
Dependency update recommendations for security reasons #552

Open
nimdanor opened this issue May 7, 2024 · 0 comments
Labels: Bug (Something isn't working)

nimdanor (Member) commented May 7, 2024

Requirements.txt
django-celery-results >2.4.0

package-lock.json
canvas >= 1.6.10
minimist >= 0.2.1
yargs-parser >13.1.2
webpack-subresource-integrity >1.5.1
ini > 1.3.6
socket.io >2.4.0
xmlhttprequest-ssl >1.6.2

etc
| Dependency | Version | Upgrade to | Defined in | Suggested update | Vulnerabilities |
|---|---|---|---|---|---|
| django-celery-results | < 2.4.0 | ~> 2.4.0 | requirements.txt | #497 | CVE-2020-17495 (High) |
| canvas | < 1.6.10 | ~> 1.6.10 | package-lock.json | | CVE-2020-8215 (High); GHSA-vpq5-4rc8-c222 (Moderate) |
| minimist | < 0.2.1 | ~> 0.2.1 | package-lock.json | | CVE-2021-44906 (Critical); CVE-2020-7598 (Moderate) |
| yargs-parser | >= 6.0.0, < 13.1.2 | ~> 13.1.2 | package-lock.json | | CVE-2020-7608 (Moderate) |
| webpack-subresource-integrity | < 1.5.1 | ~> 1.5.1 | package-lock.json | | CVE-2020-15262 (Low) |
| ini | < 1.3.6 | ~> 1.3.6 | package-lock.json | | CVE-2020-7788 (High) |
| socket.io | < 2.4.0 | ~> 2.4.0 | package-lock.json | | CVE-2020-28481 (Moderate) |
| xmlhttprequest-ssl | < 1.6.2 | ~> 1.6.2 | package-lock.json | | CVE-2020-28502 (Critical); CVE-2021-31597 (Critical) |
| trim-newlines | < 3.0.1 | ~> 3.0.1 | package-lock.json | | CVE-2021-33623 (High) |
| tar | < 3.2.2 | ~> 3.2.2 | package-lock.json | | CVE-2021-32804 (High); CVE-2021-37713 (High); CVE-2021-32803 (High); 8 more not shown |
| node-forge | < 1.0.0 | ~> 1.0.0 | package-lock.json | | CVE-2022-24771 (High); CVE-2022-24772 (High); GHSA-gf8q-jrpm-jvxq (Low); 7 more not shown |
| marked | < 4.0.10 | ~> 4.0.10 | package-lock.json | | CVE-2022-21680 (High); CVE-2022-21681 (High) |
| log4js | < 6.4.0 | ~> 6.4.0 | package-lock.json | | CVE-2022-21704 (Moderate) |
| karma | < 6.3.14 | ~> 6.3.14 | package-lock.json | | CVE-2022-0437 (Moderate); CVE-2021-23495 (Moderate) |
| node-sass | >= 2.0.0, < 7.0.0 | ~> 7.0.0 | package-lock.json | | CVE-2020-24025 (Moderate) |
| scss-tokenizer | <= 0.4.2 | ~> 0.4.3 | package-lock.json | | CVE-2022-25758 (High) |
| prismjs | < 1.23.0 | ~> 1.23.0 | package-lock.json | | CVE-2021-23341 (High); CVE-2021-32723 (High); CVE-2022-23647 (High); CVE-2021-3801 (Moderate) |
| elliptic | < 6.5.4 | ~> 6.5.4 | package-lock.json | | CVE-2020-28498 (Moderate) |
| lodash | < 4.17.21 | ~> 4.17.21 | package-lock.json | | CVE-2021-23337 (High); CVE-2020-28500 (Moderate) |
| url-parse | < 1.5.0 | ~> 1.5.0 | package-lock.json | | CVE-2022-0686 (Critical); CVE-2021-27515 (Moderate); CVE-2021-3664 (Moderate); CVE-2022-0512 (Moderate); CVE-2022-0639 (Moderate); 1 more not shown |
| hosted-git-info | < 2.8.9 | ~> 2.8.9 | package-lock.json | | CVE-2021-23362 (Moderate) |
| dns-packet | < 1.3.2 | ~> 1.3.2 | package-lock.json | | CVE-2021-23386 (High) |
