Upgrade Vulnerable Libraries #1973
Description
Upgrade included vulnerable libraries to the non-vulnerable versions
Module: trustbloc / wallet
Dependency github.com/opencontainers/runc Version < 1.0.3 Upgrade to ~> 1.0.3
Defined in go.sum
Vulnerabilities
CVE-2021-43784 Moderate severity
CVE-2022-29162 Moderate severity
CVE-2019-19921 Moderate severity
Dependency github.com/whyrusleeping/tar-utils Version < 0.0.0-20201201191210-20a61371de5b Upgrade to ~> 0.0.0-20201201191210-20a61371de5b
Defined in go.sum
Vulnerabilities
CVE-2020-36566 Critical severity
Dependency json5 Version < 1.0.2 Upgrade to ~> 1.0.2
Defined in package-lock.json
Vulnerabilities
CVE-2022-46175 High severity
CVE-2022-46175 High severity
CVE-2022-46175 High severity
Dependency ua-parser-js Version >= 0.8.0 < 1.0.33 Upgrade to ~> 1.0.33
Defined in package-lock.json Suggested update #1960
Vulnerabilities
CVE-2022-25927 High severity
CVE-2022-25927 High severity
Dependency http-cache-semantics Version < 4.1.1 Upgrade to ~> 4.1.1
Defined in package-lock.json Suggested update #1966
Vulnerabilities
CVE-2022-25881 High severity
Dependency @sideway/formula Version < 3.0.1 Upgrade to ~> 3.0.1
Defined in package-lock.json Suggested update #1969
Vulnerabilities
CVE-2023-25166 Moderate severity
Dependency github.com/prometheus/client_golang Version < 1.11.1 Upgrade to ~> 1.11.1
Defined in go.sum
Vulnerabilities
CVE-2022-21698 High severity
CVE-2022-21698 High severity
Module: trustbloc / sandbox
Dependency is-svg Version >= 2.1.0 < 4.2.2 Upgrade to ~> 4.2.2
Defined in package-lock.json
Vulnerabilities
CVE-2021-28092 High severity
CVE-2021-29059 High severity
Dependency mem Version < 4.0.0 Upgrade to ~> 4.0.0
Defined in package-lock.json
Vulnerabilities
GHSA-4xcv-9jjx-gfj3 Moderate severity
Dependency glob-parent Version < 5.1.2 Upgrade to ~> 5.1.2
Defined in package-lock.json
Vulnerabilities
CVE-2020-28469 High severity
Dependency url-parse Version < 1.5.2 Upgrade to ~> 1.5.2
Defined in package-lock.json
Vulnerabilities
CVE-2022-0686 Critical severity
CVE-2021-3664 Moderate severity
CVE-2022-0512 Moderate severity
CVE-2022-0639 Moderate severity
CVE-2022-0691 Moderate severity
Dependency path-parse Version < 1.0.7 Upgrade to ~> 1.0.7
Defined in package-lock.json Suggested update #1157
Vulnerabilities
CVE-2021-23343 Moderate severity
CVE-2021-23343 Moderate severity
Dependency nth-check Version < 2.0.1 Upgrade to ~> 2.0.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-3803 High severity
Dependency validator Version < 13.7.0 Upgrade to ~> 13.7.0
Defined in package-lock.json
Vulnerabilities
CVE-2021-3765 Moderate severity
GHSA-xx4c-jj58-r7x6 Moderate severity
Dependency github.com/tidwall/gjson Version < 1.9.3 Upgrade to ~> 1.9.3
Defined in go.sum
Vulnerabilities
CVE-2021-42836 High severity
CVE-2021-42836 High severity
CVE-2021-42836 High severity
CVE-2021-42836 High severity
CVE-2021-42248 High severity
Dependency json-schema Version < 0.4.0 Upgrade to ~> 0.4.0
Defined in package-lock.json
Vulnerabilities
CVE-2021-3918 Critical severity
Dependency go.mongodb.org/mongo-driver Version < 1.5.1 Upgrade to ~> 1.5.1
Defined in go.sum
Vulnerabilities
CVE-2021-20329 Moderate severity
