Skip to content

Bump tar and react-scripts#11

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-c13c37ed46
Open

Bump tar and react-scripts#11
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-c13c37ed46

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026

Copy link
Copy Markdown

Removes tar. It's no longer used after updating ancestor dependency react-scripts. These dependencies need to be updated together.

Removes tar

Updates react-scripts from 1.0.13 to 1.1.5

Release notes

Sourced from react-scripts's releases.

v1.0.14

1.0.14 (September 26, 2017)

🐛 Bug Fix

  • react-dev-utils

    • #3098 Always reload the page on next compile after a runtime error. (@​Timer)
  • react-error-overlay

💅 Enhancement

  • react-dev-utils

📝 Documentation

🏠 Internal

... (truncated)

Changelog

Sourced from react-scripts's changelog.

1.1.5 (August 24, 2018)

  • react-scripts

    • Update the webpack-dev-server dependency
  • react-dev-utils

    • #4866 Fix a Windows-only vulnerability (CVE-2018-6342) in the development server (@​acdlite)
    • Update the sockjs-client dependency

Committers: 1

Migrating from 1.1.4 to 1.1.5

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.5

or

yarn add --exact react-scripts@1.1.5

1.1.4 (April 3, 2018)

🐛 Bug Fix

Committers: 1

Migrating from 1.1.3 to 1.1.4

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.4

or

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts). These dependencies need to be updated together.


Removes `tar`

Updates `react-scripts` from 1.0.13 to 1.1.5
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/react/create-react-app/blob/main/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/v1.1.5/packages/react-scripts)

---
updated-dependencies:
- dependency-name: tar
  dependency-version:
  dependency-type: indirect
- dependency-name: react-scripts
  dependency-version: 1.1.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 21, 2026
Comment thread yarn.lock
webpack-dev-server@2.7.1:
version "2.7.1"
resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8"
webpack-dev-server@2.11.3:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
webpack-dev-server@2.7.1:
version "2.7.1"
resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8"
webpack-dev-server@2.11.3:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
@@ -2723,13 +3248,20 @@ fs.realpath@^1.0.0:
version "1.0.0"
resolved "https://registry.yarnpkg.com/fs.realpath/-/fs.realpath-1.0.0.tgz#1504ad2523158caa40db4a2787cb01411994ea4f"

fsevents@1.1.2, fsevents@^1.0.0:
fsevents@^1.0.0:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👿 Malicious dependency detected—remove immediately

The version 1.1.2 of fsevents contains malicious code and is a critical security risk. Upgrade
to 1.2.11 to resolve this issue.

ℹ️ Why this matters

This specific version of fsevents contains malicious code. Upgrade to the safe version immediately.

References: https://osv.dev/vulnerability/MAL-2023-462

To resolve this comment:
Upgrade this dependency to at least version 1.2.11 at yarn.lock.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
webpack-dev-server@2.7.1:
version "2.7.1"
resolved "https://registry.yarnpkg.com/webpack-dev-server/-/webpack-dev-server-2.7.1.tgz#21580f5a08cd065c71144cf6f61c345bca59a8b8"
webpack-dev-server@2.11.3:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 8060 lists a dependency (webpack-dev-server) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument).

  • If you're affected, upgrade this dependency to at least version 3.1.11 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
@@ -995,7 +1076,7 @@ babel-template@^6.16.0, babel-template@^6.24.1, babel-template@^6.25.0, babel-te
babylon "^6.18.0"
lodash "^4.17.4"

babel-traverse@^6.18.0, babel-traverse@^6.23.1, babel-traverse@^6.24.1, babel-traverse@^6.25.0, babel-traverse@^6.26.0:
babel-traverse@^6.18.0, babel-traverse@^6.23.1, babel-traverse@^6.24.1, babel-traverse@^6.26.0:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 1079 lists a dependency (babel-traverse) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@semgrep-code-auth0-samples

Copy link
Copy Markdown

Semgrep found 1 ssc-918a81a4-b70b-4c7a-8ce1-f999ac30e3dc finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's affix plugin passes its target option straight into the jQuery $() constructor, so a target/data-target value containing HTML is parsed as markup and can execute arbitrary JavaScript (DOM-based XSS).