| ws | >= 6.0.0, < 6.2.2 | ~> 6.2.2 | package-lock.json | | CVE-2021-32640 (Moderate) |
| path-parse | < 1.0.7 | ~> 1.0.7 | package-lock.json | | CVE-2021-23343 (Moderate) |
| json-schema | < 0.4.0 | ~> 0.4.0 | package-lock.json | | CVE-2021-3918 (Critical) |
| follow-redirects | < 1.14.7 | ~> 1.14.7 | package-lock.json | | CVE-2022-0155 (High); CVE-2022-0536 (Moderate); CVE-2023-26159 (Moderate); CVE-2024-28849 (Moderate); 1 more not shown |
| ansi-regex | >= 5.0.0, < 5.0.1 | ~> 5.0.1 | package-lock.json | | CVE-2021-3807 (High) |
| eventsource | < 1.1.1 | ~> 1.1.1 | package-lock.json | #504 | CVE-2022-1650 (Critical) |
| async | >= 2.0.0, < 2.6.4 | ~> 2.6.4 | package-lock.json | #503 | CVE-2021-43138 (High) |
| jszip | >= 3.0.0, < 3.7.0 | ~> 3.7.0 | package-lock.json | | CVE-2022-48285 (High); CVE-2021-23413 (Moderate) |
| d3-color | < 3.1.0 | ~> 3.1.0 | package-lock.json | | GHSA-36jr-mh4h-2g58 (High) |
| loader-utils | >= 2.0.0, < 2.0.3 | ~> 2.0.3 | package-lock.json | #516 | CVE-2022-37601 (Critical) |
| socket.io-parser | < 3.3.3 | ~> 3.3.3 | package-lock.json | | CVE-2022-2421 (Critical) |
| minimatch | < 3.0.5 | ~> 3.0.5 | package-lock.json | | CVE-2022-3517 (High) |
| decode-uri-component | < 0.2.1 | ~> 0.2.1 | package-lock.json | #522 | CVE-2022-38900 (High) |
| qs | >= 6.7.0, < 6.7.3 | ~> 6.7.3 | package-lock.json | #524 | CVE-2022-24999 (High) |
| json5 | >= 2.0.0, < 2.2.2 | ~> 2.2.2 | package-lock.json | #526 | CVE-2022-46175 (High) |
| request | <= 2.88.2 | (none given) | package-lock.json | | (none listed) |
| xml2js | < 0.5.0 | ~> 0.5.0 | package-lock.json | | CVE-2023-0842 (Moderate) |
| tough-cookie | < 4.1.3 | ~> 4.1.3 | package-lock.json | | CVE-2023-26136 (Moderate) |
| postcss | < 8.4.31 | ~> 8.4.31 | package-lock.json | | CVE-2023-44270 (Moderate) |
| @angular/core | < 10.2.5 | ~> 10.2.5 | package-lock.json | | CVE-2021-4231 (Moderate) |
| @babel/traverse | < 7.23.2 | ~> 7.23.2 | package-lock.json | | CVE-2023-45133 (Critical) |
| browserify-sign | >= 2.6.0, <= 4.2.1 | ~> 4.2.2 | package-lock.json | | CVE-2023-46234 (High) |
| jinja2 | < 3.1.3 | ~> 3.1.3 | requirements.txt | | CVE-2024-22195 (Moderate) |
| django | < 3.2.24 | ~> 3.2.24 | requirements.txt | | CVE-2024-24680 (Moderate) |
| ip | < 1.1.9 | ~> 1.1.9 | package-lock.json | | CVE-2023-42282 (Moderate) |
| webpack-dev-middleware | <= 5.3.3 | ~> 5.3.4 | package-lock.json | | CVE-2024-29180 (High) |
| katex | >= 0.11.0, < 0.16.10 | ~> 0.16.10 | package-lock.json | | CVE-2024-28246 (Moderate); CVE-2024-28245 (Moderate); CVE-2024-28243 (Moderate); 1 more not shown |
| express | < 4.19.2 | ~> 4.19.2 | package-lock.json | | CVE-2024-29041 (Moderate) |
| Jinja2 | < 3.1.4 | ~> 3.1.4 | requirements.txt | | CVE-2024-34064 (Moderate) |

@nimdanor nimdanor added the Bug Something isn't working label May 7, 2024