Dependency follow-redirects Version < 1.14.7 Upgrade to ~> 1.14.7
Defined in package-lock.json
Vulnerabilities
CVE-2022-0155 High severity
CVE-2022-0536 Moderate severity
Dependency node-forge Version < 1.0.0 Upgrade to ~> 1.0.0
Defined in package-lock.json
Vulnerabilities
CVE-2022-24772 High severity
CVE-2022-24771 High severity
GHSA-gf8q-jrpm-jvxq Low severity
GHSA-5rrq-pxf6-6jx5 Low severity
CVE-2022-0122 Moderate severity
Dependency engine.io Version >= 6.0.0 < 6.1.1 Upgrade to ~> 6.1.1
Defined in package-lock.json
Vulnerabilities
CVE-2022-21676 High severity
CVE-2022-41940 Moderate severity
Dependency highlight.js Version >= 9.0.0 < 10.4.1 Upgrade to ~> 10.4.1
Defined in package-lock.json
Vulnerabilities
GHSA-7wwv-vh3v-89cq Moderate severity
Dependency ssri Version >= 7.0.0 < 7.1.1 Upgrade to ~> 7.1.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-27290 High severity
Dependency yargs-parser Version >= 6.0.0 < 13.1.2 Upgrade to ~> 13.1.2
Defined in package-lock.json
Vulnerabilities
CVE-2020-7608 Moderate severity
Dependency node-fetch Version < 2.6.7 Upgrade to ~> 2.6.7
Defined in package-lock.json
Vulnerabilities
CVE-2022-0235 High severity
Dependency ansi-html Version < 0.0.8 Upgrade to ~> 0.0.8
Defined in package-lock.json
Vulnerabilities
CVE-2021-23424 High severity
Dependency nanoid Version >= 3.0.0 < 3.1.31 Upgrade to ~> 3.1.31
Defined in package-lock.json
Vulnerabilities
CVE-2021-23566 Moderate severity
Dependency ansi-regex Version >= 5.0.0 < 5.0.1 Upgrade to ~> 5.0.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
Dependency minimist Version < 1.2.6 Upgrade to ~> 1.2.6
Defined in package-lock.json
Vulnerabilities
CVE-2021-44906 Critical severity
CVE-2021-44906 Critical severity
Dependency ejs Version < 3.1.7 Upgrade to ~> 3.1.7
Defined in package-lock.json
Vulnerabilities
CVE-2022-29078 Critical severity
CVE-2022-29078 Critical severity
Dependency github.com/opencontainers/runc Version < 1.1.2 Upgrade to ~> 1.1.2
Defined in go.sum
Vulnerabilities
CVE-2022-29162 Moderate severity
CVE-2022-29162 Moderate severity
CVE-2022-29162 Moderate severity
CVE-2022-29162 Moderate severity
CVE-2022-29162 Moderate severity
Dependency eventsource Version < 1.1.1 Upgrade to ~> 1.1.1
Defined in package-lock.json Suggested update #1445
Vulnerabilities
CVE-2022-1650 Critical severity
Dependency async Version >= 2.0.0 < 2.6.4 Upgrade to ~> 2.6.4
Defined in package-lock.json
Vulnerabilities
CVE-2021-43138 High severity
Dependency got Version < 11.8.5 Upgrade to ~> 11.8.5
Defined in package-lock.json Suggested update #1462
Vulnerabilities
CVE-2022-33987 Moderate severity
Dependency shell-quote Version <= 1.7.2 Upgrade to ~> 1.7.3
Defined in package-lock.json Suggested update #1463
Vulnerabilities
CVE-2021-42740 Critical severity
Dependency terser Version < 4.8.1 Upgrade to ~> 4.8.1
Defined in package-lock.json Suggested update #1477
Vulnerabilities
CVE-2022-25858 High severity
Dependency socket.io-parser Version >= 4.0.0 < 4.0.5 Upgrade to ~> 4.0.5
Defined in package-lock.json Suggested update #1589
Vulnerabilities
CVE-2022-2421 Critical severity
Dependency minimatch Version < 3.0.5 Upgrade to ~> 3.0.5
