[Snyk] Fix for 29 vulnerabilities #205
An automation triggered a pipeline failure
Found 60 vulnerabilities. An additional 0 vulnerabilities have been marked as unaffected.
Output from Automations
6 rules were checked:
If a new dependency is added where the license risk is at least medium
then notify all users in the group admins by email
✔️ The rule did not trigger. Manage rule
If a dependency contains a vulnerability which has not been marked as unaffected and which has not triggered this rule for this dependency before
then notify all users in the group admins by email
✔️ The rule did not trigger. Manage rule
If there is a dependency where the license risk is at least high
then send a pipeline warning
✔️ The rule did not trigger. Manage rule
If a new dependency is added where the license risk is at least high
then fail pipeline
✔️ The rule did not trigger. Manage rule
If a dependency contains a vulnerability which has not been marked as unaffected
then send a pipeline warning
If a dependency contains a vulnerability which has not been marked as unaffected
where CVSS is at least high (7.0-8.9)then fail pipeline
❌ The rule triggered for the following vulnerabilities, causing a pipeline failure. Manage rule
| Vulnerability | CVSS2 | CVSS3 | Dependency | Dependency Licenses |
|---|---|---|---|---|
| CVE-2020-28464 | 10 | 9.8 | djv (npm) | MIT |
| CVE-2022-29078 | 7.5 | 9.8 | ejs (npm) | Apache-2.0, Debricked Unknown License, MIT |
| CVE-2021-23807 | 7.5 | 9.8 | jsonpointer (npm) | Debricked Unknown License, MIT |
| CVE-2023-36665 | N/A | 9.8 | protobufjs (npm) | Apache-2.0, BSD-3-Clause |
| CVE-2023-45133 | N/A | 8.8 | @babel/traverse (npm) | MIT |
| CVE-2022-46175 | N/A | 8.8 | json5 (npm) | Debricked Unknown License, MIT |
| CVE-2021-37713 | 4.4 | 8.6 | tar (npm) | BSD-2-Clause, Debricked Unknown License, ISC |
| CVE-2021-37701 | 4.4 | 8.6 | tar (npm) | BSD-2-Clause, Debricked Unknown License, ISC |
| CVE-2021-37712 | 4.4 | 8.6 | tar (npm) | BSD-2-Clause, Debricked Unknown License, ISC |
| CVE-2021-32803 | 5.8 | 8.1 | tar (npm) | BSD-2-Clause, Debricked Unknown License, ISC |
| CVE-2021-32804 | 5.8 | 8.1 | tar (npm) | BSD-2-Clause, Debricked Unknown License, ISC |
| CVE-2020-36604 | N/A | 8.1 | @hapi/hoek (npm) | BSD-3-Clause |
| CVE-2022-23539 | N/A | 8.1 | jsonwebtoken (npm) | MIT |
| CVE-2021-43138 | 6.8 | 7.8 | async (npm) | MIT |
| CVE-2022-23540 | N/A | 7.6 | jsonwebtoken (npm) | MIT |
| CVE-2023-26115 | N/A | 7.5 | word-wrap (npm) | MIT |
| CVE-2022-25883 | N/A | 7.5 | semver (npm) | BSD-2-Clause, Debricked Unknown License, ISC, MIT |
| CVE-2022-25881 | N/A | 7.5 | http-cache-semantics (npm) | BSD-2-Clause |
| CVE-2021-3749 | 7.8 | 7.5 | axios (npm) | MIT |
| CVE-2022-25887 | N/A | 7.5 | sanitize-html (npm) | MIT |
| CVE-2016-20018 | N/A | 7.5 | knex (npm) | MIT |
| CVE-2021-3765 | 5 | 7.5 | validator (npm) | MIT |
| CVE-2022-31129 | 5 | 7.5 | moment (npm) | MIT |
| CVE-2022-38900 | N/A | 7.5 | decode-uri-component (npm) | MIT |
| CVE-2021-27290 | 4.3 | 7.5 | ssri (npm) | CC0-1.0, ISC |
| CVE-2022-3517 | N/A | 7.5 | minimatch (npm) | Debricked Unknown License, ISC, MIT |
| CVE-2022-25878 | 5 | 7.5 | protobufjs (npm) | Apache-2.0, BSD-3-Clause |
| CVE-2019-20149 | 5 | 7.5 | kind-of (npm) | MIT |
| CVE-2021-3807 | 7.8 | 7.5 | ansi-regex (npm) | MIT |
| CVE-2021-33502 | 5 | 7.5 | normalize-url (npm) | MIT |
| CVE-2020-28469 | 5 | 7.5 | glob-parent (npm) | ISC |
| CVE-2023-2251 | N/A | 7.5 | yaml (npm) | Debricked Unknown License, ISC, MIT |
| CVE-2020-8203 | 5.8 | 7.4 | lodash (npm) | MIT |
| CVE-2020-7788 | 7.5 | 7.3 | ini (npm) | Debricked Unknown License, ISC, MIT |
| CVE-2020-8116 | 7.5 | 7.3 | dot-prop (npm) | MIT |
| CVE-2020-7774 | 7.5 | 7.3 | y18n (npm) | ISC |
| CVE-2021-23337 | 6.5 | 7.2 | lodash (npm) | MIT |