graphql-cli-3.0.3.tgz: 41 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github-com]

Vulnerable Library - graphql-cli-3.0.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (graphql-cli version)	Remediation Possible**	Reachability
CVE-2021-44906	Critical	9.8	detected in multiple dependencies	Transitive	3.0.4	✅
CVE-2021-3918	Critical	9.8	json-schema-0.2.3.tgz	Transitive	3.0.4	✅
CVE-2019-10744	Critical	9.1	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
WS-2019-0063	High	8.1	js-yaml-3.12.0.tgz	Transitive	3.0.4	✅
WS-2018-0107	High	7.8	open-0.0.5.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2021-43138	High	7.8	async-2.6.1.tgz	Transitive	3.0.4	✅
WS-2019-0310	High	7.5	https-proxy-agent-2.2.1.tgz	Transitive	3.0.4	✅
WS-2019-0032	High	7.5	js-yaml-3.12.0.tgz	Transitive	3.0.4	✅
CVE-2024-45590	High	7.5	body-parser-1.18.3.tgz	Transitive	N/A*	❌
CVE-2024-45296	High	7.5	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
CVE-2022-3517	High	7.5	minimatch-3.0.4.tgz	Transitive	N/A*	❌
CVE-2022-24999	High	7.5	qs-6.5.2.tgz	Transitive	3.0.4	✅
CVE-2021-3807	High	7.5	ansi-regex-3.0.0.tgz	Transitive	3.0.4	✅
CVE-2021-3765	High	7.5	validator-9.3.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2020-7661	High	7.5	url-regex-3.2.0.tgz	Transitive	N/A*	❌
CVE-2020-8203	High	7.4	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
CVE-2020-4038	High	7.4	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
CVE-2020-8116	High	7.3	dot-prop-4.2.0.tgz	Transitive	3.0.4	✅
CVE-2020-7788	High	7.3	ini-1.3.5.tgz	Transitive	3.0.4	✅
CVE-2020-7774	High	7.3	detected in multiple dependencies	Transitive	3.0.4	✅
CVE-2021-23337	High	7.2	detected in multiple dependencies	Transitive	4.0.0	✅
WS-2018-0590	High	7.1	diff-1.4.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2023-26136	Medium	6.5	tough-cookie-2.4.3.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2022-1365	Medium	6.5	cross-fetch-2.2.2.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2019-1010266	Medium	6.5	lodash-4.17.5.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2017-16024	Medium	6.5	sync-exec-0.6.2.tgz	Transitive	N/A*	❌
CVE-2022-23540	Medium	6.4	jsonwebtoken-8.4.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2024-29041	Medium	6.1	express-4.16.4.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2022-0235	Medium	6.1	detected in multiple dependencies	Transitive	N/A*	❌
CVE-2022-23539	Medium	5.9	jsonwebtoken-8.4.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2020-7598	Medium	5.6	detected in multiple dependencies	Transitive	3.0.4	✅
CVE-2020-15366	Medium	5.6	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
CVE-2018-16487	Medium	5.6	lodash-4.17.5.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2022-33987	Medium	5.3	got-6.7.1.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2022-25883	Medium	5.3	semver-5.6.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2021-23362	Medium	5.3	hosted-git-info-2.5.0.tgz	Transitive	3.0.4	✅
CVE-2020-7608	Medium	5.3	detected in multiple dependencies	Transitive	4.0.0-experimental.8	✅
CVE-2020-28500	Medium	5.3	detected in multiple dependencies	Transitive	4.0.0	✅
WS-2019-0307	Medium	5.1	mem-1.1.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2022-23541	Medium	5.0	jsonwebtoken-8.4.0.tgz	Transitive	4.0.0-experimental.8	✅
CVE-2020-15168	Low	2.6	detected in multiple dependencies	Transitive	4.1.0	✅

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (12 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2021-44906

Vulnerable Libraries - minimist-1.2.0.tgz, minimist-0.0.8.tgz

minimist-1.2.0.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/strong-log-transformer/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/get-pkg-repo/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/watch/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/git_dependency_local_file/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/meow/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/sane/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/git_dependency_local_file/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/git_dependency_local_file/node_modules/minimist/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • update-notifier-2.5.0.tgz
    • latest-version-3.1.0.tgz
      • package-json-4.0.1.tgz
        • registry-auth-token-3.3.2.tgz
          • rc-1.2.7.tgz
            • ❌ minimist-1.2.0.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/yarn/resolution_specified/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimist,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/mocha/node_modules/minimist/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/mocha/node_modules/minimist/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • mkdirp-0.5.1.tgz
    • ❌ minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (graphql-cli): 3.0.4

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/json-schema/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_yarn/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/json-schema/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/json-schema,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/json-schema/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • request-2.88.0.tgz
    • http-signature-1.2.0.tgz
      • jsprim-1.4.1.tgz
        • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10744

Vulnerable Libraries - lodash-4.17.5.tgz, lodash-4.17.11.tgz

lodash-4.17.5.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/lodash

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • graphql-cli-prepare-1.4.19.tgz
    • ❌ lodash-4.17.5.tgz (Vulnerable Library)

lodash-4.17.11.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.11.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/lodash,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-generator/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_changed/node_modules/react-apollo/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-register/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/request-promise-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-core/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/babel-types/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/babel-traverse/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/async/node_modules/lodash/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/babel-template/node_modules/lodash/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • ❌ lodash-4.17.11.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-25

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-25

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8

Fix Resolution (lodash): 4.17.12

Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0063

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution (js-yaml): 3.13.1

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

WS-2018-0107

Vulnerable Library - open-0.0.5.tgz

open a file or url in the user's preferred application

Library home page: https://registry.npmjs.org/open/-/open-0.0.5.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/open

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • graphql-cli-prepare-1.4.19.tgz
    • graphql-static-binding-0.9.3.tgz
      • cucumber-html-reporter-3.0.4.tgz
        • ❌ open-0.0.5.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

All versions of open are vulnerable to command injection when unsanitized user input is passed in.

Publish Date: 2018-05-16

URL: WS-2018-0107

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2018-0107

Release Date: 2018-01-27

Fix Resolution (open): 6.0.0

Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43138

Vulnerable Library - async-2.6.1.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-2.6.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/async,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/async/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/async/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • express-request-proxy-2.2.2.tgz
    • ❌ async-2.6.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0310

Vulnerable Library - https-proxy-agent-2.2.1.tgz

An HTTP(s) proxy `http.Agent` implementation for HTTPS

Library home page: https://registry.npmjs.org/https-proxy-agent/-/https-proxy-agent-2.2.1.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/https-proxy-agent,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/https-proxy-agent/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/https-proxy-agent

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • graphql-config-extension-prisma-0.2.5.tgz
    • prisma-yml-1.20.0-beta.18.tgz
      • ❌ https-proxy-agent-2.2.1.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

"in 'https-proxy-agent', before v2.2.3, there is a failure of TLS enforcement on the socket. Attacker may intercept unencrypted communications.

Publish Date: 2019-10-07

URL: WS-2019-0310

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1184

Release Date: 2019-10-07

Fix Resolution (https-proxy-agent): 2.2.3

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

WS-2019-0032

Vulnerable Library - js-yaml-3.12.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/js-yaml,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/js-yaml/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/js-yaml/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • ❌ js-yaml-3.12.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Versions js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution (js-yaml): 3.13.0

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-45590

Vulnerable Library - body-parser-1.18.3.tgz

Node.js body parsing middleware

Library home page: https://registry.npmjs.org/body-parser/-/body-parser-1.18.3.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/body-parser,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/body-parser

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • express-4.16.4.tgz
    • ❌ body-parser-1.18.3.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

body-parser is Node.js body parsing middleware. body-parser <1.20.3 is vulnerable to denial of service when url encoding is enabled. A malicious actor using a specially crafted payload could flood the server with a large number of requests, resulting in denial of service. This issue is patched in 1.20.3.

Publish Date: 2024-09-10

URL: CVE-2024-45590

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qwcr-r2fm-qrc7

Release Date: 2024-09-10

Fix Resolution: body-parser - 1.20.3

CVE-2024-45296

Vulnerable Libraries - path-to-regexp-0.1.7.tgz, path-to-regexp-1.7.0.tgz

path-to-regexp-0.1.7.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.7.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/path-to-regexp,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/path-to-regexp

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • express-4.16.4.tgz
    • ❌ path-to-regexp-0.1.7.tgz (Vulnerable Library)

path-to-regexp-1.7.0.tgz

Express style path to RegExp utility

Library home page: https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.7.0.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/path-to-regexp

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • express-request-proxy-2.2.2.tgz
    • ❌ path-to-regexp-1.7.0.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a DoS. The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

Publish Date: 2024-09-09

URL: CVE-2024-45296

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9wv6-86v2-598j

Release Date: 2024-09-09

Fix Resolution (path-to-regexp): 0.1.10

Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8

Fix Resolution (path-to-regexp): 0.1.10

Direct dependency fix Resolution (graphql-cli): 4.0.0-experimental.8

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-3517

Vulnerable Library - minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/library/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/helpers/node_modules/npm/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/etag_no_lockfile/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm7/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/no_lockfile_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/dist_tag/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/yarn/lockfile_only_change/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/path_dependency/deps/etag/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_multiple/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm6/multiple_sources/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/peer_dependency_switch/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/peer_dependency_multiple/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/peer_dependency_switch/node_modules/minimatch,/npm_and_yarn/helpers/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/minimatch,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/minimatch/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/minimatch/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • graphql-schema-linter-0.1.6.tgz
    • glob-7.1.2.tgz
      • ❌ minimatch-3.0.4.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/package.json

Path to vulnerable library: /npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/lerna/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/diverged_sub_dependency_missing_npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/github_dependency_slash/node_modules/qs,/npm_and_yarn/helpers/node_modules/npm/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/yarn/duplicate_indirect_dependency/node_modules/qs,/npm_and_yarn/helpers/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm5_and_yarn/npm_subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/subdependency_update/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm7/app_no_version/node_modules/qs/package.json,/npm_and_yarn/spec/fixtures/projects/npm6_and_yarn/npm_subdependency_update/node_modules/qs/package.json

Dependency Hierarchy:

• graphql-cli-3.0.3.tgz (Root Library)
  • request-2.88.0.tgz
    • ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (graphql-cli): 3.0.4

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.