Manual Review Advice: A vulnerability from this advisory is reachable if you are calling affix plugin via JavaScript

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882.

Reference(s): GHSA-ph58-4vrj-w6hr, CVE-2018-20677

Semgrep found 2 ssc-73ec66a4-4e01-47d3-b50c-2ea6b9e3c844 findings:

Risk: Affected versions of js-yaml are vulnerable to Uncontrolled Resource Consumption. js-yaml is vulnerable to denial of service when parsing untrusted YAML: a document that uses nested arrays as mapping keys combined with anchors and aliases triggers exponential string expansion during parsing, stalling the Node.js process and exhausting memory. Any call to a js-yaml load function (load, loadAll, safeLoad, safeLoadAll) on attacker-controlled input is affected.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using js-yaml on the CLI

Fix: Upgrade this library to at least version 3.13.0 at react-redux-embedded-login/package-lock.json:4633.

Reference(s): GHSA-2pr6-76vf-7546

Semgrep found 2 ssc-ace67ff4-0843-40f4-a8d3-13e050943589 findings:

Risk: Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using js-yaml on the CLI

Fix: Upgrade this library to at least version 3.14.2 at react-redux-embedded-login/package-lock.json:4633.

Reference(s): GHSA-mh29-5h37-fv8m, CVE-2025-64718

Semgrep found 1 ssc-484bb776-a960-4899-8ddd-675885fe6a95 finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:14938.

Reference(s): GHSA-4v9v-hfq4-rm2v, CVE-2025-30359

Semgrep found 1 ssc-013ecbde-4597-4af3-bcc3-06920828d5cc finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:14938.

Reference(s): GHSA-9jgg-88mc-972h, CVE-2025-30360

Semgrep found 1 ssc-9f75fd94-e484-4842-ba51-a6da2e792bae finding:

Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the data-parent HTML attribute value to jQuery's $() constructor without sanitization, allowing an attacker who can influence that attribute to inject and execute arbitrary JavaScript in a victim's browser (XSS).

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882.

Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040

Semgrep found 1 ssc-11b5542a-cf1c-4aac-809a-ed44a7e0a895 finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the data-target attribute value directly to jQuery's $() constructor without sanitization. Because jQuery parses HTML strings as live DOM nodes, an attacker who can control a data-target (or href) attribute on a Bootstrap trigger element can inject arbitrary HTML and execute JavaScript in the victim's browser, leading to session hijacking or sensitive data exposure.

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:1882.

Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735

Semgrep found 1 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa finding:

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:706.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

Semgrep found 1 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 finding:

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:706.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718

Semgrep found 1 ssc-b1111744-f54b-4966-b3a9-9dfcb0019bac finding:

Risk: Affected versions of axios are vulnerable to Inefficient Regular Expression Complexity / Uncontrolled Resource Consumption. axios is vulnerable to a regular expression denial of service (ReDoS). The internal cookies.read() helper in lib/helpers/cookies.js builds a regular expression by concatenating the cookie name directly into the pattern without escaping regex metacharacters. When the cookie name flowing into the XSRF cookie read (e.g. via xsrfCookieName) contains a catastrophic-backtracking payload, evaluating the regex against document.cookie can freeze the JavaScript event loop, causing a denial of service in the browser tab or in Node.js/SSR applications. The affected code path is reached during ordinary axios request processing, so any importer of an affected version is exposed. Upgrade to a patched version (0.32.0 or 1.16.0), or set xsrfCookieName: null to disable XSRF cookie reading.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using axios in browser with untrusted xsrfCookieName value

Fix: Upgrade this library to at least version 0.32.0 at react-redux-embedded-login/package-lock.json:706.