Defined in package-lock.json Suggested update #1590
Vulnerabilities
CVE-2022-3517 High severity
CVE-2022-3517 High severity
Dependency loader-utils Version < 1.4.1 Upgrade to ~> 1.4.1
Defined in package-lock.json
Vulnerabilities
CVE-2022-37601 Critical severity
CVE-2022-37601 Critical severity
CVE-2022-37599 High severity
CVE-2022-37603 High severity
CVE-2022-37599 High severity
Dependency github.com/labstack/echo/v4 Version < 4.9.0 Upgrade to ~> 4.9.0
Defined in go.sum
Vulnerabilities
CVE-2022-40083 Critical severity
Dependency decode-uri-component Version < 0.2.1 Upgrade to ~> 0.2.1
Defined in package-lock.json Suggested update #1602
Vulnerabilities
CVE-2022-38900 Low severity
Dependency qs Version >= 6.7.0 < 6.7.3 Upgrade to ~> 6.7.3
Defined in package-lock.json Suggested update #1609
Dependency github.com/whyrusleeping/tar-utils Version < 0.0.0-20201201191210-20a61371de5b Upgrade to ~> 0.0.0-20201201191210-20a61371de5b
Defined in go.sum
Vulnerabilities
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
Dependency json5 Version >= 2.0.0 < 2.2.2 Upgrade to ~> 2.2.2
Defined in package-lock.json Suggested update #1616
Vulnerabilities
CVE-2022-46175 High severity
Dependency ua-parser-js Version >= 0.8.0 < 1.0.33 Upgrade to ~> 1.0.33
Defined in package-lock.json Suggested update #1618
Vulnerabilities
CVE-2022-25927 High severity
Dependency http-cache-semantics Version < 4.1.1 Upgrade to ~> 4.1.1
Defined in package-lock.json Suggested update #1619
Vulnerabilities
CVE-2022-25881 High severity
Dependency github.com/prometheus/client_golang Version < 1.11.1 Upgrade to ~> 1.11.1
Defined in go.sum Suggested update #1624
Vulnerabilities
CVE-2022-21698 High severity
CVE-2022-21698 High severity
CVE-2022-21698 High severity
CVE-2022-21698 High severity
CVE-2022-21698 High severity
Module: trustbloc / adapter
Dependency lodash Version < 4.17.21 Upgrade to ~> 4.17.21
Defined in package-lock.json
Vulnerabilities
CVE-2021-23337 High severity
CVE-2021-23337 High severity
CVE-2020-8203 High severity
CVE-2020-28500 Moderate severity
CVE-2020-28500 Moderate severity
Dependency browserslist Version >= 4.0.0 < 4.16.5 Upgrade to ~> 4.16.5
Defined in package-lock.json
Vulnerabilities
CVE-2021-23364 Moderate severity
CVE-2021-23364 Moderate severity
Dependency path-parse Version < 1.0.7 Upgrade to ~> 1.0.7
Defined in package-lock.json
Vulnerabilities
CVE-2021-23343 Moderate severity
CVE-2021-23343 Moderate severity
CVE-2021-23343 Moderate severity
Dependency nth-check Version < 2.0.1 Upgrade to ~> 2.0.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-3803 High severity
CVE-2021-3803 High severity
CVE-2021-3803 High severity
Dependency github.com/containerd/containerd Version >= 1.5.0 < 1.5.7 Upgrade to ~> 1.5.7
Defined in go.sum
Vulnerabilities
CVE-2021-43816 High severity
CVE-2022-23648 High severity
GHSA-5j5w-g665-5m35 Low severity
CVE-2021-41103 Moderate severity
CVE-2022-31030 Moderate severity
Dependency github.com/tidwall/gjson Version < 1.9.3 Upgrade to ~> 1.9.3
Defined in go.sum
Vulnerabilities
CVE-2021-42836 High severity
CVE-2021-42836 High severity
CVE-2021-42836 High severity
CVE-2021-42248 High severity
CVE-2021-42248 High severity
Dependency github.com/opencontainers/runc Version < 1.0.3 Upgrade to ~> 1.0.3
Defined in go.sum
Vulnerabilities
CVE-2021-43784 Moderate severity
CVE-2021-43784 Moderate severity
CVE-2021-43784 Moderate severity
CVE-2022-29162 Moderate severity
CVE-2022-29162 Moderate severity
Dependency is-svg Version >= 2.1.0 < 4.2.2 Upgrade to ~> 4.2.2
Defined in package-lock.json
Vulnerabilities
CVE-2021-28092 High severity
CVE-2021-28092 High severity
CVE-2021-29059 High severity
CVE-2021-29059 High severity
Dependency color-string Version < 1.5.5 Upgrade to ~> 1.5.5
Defined in package-lock.json
Vulnerabilities
CVE-2021-29060 Moderate severity
CVE-2021-29060 Moderate severity
Dependency url-parse Version < 1.5.2 Upgrade to ~> 1.5.2
Defined in package-lock.json
Vulnerabilities
CVE-2022-0686 Critical severity
CVE-2022-0686 Critical severity
CVE-2021-3664 Moderate severity
CVE-2021-27515 Moderate severity
CVE-2021-3664 Moderate severity
Dependency json-schema Version < 0.4.0 Upgrade to ~> 0.4.0
Defined in package-lock.json
Vulnerabilities
CVE-2021-3918 Critical severity
CVE-2021-3918 Critical severity
Dependency follow-redirects Version < 1.14.7 Upgrade to ~> 1.14.7
Defined in package-lock.json Suggested update #616
Vulnerabilities
CVE-2022-0155 High severity
CVE-2022-0155 High severity
CVE-2022-0155 High severity
CVE-2022-0536 Moderate severity
CVE-2022-0536 Moderate severity
Dependency node-fetch Version < 2.6.7 Upgrade to ~> 2.6.7
Defined in package-lock.json Suggested update #588
Vulnerabilities
CVE-2022-0235 High severity
CVE-2022-0235 High severity
Dependency hosted-git-info Version < 2.8.9 Upgrade to ~> 2.8.9
Defined in package-lock.json Suggested update #591
Vulnerabilities
CVE-2021-23362 Moderate severity
Dependency node-forge Version < 0.10.0 Upgrade to ~> 0.10.0
Defined in package-lock.json Suggested update #643
Vulnerabilities
CVE-2020-7720 High severity
CVE-2020-7720 High severity
CVE-2022-24772 High severity
CVE-2022-24771 High severity
CVE-2022-24771 High severity
Dependency highlight.js Version >= 9.0.0 < 10.4.1 Upgrade to ~> 10.4.1
Defined in package-lock.json
Vulnerabilities
GHSA-7wwv-vh3v-89cq Moderate severity
GHSA-7wwv-vh3v-89cq Moderate severity
Dependency ssri Version >= 7.0.0 < 7.1.1 Upgrade to ~> 7.1.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-27290 High severity
CVE-2021-27290 High severity
Dependency glob-parent Version < 5.1.2 Upgrade to ~> 5.1.2
Defined in package-lock.json
Vulnerabilities
CVE-2020-28469 High severity
CVE-2020-28469 High severity
Dependency postcss Version >= 7.0.0 < 7.0.36 Upgrade to ~> 7.0.36
Defined in package-lock.json
Vulnerabilities
CVE-2021-23368 Moderate severity
CVE-2021-23368 Moderate severity
CVE-2021-23382 Moderate severity
CVE-2021-23382 Moderate severity
Dependency ajv Version < 6.12.3 Upgrade to ~> 6.12.3
Defined in package-lock.json Suggested update #615
Vulnerabilities
CVE-2020-15366 Moderate severity
CVE-2020-15366 Moderate severity
Dependency ansi-html Version < 0.0.8 Upgrade to ~> 0.0.8
Defined in package-lock.json
Vulnerabilities
CVE-2021-23424 High severity
CVE-2021-23424 High severity
Dependency ansi-regex Version >= 5.0.0 < 5.0.1 Upgrade to ~> 5.0.1
Defined in package-lock.json
Vulnerabilities
