From b3d69bcab6b23de7f5b0679ec01c51168bbe0078 Mon Sep 17 00:00:00 2001 From: Gareth Jones Date: Sat, 7 Oct 2023 06:55:15 +1300 Subject: [PATCH] test: update e2e fixtures --- fixtures/locks-e2e/1-Pipfile.lock.out.txt | 7 ++++++- fixtures/locks-e2e/1-package-lock.json.out.txt | 10 +++++++++- fixtures/locks-e2e/1-poetry.lock.out.txt | 7 ++++++- fixtures/locks-e2e/1-pom.xml.out.txt | 3 +-- fixtures/locks-e2e/1-yarn.lock.out.txt | 6 +++++- fixtures/locks-e2e/2-composer.lock.out.txt | 4 +++- fixtures/locks-e2e/2-go.mod.out.txt | 2 +- fixtures/locks-e2e/2-package-lock.json.out.txt | 7 ++++++- fixtures/locks-e2e/2-poetry.lock.out.txt | 8 +++++++- fixtures/locks-e2e/2-pom.xml.out.txt | 2 +- fixtures/locks-e2e/2-yarn.lock.out.txt | 10 +++++++++- 11 files changed, 54 insertions(+), 12 deletions(-) diff --git a/fixtures/locks-e2e/1-Pipfile.lock.out.txt b/fixtures/locks-e2e/1-Pipfile.lock.out.txt index ea445b35..4dda3e19 100644 --- a/fixtures/locks-e2e/1-Pipfile.lock.out.txt +++ b/fixtures/locks-e2e/1-Pipfile.lock.out.txt 
@@ -15,19 +15,24 @@ fixtures/locks-e2e/1-Pipfile.lock: found 114 packages GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels (https://github.com/advisories/GHSA-v8gr-m533-ghj9) pillow@8.4.0 is affected by the following vulnerabilities: GHSA-4fx9-vc88-q2xc: Infinite loop in Pillow (https://github.com/advisories/GHSA-4fx9-vc88-q2xc) + GHSA-56pw-mpj4-fxww: Bundled libwebp in Pillow vulnerable (https://github.com/advisories/GHSA-56pw-mpj4-fxww) GHSA-8vj2-vxx3-667w: Arbitrary expression injection in Pillow (https://github.com/advisories/GHSA-8vj2-vxx3-667w) GHSA-9j59-75qj-795w: Path traversal in Pillow (https://github.com/advisories/GHSA-9j59-75qj-795w) + GHSA-j7hp-h8jx-5ppr: libwebp: OOB write in BuildHuffmanTable (https://github.com/advisories/GHSA-j7hp-h8jx-5ppr) GHSA-m2vv-5vj5-2hm7: Pillow vulnerable to Data Amplification attack. (https://github.com/advisories/GHSA-m2vv-5vj5-2hm7) GHSA-pw3c-h7wp-cvhx: Improper Initialization in Pillow (https://github.com/advisories/GHSA-pw3c-h7wp-cvhx) GHSA-xrcv-f9gm-v42c: Out-of-bounds Read in Pillow (https://github.com/advisories/GHSA-xrcv-f9gm-v42c) + PYSEC-2023-175: Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are... 
pygments@2.14.0 is affected by the following vulnerabilities: GHSA-mrwq-x4v8-fh7p: Pygments vulnerable to ReDoS (https://github.com/advisories/GHSA-mrwq-x4v8-fh7p) requests@2.28.2 is affected by the following vulnerabilities: GHSA-j8r2-6x86-q33q: Unintended leak of Proxy-Authorization header in requests (https://github.com/advisories/GHSA-j8r2-6x86-q33q) sqlparse@0.4.3 is affected by the following vulnerabilities: GHSA-rrm6-wvj7-cwh2: sqlparse contains a regular expression that is vulnerable to Regular Expression Denial of Service (https://github.com/advisories/GHSA-rrm6-wvj7-cwh2) + urllib3@1.26.16 is affected by the following vulnerabilities: + GHSA-v845-jxx5-vc9f: `Cookie` HTTP header isn't stripped on cross-origin redirects (https://github.com/advisories/GHSA-v845-jxx5-vc9f) wagtail@2.12.6 is affected by the following vulnerabilities: GHSA-33pv-vcgh-jfg9: Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files (https://github.com/advisories/GHSA-33pv-vcgh-jfg9) GHSA-5286-f2rf-35c2: Wagtail vulnerable to stored Cross-site Scripting attack via ModelAdmin views (https://github.com/advisories/GHSA-5286-f2rf-35c2) - 17 known vulnerabilities found in fixtures/locks-e2e/1-Pipfile.lock + 21 known vulnerabilities found in fixtures/locks-e2e/1-Pipfile.lock diff --git a/fixtures/locks-e2e/1-package-lock.json.out.txt b/fixtures/locks-e2e/1-package-lock.json.out.txt index 9e444390..c1fe5bcf 100644 --- a/fixtures/locks-e2e/1-package-lock.json.out.txt +++ b/fixtures/locks-e2e/1-package-lock.json.out.txt 
@@ -10,8 +10,16 @@ fixtures/locks-e2e/1-package-lock.json: found 1273 packages GHSA-93q8-gq69-wqmw: Inefficient Regular Expression Complexity in chalk/ansi-regex (https://github.com/advisories/GHSA-93q8-gq69-wqmw) engine.io@6.2.1 is affected by the following vulnerabilities: GHSA-q9mw-68c2-j6m5: engine.io Uncaught Exception vulnerability (https://github.com/advisories/GHSA-q9mw-68c2-j6m5) + get-func-name@2.0.0 is affected by the following vulnerabilities: + GHSA-4q6p-r6v2-jvc5: Chaijs/get-func-name vulnerable to ReDoS (https://github.com/advisories/GHSA-4q6p-r6v2-jvc5) nth-check@1.0.2 is affected by the following vulnerabilities: GHSA-rp65-9cf3-cjxr: Inefficient Regular Expression Complexity in nth-check (https://github.com/advisories/GHSA-rp65-9cf3-cjxr) + postcss@7.0.36 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) + postcss@7.0.39 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) + postcss@8.4.26 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) semver@7.0.0 is affected by the following vulnerabilities: GHSA-c2qf-rxjj-qqgw: semver vulnerable to Regular Expression Denial of Service (https://github.com/advisories/GHSA-c2qf-rxjj-qqgw) socket.io-parser@4.2.2 is affected by the following vulnerabilities: @@ -25,4 +33,4 @@ fixtures/locks-e2e/1-package-lock.json: found 1273 packages word-wrap@1.2.3 is affected by the following vulnerabilities: GHSA-j8xg-fqg3-53r7: word-wrap vulnerable to Regular Expression Denial of Service (https://github.com/advisories/GHSA-j8xg-fqg3-53r7) - 10 known vulnerabilities found in fixtures/locks-e2e/1-package-lock.json + 14 known vulnerabilities found in fixtures/locks-e2e/1-package-lock.json 
diff --git a/fixtures/locks-e2e/1-poetry.lock.out.txt b/fixtures/locks-e2e/1-poetry.lock.out.txt index fec4556c..3035a54f 100644 --- a/fixtures/locks-e2e/1-poetry.lock.out.txt +++ b/fixtures/locks-e2e/1-poetry.lock.out.txt 
@@ -30,14 +30,19 @@ fixtures/locks-e2e/1-poetry.lock: found 142 packages GHSA-xpfp-f569-q3p2: SQL Injection in Django (https://github.com/advisories/GHSA-xpfp-f569-q3p2) pillow@8.4.0 is affected by the following vulnerabilities: GHSA-4fx9-vc88-q2xc: Infinite loop in Pillow (https://github.com/advisories/GHSA-4fx9-vc88-q2xc) + GHSA-56pw-mpj4-fxww: Bundled libwebp in Pillow vulnerable (https://github.com/advisories/GHSA-56pw-mpj4-fxww) GHSA-8vj2-vxx3-667w: Arbitrary expression injection in Pillow (https://github.com/advisories/GHSA-8vj2-vxx3-667w) GHSA-9j59-75qj-795w: Path traversal in Pillow (https://github.com/advisories/GHSA-9j59-75qj-795w) + GHSA-j7hp-h8jx-5ppr: libwebp: OOB write in BuildHuffmanTable (https://github.com/advisories/GHSA-j7hp-h8jx-5ppr) GHSA-m2vv-5vj5-2hm7: Pillow vulnerable to Data Amplification attack. (https://github.com/advisories/GHSA-m2vv-5vj5-2hm7) GHSA-pw3c-h7wp-cvhx: Improper Initialization in Pillow (https://github.com/advisories/GHSA-pw3c-h7wp-cvhx) GHSA-xrcv-f9gm-v42c: Out-of-bounds Read in Pillow (https://github.com/advisories/GHSA-xrcv-f9gm-v42c) + PYSEC-2023-175: Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are... 
+ urllib3@1.26.16 is affected by the following vulnerabilities: + GHSA-v845-jxx5-vc9f: `Cookie` HTTP header isn't stripped on cross-origin redirects (https://github.com/advisories/GHSA-v845-jxx5-vc9f) wagtail@2.15 is affected by the following vulnerabilities: GHSA-33pv-vcgh-jfg9: Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files (https://github.com/advisories/GHSA-33pv-vcgh-jfg9) GHSA-5286-f2rf-35c2: Wagtail vulnerable to stored Cross-site Scripting attack via ModelAdmin views (https://github.com/advisories/GHSA-5286-f2rf-35c2) GHSA-xqxm-2rpm-3889: Comment reply notifications sent to incorrect users (https://github.com/advisories/GHSA-xqxm-2rpm-3889) - 31 known vulnerabilities found in fixtures/locks-e2e/1-poetry.lock + 35 known vulnerabilities found in fixtures/locks-e2e/1-poetry.lock diff --git a/fixtures/locks-e2e/1-pom.xml.out.txt b/fixtures/locks-e2e/1-pom.xml.out.txt index 0f06246e..30af29b9 100644 --- a/fixtures/locks-e2e/1-pom.xml.out.txt +++ b/fixtures/locks-e2e/1-pom.xml.out.txt 
@@ -19,7 +19,6 @@ fixtures/locks-e2e/1-pom.xml: found 5 packages GHSA-4487-x383-qpph: Possible privilege escalation in org.springframework:spring-core (https://github.com/advisories/GHSA-4487-x383-qpph) GHSA-45vg-2v73-vm62: Moderate severity vulnerability that affects org.springframework:spring-core (https://github.com/advisories/GHSA-45vg-2v73-vm62) GHSA-564r-hj7v-mcr5: Spring Framework vulnerable to denial of service via specially crafted SpEL expression (https://github.com/advisories/GHSA-564r-hj7v-mcr5) - GHSA-6v7w-535j-rq5m: Moderate severity vulnerability that affects org.springframework:spring-core (https://github.com/advisories/GHSA-6v7w-535j-rq5m) GHSA-8crv-49fr-2h6j: Spring Security and Spring Framework may not recognize certain paths that should be protected (https://github.com/advisories/GHSA-8crv-49fr-2h6j) GHSA-ffvq-7w96-97p7: Denial of Service in Spring Framework (https://github.com/advisories/GHSA-ffvq-7w96-97p7) GHSA-g5mm-vmx4-3rg7: Improper handling of case sensitivity in Spring Framework (https://github.com/advisories/GHSA-g5mm-vmx4-3rg7) @@ -31,4 +30,4 @@ fixtures/locks-e2e/1-pom.xml: found 5 packages GHSA-rqph-vqwm-22vc: Allocation of Resources Without Limits or Throttling in Spring Framework (https://github.com/advisories/GHSA-rqph-vqwm-22vc) GHSA-wxqc-pxw9-g2p8: Spring Framework vulnerable to denial of service (https://github.com/advisories/GHSA-wxqc-pxw9-g2p8) - 22 known vulnerabilities found in fixtures/locks-e2e/1-pom.xml + 21 known vulnerabilities found in fixtures/locks-e2e/1-pom.xml diff --git a/fixtures/locks-e2e/1-yarn.lock.out.txt b/fixtures/locks-e2e/1-yarn.lock.out.txt index 9cbe29d0..7cfb5b67 100644 --- a/fixtures/locks-e2e/1-yarn.lock.out.txt +++ b/fixtures/locks-e2e/1-yarn.lock.out.txt 
@@ -10,6 +10,8 @@ fixtures/locks-e2e/1-yarn.lock: found 1678 packages GHSA-93q8-gq69-wqmw: Inefficient Regular Expression Complexity in chalk/ansi-regex (https://github.com/advisories/GHSA-93q8-gq69-wqmw) async@2.6.3 is affected by the following vulnerabilities: GHSA-fwr7-v2mv-hh25: Prototype Pollution in async (https://github.com/advisories/GHSA-fwr7-v2mv-hh25) + debug@4.1.1 is affected by the following vulnerabilities: + GHSA-gxpj-cx7g-858c: Regular Expression Denial of Service in debug (https://github.com/advisories/GHSA-gxpj-cx7g-858c) decode-uri-component@0.2.0 is affected by the following vulnerabilities: GHSA-w573-4hg7-7wgq: decode-uri-component vulnerable to Denial of Service (DoS) (https://github.com/advisories/GHSA-w573-4hg7-7wgq) engine.io@3.5.0 is affected by the following vulnerabilities: @@ -52,6 +54,8 @@ fixtures/locks-e2e/1-yarn.lock: found 1678 packages GHSA-r8f7-9pfq-mjmv: Improper Certificate Validation in node-sass (https://github.com/advisories/GHSA-r8f7-9pfq-mjmv) nth-check@1.0.2 is affected by the following vulnerabilities: GHSA-rp65-9cf3-cjxr: Inefficient Regular Expression Complexity in nth-check (https://github.com/advisories/GHSA-rp65-9cf3-cjxr) + postcss@7.0.39 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) qs@6.2.3 is affected by the following vulnerabilities: GHSA-hrpp-h998-j3pp: qs vulnerable to Prototype Pollution (https://github.com/advisories/GHSA-hrpp-h998-j3pp) request@2.88.2 is affected by the following vulnerabilities: @@ -99,4 +103,4 @@ fixtures/locks-e2e/1-yarn.lock: found 1678 packages word-wrap@1.2.3 is affected by the following vulnerabilities: GHSA-j8xg-fqg3-53r7: word-wrap vulnerable to Regular Expression Denial of Service (https://github.com/advisories/GHSA-j8xg-fqg3-53r7) - 56 known vulnerabilities found in fixtures/locks-e2e/1-yarn.lock + 58 known vulnerabilities found in fixtures/locks-e2e/1-yarn.lock 
diff --git a/fixtures/locks-e2e/2-composer.lock.out.txt b/fixtures/locks-e2e/2-composer.lock.out.txt index 1fde76be..7d90b7ad 100644 --- a/fixtures/locks-e2e/2-composer.lock.out.txt +++ b/fixtures/locks-e2e/2-composer.lock.out.txt @@ -5,8 +5,10 @@ fixtures/locks-e2e/2-composer.lock: found 254 packages Using db Packagist (%% vulnerabilities, including withdrawn - last updated %%) composer/composer@1.10.23 is affected by the following vulnerabilities: + GHSA-jm6m-4632-36hf: Composer Remote Code Execution vulnerability via web-accessible composer.phar (https://github.com/advisories/GHSA-jm6m-4632-36hf) GHSA-x7cr-6qr6-2hh6: Missing input validation can lead to command execution in composer (https://github.com/advisories/GHSA-x7cr-6qr6-2hh6) drupal/core@8.9.18 is affected by the following vulnerabilities: + GHSA-3xr3-phjp-g6p2: Drupal core access bypass vulnerability (https://github.com/advisories/GHSA-3xr3-phjp-g6p2) GHSA-4wfq-jc9h-vpcx: Lack of domain validation in Druple core (https://github.com/advisories/GHSA-4wfq-jc9h-vpcx) GHSA-6955-67hm-vjjq: Drupal core arbitrary PHP code execution (https://github.com/advisories/GHSA-6955-67hm-vjjq) GHSA-73q4-j324-2qcc: Incorrect authorization in Drupal core (https://github.com/advisories/GHSA-73q4-j324-2qcc) @@ -34,4 +36,4 @@ fixtures/locks-e2e/2-composer.lock: found 254 packages twig/twig@v1.42.5 is affected by the following vulnerabilities: GHSA-52m2-vc4m-jj33: Twig may load a template outside a configured directory when using the filesystem loader (https://github.com/advisories/GHSA-52m2-vc4m-jj33) - 22 known vulnerabilities found in fixtures/locks-e2e/2-composer.lock + 24 known vulnerabilities found in fixtures/locks-e2e/2-composer.lock diff --git a/fixtures/locks-e2e/2-go.mod.out.txt b/fixtures/locks-e2e/2-go.mod.out.txt index 81223e43..08d349c8 100644 --- a/fixtures/locks-e2e/2-go.mod.out.txt +++ b/fixtures/locks-e2e/2-go.mod.out.txt 
@@ -33,7 +33,7 @@ fixtures/locks-e2e/2-go.mod: found 73 packages golang.org/x/sys@0.0.0-20210502180810-71e4cd670f79 is affected by the following vulnerabilities: GHSA-p782-xgp4-8hr8: golang.org/x/sys/unix has Incorrect privilege reporting in syscall (https://github.com/advisories/GHSA-p782-xgp4-8hr8) golang.org/x/text@0.3.5 is affected by the following vulnerabilities: - GHSA-69ch-w2m2-3vjp: Denial of service in golang.org/x/text/language (https://github.com/advisories/GHSA-69ch-w2m2-3vjp) + GHSA-69ch-w2m2-3vjp: golang.org/x/text/language Denial of service via crafted Accept-Language header (https://github.com/advisories/GHSA-69ch-w2m2-3vjp) GHSA-ppp9-7jff-5vj2: golang.org/x/text/language Out-of-bounds Read vulnerability (https://github.com/advisories/GHSA-ppp9-7jff-5vj2) 24 known vulnerabilities found in fixtures/locks-e2e/2-go.mod diff --git a/fixtures/locks-e2e/2-package-lock.json.out.txt b/fixtures/locks-e2e/2-package-lock.json.out.txt index 13771239..039d88a4 100644 --- a/fixtures/locks-e2e/2-package-lock.json.out.txt +++ b/fixtures/locks-e2e/2-package-lock.json.out.txt 
@@ -81,7 +81,12 @@ fixtures/locks-e2e/2-package-lock.json: found 1468 packages GHSA-rp65-9cf3-cjxr: Inefficient Regular Expression Complexity in nth-check (https://github.com/advisories/GHSA-rp65-9cf3-cjxr) postcss@7.0.32 is affected by the following vulnerabilities: GHSA-566m-qj78-rww5: Regular Expression Denial of Service in postcss (https://github.com/advisories/GHSA-566m-qj78-rww5) + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) GHSA-hwj9-h5mp-3pm3: Regular Expression Denial of Service in postcss (https://github.com/advisories/GHSA-hwj9-h5mp-3pm3) + postcss@7.0.36 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) + postcss@8.3.6 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) qs@6.5.2 is affected by the following vulnerabilities: GHSA-hrpp-h998-j3pp: qs vulnerable to Prototype Pollution (https://github.com/advisories/GHSA-hrpp-h998-j3pp) qs@6.7.0 is affected by the following vulnerabilities: @@ -119,4 +124,4 @@ fixtures/locks-e2e/2-package-lock.json: found 1468 packages yargs-parser@10.1.0 is affected by the following vulnerabilities: GHSA-p9pc-299p-vxgp: yargs-parser Vulnerable to Prototype Pollution (https://github.com/advisories/GHSA-p9pc-299p-vxgp) - 65 known vulnerabilities found in fixtures/locks-e2e/2-package-lock.json + 68 known vulnerabilities found in fixtures/locks-e2e/2-package-lock.json diff --git a/fixtures/locks-e2e/2-poetry.lock.out.txt b/fixtures/locks-e2e/2-poetry.lock.out.txt index 4cfb054a..7d0ba57e 100644 --- a/fixtures/locks-e2e/2-poetry.lock.out.txt +++ b/fixtures/locks-e2e/2-poetry.lock.out.txt 
@@ -9,8 +9,14 @@ fixtures/locks-e2e/2-poetry.lock: found 143 packages PYSEC-2021-125: A flaw was found in Ansible where the secret information present in async_files... cryptography@41.0.3 is affected by the following vulnerabilities: GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels (https://github.com/advisories/GHSA-v8gr-m533-ghj9) + pillow@9.5.0 is affected by the following vulnerabilities: + GHSA-56pw-mpj4-fxww: Bundled libwebp in Pillow vulnerable (https://github.com/advisories/GHSA-56pw-mpj4-fxww) + GHSA-j7hp-h8jx-5ppr: libwebp: OOB write in BuildHuffmanTable (https://github.com/advisories/GHSA-j7hp-h8jx-5ppr) + PYSEC-2023-175: Pillow versions before v10.0.1 bundled libwebp binaries in wheels that are... + urllib3@1.26.16 is affected by the following vulnerabilities: + GHSA-v845-jxx5-vc9f: `Cookie` HTTP header isn't stripped on cross-origin redirects (https://github.com/advisories/GHSA-v845-jxx5-vc9f) wagtail@2.16.3 is affected by the following vulnerabilities: GHSA-33pv-vcgh-jfg9: Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files (https://github.com/advisories/GHSA-33pv-vcgh-jfg9) GHSA-5286-f2rf-35c2: Wagtail vulnerable to stored Cross-site Scripting attack via ModelAdmin views (https://github.com/advisories/GHSA-5286-f2rf-35c2) - 5 known vulnerabilities found in fixtures/locks-e2e/2-poetry.lock + 9 known vulnerabilities found in fixtures/locks-e2e/2-poetry.lock diff --git a/fixtures/locks-e2e/2-pom.xml.out.txt b/fixtures/locks-e2e/2-pom.xml.out.txt index da58b62f..77f91046 100644 --- a/fixtures/locks-e2e/2-pom.xml.out.txt +++ b/fixtures/locks-e2e/2-pom.xml.out.txt 
@@ -9,7 +9,7 @@ fixtures/locks-e2e/2-pom.xml: found 8 packages GHSA-fvm3-cfvj-gxqq: High severity vulnerability that affects commons-fileupload:commons-fileupload (https://github.com/advisories/GHSA-fvm3-cfvj-gxqq) GHSA-hfrx-6qgj-fp6c: Apache Commons FileUpload denial of service vulnerability (https://github.com/advisories/GHSA-hfrx-6qgj-fp6c) GHSA-qx6h-9567-5fqw: Arbitrary file write in Apache Commons Fileupload (https://github.com/advisories/GHSA-qx6h-9567-5fqw) - GHSA-xx68-jfcg-xmmf: High severity vulnerability that affects commons-fileupload:commons-fileupload (https://github.com/advisories/GHSA-xx68-jfcg-xmmf) + GHSA-xx68-jfcg-xmmf: Commons FileUpload Denial of service vulnerability (https://github.com/advisories/GHSA-xx68-jfcg-xmmf) org.jsoup:jsoup@1.8.1 is affected by the following vulnerabilities: GHSA-48rh-qgjr-xfj6: Improper Neutralization of Input During Web Page Generation in Jsoup (https://github.com/advisories/GHSA-48rh-qgjr-xfj6) GHSA-gp7f-rwcx-9369: jsoup may not sanitize code injection XSS attempts if SafeList.preserveRelativeLinks is enabled (https://github.com/advisories/GHSA-gp7f-rwcx-9369) diff --git a/fixtures/locks-e2e/2-yarn.lock.out.txt b/fixtures/locks-e2e/2-yarn.lock.out.txt index c97b443a..9180382c 100644 --- a/fixtures/locks-e2e/2-yarn.lock.out.txt +++ b/fixtures/locks-e2e/2-yarn.lock.out.txt 
@@ -18,12 +18,18 @@ fixtures/locks-e2e/2-yarn.lock: found 1991 packages GHSA-fwr7-v2mv-hh25: Prototype Pollution in async (https://github.com/advisories/GHSA-fwr7-v2mv-hh25) async@3.2.0 is affected by the following vulnerabilities: GHSA-fwr7-v2mv-hh25: Prototype Pollution in async (https://github.com/advisories/GHSA-fwr7-v2mv-hh25) + debug@3.2.6 is affected by the following vulnerabilities: + GHSA-gxpj-cx7g-858c: Regular Expression Denial of Service in debug (https://github.com/advisories/GHSA-gxpj-cx7g-858c) + debug@4.1.1 is affected by the following vulnerabilities: + GHSA-gxpj-cx7g-858c: Regular Expression Denial of Service in debug (https://github.com/advisories/GHSA-gxpj-cx7g-858c) decode-uri-component@0.2.0 is affected by the following vulnerabilities: GHSA-w573-4hg7-7wgq: decode-uri-component vulnerable to Denial of Service (DoS) (https://github.com/advisories/GHSA-w573-4hg7-7wgq) ejs@3.1.5 is affected by the following vulnerabilities: GHSA-phwq-j96m-2c2q: ejs template injection vulnerability (https://github.com/advisories/GHSA-phwq-j96m-2c2q) eventsource@1.0.7 is affected by the following vulnerabilities: GHSA-6h5x-7c5m-7cr7: Exposure of Sensitive Information in eventsource (https://github.com/advisories/GHSA-6h5x-7c5m-7cr7) + get-func-name@2.0.0 is affected by the following vulnerabilities: + GHSA-4q6p-r6v2-jvc5: Chaijs/get-func-name vulnerable to ReDoS (https://github.com/advisories/GHSA-4q6p-r6v2-jvc5) glob-parent@3.1.0 is affected by the following vulnerabilities: GHSA-ww39-953v-wcq6: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex (https://github.com/advisories/GHSA-ww39-953v-wcq6) glob-parent@5.1.1 is affected by the following vulnerabilities: 
@@ -73,6 +79,8 @@ fixtures/locks-e2e/2-yarn.lock: found 1991 packages GHSA-5fw9-fq32-wv5p: OS Command Injection in node-notifier (https://github.com/advisories/GHSA-5fw9-fq32-wv5p) nth-check@1.0.2 is affected by the following vulnerabilities: GHSA-rp65-9cf3-cjxr: Inefficient Regular Expression Complexity in nth-check (https://github.com/advisories/GHSA-rp65-9cf3-cjxr) + postcss@7.0.39 is affected by the following vulnerabilities: + GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error (https://github.com/advisories/GHSA-7fh5-64p2-3v2j) qs@6.5.2 is affected by the following vulnerabilities: GHSA-hrpp-h998-j3pp: qs vulnerable to Prototype Pollution (https://github.com/advisories/GHSA-hrpp-h998-j3pp) qs@6.7.0 is affected by the following vulnerabilities: @@ -105,4 +113,4 @@ fixtures/locks-e2e/2-yarn.lock: found 1991 packages word-wrap@1.2.3 is affected by the following vulnerabilities: GHSA-j8xg-fqg3-53r7: word-wrap vulnerable to Regular Expression Denial of Service (https://github.com/advisories/GHSA-j8xg-fqg3-53r7) - 58 known vulnerabilities found in fixtures/locks-e2e/2-yarn.lock + 62 known vulnerabilities found in fixtures/locks-e2e/2-yarn.lock
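Review bot: in the 1-Pipfile.lock, 1-poetry.lock and 2-poetry.lock hunks the three new Pillow lines (GHSA-56pw-mpj4-fxww, GHSA-j7hp-h8jx-5ppr and PYSEC-2023-175) all concern the bundled libwebp, as their titles show, yet each raises the summary count by one, so the jumps 17 → 21, 31 → 35 and 5 → 9 reflect per-advisory counting rather than four distinct new problems. That is the scanner's existing behaviour, not something this patch introduces, but a line in the commit message saying that the new totals include overlapping libwebp advisories would save the next person from reading the diff to work out why Pillow alone accounts for three of the four.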
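Review bot: the postcss hunks in 1-package-lock.json and 2-package-lock.json list GHSA-7fh5-64p2-3v2j once per postcss version present in the lock (7.0.36, 7.0.39 and 8.4.26 in the first, 7.0.32, 7.0.36 and 8.3.6 in the second), and the totals move by exactly that many (10 → 14, 65 → 68 together with the other additions), which locks in that the summary counts one entry per package@version rather than per advisory. If that is the intended contract it is worth stating where the e2e totals are asserted, because a later de-duplication change would silently invalidate every one of these fixture counts.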
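Review bot: the 1-pom.xml hunk is the only place in the patch where an advisory is removed (GHSA-6v7w-535j-rq5m for org.springframework:spring-core, total 22 → 21), and the commit message "test: update e2e fixtures" does not say why it no longer matches; every other change is an added entry or a retitled one (GHSA-69ch-w2m2-3vjp in 2-go.mod, GHSA-xx68-jfcg-xmmf in 2-pom.xml). Please add a sentence to the commit message recording the reason (for example an upstream change to the advisory's affected range), so that a future fixture mismatch on this package can be bisected without re-querying the database.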