Reference(s): GHSA-hfxv-24rg-xrqf

Semgrep found 1 ssc-7655e34f-47d3-43f6-b687-32e02f3c8005 finding:

Risk: Affected versions of handlebars are vulnerable to Improper Control of Generation of Code ('Code Injection') / Improper Encoding or Escaping of Output / Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The Handlebars CLI precompiler allows arbitrary JavaScript injection by embedding unescaped template filenames and CLI option values such as --namespace, --commonjs, and --handlebarPath directly into generated output. An attacker who can control these inputs can cause malicious code to execute when the precompiled bundle is loaded in Node.js or a browser.

Manual Review Advice: A vulnerability from this advisory is reachable if you execute templates through the Handlebars CLI precompiler

Fix: Upgrade this library to at least version 4.7.9 at react-redux-embedded-login/package-lock.json:5859.

Reference(s): GHSA-xjpj-3mr7-gcpf, CVE-2026-33941

Semgrep found 1 ssc-2b10eb66-0d71-4a46-ace0-cd5ab36d3141 finding:

Risk: Affected versions of acorn are vulnerable to Uncontrolled Resource Consumption. A regular-expression denial-of-service exists in Acorn's RegExp parser: a pattern like /[x-\ud800]/u (an invalid UTF-16 range) causes the parser to spin in an infinite loop. If an application feeds untrusted code directly into Acorn, an attacker can supply such a regex to trigger a CPU-hogging infinite loop and achieve Denial of Service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using acorn on the CLI

Fix: Upgrade this library to at least version 5.7.4 at react-redux-embedded-login/package-lock.json:94.

Reference(s): GHSA-6chw-6frg-f759

Semgrep found 1 ssc-c5a69759-0cfc-41b4-aa6c-ae584bd301a6 finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Improper Input Validation. Missing origin validation on webpack-dev-server's Hot Module Replacement websocket allows any webpage to connect to the dev server's socket, access in‐memory compiled assets and source code, and exfiltrate a developer's source files.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack-dev-server with Hot Module Replacement enabled (i.e. using the --hot argument)

Fix: Upgrade this library to at least version 3.1.11 at react-redux-embedded-login/package-lock.json:14938.

Reference(s): GHSA-cf66-xwfp-gvc4, CVE-2018-14732

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:14363.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:14363.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:14363.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793

Semgrep found 1 ssc-6b25e01f-0c74-4dc1-a6c4-3d650baba180 finding:

Risk: tmpl versions before 1.0.5 are vulnerable to Uncontrolled Resource Consumption when formatting a string.

Fix: Upgrade this library to at least version 1.0.5 at react-redux-embedded-login/package-lock.json:14121.

Reference(s): GHSA-jgrx-mgxx-jf9v, CVE-2021-3777

Semgrep found 1 ssc-17eda294-146f-4ed3-91f7-5ef1b349d687 finding:

Risk: Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

Manual Review Advice: A vulnerability from this advisory is reachable if you use Babel to compile untrusted JavaScript

Fix: There are no safe versions of this library available for upgrade. Library included at react-redux-embedded-login/package-lock.json:1624.

Reference(s): GHSA-67hx-6x53-jw92, CVE-2023-45133

Semgrep found 1 ssc-1606921e-eb4c-4a25-bcec-3cbfbc985ee1 finding:

Risk: Affected version of deep-extend is vulnerable to Prototype Pollution. Malicious input passed to deep-extend allows an attacker to overwrite the prototype of Object, polluting all JavaScript objects with arbitrary properties. This can lead to Denial of Service or even Remote Code Execution.

Fix: Upgrade this library to at least version 0.5.1 at react-redux-embedded-login/package-lock.json:3460.

Reference(s): GHSA-hr2v-3952-633q, CVE-2018-3750

Semgrep found 2 ssc-0df1d23c-17f9-4a9b-956f-dc8a9d741e65 findings:

Risk: Affected versions of set-value and set-value are vulnerable to Improperly Controlled Modification Of Object Prototype Attributes ('Prototype Pollution'). The set function fails to validate which Object properties it updates. This allows attackers to modify the prototype of Object, causing the addition or modification of an existing property on all objects.

Fix: Upgrade this library to at least version 2.0.1 at react-redux-embedded-login/package-lock.json:13059.

Reference(s): GHSA-4g88-fppr-53pp, CVE-2019-10747

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants