
• 4f2cbe2 Bump jscs to 3.0.4
• 33894a5 Update grunt to 1.0.1 and update grunt-contrib-nodeunit to 1.0.0 (btc-rpc-explorer v1.1.8, RTL fix for hidden sidebar, Changelog mynodebtc/mynode#124)
• 3787cd4 Merge pull request Stop MAC randomization on reboot RBP3 mynodebtc/mynode#125 from paladox/patch-11
• 93fae93 Release v2.8.0
• e6850df Bump dependencies
• efe03eb Bump jscs to 2.11
• bd03360 Bump lodash and jshint versions
• ed026d9 Release v2.7.0
• aa8ec81 Use lodash `isEmpty` method instead of our own implementation
• 044e67c Bump jscs version to 2.9
• 36e8e61 Release v2.6.0
• e26c599 Bump dependencies
• 017d9f7 Misc: add nodejs 5 to travis
• 7210c59 Release v2.5.0
• cf81ca2 Bump jscs version to 2.7.0
• 1fcd82b Release v2.4.0
• 7a87b6a Update jscs to 2.6.0
• 40db752 Update grunt-contrib-jshint to 0.11.3
• 8ae5126 Add grunt as dependency so grunt runs
• d13072f Release v2.3.0
• d8fef95 Update jscs to 2.5.0 version
• c272f8f Release v2.2.0
• 4767f7f Check 4. and .12 nodes with travis CI

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Prototype Pollution

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/grunt-bowercopy@1.2.5	Transitive: environment, filesystem, network, shell	+12	21.6 MB	timmywil
npm/grunt-cli@1.0.0	Transitive: environment, filesystem	+13	170 kB	vladikoff
npm/grunt-contrib-csslint@2.0.0	Transitive: environment	+12	3.29 MB	vladikoff
npm/grunt-git-authors@3.1.1	filesystem Transitive: shell	+1	12.6 kB	scott.gonzalez
npm/grunt-jscs@3.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+148	10.7 MB	markelog
npm/grunt@1.0.3	Transitive: environment, eval, filesystem, shell, unsafe	+92	4.2 MB	vladikoff

🚮 Removed packages: npm/grunt-bowercopy@1.2.4, npm/grunt-cli@0.1.13, npm/grunt-contrib-csslint@0.5.0, npm/grunt-git-authors@3.1.0, npm/grunt-jscs@2.1.0, pypi/docker-compose@1.29.2, pypi/docker-compose@1.29.2, pypi/flask@3.0.3, pypi/flask@3.0.3, pypi/glances@3.4.0.5, pypi/glances@3.4.0.5, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/gnureadline@8.1.2, pypi/image@1.5.33, pypi/inotify-simple@1.3.5, pypi/pam@0.2.0, pypi/pam@0.2.0, pypi/pipenv@2023.12.1, pypi/pipenv@2023.12.1, pypi/prometheus-client@0.20.0, pypi/prometheus-client@0.20.0, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/psutil@5.9.8, pypi/pysocks@1.7.1, pypi/pysocks@1.7.1, pypi/pysocks@1.7.1, pypi/python-bitcoinrpc@1.0, pypi/pyudev@0.24.1, pypi/pyudev@0.24.1, pypi/qrcode@7.4.2, pypi/qrcode@7.4.2, pypi/redis@5.1.0b4, pypi/redis@5.1.0b4, pypi/systemd@0.17.1, pypi/transmissionrpc@0.11, pypi/transmissionrpc@0.11, pypi/transmissionrpc@0.11