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
CVE-2021-3807 High severity
Dependency minimist Version < 1.2.6 Upgrade to ~> 1.2.6
Defined in package-lock.json
Vulnerabilities
CVE-2021-44906 Critical severity
CVE-2021-44906 Critical severity
CVE-2021-44906 Critical severity
Dependency axios Version < 0.21.2 Upgrade to ~> 0.21.2
Defined in package-lock.json Suggested update #652
Vulnerabilities
CVE-2021-3749 High severity
CVE-2021-3749 High severity
Dependency ejs Version < 3.1.7 Upgrade to ~> 3.1.7
Defined in package-lock.json
Vulnerabilities
CVE-2022-29078 Critical severity
CVE-2022-29078 Critical severity
Dependency eventsource Version < 1.1.1 Upgrade to ~> 1.1.1
Defined in package-lock.json Suggested update #658
Vulnerabilities
CVE-2022-1650 Critical severity
CVE-2022-1650 Critical severity
Dependency async Version >= 2.0.0 < 2.6.4 Upgrade to ~> 2.6.4
Defined in package-lock.json
Vulnerabilities
CVE-2021-43138 High severity
CVE-2021-43138 High severity
Dependency shell-quote Version <= 1.7.2 Upgrade to ~> 1.7.3
Defined in package-lock.json Suggested update #662
Vulnerabilities
CVE-2021-42740 Critical severity
CVE-2021-42740 Critical severity
Dependency thenify Version < 3.3.1 Upgrade to ~> 3.3.1
Defined in package-lock.json Suggested update #664
Vulnerabilities
CVE-2020-7677 Critical severity
CVE-2020-7677 Critical severity
Dependency terser Version >= 5.0.0 < 5.14.2 Upgrade to ~> 5.14.2
Defined in package-lock.json Suggested update #666
Vulnerabilities
CVE-2022-25858 High severity
CVE-2022-25858 High severity
CVE-2022-25858 High severity
CVE-2022-25858 High severity
Dependency minimatch Version < 3.0.5 Upgrade to ~> 3.0.5
Defined in package-lock.json
Vulnerabilities
CVE-2022-3517 High severity
CVE-2022-3517 High severity
CVE-2022-3517 High severity
Dependency loader-utils Version < 1.4.1 Upgrade to ~> 1.4.1
Defined in package-lock.json
Vulnerabilities
CVE-2022-37601 Critical severity
CVE-2022-37601 Critical severity
CVE-2022-37601 Critical severity
CVE-2022-37599 High severity
CVE-2022-37599 High severity
Dependency decode-uri-component Version < 0.2.1 Upgrade to ~> 0.2.1
Defined in package-lock.json Suggested update #680
Vulnerabilities
CVE-2022-38900 Low severity
CVE-2022-38900 Low severity
Dependency qs Version >= 6.7.0 < 6.7.3 Upgrade to ~> 6.7.3
Defined in package-lock.json Suggested update #681
Vulnerabilities
CVE-2022-24999 High severity
CVE-2022-24999 High severity
CVE-2022-24999 High severity
Dependency github.com/whyrusleeping/tar-utils Version < 0.0.0-20201201191210-20a61371de5b Upgrade to ~> 0.0.0-20201201191210-20a61371de5b
Defined in go.sum
Vulnerabilities
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
CVE-2020-36566 Critical severity
Dependency json5 Version >= 2.0.0 < 2.2.2 Upgrade to ~> 2.2.2
Defined in package-lock.json Suggested update #688
Vulnerabilities
CVE-2022-46175 High severity
CVE-2022-46175 High severity
CVE-2022-46175 High severity
CVE-2022-46175 High severity
Dependency github.com/prometheus/client_golang Version < 1.11.1 Upgrade to ~> 1.11.1
Defined in go.sum Suggested update #690
Vulnerabilities
CVE-2022-21698 High severity
CVE-2022-21698 High severity
CVE-2022-21698 High severity