There is a Machine-In-The-Middle vulnerability found in https-proxy-agent before 2.2.3. There is a failure of TLS enforcement on the socket. An attacker may intercept unencrypted communications.
1 kind-of vulnerability
found in yarn.lock 18 hours ago
Remediation
Upgrade kind-of to version 6.0.3 or later. For example:
Always verify the validity and compatibility of suggestions with your codebase.
Details
CVE-2019-20149
moderate severity
*Vulnerable versions:* < 6.0.3
*Patched version:* 6.0.3
ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
1 ecstatic vulnerability
found in yarn.lock yesterday
Remediation
No patched version is available.
Details
CVE-2019-10775
moderate severity
*Vulnerable versions:* <= 4.1.2
*Patched version:* No fix
ecstatic has a denial of service vulnerability. Successful exploitation could lead to a crash of the application.
1 minimist vulnerability
found in yarn.lock 19 days ago
Remediation
Upgrade minimist to version 1.2.2 or later. For example:
Always verify the validity and compatibility of suggestions with your codebase.
Details
GHSA-7fhm-mqm4-2wp7
moderate severity
*Vulnerable versions:* < 1.2.2
*Patched version:* 1.2.2
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
1 acorn vulnerability
found in yarn.lock 20 days ago
Remediation
Upgrade acorn to version 6.4.1 or later. For example:
Always verify the validity and compatibility of suggestions with your codebase.
Details
moderate severity
*Vulnerable versions:* >= 6.0.0, < 6.4.1
*Patched version:* 6.4.1