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Environment variable access	npm/core-js@2.6.12	Env Vars: Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Filesystem access	npm/core-js@2.6.12	Module: fs Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Install scripts	npm/core-js@2.6.12	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Trivial Package	npm/has-flag@3.0.0	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Environment variable access	npm/supports-color@5.5.0	Env Vars: Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/validate-npm-package-license@3.0.4	Last Publish: 8/5/2018, 4:59:03 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/error-ex@1.3.2	Last Publish: 6/19/2018, 6:20:32 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Trivial Package	npm/is-arrayish@0.2.1	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/is-arrayish@0.2.1	Last Publish: 6/19/2018, 8:09:45 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/clone@2.1.2	Last Publish: 3/21/2018, 9:21:25 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/array-find-index@1.0.2	Last Publish: 9/30/2016, 8:39:49 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/babel-runtime@6.26.0	Last Publish: 10/15/2017, 1:11:40 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/is-utf8@0.2.1	Last Publish: 12/19/2015, 4:04:22 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Uses eval	npm/regenerator-runtime@0.11.1	Eval Type: Function Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Environment variable access	npm/nopt@3.0.6	Env Vars: HOME Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Debug access	npm/source-map-support@0.4.18	Module: module Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/currently-unhandled@0.4.1	Last Publish: 6/2/2016, 11:15:15 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Dynamic require	npm/meow@3.7.0	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Trivial Package	npm/redent@1.0.0	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Trivial Package	npm/trim-newlines@1.0.0	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
CVE	npm/trim-newlines@1.0.0	CVE: GHSA-7p7h-4mm5-852v Uncontrolled Resource Consumption in trim-newlines (HIGH) Affected versions: < 3.0.1 Patched version: 3.0.1	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Filesystem access	npm/jsonlint@1.6.3	Module: fs Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/jsonlint@1.6.3	Last Publish: 2/21/2018, 9:56:56 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/nomnom@1.8.1	Last Publish: 11/7/2014, 6:17:52 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Deprecated	npm/nomnom@1.8.1	Reason: Package no longer supported. Contact support@npmjs.com for more info.	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/has-color@0.1.7	Last Publish: 3/24/2018, 4:21:28 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Debug access	npm/coffeescript@1.10.0	Module: module Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Filesystem access	npm/coffeescript@1.10.0	Module: fs Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Debug access	npm/coffeescript@1.10.0	Module: vm Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Shell access	npm/coffeescript@1.10.0	Module: child_process Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/jscs-preset-wikimedia@1.0.1	Last Publish: 3/30/2018, 6:36:45 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Deprecated	npm/jscs-preset-wikimedia@1.0.1	Reason: No longer maintained. We recomment migrating to ESLint with eslint-config-wikimedia.	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/inherit@2.2.7	Last Publish: 10/5/2018, 8:43:59 PM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Dynamic require	npm/jscs@3.0.7	Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Unmaintained	npm/cst@0.4.10	Last Publish: 6/15/2017, 11:15:03 AM	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Uses eval	npm/js-yaml@3.4.6	Eval Type: Function Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
New author	npm/jscs-jsdoc@2.0.0	New Author: mdevils Previous Author: qfox	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
Uses eval	npm/js-yaml@3.5.5	Eval Type: Function Location: Package overview	rootfs/standard/var/www/mynode/static/jquery_ui/package.json
New author	npm/grunt-cli@1.0.0	New Author: vladikoff Previous Author: shama	rootfs/standard/var/www/mynode/static/jquery_ui/package.json

View full report↗︎

Next steps

What is environment variable access?

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What are trivial packages?

Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.

Removing this package as a dependency and implementing its logic will reduce supply chain risk.

What are unmaintained packages?

Package has not been updated in more than 5 years and may be unmaintained. Problems with the package may go unaddressed.

Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

What is eval?

Package uses eval() which is a dangerous function. This prevents the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.

Avoid packages that use eval, since this could potentially execute any code.

What is debug access?

Uses debug, reflection and dynamic code execution features.

Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

What is dynamic require?

Dynamic require can indicate the package is performing dangerous or unsafe dynamic code execution.

Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

What is a CVE?

Contains a high severity Common Vulnerability and Exposure (CVE).

Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

What is a deprecated package?

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/core-js@2.6.12
• @SocketSecurity ignore npm/has-flag@3.0.0
• @SocketSecurity ignore npm/supports-color@5.5.0
• @SocketSecurity ignore npm/validate-npm-package-license@3.0.4
• @SocketSecurity ignore npm/error-ex@1.3.2
• @SocketSecurity ignore npm/is-arrayish@0.2.1
• @SocketSecurity ignore npm/clone@2.1.2
• @SocketSecurity ignore npm/array-find-index@1.0.2
• @SocketSecurity ignore npm/babel-runtime@6.26.0
• @SocketSecurity ignore npm/is-utf8@0.2.1
• @SocketSecurity ignore npm/regenerator-runtime@0.11.1
• @SocketSecurity ignore npm/nopt@3.0.6
• @SocketSecurity ignore npm/source-map-support@0.4.18
• @SocketSecurity ignore npm/currently-unhandled@0.4.1
• @SocketSecurity ignore npm/meow@3.7.0
• @SocketSecurity ignore npm/redent@1.0.0
• @SocketSecurity ignore npm/trim-newlines@1.0.0
• @SocketSecurity ignore npm/jsonlint@1.6.3
• @SocketSecurity ignore npm/nomnom@1.8.1
• @SocketSecurity ignore npm/has-color@0.1.7
• @SocketSecurity ignore npm/coffeescript@1.10.0
• @SocketSecurity ignore npm/jscs-preset-wikimedia@1.0.1
• @SocketSecurity ignore npm/inherit@2.2.7
• @SocketSecurity ignore npm/jscs@3.0.7
• @SocketSecurity ignore npm/cst@0.4.10
• @SocketSecurity ignore npm/js-yaml@3.4.6
• @SocketSecurity ignore npm/jscs-jsdoc@2.0.0
• @SocketSecurity ignore npm/js-yaml@3.5.5
• @SocketSecurity ignore npm/grunt-cli@1.0.0