New refactored version using lerna workspaces #30
changed nest-server to 1.1.8
added prepare script to container project (builds all executables)
adjusted .gitignore and .npmignore
changed version to 1.2.0
replaced single workspaces with lerna packages
moved pkg scripts to sub packages
added initial build script (cleanup, copy, rename and compress of init.js)
added prepare and package scripts to sub packages
added dynamic file name to sub packages executables
"copy:rename": "npm run copy && npm run rename", | ||
"copy": "copyfiles -f \"node_modules/@devonfw/ts-merger/dist/ts-merger.umd.js\" \"node_modules/@devonfw/ts-merger/build/\"", | ||
"rename": "node -e \"require('fs').rename('node_modules/@devonfw/ts-merger/build/ts-merger.umd.js', 'node_modules/@devonfw/ts-merger/build/index.js', function(err) { if (err) console.log(err); console.log('File successfully renamed!') })\"", | ||
"compress": "terser node_modules/@devonfw/ts-merger/build/index.js --compress --mangle --warn --output node_modules/@devonfw/ts-merger/build/index.js" |
you programmed all this stuff here by hand. Why didn't you use webpack? https://webpack.js.org/guides/getting-started/
Any reason?
"baseUrl": "./" | ||
}, | ||
"exclude": ["node_modules"] | ||
} |
I think you can easily inherit from the parent's tsconfig to not duplicate all code https://www.typescriptlang.org/docs/handbook/release-notes/typescript-3-2.html#tsconfigjson-inheritance-via-nodejs-packages
{ | ||
"extends": "./tsconfig.json", | ||
"exclude": ["node_modules", "test", "**/*spec.ts"] | ||
} |
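Review bot: missing documentation for why a second TypeScript configuration exists. From the lines shown, this file extends ./tsconfig.json and only adds "test" and "**/*spec.ts" to "exclude", so the intent is the usual split between the type-check configuration used by editors and tests and the emit configuration that keeps spec files out of the build output; a one-line note in the README (or a `//` comment, which tsconfig files accept) would answer the question raised in review and stop it recurring.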
why are there two different ts configurations?
@@ -1,64 +1,22 @@ | |||
{ |
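Review bot: the report attached to this hunk flags pkg:npm/[email protected] with CVE-2022-21944, but the advisory text it quotes describes a symlink-following flaw in the systemd service file of openSUSE's watchman package, not in the npm library. The scanner appears to have matched on the package name, so this should be triaged as an applicability question (is the openSUSE component in scope at all?) and the decision recorded, rather than being treated as an upgrade task; bumping the npm package is unlikely to clear it.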
Critical OSS Vulnerability:
pkg:npm/[email protected]
1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-21944] CWE-59: Improper Link Resolution Before File Access ('Link Following')
A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
@@ -1,64 +1,22 @@ | |||
{ |
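Review bot: both findings attached here are on express 4.17.3, which arrives transitively through @nestjs/platform-express rather than from anything edited in this hunk, so the remedy is an upgrade of the Nest platform package (or a yarn `resolutions` entry for express) rather than a change to this file. The sonatype-2021-0078 path-traversal item is scoped to express combined with the hbs view engine; if this server does not register hbs, state that in the triage so the finding is not reopened on every push.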
Critical OSS Vulnerability:
pkg:npm/%40nestjs/[email protected]
1 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2012-0022] CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
expressjs - HTTP Splitting Attack
The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-113
SEVERE Vulnerabilities (1)
[sonatype-2021-0078] CWE-23: Relative Path Traversal
express + hbs - Local File Read via Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-23
tslib "2.3.1" | ||
uuid "8.3.2" | ||
|
||
"@nestjs/platform-express@^8.4.4": |
Critical OSS Vulnerability:
pkg:npm/%40nestjs/[email protected]
1 Critical, 2 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2012-0022] CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
expressjs - HTTP Splitting Attack
The software receives data from an upstream component, but does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-113
SEVERE Vulnerabilities (1)
[sonatype-2021-0078] CWE-23: Relative Path Traversal
express + hbs - Local File Read via Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-23
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2016-0121] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
multer - Denial of Service (DoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
jest@^23.5.0: | ||
version "23.6.0" | ||
resolved "https://registry.yarnpkg.com/jest/-/jest-23.6.0.tgz#ad5835e923ebf6e19e7a1d7529a432edfee7813d" | ||
jest@^27.5.1: |
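Review bot: the lockfile still shows an entry for jest@^23.5.0 (resolved 23.6.0) next to the new jest@^27.5.1 entry. If no package.json in the workspace still requests ^23.5.0, that is a stale entry yarn did not prune; re-run `yarn install` and commit the result so only the ranges actually in use remain. The watchman report attached here is the same CVE-2022-21944 item already raised on the earlier hunk and needs no separate action.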
Critical OSS Vulnerability:
pkg:npm/[email protected]
1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-21944] CWE-59: Improper Link Resolution Before File Access ('Link Following')
A UNIX Symbolic Link (Symlink) Following vulnerability in the systemd service file for watchman of openSUSE Backports SLE-15-SP3, Factory allows local attackers to escalate to root. This issue affects: openSUSE Backports SLE-15-SP3 watchman versions prior to 4.9.0. openSUSE Factory watchman versions prior to 4.9.0-9.1.
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-59
"coverageDirectory": "../coverage", | ||
"testEnvironment": "node" | ||
"copyfiles": "^2.4.1", | ||
"lerna": "^4.0.0", |
Critical OSS Vulnerability:
pkg:npm/[email protected]
1 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 3 dependencies
Components
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
@@ -1,64 +1,22 @@ | |||
{ |
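Review bot: the multer 1.4.4 finding attached here is the same sonatype-2016-0121 item already reported on the @nestjs/platform-express lockfile entry, so one triage decision covers both; no separate action is needed on this hunk.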
Severe OSS Vulnerability:
pkg:npm/%40nestjs/[email protected]
0 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies
Components
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2016-0121] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
multer - Denial of Service (DoS)
The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
# Conflicts: # cobigen-nest-server/yarn.lock
|
||
latest-version@^3.0.0: | ||
lerna@^4.0.0: |
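Review bot: the request 2.88.2 findings attached to this lockfile entry list no fixed version, and the request package is deprecated upstream, so there is no patch to take; the only remedy is a lerna release that no longer depends on it. According to the report request is reached only through lerna, a devDependency, so record this as accepted risk for build-time tooling with a reminder to re-check on the next lerna upgrade.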
Critical OSS Vulnerability:
pkg:npm/[email protected]
1 Critical, 2 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 3 dependencies
Components
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2017-0655] Unknown
request - Weak Authentication Algorithm
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-310
MODERATE Vulnerabilities (1)
[sonatype-2021-0749] CWE-326: Inadequate Encryption Strength
request - Inadequate Encryption Strength
The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
CVSS Score: 3.7
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-326
pkg:npm/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2021-23362] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
The package hosted-git-info before 3.0.8 are vulnerable to Regular Expression Denial of Service (ReDoS) via regular expression shortcutMatch in the fromUrl function in index.js. The affected regular expression exhibits polynomial worst-case time complexity.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2021-23337] CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
CVSS Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
}, | ||
"coverageDirectory": "../coverage", | ||
"testEnvironment": "node" | ||
"copyfiles": "^2.4.1", |
Critical OSS Vulnerability:
pkg:npm/[email protected]
2 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies
Components
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1169] Unknown
ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
pkg:npm/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-4879] Unknown
minimatch - Regular Expression Denial of Service (ReDoS)
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-1333
Implements: #29
Features:
Current workflow:
yarn run build (cleanups dist folders, creates proper index.js)
yarn lerna run build (creates dist folder for each sub-package)
yarn lerna run prepare (creates executable for each sub-package)