From 2e1da1d8154b8f353dc52c0c6f494ca19d894b9d Mon Sep 17 00:00:00 2001 
From: Weyert de Boer Date: Sat, 4 Jun 2022 00:06:43 +0100 Subject: [PATCH 1/2] feat(licenses): add command to generate a license compliance report Introduces a new command named `licenses` which generates a license compliance report --- .meta-updater/src/index.ts | 1 + .../plugin-commands-licenses/CHANGELOG.md | 1123 ++++++ packages/plugin-commands-licenses/README.md | 24 + .../plugin-commands-licenses/jest.config.js | 4 + .../plugin-commands-licenses/package.json | 65 + .../plugin-commands-licenses/src/index.ts | 3 + .../src/licenseChecker.ts | 165 + .../plugin-commands-licenses/src/licenses.ts | 136 + .../plugin-commands-licenses/src/types.ts | 62 + .../plugin-commands-licenses/src/utils.ts | 109 + .../test/__snapshots__/index.ts.snap | 984 ++++++ packages/plugin-commands-licenses/test/fix.ts | 52 + .../test/fixtures/.gitignore | 1 + .../test/fixtures/.npmrc | 1 + .../fixtures/has-vulnerabilities/package.json | 13 + .../has-vulnerabilities/pnpm-lock.yaml | 3136 +++++++++++++++++ .../test/fixtures/pnpm-workspace.yaml | 1 + .../plugin-commands-licenses/test/index.ts | 117 + .../all-vulnerabilities-response.json | 1969 +++++++++++ .../dev-vulnerabilities-only-response.json | 278 ++ .../test/utils/responses/index.ts | 9 + .../no-vulnerabilities-response.json | 18 + .../test/utils/responses/update.ts | 36 + .../plugin-commands-licenses/tsconfig.json | 49 + .../tsconfig.lint.json | 8 + packages/pnpm/package.json | 3 +- packages/pnpm/src/cmd/help.ts | 4 + packages/pnpm/src/cmd/index.ts | 2 + packages/pnpm/tsconfig.json | 3 + packages/types/src/package.ts | 1 + pnpm-lock.yaml | 264 +- 31 files changed, 8558 insertions(+), 83 deletions(-) create mode 100644 packages/plugin-commands-licenses/CHANGELOG.md create mode 100644 packages/plugin-commands-licenses/README.md create mode 100644 packages/plugin-commands-licenses/jest.config.js create mode 100644 packages/plugin-commands-licenses/package.json create mode 100644 packages/plugin-commands-licenses/src/index.ts create 
mode 100644 packages/plugin-commands-licenses/src/licenseChecker.ts create mode 100644 packages/plugin-commands-licenses/src/licenses.ts create mode 100644 packages/plugin-commands-licenses/src/types.ts create mode 100644 packages/plugin-commands-licenses/src/utils.ts create mode 100644 packages/plugin-commands-licenses/test/__snapshots__/index.ts.snap create mode 100644 packages/plugin-commands-licenses/test/fix.ts create mode 100644 packages/plugin-commands-licenses/test/fixtures/.gitignore create mode 100644 packages/plugin-commands-licenses/test/fixtures/.npmrc create mode 100644 packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/package.json create mode 100644 packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/pnpm-lock.yaml create mode 100644 packages/plugin-commands-licenses/test/fixtures/pnpm-workspace.yaml create mode 100644 packages/plugin-commands-licenses/test/index.ts create mode 100644 packages/plugin-commands-licenses/test/utils/responses/all-vulnerabilities-response.json create mode 100644 packages/plugin-commands-licenses/test/utils/responses/dev-vulnerabilities-only-response.json create mode 100644 packages/plugin-commands-licenses/test/utils/responses/index.ts create mode 100644 packages/plugin-commands-licenses/test/utils/responses/no-vulnerabilities-response.json create mode 100644 packages/plugin-commands-licenses/test/utils/responses/update.ts create mode 100644 packages/plugin-commands-licenses/tsconfig.json create mode 100644 packages/plugin-commands-licenses/tsconfig.lint.json diff --git a/.meta-updater/src/index.ts b/.meta-updater/src/index.ts index b3110f9dbf2..5c199f3915a 100644 --- a/.meta-updater/src/index.ts +++ b/.meta-updater/src/index.ts 
@@ -130,6 +130,7 @@ async function updateManifest (workspaceDir: string, manifest: ProjectManifest, case '@pnpm/plugin-commands-import': case '@pnpm/plugin-commands-installation': case '@pnpm/plugin-commands-listing': + case '@pnpm/plugin-commands-licenses': case '@pnpm/plugin-commands-outdated': case '@pnpm/plugin-commands-publishing': case '@pnpm/plugin-commands-rebuild': diff --git a/packages/plugin-commands-licenses/CHANGELOG.md b/packages/plugin-commands-licenses/CHANGELOG.md new file mode 100644 index 00000000000..4795e98aae2 --- /dev/null +++ b/packages/plugin-commands-licenses/CHANGELOG.md 
@@ -0,0 +1,1123 @@ +# @pnpm/plugin-commands-audit + +## 5.1.45 + +### Patch Changes + +- @pnpm/cli-utils@0.6.53 + +## 5.1.44 + +### Patch Changes + +- Updated dependencies [827007700] + - @pnpm/config@13.13.3 + - @pnpm/cli-utils@0.6.52 + +## 5.1.43 + +### Patch Changes + +- @pnpm/audit@2.2.8 +- @pnpm/cli-utils@0.6.51 + +## 5.1.42 + +### Patch Changes + +- Updated dependencies [70ba51da9] + - @pnpm/error@2.1.0 + - @pnpm/audit@2.2.7 + - @pnpm/cli-utils@0.6.50 + - @pnpm/config@13.13.2 + - @pnpm/lockfile-file@4.3.1 + - @pnpm/read-project-manifest@2.0.13 + +## 5.1.41 + +### Patch Changes + +- Updated dependencies [b138d048c] + - @pnpm/lockfile-file@4.3.0 + - @pnpm/types@7.10.0 + - @pnpm/audit@2.2.6 + - @pnpm/cli-utils@0.6.49 + - @pnpm/config@13.13.1 + - @pnpm/read-project-manifest@2.0.12 + +## 5.1.40 + +### Patch Changes + +- Updated dependencies [334e5340a] + - @pnpm/config@13.13.0 + - @pnpm/cli-utils@0.6.48 + +## 5.1.39 + +### Patch Changes + +- Updated dependencies [b7566b979] + - @pnpm/config@13.12.0 + - @pnpm/cli-utils@0.6.47 + +## 5.1.38 + +### Patch Changes + +- @pnpm/audit@2.2.5 +- @pnpm/config@13.11.0 + +## 5.1.37 + +### Patch Changes + +- Updated dependencies [fff0e4493] + - @pnpm/config@13.11.0 + - @pnpm/cli-utils@0.6.46 + +## 5.1.36 + +### Patch Changes + +- @pnpm/cli-utils@0.6.45 + +## 5.1.35 + +### Patch Changes + +- Updated dependencies [e76151f66] +- Updated dependencies [26cd01b88] + - @pnpm/config@13.10.0 + - @pnpm/types@7.9.0 + - @pnpm/cli-utils@0.6.44 + - @pnpm/audit@2.2.4 + - @pnpm/lockfile-file@4.2.6 + - @pnpm/read-project-manifest@2.0.11 + +## 5.1.34 + +### Patch Changes + +- @pnpm/cli-utils@0.6.43 + +## 5.1.33 + +### Patch Changes + +- Updated dependencies [8fe8f5e55] + - @pnpm/config@13.9.0 + - @pnpm/cli-utils@0.6.42 + +## 5.1.32 + +### Patch Changes + +- Updated dependencies [732d4962f] +- Updated dependencies [a6cf11cb7] + - @pnpm/config@13.8.0 + - @pnpm/cli-utils@0.6.41 + +## 5.1.31 + +### Patch Changes + +- @pnpm/audit@2.2.3 +- 
@pnpm/cli-utils@0.6.40 +- @pnpm/config@13.7.2 +- @pnpm/lockfile-file@4.2.5 +- @pnpm/read-project-manifest@2.0.10 + +## 5.1.30 + +### Patch Changes + +- Updated dependencies [eb9ebd0f3] +- Updated dependencies [eb9ebd0f3] + - @pnpm/lockfile-file@4.2.4 + - @pnpm/audit@2.2.2 + +## 5.1.29 + +### Patch Changes + +- @pnpm/cli-utils@0.6.39 + +## 5.1.28 + +### Patch Changes + +- @pnpm/audit@2.2.2 +- @pnpm/cli-utils@0.6.38 +- @pnpm/config@13.7.1 +- @pnpm/lockfile-file@4.2.3 +- @pnpm/read-project-manifest@2.0.9 + +## 5.1.27 + +### Patch Changes + +- Updated dependencies [30bfca967] +- Updated dependencies [927c4a089] +- Updated dependencies [10a4bd4db] + - @pnpm/config@13.7.0 + - @pnpm/cli-utils@0.6.37 + - @pnpm/audit@2.2.1 + - @pnpm/lockfile-file@4.2.2 + - @pnpm/read-project-manifest@2.0.8 + +## 5.1.26 + +### Patch Changes + +- Updated dependencies [f1c194ded] +- Updated dependencies [46aaf7108] + - @pnpm/audit@2.2.0 + - @pnpm/config@13.6.1 + - @pnpm/cli-utils@0.6.36 + +## 5.1.25 + +### Patch Changes + +- Updated dependencies [8a99a01ff] + - @pnpm/config@13.6.0 + - @pnpm/audit@2.1.15 + - @pnpm/cli-utils@0.6.35 + +## 5.1.24 + +### Patch Changes + +- @pnpm/cli-utils@0.6.34 + +## 5.1.23 + +### Patch Changes + +- Updated dependencies [a7ff2d5ce] + - @pnpm/config@13.5.1 + - @pnpm/cli-utils@0.6.33 + +## 5.1.22 + +### Patch Changes + +- Updated dependencies [002778559] + - @pnpm/config@13.5.0 + - @pnpm/cli-utils@0.6.32 + - @pnpm/audit@2.1.14 + +## 5.1.21 + +### Patch Changes + +- @pnpm/cli-utils@0.6.31 + +## 5.1.20 + +### Patch Changes + +- @pnpm/config@13.4.2 +- @pnpm/audit@2.1.13 +- @pnpm/cli-utils@0.6.30 +- @pnpm/lockfile-file@4.2.1 +- @pnpm/read-project-manifest@2.0.7 + +## 5.1.19 + +### Patch Changes + +- Updated dependencies [4ab87844a] + - @pnpm/lockfile-file@4.2.0 + - @pnpm/audit@2.1.12 + - @pnpm/cli-utils@0.6.29 + - @pnpm/config@13.4.1 + - @pnpm/read-project-manifest@2.0.6 + +## 5.1.18 + +### Patch Changes + +- @pnpm/audit@2.1.11 + +## 5.1.17 + +### Patch Changes + +- 
Updated dependencies [b6d74c545] + - @pnpm/config@13.4.0 + - @pnpm/cli-utils@0.6.28 + +## 5.1.16 + +### Patch Changes + +- Updated dependencies [bd7bcdbe8] + - @pnpm/config@13.3.0 + - @pnpm/cli-utils@0.6.27 + - @pnpm/audit@2.1.10 + +## 5.1.15 + +### Patch Changes + +- Updated dependencies [5ee3b2dc7] + - @pnpm/config@13.2.0 + - @pnpm/cli-utils@0.6.26 + +## 5.1.14 + +### Patch Changes + +- @pnpm/cli-utils@0.6.25 + +## 5.1.13 + +### Patch Changes + +- Updated dependencies [4027a3c69] + - @pnpm/config@13.1.0 + - @pnpm/cli-utils@0.6.24 + +## 5.1.12 + +### Patch Changes + +- Updated dependencies [fe5688dc0] +- Updated dependencies [c7081cbb4] +- Updated dependencies [c7081cbb4] + - @pnpm/config@13.0.0 + - @pnpm/cli-utils@0.6.23 + +## 5.1.11 + +### Patch Changes + +- Updated dependencies [d62259d67] + - @pnpm/config@12.6.0 + - @pnpm/cli-utils@0.6.22 + +## 5.1.10 + +### Patch Changes + +- Updated dependencies [6681fdcbc] + - @pnpm/config@12.5.0 + - @pnpm/cli-utils@0.6.21 + - @pnpm/audit@2.1.9 + +## 5.1.9 + +### Patch Changes + +- @pnpm/audit@2.1.8 +- @pnpm/cli-utils@0.6.20 + +## 5.1.8 + +### Patch Changes + +- Updated dependencies [ede519190] + - @pnpm/config@12.4.9 + - @pnpm/cli-utils@0.6.19 + +## 5.1.7 + +### Patch Changes + +- @pnpm/config@12.4.8 +- @pnpm/cli-utils@0.6.18 + +## 5.1.6 + +### Patch Changes + +- Updated dependencies [655af55ba] + - @pnpm/config@12.4.7 + - @pnpm/cli-utils@0.6.17 + +## 5.1.5 + +### Patch Changes + +- Updated dependencies [3fb74c618] + - @pnpm/config@12.4.6 + - @pnpm/cli-utils@0.6.16 + +## 5.1.4 + +### Patch Changes + +- 92ed1272e: If a package has no fixes, do not add it to the overrides. 
+- Updated dependencies [051296a16] + - @pnpm/config@12.4.5 + - @pnpm/cli-utils@0.6.15 + +## 5.1.3 + +### Patch Changes + +- Updated dependencies [af8b5716e] + - @pnpm/config@12.4.4 + - @pnpm/cli-utils@0.6.14 + +## 5.1.2 + +### Patch Changes + +- @pnpm/audit@2.1.7 +- @pnpm/cli-utils@0.6.13 +- @pnpm/config@12.4.3 +- @pnpm/lockfile-file@4.1.1 +- @pnpm/read-project-manifest@2.0.5 + +## 5.1.1 + +### Patch Changes + +- Updated dependencies [73c1f802e] + - @pnpm/config@12.4.2 + - @pnpm/cli-utils@0.6.12 + +## 5.1.0 + +### Minor Changes + +- a5f698290: New command added: `pnpm audit --fix`. This command adds overrides to `package.json` that force versions of packages that do not have the vulnerabilities. + +### Patch Changes + +- @pnpm/cli-utils@0.6.11 + +## 5.0.1 + +### Patch Changes + +- Updated dependencies [2264bfdf4] + - @pnpm/config@12.4.1 + - @pnpm/cli-utils@0.6.10 + +## 5.0.0 + +### Major Changes + +- 691f64713: New required option added: cacheDir. + +### Patch Changes + +- Updated dependencies [25f6968d4] +- Updated dependencies [5aaf3e3fa] + - @pnpm/config@12.4.0 + - @pnpm/cli-utils@0.6.9 + +## 4.2.2 + +### Patch Changes + +- Updated dependencies [8e76690f4] + - @pnpm/lockfile-file@4.1.0 + - @pnpm/audit@2.1.6 + - @pnpm/cli-utils@0.6.8 + - @pnpm/config@12.3.3 + +## 4.2.1 + +### Patch Changes + +- @pnpm/audit@2.1.5 + +## 4.2.0 + +### Minor Changes + +- 448710f88: New CLI option added: `--ignore-registry-errors`. When used, audit exits with 0 exit code, when the registry responds with a non-200 status code. + +### Patch Changes + +- Updated dependencies [2dc5a7a4c] + - @pnpm/lockfile-file@4.0.4 + - @pnpm/audit@2.1.4 + +## 4.1.6 + +### Patch Changes + +- @pnpm/audit@2.1.4 +- @pnpm/cli-utils@0.6.7 +- @pnpm/config@12.3.2 +- @pnpm/lockfile-file@4.0.3 + +## 4.1.5 + +### Patch Changes + +- a1a03d145: Import only the required functions from ramda. 
+- Updated dependencies [a1a03d145] + - @pnpm/config@12.3.1 + - @pnpm/lockfile-file@4.0.2 + - @pnpm/cli-utils@0.6.6 + - @pnpm/audit@2.1.3 + +## 4.1.4 + +### Patch Changes + +- Updated dependencies [84ec82e05] +- Updated dependencies [c2a71e4fd] +- Updated dependencies [84ec82e05] + - @pnpm/config@12.3.0 + - @pnpm/cli-utils@0.6.5 + +## 4.1.3 + +### Patch Changes + +- @pnpm/cli-utils@0.6.4 +- @pnpm/audit@2.1.2 + +## 4.1.2 + +### Patch Changes + +- @pnpm/cli-utils@0.6.3 +- @pnpm/config@12.2.0 + +## 4.1.1 + +### Patch Changes + +- Updated dependencies [40b75fbb9] + - @pnpm/audit@2.1.1 + - @pnpm/config@12.2.0 + +## 4.1.0 + +### Minor Changes + +- 05baaa6e7: Add new config setting: `fetch-timeout`. + +### Patch Changes + +- Updated dependencies [05baaa6e7] +- Updated dependencies [dfdf669e6] +- Updated dependencies [05baaa6e7] + - @pnpm/config@12.2.0 + - @pnpm/audit@2.1.0 + - @pnpm/cli-utils@0.6.2 + - @pnpm/lockfile-file@4.0.1 + +## 4.0.2 + +### Patch Changes + +- Updated dependencies [ba5231ccf] + - @pnpm/config@12.1.0 + - @pnpm/cli-utils@0.6.1 + +## 4.0.1 + +### Patch Changes + +- @pnpm/audit@2.0.1 + +## 4.0.0 + +### Major Changes + +- 97b986fbc: Node.js 10 support is dropped. At least Node.js 12.17 is required for the package to work. 
+ +### Patch Changes + +- Updated dependencies [6871d74b2] +- Updated dependencies [97b986fbc] +- Updated dependencies [78470a32d] +- Updated dependencies [155e70597] +- Updated dependencies [9c2a878c3] +- Updated dependencies [aed712455] +- Updated dependencies [8b66f26dc] +- Updated dependencies [f2bb5cbeb] +- Updated dependencies [f7750baed] +- Updated dependencies [aed712455] +- Updated dependencies [9c2a878c3] + - @pnpm/constants@5.0.0 + - @pnpm/audit@2.0.0 + - @pnpm/cli-utils@0.6.0 + - @pnpm/config@12.0.0 + - @pnpm/error@2.0.0 + - @pnpm/lockfile-file@4.0.0 + +## 3.0.6 + +### Patch Changes + +- Updated dependencies [4f1ce907a] + - @pnpm/config@11.14.2 + - @pnpm/cli-utils@0.5.4 + +## 3.0.5 + +### Patch Changes + +- Updated dependencies [4b3852c39] + - @pnpm/config@11.14.1 + - @pnpm/cli-utils@0.5.3 + +## 3.0.4 + +### Patch Changes + +- @pnpm/audit@1.1.24 + +## 3.0.3 + +### Patch Changes + +- @pnpm/config@11.14.0 +- @pnpm/cli-utils@0.5.2 + +## 3.0.2 + +### Patch Changes + +- Updated dependencies [3be2b1773] + - @pnpm/cli-utils@0.5.1 + +## 3.0.1 + +### Patch Changes + +- Updated dependencies [51e1456dd] + - @pnpm/lockfile-file@3.2.1 + - @pnpm/audit@1.1.23 + +## 3.0.0 + +### Major Changes + +- 5175460a0: Filter dependency types via the `dev`/`production`/`optional` options instead of the `included` option. + +## 2.0.43 + +### Patch Changes + +- 0c11e1a07: Audit output should always have a new line at the end. 
+- Updated dependencies [cb040ae18] + - @pnpm/cli-utils@0.5.0 + - @pnpm/config@11.14.0 + +## 2.0.42 + +### Patch Changes + +- Updated dependencies [c4cc62506] + - @pnpm/config@11.13.0 + - @pnpm/cli-utils@0.4.51 + +## 2.0.41 + +### Patch Changes + +- Updated dependencies [bff84dbca] + - @pnpm/config@11.12.1 + - @pnpm/cli-utils@0.4.50 + +## 2.0.40 + +### Patch Changes + +- @pnpm/cli-utils@0.4.49 + +## 2.0.39 + +### Patch Changes + +- @pnpm/cli-utils@0.4.48 + +## 2.0.38 + +### Patch Changes + +- Updated dependencies [9ad8c27bf] +- Updated dependencies [548f28df9] +- Updated dependencies [548f28df9] + - @pnpm/lockfile-file@3.2.0 + - @pnpm/cli-utils@0.4.47 + - @pnpm/config@11.12.0 + - @pnpm/audit@1.1.23 + +## 2.0.37 + +### Patch Changes + +- @pnpm/config@11.11.1 +- @pnpm/cli-utils@0.4.46 + +## 2.0.36 + +### Patch Changes + +- Updated dependencies [af897c324] + - @pnpm/lockfile-file@3.1.4 + - @pnpm/audit@1.1.22 + +## 2.0.35 + +### Patch Changes + +- Updated dependencies [1e4a3a17a] +- Updated dependencies [f40bc5927] + - @pnpm/lockfile-file@3.1.3 + - @pnpm/config@11.11.0 + - @pnpm/audit@1.1.22 + - @pnpm/cli-utils@0.4.45 + +## 2.0.34 + +### Patch Changes + +- Updated dependencies [425c7547d] + - @pnpm/config@11.10.2 + - @pnpm/cli-utils@0.4.44 + - @pnpm/audit@1.1.22 + +## 2.0.33 + +### Patch Changes + +- Updated dependencies [ea09da716] + - @pnpm/config@11.10.1 + - @pnpm/cli-utils@0.4.43 + +## 2.0.32 + +### Patch Changes + +- Updated dependencies [a8656b42f] + - @pnpm/config@11.10.0 + - @pnpm/cli-utils@0.4.42 + +## 2.0.31 + +### Patch Changes + +- Updated dependencies [041537bc3] + - @pnpm/config@11.9.1 + - @pnpm/cli-utils@0.4.41 + +## 2.0.30 + +### Patch Changes + +- Updated dependencies [fba715512] + - @pnpm/lockfile-file@3.1.2 + - @pnpm/audit@1.1.21 + +## 2.0.29 + +### Patch Changes + +- @pnpm/audit@1.1.20 + +## 2.0.28 + +### Patch Changes + +- Updated dependencies [8698a7060] + - @pnpm/config@11.9.0 + - @pnpm/cli-utils@0.4.40 + - @pnpm/audit@1.1.19 + +## 2.0.27 + +### 
Patch Changes + +- Updated dependencies [fcc1c7100] + - @pnpm/config@11.8.0 + - @pnpm/cli-utils@0.4.39 + +## 2.0.26 + +### Patch Changes + +- Updated dependencies [0c5f1bcc9] + - @pnpm/error@1.4.0 + - @pnpm/audit@1.1.18 + - @pnpm/cli-utils@0.4.38 + - @pnpm/config@11.7.2 + - @pnpm/lockfile-file@3.1.1 + +## 2.0.25 + +### Patch Changes + +- Updated dependencies [3776b5a52] + - @pnpm/lockfile-file@3.1.0 + - @pnpm/audit@1.1.17 + +## 2.0.24 + +### Patch Changes + +- Updated dependencies [dbcc6c96f] +- Updated dependencies [09492b7b4] + - @pnpm/lockfile-file@3.0.18 + - @pnpm/audit@1.1.17 + - @pnpm/cli-utils@0.4.37 + +## 2.0.23 + +### Patch Changes + +- e70232907: Use @arcanis/slice-ansi instead of slice-ansi. +- Updated dependencies [aa6bc4f95] + - @pnpm/lockfile-file@3.0.17 + - @pnpm/audit@1.1.17 + - @pnpm/cli-utils@0.4.36 + +## 2.0.22 + +### Patch Changes + +- @pnpm/audit@1.1.16 +- @pnpm/lockfile-file@3.0.16 +- @pnpm/cli-utils@0.4.35 +- @pnpm/config@11.7.1 + +## 2.0.21 + +### Patch Changes + +- Updated dependencies [50b360ec1] + - @pnpm/config@11.7.0 + - @pnpm/cli-utils@0.4.34 + +## 2.0.20 + +### Patch Changes + +- Updated dependencies [fcdad632f] + - @pnpm/constants@4.1.0 + - @pnpm/audit@1.1.15 + - @pnpm/lockfile-file@3.0.15 + - @pnpm/cli-utils@0.4.33 + - @pnpm/config@11.6.1 + +## 2.0.19 + +### Patch Changes + +- Updated dependencies [f591fdeeb] + - @pnpm/config@11.6.0 + - @pnpm/cli-utils@0.4.32 + +## 2.0.18 + +### Patch Changes + +- @pnpm/cli-utils@0.4.31 + +## 2.0.17 + +### Patch Changes + +- Updated dependencies [74914c178] + - @pnpm/config@11.5.0 + - @pnpm/cli-utils@0.4.30 + +## 2.0.16 + +### Patch Changes + +- Updated dependencies [23cf3c88b] + - @pnpm/config@11.4.0 + - @pnpm/cli-utils@0.4.29 + +## 2.0.15 + +### Patch Changes + +- Updated dependencies [767212f4e] +- Updated dependencies [092f8dd83] + - @pnpm/config@11.3.0 + - @pnpm/cli-utils@0.4.28 + +## 2.0.14 + +### Patch Changes + +- @pnpm/audit@1.1.14 +- @pnpm/cli-utils@0.4.27 + +## 2.0.13 + +### Patch Changes 
+ +- @pnpm/audit@1.1.13 + +## 2.0.12 + +### Patch Changes + +- @pnpm/cli-utils@0.4.26 + +## 2.0.11 + +### Patch Changes + +- Updated dependencies [75a36deba] +- Updated dependencies [9f1a29ff9] + - @pnpm/error@1.3.1 + - @pnpm/config@11.2.7 + - @pnpm/audit@1.1.12 + - @pnpm/cli-utils@0.4.25 + - @pnpm/lockfile-file@3.0.14 + +## 2.0.10 + +### Patch Changes + +- 6138b56d0: Update table to v6. + +## 2.0.9 + +### Patch Changes + +- Updated dependencies [ac0d3e122] + - @pnpm/config@11.2.6 + - @pnpm/cli-utils@0.4.24 + +## 2.0.8 + +### Patch Changes + +- Updated dependencies [9550b0505] +- Updated dependencies [972864e0d] + - @pnpm/lockfile-file@3.0.13 + - @pnpm/config@11.2.5 + - @pnpm/audit@1.1.11 + - @pnpm/cli-utils@0.4.23 + +## 2.0.7 + +### Patch Changes + +- Updated dependencies [6d480dd7a] + - @pnpm/error@1.3.0 + - @pnpm/audit@1.1.11 + - @pnpm/cli-utils@0.4.22 + - @pnpm/config@11.2.4 + - @pnpm/lockfile-file@3.0.12 + +## 2.0.6 + +### Patch Changes + +- Updated dependencies [13c18e397] + - @pnpm/config@11.2.3 + - @pnpm/cli-utils@0.4.21 + +## 2.0.5 + +### Patch Changes + +- Updated dependencies [3f6d35997] + - @pnpm/config@11.2.2 + - @pnpm/cli-utils@0.4.20 + +## 2.0.4 + +### Patch Changes + +- @pnpm/cli-utils@0.4.19 + +## 2.0.3 + +### Patch Changes + +- @pnpm/cli-utils@0.4.18 + +## 2.0.2 + +### Patch Changes + +- Updated dependencies [a2ef8084f] + - @pnpm/config@11.2.1 + - @pnpm/audit@1.1.10 + - @pnpm/cli-utils@0.4.17 + +## 2.0.1 + +### Patch Changes + +- 8bb015059: `pnpm audit --audit-level high` should not error if the found vulnerabilities are low and/or moderate. + +## 2.0.0 + +### Major Changes + +- a64b7250c: Return `Promise<{ output: string, exitCode: number }>` instead of `Promise<string>`. + + `exitCode` is `1` when there are any packages with vulnerabilities in the dependencies. 
+ +## 1.0.21 + +### Patch Changes + +- Updated dependencies [ad69677a7] + - @pnpm/cli-utils@0.4.16 + - @pnpm/config@11.2.0 + +## 1.0.20 + +### Patch Changes + +- 4e5e22aab: Allow to set a custom registry through the `--registry` option, when running `pnpm audit` (#2689). + +## 1.0.19 + +### Patch Changes + +- @pnpm/audit@1.1.9 +- @pnpm/cli-utils@0.4.15 + +## 1.0.18 + +### Patch Changes + +- Updated dependencies [65b4d07ca] +- Updated dependencies [ab3b8f51d] + - @pnpm/config@11.1.0 + - @pnpm/cli-utils@0.4.14 + - @pnpm/audit@1.1.8 + +## 1.0.17 + +### Patch Changes + +- @pnpm/config@11.0.1 +- @pnpm/cli-utils@0.4.13 + +## 1.0.16 + +### Patch Changes + +- Updated dependencies [71aeb9a38] +- Updated dependencies [915828b46] + - @pnpm/config@11.0.0 + - @pnpm/cli-utils@0.4.12 + - @pnpm/audit@1.1.7 + +## 1.0.15 + +### Patch Changes + +- @pnpm/config@10.0.1 +- @pnpm/cli-utils@0.4.11 + +## 1.0.14 + +### Patch Changes + +- Updated dependencies [db17f6f7b] +- Updated dependencies [1146b76d2] + - @pnpm/config@10.0.0 + - @pnpm/cli-utils@0.4.10 + - @pnpm/audit@1.1.6 + - @pnpm/lockfile-file@3.0.11 + +## 1.0.13 + +### Patch Changes + +- Updated dependencies [71a8c8ce3] + - @pnpm/config@9.2.0 + - @pnpm/audit@1.1.5 + - @pnpm/cli-utils@0.4.9 + - @pnpm/lockfile-file@3.0.10 + +## 1.0.12 + +### Patch Changes + +- e934b1a48: Update chalk to v4.1.0. 
+- Updated dependencies [e934b1a48] + - @pnpm/cli-utils@0.4.8 + - @pnpm/audit@1.1.4 + +## 1.0.11 + +### Patch Changes + +- @pnpm/audit@1.1.3 +- @pnpm/cli-utils@0.4.7 + +## 1.0.10 + +### Patch Changes + +- Updated dependencies [ffddf34a8] + - @pnpm/config@9.1.0 + - @pnpm/cli-utils@0.4.6 + +## 1.0.9 + +### Patch Changes + +- Updated dependencies [b5f66c0f2] +- Updated dependencies [242cf8737] +- Updated dependencies [ca9f50844] +- Updated dependencies [e11019b89] +- Updated dependencies [802d145fc] +- Updated dependencies [45fdcfde2] +- Updated dependencies [4f5801b1c] + - @pnpm/constants@4.0.0 + - @pnpm/config@9.0.0 + - @pnpm/audit@1.1.2 + - @pnpm/cli-utils@0.4.5 + - @pnpm/error@1.2.1 + - @pnpm/lockfile-file@3.0.9 + +## 1.0.9-alpha.2 + +### Patch Changes + +- Updated dependencies [242cf8737] +- Updated dependencies [ca9f50844] +- Updated dependencies [45fdcfde2] + - @pnpm/config@9.0.0-alpha.2 + - @pnpm/constants@4.0.0-alpha.1 + - @pnpm/cli-utils@0.4.5-alpha.2 + - @pnpm/lockfile-file@3.0.9-alpha.2 + - @pnpm/audit@1.1.2-alpha.2 + +## 1.0.9-alpha.1 + +### Patch Changes + +- @pnpm/audit@1.1.2-alpha.1 +- @pnpm/cli-utils@0.4.5-alpha.1 +- @pnpm/config@8.3.1-alpha.1 +- @pnpm/lockfile-file@3.0.9-alpha.1 + +## 1.0.9-alpha.0 + +### Patch Changes + +- Updated dependencies [b5f66c0f2] + - @pnpm/constants@4.0.0-alpha.0 + - @pnpm/config@8.3.1-alpha.0 + - @pnpm/lockfile-file@3.0.9-alpha.0 + - @pnpm/cli-utils@0.4.5-alpha.0 + - @pnpm/audit@1.1.1-alpha.0 + +## 1.0.8 + +### Patch Changes + +- Updated dependencies [907c63a48] +- Updated dependencies [907c63a48] +- Updated dependencies [907c63a48] + - @pnpm/lockfile-file@3.0.8 + - @pnpm/audit@1.1.0 + - @pnpm/cli-utils@0.4.4 diff --git a/packages/plugin-commands-licenses/README.md b/packages/plugin-commands-licenses/README.md new file mode 100644 index 00000000000..4a9ca6decc4 --- /dev/null +++ b/packages/plugin-commands-licenses/README.md 
@@ -0,0 +1,24 @@
+# @pnpm/plugin-commands-licenses
+
+> pnpm commands for creating license compliance report for dependencies
+
+[![npm version](https://img.shields.io/npm/v/@pnpm/plugin-commands-licenses.svg)](https://www.npmjs.com/package/@pnpm/plugin-commands-licenses)
+
+## Installation
+
+```sh
+pnpm add @pnpm/plugin-commands-licenses
+```
+
+## Testing
+
+In order to have stable tests, the responses from the registry are mocked.
+To update the mocks, run:
+
+```
+pnpm run update-responses
+```
+
+## License
+
+MIT
diff --git a/packages/plugin-commands-licenses/jest.config.js b/packages/plugin-commands-licenses/jest.config.js
new file mode 100644
index 00000000000..2ddfb5f739a
--- /dev/null
+++ b/packages/plugin-commands-licenses/jest.config.js
@@ -0,0 +1,4 @@
+const config = require('../../jest.config.js')
+
+module.exports = config
+
diff --git a/packages/plugin-commands-licenses/package.json b/packages/plugin-commands-licenses/package.json
new file mode 100644
index 00000000000..e7916fd1c38
--- /dev/null
+++ b/packages/plugin-commands-licenses/package.json
@@ -0,0 +1,65 @@
+{
+ "name": "@pnpm/plugin-commands-licenses",
+ "version": "5.1.45",
+ "description": "pnpm commands for licenses compliance checks",
+ "main": "lib/index.js",
+ "types": "lib/index.d.ts",
+ "files": [
+ "lib",
+ "!*.map"
+ ],
+ "engines": {
+ "node": ">=12.17"
+ },
+ "scripts": {
+ "lint": "eslint src/**/*.ts test/**/*.ts",
+ "_test": "cross-env PNPM_REGISTRY_MOCK_PORT=7774 pnpm run test:e2e",
+ "test": "pnpm run compile && pnpm run _test",
+ "prepublishOnly": "pnpm run compile",
+ "compile": "tsc --build && pnpm run lint --fix",
+ "update-responses": "ts-node test/utils/responses/update.ts",
+ "registry-mock": "registry-mock",
+ "test:jest": "jest",
+ "test:e2e": "registry-mock prepare && run-p -r registry-mock test:jest"
+ },
+ "repository": "https://github.com/pnpm/pnpm/blob/main/packages/plugin-commands-licenses",
+ "keywords": [
+ "pnpm6",
+ "pnpm",
+ "licenses",
+ "compliance"
+ ],
+ "license": "MIT",
+ "bugs": {
+ "url": "https://github.com/pnpm/pnpm/issues"
+ },
+ "homepage": "https://github.com/pnpm/pnpm/blob/main/packages/plugin-commands-licenses#readme",
+ "devDependencies": {
+ "@pnpm/plugin-commands-licenses": "workspace:5.1.45",
+ "@pnpm/test-fixtures": "workspace:*",
+ "@types/ramda": "0.27.39",
+ "@types/zkochan__table": "npm:@types/table@6.0.0",
+ "load-json-file": "^6.2.0",
+ "nock": "12.0.3",
+ "strip-ansi": "^6.0.0",
+ "tempy": "^1.0.0"
+ },
+ "dependencies": {
+ "@pnpm/audit": "workspace:2.2.8",
+ "@pnpm/cli-utils": "workspace:0.6.53",
+ "@pnpm/config": "workspace:13.13.3",
+ "@pnpm/constants": "workspace:5.0.0",
+ "@pnpm/error": "workspace:2.1.0",
+ "@pnpm/lockfile-file": "workspace:*",
+ "@pnpm/lockfile-utils": "workspace:*",
+ "@pnpm/lockfile-walker": "workspace:*",
+ "@pnpm/read-project-manifest": "workspace:2.0.13",
+ "@pnpm/types": "workspace:7.10.0",
+ "@zkochan/table": "^1.0.0",
+ "chalk": "^4.1.0",
+ "dependency-path": "workspace:*",
+ "ramda": "^0.27.1",
+ "render-help": "^1.0.1"
+ },
+ "funding": "https://opencollective.com/pnpm"
+}
diff --git a/packages/plugin-commands-licenses/src/index.ts b/packages/plugin-commands-licenses/src/index.ts
new file mode 100644
index 00000000000..9b5ab8ecd4c
--- /dev/null
+++ b/packages/plugin-commands-licenses/src/index.ts
@@ -0,0 +1,3 @@
+import * as licenses from './licenses'
+
+export { licenses }
diff --git a/packages/plugin-commands-licenses/src/licenseChecker.ts b/packages/plugin-commands-licenses/src/licenseChecker.ts
new file mode 100644
index 00000000000..f4c48b08188
--- /dev/null
+++ b/packages/plugin-commands-licenses/src/licenseChecker.ts
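Review bot: The `dependencies` block of the new package.json declares `@pnpm/audit`, `@zkochan/table` and `chalk`, yet neither `src/licenseChecker.ts` nor `src/licenses.ts` in this patch imports them (only a commented-out block mentions `table` and `chalk`); `src/types.ts` and `src/utils.ts` are not visible here, so confirm before trimming. Every declared runtime dependency is installed for users of the CLI, so unused entries widen the install surface without benefit. The manifest also starts a brand-new package at `"version": "5.1.45"` with the `pnpm6` keyword and an `update-responses` script, all of which look carried over from the audit plugin and should be reset to what this package actually needs.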
@@ -0,0 +1,165 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+import { Lockfile } from '@pnpm/lockfile-file'
+import { nameVerFromPkgSnapshot } from '@pnpm/lockfile-utils'
+import { lockfileWalkerGroupImporterSteps, LockfileWalkerStep, LockedDependency } from '@pnpm/lockfile-walker'
+import {
+ safeReadProjectManifestOnly,
+} from '@pnpm/read-project-manifest'
+import * as dp from 'dependency-path'
+import { DependenciesField } from '@pnpm/types'
+import * as path from 'node:path'
+import { AuditNode, AuditTree, LicenseComplianceReport, PackageDetails } from './types'
+import { parseLicense } from './utils'
+
+interface LicenseCheckOptions {
+ include?: { [dependenciesField in DependenciesField]: boolean }
+ dir: string
+ virtualStoreDir: string
+}
+
+/**
+ * @private
+ * Returns the details of the package dependency
+ * @param dep the dependency
+ * @param options the configuration options
+ * @returns { name: string, version: string, path: string, manifest: PackageManifest }
+ */
+async function getPackageDetails (dep: LockedDependency, options: LicenseCheckOptions): Promise {
+ const { depPath, pkgSnapshot } = dep
+ const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot)
+
+ // construct the path the dependency so we have a location were we can
+ // read the package.json file to later extract the license-field from
+ const virtualStoreDir = path.join(options.dir, options.virtualStoreDir)
+ const modules = path.join(
+ virtualStoreDir,
+ dp.depPathToFilename(depPath, options.dir),
+ 'node_modules'
+ )
+ const dir = path.join(modules, name)
+
+ // Read the package manifest file
+ const manifest = await safeReadProjectManifestOnly(dir) ?? {}
+ return {
+ name,
+ version,
+ path: dir,
+ manifest,
+ }
+}
+
+/**
+ *
+ * @param lockfile
+ * @param opts
+ * @returns
+ */
+export default async function licenseCheck (lockfile: Lockfile, opts: LicenseCheckOptions): Promise {
+ const auditTree = await lockfileToData(lockfile, opts)
+ console.log('metadata:', JSON.stringify(auditTree.metadata, null, 2))
+
+ Object.keys(auditTree.dependencies ?? {}).forEach((dependency) => {
+ const dependencyInfo = auditTree.dependencies![dependency]
+ console.log(`Dependency Info for ${dependency}`, dependencyInfo)
+ if (dependencyInfo.dependencies) {
+ console.log('Children dependency')
+ Object.keys(dependencyInfo.dependencies).forEach((item) => {
+ const dependencyData = dependencyInfo.dependencies![item]
+ console.log(`Item dependency for ${item}:`, dependencyData)
+ })
+ }
+ })
+
+ const licenseComplianceReport: LicenseComplianceReport = {
+ licenses: {
+ MIT: {
+ name: 'woef',
+ version: 'waf',
+ },
+ },
+ muted: [],
+ metadata: {
+ totalDependencies: 0,
+ dependencies: 0,
+ devDependencies: 0,
+ optionalDependencies: 0,
+ },
+ }
+
+ return licenseComplianceReport
+}
+
+/**
+ * @internal
+ * Blah
+ *
+ * @param step
+ * @param options
+ * @returns
+ */
+async function lockfileToAuditNode (step: LockfileWalkerStep, options: LicenseCheckOptions) {
+ const dependencies = {}
+ for (const dependency of step.dependencies) {
+ const { depPath, pkgSnapshot, next } = dependency
+ const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot)
+ const subdeps = await lockfileToAuditNode(next(), options)
+ const packageDetails = await getPackageDetails(dependency, options)
+
+ const licenseInfo = await parseLicense({
+ manifest: packageDetails.manifest,
+ path: packageDetails.path,
+ })
+
+ const dep: AuditNode = {
+ dev: pkgSnapshot.dev === true,
+ integrity: pkgSnapshot.resolution['integrity'],
+ licenseInfo,
+ version,
+ }
+
+ if (Object.keys(subdeps).length > 0) {
+ dep.dependencies = subdeps
+ dep.requires = toRequires(subdeps)
+ }
+ dependencies[name] = dep
+ }
+ return dependencies
+}
+
+function toRequires (auditNodesByDepName: Record) {
+ const requires = {}
+ for (const subdepName of Object.keys(auditNodesByDepName)) {
+ requires[subdepName] = auditNodesByDepName[subdepName].version
+ }
+ return requires
+}
+
+export async function lockfileToData (lockfile: Lockfile,
+ opts: LicenseCheckOptions): Promise {
+ const importerWalkers = lockfileWalkerGroupImporterSteps(lockfile, Object.keys(lockfile.importers), { include: opts?.include })
+ const dependencies = {}
+
+ for (const importerWalker of importerWalkers) {
+ const importerDeps = await lockfileToAuditNode(importerWalker.step, opts)
+ const depName = importerWalker.importerId
+ dependencies[depName] = {
+ dependencies: importerDeps,
+ requires: toRequires(importerDeps),
+ version: '0.0.0',
+ }
+ }
+
+ const auditTree: AuditTree = {
+ name: undefined,
+ version: undefined,
+ dependencies,
+ dev: false,
+ install: [],
+ integrity: undefined,
+ metadata: {},
+ remove: [],
+ requires: toRequires(dependencies),
+ }
+
+ return auditTree
+}
diff --git a/packages/plugin-commands-licenses/src/licenses.ts b/packages/plugin-commands-licenses/src/licenses.ts
new file mode 100644
index 00000000000..00286c0fcf2
--- /dev/null
+++ b/packages/plugin-commands-licenses/src/licenses.ts
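Review bot: `licenseCheck` discards the tree it has just built and returns a hard-coded report (`licenses: { MIT: { name: 'woef', version: 'waf' } }` with all-zero `metadata`), so every lockfile yields the same result; a compliance command that reports fixed data gives false assurance, and it should either aggregate `licenseInfo` from `auditTree` or throw a not-implemented error until it does. The `console.log` calls in the same function dump the whole tree to stdout ahead of whatever the handler returns, which would break consumers of `--json`, and should be removed before merge. In `getPackageDetails`, `path.join(options.dir, options.virtualStoreDir)` produces a wrong path if the configured virtual store directory arrives as an absolute path, whereas `path.resolve(options.dir, options.virtualStoreDir)` handles both cases; because `name` is derived from lockfile content, it is also worth checking that the joined `dir` still lies under `virtualStoreDir` before reading its manifest. `safeReadProjectManifestOnly(dir) ?? {}` silently turns a missing package into an empty manifest, and I would record such packages as "license unknown" in the report rather than let them pass unnoticed. The doc comments on `licenseCheck` and `lockfileToAuditNode` (`Blah`, empty `@param` and `@returns` tags) need real descriptions of what is walked and what is returned.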
@@ -0,0 +1,136 @@
+import { docsUrl } from '@pnpm/cli-utils'
+import { Config, types as allTypes, UniversalOptions } from '@pnpm/config'
+import { WANTED_LOCKFILE } from '@pnpm/constants'
+import PnpmError from '@pnpm/error'
+import { readWantedLockfile } from '@pnpm/lockfile-file'
+import { Registries } from '@pnpm/types'
+import pick from 'ramda/src/pick'
+import renderHelp from 'render-help'
+import licenseCheck from './licenseChecker'
+import { LicenseComplianceReport } from './types'
+
+export const rcOptionsTypes = cliOptionsTypes
+
+export function cliOptionsTypes () {
+ return {
+ ...pick([
+ 'dev',
+ 'json',
+ 'only',
+ 'optional',
+ 'production',
+ 'registry',
+ ], allTypes),
+ }
+}
+
+export const shorthands = {
+ D: '--dev',
+ P: '--production',
+}
+
+export const commandNames = ['licenses']
+
+export function help () {
+ return renderHelp({
+ description: 'Checks for license compliance of the installed packages packages.',
+ descriptionLists: [
+ {
+ title: 'Options',
+
+ list: [
+ {
+ description: 'Output license compliant report in JSON format',
+ name: '--json',
+ },
+ {
+ description: 'Only check "devDependencies"',
+ name: '--dev',
+ shortAlias: '-D',
+ },
+ {
+ description: 'Only check "dependencies" and "optionalDependencies"',
+ name: '--prod',
+ shortAlias: '-P',
+ },
+ {
+ description: 'Don\'t check "optionalDependencies"',
+ name: '--no-optional',
+ },
+ ],
+ },
+ ],
+ url: docsUrl('licenses'),
+ usages: ['pnpm licenses [options]'],
+ })
+}
+
+export async function handler (
+ opts: Pick & {
+ json?: boolean
+ lockfileDir?: string
+ registries: Registries
+ } & Pick
+) {
+ const lockfile = await readWantedLockfile(opts.lockfileDir ?? opts.dir, { ignoreIncompatible: true })
+ if (lockfile == null) {
+ throw new PnpmError('LICENSES_NO_LOCKFILE', `No ${WANTED_LOCKFILE} found: Cannot license compliance check a project without a lockfile`)
+ }
+
+ if (!opts.virtualStoreDir) {
+ throw new PnpmError('LICENSES_NO_VIRTUAL_STORE_DIRECTORY', 'No virtual store directory found: Cannot license compliance check a project without a virtual store directory')
+ }
+
+ const include = {
+ dependencies: opts.production !== false,
+ devDependencies: opts.dev !== false,
+ optionalDependencies: opts.optional !== false,
+ }
+
+ let complianceReport!: LicenseComplianceReport
+ try {
+ complianceReport = await licenseCheck(lockfile, {
+ virtualStoreDir: opts.virtualStoreDir,
+ dir: opts.dir,
+ include,
+ })
+ } catch (err: unknown) {
+ return {
+ exitCode: 0,
+ output: (err as Error).message,
+ }
+ }
+ console.log('complianceReport:', complianceReport)
+
+ if (opts.json) {
+ return {
+ exitCode: 1,
+ output: JSON.stringify({ test: 'test' }, null, 2),
+ }
+ }
+
+ const output = 'test-output-data'
+ // const auditLevel = AUDIT_LEVEL_NUMBER[opts.auditLevel ?? 'low']
+ // const advisories = Object.values(auditReport.advisories)
+ // .filter(({ severity }) => AUDIT_LEVEL_NUMBER[severity] >= auditLevel)
+ // .sort((a1, a2) => AUDIT_LEVEL_NUMBER[a2.severity] - AUDIT_LEVEL_NUMBER[a1.severity])
+ // for (const advisory of advisories) {
+ // output += table([
+ // [AUDIT_COLOR[advisory.severity](advisory.severity), chalk.bold(advisory.title)],
+ // ['Package', advisory.module_name],
+ // ['Vulnerable versions', advisory.vulnerable_versions],
+ // ['Patched versions', advisory.patched_versions],
+ // ['More info', advisory.url],
+ // ], TABLE_OPTIONS)
+ // }
+ return {
+ exitCode: output ? 1 : 0,
+ // output: `${output}${reportSummary(auditReport.metadata.vulnerabilities, totalVulnerabilityCount)}`,
+ output: `${output}`,
+ }
+}
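Review bot: The `catch` around `licenseCheck` in `handler` returns `exitCode: 0` together with the error message, so a run in which the license scan itself failed is reported to the caller as a pass. For a command meant to gate on compliance that is fail-open; the branch should return a non-zero code, e.g. `exitCode: 1`, or rethrow as a `PnpmError` like the two checks above it. The remaining return paths are still placeholders (`JSON.stringify({ test: 'test' })` and `'test-output-data'`, both ending in exit code 1), and `console.log('complianceReport:', complianceReport)` writes debug output to stdout ahead of the `--json` payload. The help text also lists `--prod` while `shorthands` maps `-P` to `--production`.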
diff --git a/packages/plugin-commands-licenses/src/types.ts b/packages/plugin-commands-licenses/src/types.ts
new file mode 100644
index 00000000000..64732aade85
--- /dev/null
+++ b/packages/plugin-commands-licenses/src/types.ts
@@ -0,0 +1,62 @@
+import { ProjectManifest } from '@pnpm/types'
+
+export type LICENSE_FAILURE_TYPE = 'missing' | 'incompatible'
+
+export interface LicenseInfo {
+ license?: string
+ licenseFile?: string
+}
+
+export interface PackageDetails {
+ name: string
+ version: string
+ path: string
+ manifest: ProjectManifest
+}
+
+export interface AuditNode {
+ version?: string
+ integrity?: string
+ licenseInfo?: LicenseInfo
+ requires?: Record
+ dependencies?: { [name: string]: AuditNode }
+ dev: boolean
+}
+
+export type AuditTree = AuditNode & {
+ name?: string
+ install: string[]
+ remove: string[]
+ metadata: Object
+}
+
+export interface LicenseCompliancePackage {
+ name: string
+ version: string
+}
+export interface LicenseComplianceMetadata {
+ dependencies: number
+ devDependencies: number
+ optionalDependencies: number
+ totalDependencies: number
+}
+export interface LicenseComplianceReport {
+ licenses: {[license: string]: LicenseCompliancePackage}
+ muted: Object[]
+ metadata: LicenseComplianceMetadata
+}
+
+export interface LicenseCheckResult {
+ reason?: LICENSE_FAILURE_TYPE
+ pass: boolean
+}
+
+export interface Result {
+ reason?: LICENSE_FAILURE_TYPE
+ license?: string
+ repository?: string
+}
+
+export type LicensePredicate = (license: string, isFile: boolean) => boolean
+
+export type PackageNamePredicate = (packageName: string) => boolean
diff --git a/packages/plugin-commands-licenses/src/utils.ts b/packages/plugin-commands-licenses/src/utils.ts
new file mode 100644
index 00000000000..eaa174300e4
--- /dev/null
+++ b/packages/plugin-commands-licenses/src/utils.ts
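Review bot: `LicenseComplianceReport.licenses` in types.ts is declared as `{[license: string]: LicenseCompliancePackage}`, so each license identifier can hold only one package and a second package under the same license would replace the first in the report. Unless that is intended, the value should be a list: `licenses: {[license: string]: LicenseCompliancePackage[]}`. `metadata: Object` on `AuditTree` and `muted: Object[]` use the boxed `Object` type, which accepts nearly any value; `Record<string, unknown>` would keep the report shape checkable.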
@@ -0,0 +1,109 @@
+import * as path from 'node:path'
+import * as fs from 'node:fs/promises'
+import { LicenseInfo, LicensePredicate } from './types'
+import { ProjectManifest } from '@pnpm/types'
+
+/**
+ * Coerce the given value to a string or a null value
+ * @param field the string to be converted
+ * @returns string | null
+ */
+function coerceToString (field: unknown): string | null {
+ const string = String(field)
+ return typeof field === 'string' || field === string ? string : null
+}
+
+/**
+ * Parse the license field of a package manifest
+ * @param {*} field the value of the license manifest
+ * @returns string | null
+ */
+function parseLicenseManifestField (field: unknown): string | null {
+ if (Array.isArray(field)) {
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
+ const licenses = field
+ const licenseTypes = licenses.reduce((listOfLicenseTypes, license) => {
+ const type = coerceToString(license.type)
+ if (type) {
+ listOfLicenseTypes.push(type)
+ }
+ return listOfLicenseTypes
+ }, [])
+
+ if (licenseTypes.length > 1) {
+ const combinedLicenseTypes = licenseTypes.join(' OR ') as string
+ return `(${combinedLicenseTypes})`
+ }
+
+ return licenseTypes[0] ?? null
+ }
+ // eslint-disable-next-line @typescript-eslint/no-explicit-any
+ return (field as any)?.type ?? coerceToString(field)
+}
+
+/**
+ * @const
+ * List of typical names for license files
+ */
+const LICENSE_FILES = ['./LICENSE', './LICENCE']
+
+/**
+ *
+ * @param {*} packageInfo
+ * @returns
+ */
+export async function parseLicense (packageInfo: {
+ manifest: ProjectManifest
+ path: string
+}): Promise {
+ const license = parseLicenseManifestField(packageInfo.manifest.license)
+
+ // check if we discovered a license, if not attempt to parse the LICENSE file
+ if (
+ (!license || /see license/i.test(license))
+ ) {
+ for (const filename of LICENSE_FILES) {
+ try {
+ const licensePath = path.join(packageInfo.path, filename)
+ // eslint-disable-next-line no-await-in-loop
+ const licenseContents = await fs.readFile(licensePath)
+ return {
+ licenseFile: licenseContents.toString('utf-8'),
+ }
+ } catch (err) {
+ // NOOP
+ }
+ }
+ }
+
+ return { license: license as string }
+}
+
+/**
+ * @internal
+ * Returns whether the license is missing or not
+ * @param license
+ * @returns Promise
+ */
+async function isMissing ({ license }: { license: string }): Promise {
+ const pattern = /\\b(unknown|see license)\\b/i
+ return pattern.test(license)
+}
+
+export async function isAllowableLicense ({
+ license,
+ isFile,
+ isValidLicensePredicate,
+}: {
+ license: string | null
+ isFile: boolean
+ isValidLicensePredicate: LicensePredicate
+}) {
+ if (license && !(await isMissing({ license }))) {
+ if (isValidLicensePredicate(license, isFile)) {
+ return { pass: true }
+ }
+ return { pass: false, reason: 'incompatible' }
+ }
+ return { reason: 'missing', pass: false }
+}
diff --git a/packages/plugin-commands-licenses/test/__snapshots__/index.ts.snap b/packages/plugin-commands-licenses/test/__snapshots__/index.ts.snap
new file mode 100644
index 00000000000..90e6223efe8
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/__snapshots__/index.ts.snap
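Review bot: In `isMissing` the pattern is written `/\\b(unknown|see license)\\b/i`, and inside a regex literal `\\b` matches a literal backslash followed by `b` rather than a word boundary. As shown in the hunk the test therefore does not match plain `UNKNOWN` or `SEE LICENSE IN ...` values, and `isAllowableLicense` passes them to `isValidLicensePredicate` instead of returning `reason: 'missing'`. The line should read `const pattern = /\b(unknown|see license)\b/i`. Separately, `parseLicense` ends with `return { license: license as string }`, which hides a possible `null` behind a cast, and its empty `catch` treats every read error as an absent license file; checking for `ENOENT` there and documenting it with `// only a missing file is expected here` would make the fallback explicit.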
@@ -0,0 +1,984 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`audit --audit-level 1`] = ` +"┌─────────────────────┬───────────────────────────────────────────────────────┐ +│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ +└─────────────────────┴───────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Command injection in nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.16 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.16 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Insufficient Entropy in cryptiles │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ cryptiles │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.1.2 │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Improper parsing of octal bytes in netmask │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Incorrect Comparison in axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ 
+├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ +└─────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ +└─────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via 
insufficient symlink protection due to directory cache poisoning using symbolic links │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.16 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.16 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ +└─────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ pac-resolver │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in socket.io-parser │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable 
versions │ <3.3.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Arbitrary Code Injection │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Arbitrary Code Execution in underscore │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.3.2 <1.12.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.12.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Path traversal in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ 
Vulnerable versions │ <1.5.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Server-Side Request Forgery in Axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Remote Memory Exposure in bl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ bl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Denial of Service in http-proxy │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ http-proxy │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable 
versions │ <1.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Validation Bypass in kind-of │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ kind-of │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.0.0 <6.0.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.0.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ 
+├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴───────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Regular expression denial of service │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ glob-parent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Command Injection in lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ 
lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.19 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.19 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in engine.io │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Authorization bypass in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.6 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.6 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in node-jsonpointer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ 
Package │ jsonpointer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Open redirect in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────┐ +│ moderate │ netmask npm package vulnerable to octal input data │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +└─────────────────────┴────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────┐ +│ moderate │ Insecure defaults due to CORS misconfiguration in socket.io │ 
+├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.4.0 │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.4.0 │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ +└─────────────────────┴─────────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ <0.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in minimist │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ +└─────────────────────┴───────────────────────────────────────────────────┘ 
+┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Memory Exposure in tunnel-agent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ tunnel-agent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.6.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in hoek │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ json-schema is vulnerable to Prototype Pollution │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ json-schema │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ 
+└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Header injection in nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Incorrect Default Permissions in log4js │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ log4js │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More 
info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Cross-site Scripting in karma │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.14 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.14 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in Ajv │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.12.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.12.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ 
+├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +└─────────────────────┴────────────────────────────────────────────────────────────────────────────────┘ +46 vulnerabilities found +Severity: 4 low | 17 moderate | 21 high | 4 critical" +`; + +exports[`audit --dev 1`] = ` +"┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Incorrect Comparison in axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Server-Side Request Forgery in Axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4w2v-q235-vp99 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴───────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ <0.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ +└─────────────────────┴───────────────────────────────────────────────────┘ 
+┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +└─────────────────────┴────────────────────────────────────────────────────────────────────────────────┘ +6 vulnerabilities found +Severity: 2 moderate | 4 high" +`; + +exports[`audit 1`] = ` +"┌─────────────────────┬───────────────────────────────────────────────────────┐ +│ critical │ Improper Certificate Validation in xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-72mh-269x-7mh5 │ +└─────────────────────┴───────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Command injection in nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ nodemailer │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.16 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.16 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-48ww-j4fc-435p │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Insufficient Entropy in cryptiles │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ cryptiles │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rq8g-5pc5-wrhr │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ critical │ Improper parsing of octal bytes in netmask │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.1.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.1.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-4c7m-wxvm-r7gc │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Incorrect Comparison in axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ 
axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cph5-m8f7-6c5x │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬──────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼──────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-5955-9wpr-37jh │ +└─────────────────────┴──────────────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ 
+├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.18 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.18 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-qq89-hq3f-393p │ +└─────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐ +│ high │ Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ tar │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.4.16 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.4.16 │ +├─────────────────────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9r2w-394v-53qc │ +└─────────────────────┴─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘ 
+┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Code Injection in pac-resolver │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ pac-resolver │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9j49-mfvp-vmhm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in socket.io-parser │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ socket.io-parser │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <3.3.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=3.3.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xfhh-g9f5-x4m4 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Arbitrary Code Injection │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ xmlhttprequest-ssl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-h4j5-c7cj-74xg │ 
+└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Arbitrary Code Execution in underscore │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ underscore │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=1.3.2 <1.12.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.12.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cf4h-3jhx-xvhq │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Path traversal in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-9m6j-fcg5-2442 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Server-Side Request Forgery in Axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.21.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-4w2v-q235-vp99 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Remote Memory Exposure in bl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ bl │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.2.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.2.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pp7h-53gx-mx7r │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Denial of Service in http-proxy │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ http-proxy │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-6x33-pw7p-hmpq │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Validation Bypass in kind-of │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ kind-of │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=6.0.0 <6.0.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.0.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-6c8f-qphg-qjgp │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Denial of Service in axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ axios │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=0.18.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.18.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-42xw-2xvc-qx8m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────────┐ +│ high │ Exposure of sensitive information in follow-redirects │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.7 │ +├─────────────────────┼───────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-74fj-2j2h-c42q │ +└─────────────────────┴───────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Regular expression denial of service │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ glob-parent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.1.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.1.2 │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-ww39-953v-wcq6 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Command Injection in lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-35jh-r3h4-6jhm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Prototype Pollution in lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.19 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.19 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-p6mc-m468-83gw │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Resource exhaustion in engine.io │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ engine.io │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.0.0 │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-j4f2-536g-r55m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ high │ Authorization bypass in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.6 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=1.5.6 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-rqff-837h-mm52 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in node-jsonpointer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ jsonpointer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=5.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-282f-qqgm-c34q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Open redirect in url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ url-parse │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.5.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ 
>=1.5.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hh27-ffr2-f2jc │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────┐ +│ moderate │ netmask npm package vulnerable to octal input data │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Package │ netmask │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.0.1 │ +├─────────────────────┼────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pch5-whg9-qr2r │ +└─────────────────────┴────────────────────────────────────────────────────┘ +┌─────────────────────┬─────────────────────────────────────────────────────────────┐ +│ moderate │ Insecure defaults due to CORS misconfiguration in socket.io │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Package │ socket.io │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.4.0 │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.4.0 │ +├─────────────────────┼─────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-fxwf-4rqh-v8g3 │ +└─────────────────────┴─────────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Tmp files readable by other users in sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ sync-exec │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ 
Vulnerable versions │ <=0.6.2 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ <0.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-38h8-x697-gh8q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in minimist │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ minimist │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-vh95-rmgr-6w4m │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Memory Exposure in tunnel-agent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ tunnel-agent │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.6.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.6.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-xc7v-wxcw-j472 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in hoek │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ hoek │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ 
Vulnerable versions │ <4.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=4.2.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-jp4x-w63m-7wgm │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ json-schema is vulnerable to Prototype Pollution │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ json-schema │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <0.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=0.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-896r-f27r-55mw │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Header injection in nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ nodemailer │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.6.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-hwqf-gcqm-7353 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Incorrect Default Permissions in log4js │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ log4js │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.4.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-82v2-mx6x-wq7q │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ moderate │ Regular Expression Denial of Service (ReDoS) in lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ lodash │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=4.17.21 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-29mw-wpgm-hmr9 │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Cross-site Scripting in karma │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ karma │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.3.14 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.3.14 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-7x7c-qm48-pq9c │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ moderate │ Prototype Pollution in Ajv │ 
+├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ ajv │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <6.12.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=6.12.3 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-v88g-cgmw-v5xw │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────────────────────────────┐ +│ moderate │ Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Package │ follow-redirects │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ Patched versions │ >=1.14.8 │ +├─────────────────────┼────────────────────────────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-pw2r-vq6v-hr8c │ +└─────────────────────┴────────────────────────────────────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ low │ Potential exponential regex in monitor mode │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ redis │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ >=2.6.0 <3.1.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=3.1.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ 
https://github.com/advisories/GHSA-35q2-47q7-3pc3 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ low │ Regular Expression Denial of Service in timespan │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ timespan │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <=2.3.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ <0.0.0 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-f523-2f5j-gfcg │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬───────────────────────────────────────────────────┐ +│ low │ Regular Expression Denial of Service in braces │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Package │ braces │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.3.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ +├─────────────────────┼───────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-g95f-p29q-9xw4 │ +└─────────────────────┴───────────────────────────────────────────────────┘ +┌─────────────────────┬────────────────────────────────────────────────────────┐ +│ low │ Regular Expression Denial of Service (ReDoS) in braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Package │ braces │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Vulnerable versions │ <2.3.1 │ +├─────────────────────┼────────────────────────────────────────────────────────┤ +│ Patched versions │ >=2.3.1 │ 
+├─────────────────────┼────────────────────────────────────────────────────────┤ +│ More info │ https://github.com/advisories/GHSA-cwfw-4gq5-mrqx │ +└─────────────────────┴────────────────────────────────────────────────────────┘ +46 vulnerabilities found +Severity: 4 low | 17 moderate | 21 high | 4 critical" +`; diff --git a/packages/plugin-commands-licenses/test/fix.ts b/packages/plugin-commands-licenses/test/fix.ts new file mode 100644 index 00000000000..f9e53e83dcd --- /dev/null +++ b/packages/plugin-commands-licenses/test/fix.ts 
@@ -0,0 +1,52 @@
+import path from 'path'
+import fixtures from '@pnpm/test-fixtures'
+import { ProjectManifest } from '@pnpm/types'
+import { audit } from '@pnpm/plugin-commands-audit'
+import loadJsonFile from 'load-json-file'
+import nock from 'nock'
+import * as responses from './utils/responses'
+
+const f = fixtures(__dirname)
+const registries = {
+ default: 'https://registry.npmjs.org/',
+}
+
+test('overrides are added for vulnerable dependencies', async () => {
+ const tmp = f.prepare('has-vulnerabilities')
+
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.ALL_VULN_RESP)
+
+ const { exitCode, output } = await audit.handler({
+ auditLevel: 'moderate',
+ dir: tmp,
+ fix: true,
+ registries,
+ })
+
+ expect(exitCode).toBe(0)
+ expect(output).toMatch(/Run "pnpm install"/)
+
+ const manifest = await loadJsonFile(path.join(tmp, 'package.json'))
+ expect(manifest.pnpm?.overrides?.['axios@<=0.18.0']).toBe('>=0.18.1')
+ expect(manifest.pnpm?.overrides?.['sync-exec@>=0.0.0']).toBeFalsy()
+})
+
+test('no overrides are added if no vulnerabilities are found', async () => {
+ const tmp = f.prepare('fixture')
+
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.NO_VULN_RESP)
+
+ const { exitCode, output } = await audit.handler({
+ auditLevel: 'moderate',
+ dir: tmp,
+ fix: true,
+ registries,
+ })
+
+ expect(exitCode).toBe(0)
+ expect(output).toBe('No fixes were made')
+})
diff --git a/packages/plugin-commands-licenses/test/fixtures/.gitignore b/packages/plugin-commands-licenses/test/fixtures/.gitignore
new file mode 100644
index 00000000000..b25ca904634
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/fixtures/.gitignore
@@ -0,0 +1 @@
+store
diff --git a/packages/plugin-commands-licenses/test/fixtures/.npmrc b/packages/plugin-commands-licenses/test/fixtures/.npmrc
new file mode 100644
index 00000000000..a0bf438cc6b
--- /dev/null
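Review bot: Both tests in the new `test/fix.ts` call `audit.handler` from `@pnpm/plugin-commands-audit` with `fix: true`, so nothing in this file exercises the licenses command the package adds; it looks carried over from the audit plugin, as do the `has-vulnerabilities` fixture and the audit response files listed in the diffstat. I would replace it with tests that call this package's own handler and assert on the license report, or drop the file. The second test also calls `f.prepare('fixture')`, while the diffstat shows only a `has-vulnerabilities` directory under `test/fixtures`, so that case probably cannot find its fixture unless the helper resolves it from a shared fixtures directory elsewhere. If the nock-based tests stay, add `beforeAll(() => nock.disableNetConnect())` and `afterEach(() => nock.cleanAll())` so that an unmatched interceptor fails the test instead of posting the fixture's dependency list to the real `registry.npmjs.org` audit endpoint.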
+++ b/packages/plugin-commands-licenses/test/fixtures/.npmrc
@@ -0,0 +1 @@
+shared-workspace-lockfile = false
diff --git a/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/package.json b/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/package.json
new file mode 100644
index 00000000000..ae4895c2815
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/package.json
@@ -0,0 +1,13 @@
+{
+ "name": "has-vulnerabilities",
+ "version": "1.0.0",
+ "dependencies": {
+ "karma": "~2.0.0"
+ },
+ "devDependencies": {
+ "axios": "0.15"
+ },
+ "optionalDependencies": {
+ "sync-exec": "0.6.2"
+ }
+}
diff --git a/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/pnpm-lock.yaml b/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/pnpm-lock.yaml
new file mode 100644
index 00000000000..28ef35b0cf7
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/fixtures/has-vulnerabilities/pnpm-lock.yaml
@@ -0,0 +1,3136 @@ +lockfileVersion: 5.3 + +specifiers: + axios: '0.15' + karma: ~2.0.0 + sync-exec: 0.6.2 + +dependencies: + karma: 2.0.5 + +optionalDependencies: + sync-exec: 0.6.2 + +devDependencies: + axios: 0.15.3 + +packages: + + /abbrev/1.1.1: + resolution: {integrity: sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==} + dev: false + optional: true + + /accepts/1.3.7: + resolution: {integrity: sha512-Il80Qs2WjYlJIBNzNkK6KYqlVMTbZLXgHx2oT0pU/fjRHyEp+PEfEPY0R3WCwAGVOtauxh1hOxNgIf5bv7dQpA==} + engines: {node: '>= 0.6'} + dependencies: + mime-types: 2.1.25 + negotiator: 0.6.2 + dev: false + + /addressparser/1.0.1: + resolution: {integrity: sha1-R6++GiqSYhkdtoOOT9HTm0CCF0Y=} + dev: false + optional: true + + /after/0.8.2: + resolution: {integrity: sha1-/ts5T58OAqqXaOcCvaI7UF+ufh8=} + dev: false + + /agent-base/4.2.1: + resolution: {integrity: sha512-JVwXMr9nHYTUXsBFKUqhJwvlcYU/blreOEUkhNR2eXZIvwd+c+o5V4MgDPKWnMS/56awN3TRzIP+KoPn+roQtg==} + engines: {node: '>= 4.0.0'} + dependencies: + es6-promisify: 5.0.0 + dev: false + optional: true + + /agent-base/4.3.0: + resolution: {integrity: sha512-salcGninV0nPrwpGNn4VTXBb1SOuXQBiqbrNXoeizJsHrsL6ERFM2Ne3JUSBWRE6aeNJI2ROP/WEEIDUiDe3cg==} + engines: {node: '>= 4.0.0'} + dependencies: + es6-promisify: 5.0.0 + dev: false + optional: true + + /ajv/6.10.2: + resolution: {integrity: sha512-TXtUUEYHuaTEbLZWIKUr5pmBuhDLy+8KYtPYdcV8qC+pOZL+NKqYwvWSRrVXHn+ZmRRAu8vJTAznH7Oag6RVRw==} + dependencies: + fast-deep-equal: 2.0.1 + fast-json-stable-stringify: 2.0.0 + json-schema-traverse: 0.4.1 + uri-js: 4.2.2 + dev: false + optional: true + + /amqplib/0.5.5: + resolution: {integrity: sha512-sWx1hbfHbyKMw6bXOK2k6+lHL8TESWxjAx5hG8fBtT7wcxoXNIsFxZMnFyBjxt3yL14vn7WqBDe5U6BGOadtLg==} + engines: {node: '>=0.8 <=12'} + dependencies: + bitsyntax: 0.1.0 + bluebird: 3.7.1 + buffer-more-ints: 1.0.0 + readable-stream: 1.1.14 + safe-buffer: 5.1.2 + url-parse: 1.4.7 + dev: false + optional: true + + 
/ansi-regex/2.1.1: + resolution: {integrity: sha1-w7M6te42DYbg5ijwRorn7yfWVN8=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /ansi-styles/2.2.1: + resolution: {integrity: sha1-tDLdM1i2NM914eRmQ2gkBTPB3b4=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /anymatch/2.0.0: + resolution: {integrity: sha512-5teOsQWABXHHBFP9y3skS5P3d/WfWXpv3FUpy+LorMrNYaT9pI4oLMQX7jzQ2KklNpGpWHzdCXTDT2Y3XGlZBw==} + dependencies: + micromatch: 3.1.10 + normalize-path: 2.1.1 + dev: false + + /aproba/1.2.0: + resolution: {integrity: sha512-Y9J6ZjXtoYh8RnXVCMOU/ttDmk1aBjunq9vO0ta5x85WDQiQfUF9sIPBITdbiiIVcBo03Hi3jMxigBtsddlXRw==} + dev: false + optional: true + + /are-we-there-yet/1.1.5: + resolution: {integrity: sha512-5hYdAkZlcG8tOLujVDTgCT+uPX0VnpAH28gWsLfzpXYm7wP6mp5Q/gYyR7YQ0cKVJcXJnl3j2kpBan13PtQf6w==} + dependencies: + delegates: 1.0.0 + readable-stream: 2.3.6 + dev: false + optional: true + + /arr-diff/4.0.0: + resolution: {integrity: sha1-1kYQdP6/7HHn4VI1dhoyml3HxSA=} + engines: {node: '>=0.10.0'} + dev: false + + /arr-flatten/1.1.0: + resolution: {integrity: sha512-L3hKV5R/p5o81R7O02IGnwpDmkp6E982XhtbuwSe3O4qOtMMMtodicASA1Cny2U+aCXcNpml+m4dPsvsJ3jatg==} + engines: {node: '>=0.10.0'} + dev: false + + /arr-union/3.1.0: + resolution: {integrity: sha1-45sJrqne+Gao8gbiiK9jkZuuOcQ=} + engines: {node: '>=0.10.0'} + dev: false + + /array-slice/0.2.3: + resolution: {integrity: sha1-3Tz7gO15c6dRF82sabC5nshhhvU=} + engines: {node: '>=0.10.0'} + dev: false + + /array-unique/0.2.1: + resolution: {integrity: sha1-odl8yvy8JiXMcPrc6zalDFiwGlM=} + engines: {node: '>=0.10.0'} + dev: false + + /array-unique/0.3.2: + resolution: {integrity: sha1-qJS3XUvE9s1nnvMkSp/Y9Gri1Cg=} + engines: {node: '>=0.10.0'} + dev: false + + /arraybuffer.slice/0.0.7: + resolution: {integrity: sha512-wGUIVQXuehL5TCqQun8OW81jGzAWycqzFF8lFp+GOM5BXLYj3bKNsYC4daB7n6XjCqxQA/qgTJ+8ANR3acjrog==} + dev: false + + /asn1/0.2.4: + resolution: {integrity: 
sha512-jxwzQpLQjSmWXgwaCZE9Nz+glAG01yF1QnWgbhGwHI5A6FRIEY6IVqtHhIepHqI7/kyEyQEagBC5mBEFlIYvdg==} + dependencies: + safer-buffer: 2.1.2 + dev: false + optional: true + + /assert-plus/0.2.0: + resolution: {integrity: sha1-104bh+ev/A24qttwIfP+SBAasjQ=} + engines: {node: '>=0.8'} + dev: false + optional: true + + /assert-plus/1.0.0: + resolution: {integrity: sha1-8S4PPF13sLHN2RRpQuTpbB5N1SU=} + engines: {node: '>=0.8'} + dev: false + optional: true + + /assign-symbols/1.0.0: + resolution: {integrity: sha1-WWZ/QfrdTyDMvCu5a41Pf3jsA2c=} + engines: {node: '>=0.10.0'} + dev: false + + /ast-types/0.13.2: + resolution: {integrity: sha512-uWMHxJxtfj/1oZClOxDEV1sQ1HCDkA4MG8Gr69KKeBjEVH0R84WlejZ0y2DcwyBlpAEMltmVYkVgqfLFb2oyiA==} + engines: {node: '>=4'} + dev: false + optional: true + + /async-each/1.0.3: + resolution: {integrity: sha512-z/WhQ5FPySLdvREByI2vZiTWwCnF0moMJ1hK9YQwDTHKh6I7/uSckMetoRGb5UBZPC1z0jlw+n/XCgjeH7y1AQ==} + dev: false + + /async-limiter/1.0.1: + resolution: {integrity: sha512-csOlWGAcRFJaI6m+F2WKdnMKr4HhdhFVBk0H/QbJFMCr+uO2kwohwXQPxw/9OCxp05r5ghVBFSyioixx3gfkNQ==} + dev: false + + /async/2.6.3: + resolution: {integrity: sha512-zflvls11DCy+dQWzTW2dzuilv8Z5X/pjfmZOWba6TNIVDm+2UDaJmXSOXlasHKfNBs8oo3M0aT50fDEWfKZjXg==} + dependencies: + lodash: 4.17.15 + dev: false + optional: true + + /asynckit/0.4.0: + resolution: {integrity: sha1-x57Zf380y48robyXkLzDZkdLS3k=} + dev: false + optional: true + + /atob/2.1.2: + resolution: {integrity: sha512-Wm6ukoaOGJi/73p/cl2GvLjTI5JM1k/O14isD73YML8StrH/7/lRFgmg8nICZgD3bZZvjwCGxtMOD3wWNAu8cg==} + engines: {node: '>= 4.5.0'} + hasBin: true + dev: false + + /aws-sign2/0.6.0: + resolution: {integrity: sha1-FDQt0428yU0OW4fXY81jYSwOeU8=} + dev: false + optional: true + + /aws-sign2/0.7.0: + resolution: {integrity: sha1-tG6JCTSpWR8tL2+G1+ap8bP+dqg=} + dev: false + optional: true + + /aws4/1.8.0: + resolution: {integrity: sha512-ReZxvNHIOv88FlT7rxcXIIC0fPt4KZqZbOlivyWtXLt8ESx84zd3kMC6iK5jVeS2qt+g7ftS7ye4fi06X5rtRQ==} + dev: false + 
optional: true + + /axios/0.15.3: + resolution: {integrity: sha1-LJ1jiy4ZGgjqHWzJiOrda6W9wFM=} + dependencies: + follow-redirects: 1.0.0 + + /backo2/1.0.2: + resolution: {integrity: sha1-MasayLEpNjRj41s+u2n038+6eUc=} + dev: false + + /balanced-match/1.0.0: + resolution: {integrity: sha1-ibTRmasr7kneFk6gK4nORi1xt2c=} + dev: false + + /base/0.11.2: + resolution: {integrity: sha512-5T6P4xPgpp0YDFvSWwEZ4NoE3aM4QBQXDzmVbraCkFj8zHM+mba8SyqB5DbZWyR7mYHo6Y7BdQo3MoA4m0TeQg==} + engines: {node: '>=0.10.0'} + dependencies: + cache-base: 1.0.1 + class-utils: 0.3.6 + component-emitter: 1.3.0 + define-property: 1.0.0 + isobject: 3.0.1 + mixin-deep: 1.3.2 + pascalcase: 0.1.1 + dev: false + + /base64-arraybuffer/0.1.5: + resolution: {integrity: sha1-c5JncZI7Whl0etZmqlzUv5xunOg=} + engines: {node: '>= 0.6.0'} + dev: false + + /base64id/1.0.0: + resolution: {integrity: sha1-R2iMuZu2gE8OBtPnY7HDLlfY5rY=} + engines: {node: '>= 0.4.0'} + dev: false + + /bcrypt-pbkdf/1.0.2: + resolution: {integrity: sha1-pDAdOJtqQ/m2f/PKEaP2Y342Dp4=} + dependencies: + tweetnacl: 0.14.5 + dev: false + optional: true + + /better-assert/1.0.2: + resolution: {integrity: sha1-QIZrnhueC1W0gYlDEeaPr/rrxSI=} + dependencies: + callsite: 1.0.0 + dev: false + + /binary-extensions/1.13.1: + resolution: {integrity: sha512-Un7MIEDdUC5gNpcGDV97op1Ywk748MpHcFTHoYs6qnj1Z3j7I53VG3nwZhKzoBZmbdRNnb6WRdFlwl7tSDuZGw==} + engines: {node: '>=0.10.0'} + dev: false + + /bitsyntax/0.1.0: + resolution: {integrity: sha512-ikAdCnrloKmFOugAfxWws89/fPc+nw0OOG1IzIE72uSOg/A3cYptKCjSUhDTuj7fhsJtzkzlv7l3b8PzRHLN0Q==} + engines: {node: '>=0.8'} + dependencies: + buffer-more-ints: 1.0.0 + debug: 2.6.9 + safe-buffer: 5.1.2 + dev: false + optional: true + + /bl/1.1.2: + resolution: {integrity: sha1-/cqHGplxOqANGeO7ukHER4emU5g=} + dependencies: + readable-stream: 2.0.6 + dev: false + optional: true + + /blob/0.0.5: + resolution: {integrity: sha512-gaqbzQPqOoamawKg0LGVd7SzLgXS+JH61oWprSLH+P+abTczqJbhTR8CmJ2u9/bUYNmHTGJx/UEmn6doAvvuig==} + dev: 
false + + /bluebird/3.7.1: + resolution: {integrity: sha512-DdmyoGCleJnkbp3nkbxTLJ18rjDsE4yCggEwKNXkeV123sPNfOCYeDoeuOY+F2FrSjO1YXcTU+dsy96KMy+gcg==} + dev: false + + /body-parser/1.19.0: + resolution: {integrity: sha512-dhEPs72UPbDnAQJ9ZKMNTP6ptJaionhP5cBb541nXPlW60Jepo9RV/a4fX4XWW9CuFNK22krhrj1+rgzifNCsw==} + engines: {node: '>= 0.8'} + dependencies: + bytes: 3.1.0 + content-type: 1.0.4 + debug: 2.6.9 + depd: 1.1.2 + http-errors: 1.7.2 + iconv-lite: 0.4.24 + on-finished: 2.3.0 + qs: 6.7.0 + raw-body: 2.4.0 + type-is: 1.6.18 + dev: false + + /boom/2.10.1: + resolution: {integrity: sha1-OciRjO/1eZ+D+UkqhI9iWt0Mdm8=} + engines: {node: '>=0.10.40'} + deprecated: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). + dependencies: + hoek: 2.16.3 + dev: false + optional: true + + /brace-expansion/1.1.11: + resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==} + dependencies: + balanced-match: 1.0.0 + concat-map: 0.0.1 + dev: false + + /braces/0.1.5: + resolution: {integrity: sha1-wIVxEIUpHYt1/ddOqw+FlygHEeY=} + engines: {node: '>=0.10.0'} + dependencies: + expand-range: 0.1.1 + dev: false + + /braces/2.3.2: + resolution: {integrity: sha512-aNdbnj9P8PjdXU4ybaWLK2IF3jc/EoDYbC7AazW6to3TRsfXxscC9UXOB5iDiEQrkyIbWp2SLQda4+QAa7nc3w==} + engines: {node: '>=0.10.0'} + dependencies: + arr-flatten: 1.1.0 + array-unique: 0.3.2 + extend-shallow: 2.0.1 + fill-range: 4.0.0 + isobject: 3.0.1 + repeat-element: 1.1.3 + snapdragon: 0.8.2 + snapdragon-node: 2.1.1 + split-string: 3.1.0 + to-regex: 3.0.2 + dev: false + + /buffer-alloc-unsafe/1.1.0: + resolution: {integrity: sha512-TEM2iMIEQdJ2yjPJoSIsldnleVaAk1oW3DBVUykyOLsEsFmEc9kn+SFFPz+gl54KQNxlDnAwCXosOS9Okx2xAg==} + dev: false 
+ + /buffer-alloc/1.2.0: + resolution: {integrity: sha512-CFsHQgjtW1UChdXgbyJGtnm+O/uLQeZdtbDo8mfUgYXCHSM1wgrVxXm6bSyrUuErEb+4sYVGCzASBRot7zyrow==} + dependencies: + buffer-alloc-unsafe: 1.1.0 + buffer-fill: 1.0.0 + dev: false + + /buffer-fill/1.0.0: + resolution: {integrity: sha1-+PeLdniYiO858gXNY39o5wISKyw=} + dev: false + + /buffer-more-ints/1.0.0: + resolution: {integrity: sha512-EMetuGFz5SLsT0QTnXzINh4Ksr+oo4i+UGTXEshiGCQWnsgSs7ZhJ8fzlwQ+OzEMs0MpDAMr1hxnblp5a4vcHg==} + dev: false + optional: true + + /buildmail/4.0.1: + resolution: {integrity: sha1-h393OLeHKYccmhBeO4N9K+EaenI=} + deprecated: This project is unmaintained + dependencies: + addressparser: 1.0.1 + libbase64: 0.1.0 + libmime: 3.0.0 + libqp: 1.1.0 + nodemailer-fetch: 1.6.0 + nodemailer-shared: 1.1.0 + punycode: 1.4.1 + dev: false + optional: true + + /bytes/3.1.0: + resolution: {integrity: sha512-zauLjrfCG+xvoyaqLoV8bLVXXNGC4JqlxFCutSDWA6fJrTo2ZuvLYTqZ7aHBLZSMOopbzwv8f+wZcVzfVTI2Dg==} + engines: {node: '>= 0.8'} + dev: false + + /cache-base/1.0.1: + resolution: {integrity: sha512-AKcdTnFSWATd5/GCPRxr2ChwIJ85CeyrEyjRHlKxQ56d4XJMGym0uAiKn0xbLOGOl3+yRpOTi484dVCEc5AUzQ==} + engines: {node: '>=0.10.0'} + dependencies: + collection-visit: 1.0.0 + component-emitter: 1.3.0 + get-value: 2.0.6 + has-value: 1.0.0 + isobject: 3.0.1 + set-value: 2.0.1 + to-object-path: 0.3.0 + union-value: 1.0.1 + unset-value: 1.0.0 + dev: false + + /callsite/1.0.0: + resolution: {integrity: sha1-KAOY5dZkvXQDi28JBRU+borxvCA=} + dev: false + + /caseless/0.11.0: + resolution: {integrity: sha1-cVuW6phBWTzDMGeSP17GDr2k99c=} + dev: false + optional: true + + /caseless/0.12.0: + resolution: {integrity: sha1-G2gcIf+EAzyCZUMJBolCDRhxUdw=} + dev: false + optional: true + + /chalk/1.1.3: + resolution: {integrity: sha1-qBFcVeSnAv5NFQq9OHKCKn4J/Jg=} + engines: {node: '>=0.10.0'} + dependencies: + ansi-styles: 2.2.1 + escape-string-regexp: 1.0.5 + has-ansi: 2.0.0 + strip-ansi: 3.0.1 + supports-color: 2.0.0 + dev: false + optional: true + + 
/chokidar/2.1.8: + resolution: {integrity: sha512-ZmZUazfOzf0Nve7duiCKD23PFSCs4JPoYyccjUFF3aQkQadqBhfzhjkwBH2mNOG9cTBwhamM37EIsIkZw3nRgg==} + dependencies: + anymatch: 2.0.0 + async-each: 1.0.3 + braces: 2.3.2 + glob-parent: 3.1.0 + inherits: 2.0.4 + is-binary-path: 1.0.1 + is-glob: 4.0.1 + normalize-path: 3.0.0 + path-is-absolute: 1.0.1 + readdirp: 2.2.1 + upath: 1.2.0 + optionalDependencies: + fsevents: 1.2.9 + dev: false + + /chownr/1.1.4: + resolution: {integrity: sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==} + dev: false + optional: true + + /circular-json/0.5.9: + resolution: {integrity: sha512-4ivwqHpIFJZBuhN3g/pEcdbnGUywkBblloGbkglyloVjjR3uT6tieI89MVOfbP2tHX5sgb01FuLgAOzebNlJNQ==} + deprecated: CircularJSON is in maintenance only, flatted is its successor. + dev: false + + /class-utils/0.3.6: + resolution: {integrity: sha512-qOhPa/Fj7s6TY8H8esGu5QNpMMQxz79h+urzrNYN6mn+9BnxlDGf5QZ+XeCDsxSjPqsSR56XOZOJmpeurnLMeg==} + engines: {node: '>=0.10.0'} + dependencies: + arr-union: 3.1.0 + define-property: 0.2.5 + isobject: 3.0.1 + static-extend: 0.1.2 + dev: false + + /co/4.6.0: + resolution: {integrity: sha1-bqa989hTrlTMuOR7+gvz+QMfsYQ=} + engines: {iojs: '>= 1.0.0', node: '>= 0.12.0'} + dev: false + optional: true + + /code-point-at/1.1.0: + resolution: {integrity: sha1-DQcLTQQ6W+ozovGkDi7bPZpMz3c=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /collection-visit/1.0.0: + resolution: {integrity: sha1-S8A3PBZLwykbTTaMgpzxqApZ3KA=} + engines: {node: '>=0.10.0'} + dependencies: + map-visit: 1.0.0 + object-visit: 1.0.1 + dev: false + + /colors/1.4.0: + resolution: {integrity: sha512-a+UqTh4kgZg/SlGvfbzDHpgRu7AAQOmmqRHJnxhRZICKFUT91brVhNNt58CMWU9PsBbv3PDCZUHbVxuDiH2mtA==} + engines: {node: '>=0.1.90'} + dev: false + + /combine-lists/1.0.1: + resolution: {integrity: sha1-RYwH4J4NkA/Ci3Cj/sLazR0st/Y=} + dependencies: + lodash: 4.17.15 + dev: false + + /combined-stream/1.0.8: + resolution: {integrity: 
sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==} + engines: {node: '>= 0.8'} + dependencies: + delayed-stream: 1.0.0 + dev: false + optional: true + + /commander/2.20.3: + resolution: {integrity: sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==} + dev: false + optional: true + + /component-bind/1.0.0: + resolution: {integrity: sha1-AMYIq33Nk4l8AAllGx06jh5zu9E=} + dev: false + + /component-emitter/1.2.1: + resolution: {integrity: sha1-E3kY1teCg/ffemt8WmPhQOaUJeY=} + dev: false + + /component-emitter/1.3.0: + resolution: {integrity: sha512-Rd3se6QB+sO1TwqZjscQrurpEPIfO0/yYnSin6Q/rD3mOutHvUrCAhJub3r90uNb+SESBuE0QYoB90YdfatsRg==} + dev: false + + /component-inherit/0.0.3: + resolution: {integrity: sha1-ZF/ErfWLcrZJ1crmUTVhnbJv8UM=} + dev: false + + /concat-map/0.0.1: + resolution: {integrity: sha1-2Klr13/Wjfd5OnMDajug1UBdR3s=} + dev: false + + /connect/3.7.0: + resolution: {integrity: sha512-ZqRXc+tZukToSNmh5C2iWMSoV3X1YUcPbqEM4DkEG5tNQXrQUZCNVGGv3IuicnkMtPfGf3Xtp8WCXs295iQ1pQ==} + engines: {node: '>= 0.10.0'} + dependencies: + debug: 2.6.9 + finalhandler: 1.1.2 + parseurl: 1.3.3 + utils-merge: 1.0.1 + dev: false + + /console-control-strings/1.1.0: + resolution: {integrity: sha1-PXz0Rk22RG6mRL9LOVB/mFEAjo4=} + dev: false + optional: true + + /content-type/1.0.4: + resolution: {integrity: sha512-hIP3EEPs8tB9AT1L+NUqtwOAps4mk2Zob89MWXMHjHWg9milF/j4osnnQLXBCBFBk/tvIG/tUc9mOUJiPBhPXA==} + engines: {node: '>= 0.6'} + dev: false + + /cookie/0.3.1: + resolution: {integrity: sha1-5+Ch+e9DtMi6klxcWpboBtFoc7s=} + engines: {node: '>= 0.6'} + dev: false + + /copy-descriptor/0.1.1: + resolution: {integrity: sha1-Z29us8OZl8LuGsOpJP1hJHSPV40=} + engines: {node: '>=0.10.0'} + dev: false + + /core-js/2.6.10: + resolution: {integrity: sha512-I39t74+4t+zau64EN1fE5v2W31Adtc/REhzWN+gWRRXg6WH5qAsZm62DHpQ1+Yhe4047T55jvzz7MUqF/dBBlA==} + requiresBuild: true + dev: false + + /core-util-is/1.0.2: + 
resolution: {integrity: sha1-tf1UIgqivFq1eqtxQMlAdUUDwac=} + dev: false + + /cryptiles/2.0.5: + resolution: {integrity: sha1-O9/s3GCBR8HGcgL6KR59ylnqo7g=} + engines: {node: '>=0.10.40'} + deprecated: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). + dependencies: + boom: 2.10.1 + dev: false + optional: true + + /custom-event/1.0.1: + resolution: {integrity: sha1-XQKkaFCt8bSjF5RqOSj8y1v9BCU=} + dev: false + + /dashdash/1.14.1: + resolution: {integrity: sha1-hTz6D3y+L+1d4gMmuN1YEDX24vA=} + engines: {node: '>=0.10'} + dependencies: + assert-plus: 1.0.0 + dev: false + optional: true + + /data-uri-to-buffer/1.2.0: + resolution: {integrity: sha512-vKQ9DTQPN1FLYiiEEOQ6IBGFqvjCa5rSK3cWMy/Nespm5d/x3dGFT9UBZnkLxCwua/IXBi2TYnwTEpsOvhC4UQ==} + dev: false + optional: true + + /date-format/1.2.0: + resolution: {integrity: sha1-YV6CjiM90aubua4JUODOzPpuytg=} + engines: {node: '>=4.0'} + dev: false + + /debug/2.6.9: + resolution: {integrity: sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==} + dependencies: + ms: 2.0.0 + + /debug/3.1.0: + resolution: {integrity: sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==} + dependencies: + ms: 2.0.0 + dev: false + + /debug/3.2.6: + resolution: {integrity: sha512-mel+jf7nrtEl5Pn1Qx46zARXKDpBbvzezse7p7LqINmdoIk8PYP5SySaxEmYv6TZ0JyEKA1hsCId6DIhgITtWQ==} + dependencies: + ms: 2.1.2 + dev: false + + /debug/4.1.1: + resolution: {integrity: sha512-pYAIzeRo8J6KPEaJ0VWOh5Pzkbw/RetuzehGM7QRRX5he4fPHx2rdKMB256ehJCkX+XRQm16eZLqLNS8RSZXZw==} + dependencies: + ms: 2.1.2 + dev: false + optional: true + + /decode-uri-component/0.2.0: + resolution: {integrity: sha1-6zkTMzRYd1y4TNGh+uBiEGu4dUU=} + engines: {node: 
'>=0.10'} + dev: false + + /deep-extend/0.6.0: + resolution: {integrity: sha512-LOHxIOaPYdHlJRtCQfDIVZtfw/ufM8+rVj649RIHzcm/vGwQRXFt6OPqIFWsm2XEMrNIEtWR64sY1LEKD2vAOA==} + engines: {node: '>=4.0.0'} + dev: false + optional: true + + /deep-is/0.1.3: + resolution: {integrity: sha1-s2nW+128E+7PUk+RsHD+7cNXzzQ=} + dev: false + optional: true + + /define-property/0.2.5: + resolution: {integrity: sha1-w1se+RjsPJkPmlvFe+BKrOxcgRY=} + engines: {node: '>=0.10.0'} + dependencies: + is-descriptor: 0.1.6 + dev: false + + /define-property/1.0.0: + resolution: {integrity: sha1-dp66rz9KY6rTr56NMEybvnm/sOY=} + engines: {node: '>=0.10.0'} + dependencies: + is-descriptor: 1.0.2 + dev: false + + /define-property/2.0.2: + resolution: {integrity: sha512-jwK2UV4cnPpbcG7+VRARKTZPUWowwXA8bzH5NP6ud0oeAxyYPuGZUAC7hMugpCdz4BeSZl2Dl9k66CHJ/46ZYQ==} + engines: {node: '>=0.10.0'} + dependencies: + is-descriptor: 1.0.2 + isobject: 3.0.1 + dev: false + + /degenerator/1.0.4: + resolution: {integrity: sha1-/PSQo37OJmRk2cxDGrmMWBnO0JU=} + dependencies: + ast-types: 0.13.2 + escodegen: 1.12.0 + esprima: 3.1.3 + dev: false + optional: true + + /delayed-stream/1.0.0: + resolution: {integrity: sha1-3zrhmayt+31ECqrgsp4icrJOxhk=} + engines: {node: '>=0.4.0'} + dev: false + optional: true + + /delegates/1.0.0: + resolution: {integrity: sha1-hMbhWbgZBP3KWaDvRM2HDTElD5o=} + dev: false + optional: true + + /depd/1.1.2: + resolution: {integrity: sha1-m81S4UwJd2PnSbJ0xDRu0uVgtak=} + engines: {node: '>= 0.6'} + dev: false + + /detect-libc/1.0.3: + resolution: {integrity: sha1-+hN8S9aY7fVc1c0CrFWfkaTEups=} + engines: {node: '>=0.10'} + hasBin: true + dev: false + optional: true + + /di/0.0.1: + resolution: {integrity: sha1-gGZJMmzqp8qjMG112YXqJ0i6kTw=} + dev: false + + /dom-serialize/2.2.1: + resolution: {integrity: sha1-ViromZ9Evl6jB29UGdzVnrQ6yVs=} + dependencies: + custom-event: 1.0.1 + ent: 2.2.0 + extend: 3.0.2 + void-elements: 2.0.1 + dev: false + + /double-ended-queue/2.1.0-0: + resolution: {integrity: 
sha1-ED01J/0xUo9AGIEwyEHv3XgmTlw=} + dev: false + optional: true + + /ecc-jsbn/0.1.2: + resolution: {integrity: sha1-OoOpBOVDUyh4dMVkt1SThoSamMk=} + dependencies: + jsbn: 0.1.1 + safer-buffer: 2.1.2 + dev: false + optional: true + + /ee-first/1.1.1: + resolution: {integrity: sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0=} + dev: false + + /encodeurl/1.0.2: + resolution: {integrity: sha1-rT/0yG7C0CkyL1oCw6mmBslbP1k=} + engines: {node: '>= 0.8'} + dev: false + + /engine.io-client/3.1.6: + resolution: {integrity: sha512-hnuHsFluXnsKOndS4Hv6SvUrgdYx1pk2NqfaDMW+GWdgfU3+/V25Cj7I8a0x92idSpa5PIhJRKxPvp9mnoLsfg==} + dependencies: + component-emitter: 1.2.1 + component-inherit: 0.0.3 + debug: 3.1.0 + engine.io-parser: 2.1.3 + has-cors: 1.1.0 + indexof: 0.0.1 + parseqs: 0.0.5 + parseuri: 0.0.5 + ws: 3.3.3 + xmlhttprequest-ssl: 1.5.5 + yeast: 0.1.2 + dev: false + + /engine.io-parser/2.1.3: + resolution: {integrity: sha512-6HXPre2O4Houl7c4g7Ic/XzPnHBvaEmN90vtRO9uLmwtRqQmTOw0QMevL1TOfL2Cpu1VzsaTmMotQgMdkzGkVA==} + dependencies: + after: 0.8.2 + arraybuffer.slice: 0.0.7 + base64-arraybuffer: 0.1.5 + blob: 0.0.5 + has-binary2: 1.0.3 + dev: false + + /engine.io/3.1.5: + resolution: {integrity: sha512-D06ivJkYxyRrcEe0bTpNnBQNgP9d3xog+qZlLbui8EsMr/DouQpf5o9FzJnWYHEYE0YsFHllUv2R1dkgYZXHcA==} + dependencies: + accepts: 1.3.7 + base64id: 1.0.0 + cookie: 0.3.1 + debug: 3.1.0 + engine.io-parser: 2.1.3 + ws: 3.3.3 + optionalDependencies: + uws: 9.14.0 + dev: false + + /ent/2.2.0: + resolution: {integrity: sha1-6WQhkyWiHQX0RGai9obtbOX13R0=} + dev: false + + /es6-promise/4.2.8: + resolution: {integrity: sha512-HJDGx5daxeIvxdBxvG2cb9g4tEvwIk3i8+nhX0yGrYmZUzbkdg8QbDevheDB8gd0//uPj4c1EQua8Q+MViT0/w==} + dev: false + optional: true + + /es6-promisify/5.0.0: + resolution: {integrity: sha1-UQnWLz5W6pZ8S2NQWu8IKRyKUgM=} + dependencies: + es6-promise: 4.2.8 + dev: false + optional: true + + /escape-html/1.0.3: + resolution: {integrity: sha1-Aljq5NPQwJdN4cFpGI7wBR0dGYg=} + dev: false + + 
/escape-string-regexp/1.0.5: + resolution: {integrity: sha1-G2HAViGQqN/2rjuyzwIAyhMLhtQ=} + engines: {node: '>=0.8.0'} + dev: false + optional: true + + /escodegen/1.12.0: + resolution: {integrity: sha512-TuA+EhsanGcme5T3R0L80u4t8CpbXQjegRmf7+FPTJrtCTErXFeelblRgHQa1FofEzqYYJmJ/OqjTwREp9qgmg==} + engines: {node: '>=4.0'} + hasBin: true + dependencies: + esprima: 3.1.3 + estraverse: 4.3.0 + esutils: 2.0.3 + optionator: 0.8.3 + optionalDependencies: + source-map: 0.6.1 + dev: false + optional: true + + /esprima/3.1.3: + resolution: {integrity: sha1-/cpRzuYTOJXjyI1TXOSdv/YqRjM=} + engines: {node: '>=4'} + hasBin: true + dev: false + optional: true + + /estraverse/4.3.0: + resolution: {integrity: sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==} + engines: {node: '>=4.0'} + dev: false + optional: true + + /esutils/2.0.3: + resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /eventemitter3/4.0.0: + resolution: {integrity: sha512-qerSRB0p+UDEssxTtm6EDKcE7W4OaoisfIMl4CngyEhjpYglocpNg6UEqCvemdGhosAsg4sO2dXJOdyBifPGCg==} + dev: false + + /expand-braces/0.1.2: + resolution: {integrity: sha1-SIsdHSRRyz06axks/AMPRMWFX+o=} + engines: {node: '>=0.10.0'} + dependencies: + array-slice: 0.2.3 + array-unique: 0.2.1 + braces: 0.1.5 + dev: false + + /expand-brackets/2.1.4: + resolution: {integrity: sha1-t3c14xXOMPa27/D4OwQVGiJEliI=} + engines: {node: '>=0.10.0'} + dependencies: + debug: 2.6.9 + define-property: 0.2.5 + extend-shallow: 2.0.1 + posix-character-classes: 0.1.1 + regex-not: 1.0.2 + snapdragon: 0.8.2 + to-regex: 3.0.2 + dev: false + + /expand-range/0.1.1: + resolution: {integrity: sha1-TLjtoJk8pW+k9B/ELzy7TMrf8EQ=} + engines: {node: '>=0.10.0'} + dependencies: + is-number: 0.1.1 + repeat-string: 0.2.2 + dev: false + + /extend-shallow/2.0.1: + resolution: {integrity: 
sha1-Ua99YUrZqfYQ6huvu5idaxxWiQ8=} + engines: {node: '>=0.10.0'} + dependencies: + is-extendable: 0.1.1 + dev: false + + /extend-shallow/3.0.2: + resolution: {integrity: sha1-Jqcarwc7OfshJxcnRhMcJwQCjbg=} + engines: {node: '>=0.10.0'} + dependencies: + assign-symbols: 1.0.0 + is-extendable: 1.0.1 + dev: false + + /extend/3.0.2: + resolution: {integrity: sha512-fjquC59cD7CyW6urNXK0FBufkZcoiGG80wTuPujX590cB5Ttln20E2UB4S/WARVqhXffZl2LNgS+gQdPIIim/g==} + dev: false + + /extglob/2.0.4: + resolution: {integrity: sha512-Nmb6QXkELsuBr24CJSkilo6UHHgbekK5UiZgfE6UHD3Eb27YC6oD+bhcT+tJ6cl8dmsgdQxnWlcry8ksBIBLpw==} + engines: {node: '>=0.10.0'} + dependencies: + array-unique: 0.3.2 + define-property: 1.0.0 + expand-brackets: 2.1.4 + extend-shallow: 2.0.1 + fragment-cache: 0.2.1 + regex-not: 1.0.2 + snapdragon: 0.8.2 + to-regex: 3.0.2 + dev: false + + /extsprintf/1.3.0: + resolution: {integrity: sha1-lpGEQOMEGnpBT4xS48V06zw+HgU=} + engines: {'0': node >=0.6.0} + dev: false + optional: true + + /fast-deep-equal/2.0.1: + resolution: {integrity: sha1-ewUhjd+WZ79/Nwv3/bLLFf3Qqkk=} + dev: false + optional: true + + /fast-json-stable-stringify/2.0.0: + resolution: {integrity: sha1-1RQsDK7msRifh9OnYREGT4bIu/I=} + dev: false + optional: true + + /fast-levenshtein/2.0.6: + resolution: {integrity: sha1-PYpcZog6FqMMqGQ+hR8Zuqd5eRc=} + dev: false + optional: true + + /file-uri-to-path/1.0.0: + resolution: {integrity: sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==} + dev: false + optional: true + + /fill-range/4.0.0: + resolution: {integrity: sha1-1USBHUKPmOsGpj3EAtJAPDKMOPc=} + engines: {node: '>=0.10.0'} + dependencies: + extend-shallow: 2.0.1 + is-number: 3.0.0 + repeat-string: 1.6.1 + to-regex-range: 2.1.1 + dev: false + + /finalhandler/1.1.2: + resolution: {integrity: sha512-aAWcW57uxVNrQZqFXjITpW3sIUQmHGG3qSb9mUah9MgMC4NeWhNOlNjXEYq3HjRAvL6arUviZGGJsBg6z0zsWA==} + engines: {node: '>= 0.8'} + dependencies: + debug: 2.6.9 + encodeurl: 1.0.2 
+ escape-html: 1.0.3 + on-finished: 2.3.0 + parseurl: 1.3.3 + statuses: 1.5.0 + unpipe: 1.0.0 + dev: false + + /follow-redirects/1.0.0: + resolution: {integrity: sha1-jjQpjL0uF28lTv/sdaHHjMhJ/Tc=} + dependencies: + debug: 2.6.9 + + /follow-redirects/1.9.0: + resolution: {integrity: sha512-CRcPzsSIbXyVDl0QI01muNDu69S8trU4jArW9LpOt2WtC6LyUJetcIrmfHsRBx7/Jb6GHJUiuqyYxPooFfNt6A==} + engines: {node: '>=4.0'} + dependencies: + debug: 3.2.6 + dev: false + + /for-in/1.0.2: + resolution: {integrity: sha1-gQaNKVqBQuwKxybG4iAMMPttXoA=} + engines: {node: '>=0.10.0'} + dev: false + + /forever-agent/0.6.1: + resolution: {integrity: sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=} + dev: false + optional: true + + /form-data/2.0.0: + resolution: {integrity: sha1-bwrrrcxdoWwT4ezBETfYX5uIOyU=} + engines: {node: '>= 0.12'} + dependencies: + asynckit: 0.4.0 + combined-stream: 1.0.8 + mime-types: 2.1.25 + dev: false + optional: true + + /form-data/2.3.3: + resolution: {integrity: sha512-1lLKB2Mu3aGP1Q/2eCOx0fNbRMe7XdwktwOruhfqqd0rIJWwN4Dh+E3hrPSlDCXnSR7UtZ1N38rVXm+6+MEhJQ==} + engines: {node: '>= 0.12'} + dependencies: + asynckit: 0.4.0 + combined-stream: 1.0.8 + mime-types: 2.1.25 + dev: false + optional: true + + /fragment-cache/0.2.1: + resolution: {integrity: sha1-QpD60n8T6Jvn8zeZxrxaCr//DRk=} + engines: {node: '>=0.10.0'} + dependencies: + map-cache: 0.2.2 + dev: false + + /fs-minipass/1.2.7: + resolution: {integrity: sha512-GWSSJGFy4e9GUeCcbIkED+bgAoFyj7XF1mV8rma3QW4NIqX9Kyx79N/PF61H5udOV3aY1IaMLs6pGbH71nlCTA==} + dependencies: + minipass: 2.9.0 + dev: false + optional: true + + /fs.realpath/1.0.0: + resolution: {integrity: sha1-FQStJSMVjKpA20onh8sBQRmU6k8=} + dev: false + + /fsevents/1.2.9: + resolution: {integrity: sha512-oeyj2H3EjjonWcFjD5NvZNE9Rqe4UW+nQBU2HNeKw0koVLEFIhtyETyAakeAM3de7Z/SW5kcA+fZUait9EApnw==} + engines: {node: '>=4.0'} + os: [darwin] + deprecated: 'One of your dependencies needs to upgrade to fsevents v2: 1) Proper nodejs v10+ support 2) No more fetching binaries from AWS, 
smaller package size' + requiresBuild: true + dependencies: + nan: 2.14.0 + node-pre-gyp: 0.12.0 + dev: false + optional: true + bundledDependencies: + - node-pre-gyp + + /ftp/0.3.10: + resolution: {integrity: sha1-kZfYYa2BQvPmPVqDv+TFn3MwiF0=} + engines: {node: '>=0.8.0'} + dependencies: + readable-stream: 1.1.14 + xregexp: 2.0.0 + dev: false + optional: true + + /gauge/2.7.4: + resolution: {integrity: sha1-LANAXHU4w51+s3sxcCLjJfsBi/c=} + dependencies: + aproba: 1.2.0 + console-control-strings: 1.1.0 + has-unicode: 2.0.1 + object-assign: 4.1.1 + signal-exit: 3.0.3 + string-width: 1.0.2 + strip-ansi: 3.0.1 + wide-align: 1.1.3 + dev: false + optional: true + + /generate-function/2.3.1: + resolution: {integrity: sha512-eeB5GfMNeevm/GRYq20ShmsaGcmI81kIX2K9XQx5miC8KdHaC6Jm0qQ8ZNeGOi7wYB8OsdxKs+Y2oVuTFuVwKQ==} + dependencies: + is-property: 1.0.2 + dev: false + optional: true + + /generate-object-property/1.2.0: + resolution: {integrity: sha1-nA4cQDCM6AT0eDYYuTf6iPmdUNA=} + dependencies: + is-property: 1.0.2 + dev: false + optional: true + + /get-uri/2.0.4: + resolution: {integrity: sha512-v7LT/s8kVjs+Tx0ykk1I+H/rbpzkHvuIq87LmeXptcf5sNWm9uQiwjNAt94SJPA1zOlCntmnOlJvVWKmzsxG8Q==} + dependencies: + data-uri-to-buffer: 1.2.0 + debug: 2.6.9 + extend: 3.0.2 + file-uri-to-path: 1.0.0 + ftp: 0.3.10 + readable-stream: 2.3.6 + dev: false + optional: true + + /get-value/2.0.6: + resolution: {integrity: sha1-3BXKHGcjh8p2vTesCjlbogQqLCg=} + engines: {node: '>=0.10.0'} + dev: false + + /getpass/0.1.7: + resolution: {integrity: sha1-Xv+OPmhNVprkyysSgmBOi6YhSfo=} + dependencies: + assert-plus: 1.0.0 + dev: false + optional: true + + /glob-parent/3.1.0: + resolution: {integrity: sha1-nmr2KZ2NO9K9QEMIMr0RPfkGxa4=} + dependencies: + is-glob: 3.1.0 + path-dirname: 1.0.2 + dev: false + + /glob/7.1.6: + resolution: {integrity: sha512-LwaxwyZ72Lk7vZINtNNrywX0ZuLyStrdDtabefZKAY5ZGJhVtgdznluResxNmPitE0SAO+O26sWTHeKSI2wMBA==} + dependencies: + fs.realpath: 1.0.0 + inflight: 1.0.6 + inherits: 
2.0.4 + minimatch: 3.0.4 + once: 1.4.0 + path-is-absolute: 1.0.1 + dev: false + + /graceful-fs/4.2.3: + resolution: {integrity: sha512-a30VEBm4PEdx1dRB7MFK7BejejvCvBronbLjht+sHuGYj8PHs7M/5Z+rt5lw551vZ7yfTCj4Vuyy3mSJytDWRQ==} + dev: false + + /har-schema/2.0.0: + resolution: {integrity: sha1-qUwiJOvKwEeCoNkDVSHyRzW37JI=} + engines: {node: '>=4'} + dev: false + optional: true + + /har-validator/2.0.6: + resolution: {integrity: sha1-zcvAgYgmWtEZtqWnyKtw7s+10n0=} + engines: {node: '>=0.10'} + hasBin: true + dependencies: + chalk: 1.1.3 + commander: 2.20.3 + is-my-json-valid: 2.20.0 + pinkie-promise: 2.0.1 + dev: false + optional: true + + /har-validator/5.1.3: + resolution: {integrity: sha512-sNvOCzEQNr/qrvJgc3UG/kD4QtlHycrzwS+6mfTrrSq97BvaYcPZZI1ZSqGSPR73Cxn4LKTD4PttRwfU7jWq5g==} + engines: {node: '>=6'} + dependencies: + ajv: 6.10.2 + har-schema: 2.0.0 + dev: false + optional: true + + /has-ansi/2.0.0: + resolution: {integrity: sha1-NPUEnOHs3ysGSa8+8k5F7TVBbZE=} + engines: {node: '>=0.10.0'} + dependencies: + ansi-regex: 2.1.1 + dev: false + optional: true + + /has-binary2/1.0.3: + resolution: {integrity: sha512-G1LWKhDSvhGeAQ8mPVQlqNcOB2sJdwATtZKl2pDKKHfpf/rYj24lkinxf69blJbnsvtqqNU+L3SL50vzZhXOnw==} + dependencies: + isarray: 2.0.1 + dev: false + + /has-cors/1.1.0: + resolution: {integrity: sha1-XkdHk/fqmEPRu5nCPu9J/xJv/zk=} + dev: false + + /has-unicode/2.0.1: + resolution: {integrity: sha1-4Ob+aijPUROIVeCG0Wkedx3iqLk=} + dev: false + optional: true + + /has-value/0.3.1: + resolution: {integrity: sha1-ex9YutpiyoJ+wKIHgCVlSEWZXh8=} + engines: {node: '>=0.10.0'} + dependencies: + get-value: 2.0.6 + has-values: 0.1.4 + isobject: 2.1.0 + dev: false + + /has-value/1.0.0: + resolution: {integrity: sha1-GLKB2lhbHFxR3vJMkw7SmgvmsXc=} + engines: {node: '>=0.10.0'} + dependencies: + get-value: 2.0.6 + has-values: 1.0.0 + isobject: 3.0.1 + dev: false + + /has-values/0.1.4: + resolution: {integrity: sha1-bWHeldkd/Km5oCCJrThL/49it3E=} + engines: {node: '>=0.10.0'} + dev: false 
+ + /has-values/1.0.0: + resolution: {integrity: sha1-lbC2P+whRmGab+V/51Yo1aOe/k8=} + engines: {node: '>=0.10.0'} + dependencies: + is-number: 3.0.0 + kind-of: 4.0.0 + dev: false + + /hawk/3.1.3: + resolution: {integrity: sha1-B4REvXwWQLD+VA0sm3PVlnjo4cQ=} + engines: {node: '>=0.10.32'} + deprecated: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. + dependencies: + boom: 2.10.1 + cryptiles: 2.0.5 + hoek: 2.16.3 + sntp: 1.0.9 + dev: false + optional: true + + /hipchat-notifier/1.1.0: + resolution: {integrity: sha1-ttJJdVQ3wZEII2d5nTupoPI7Ix4=} + dependencies: + lodash: 4.17.15 + request: 2.88.0 + dev: false + optional: true + + /hoek/2.16.3: + resolution: {integrity: sha1-ILt0A9POo5jpHcRxCo/xuCdKJe0=} + engines: {node: '>=0.10.40'} + deprecated: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial). 
+ dev: false + optional: true + + /http-errors/1.7.2: + resolution: {integrity: sha512-uUQBt3H/cSIVfch6i1EuPNy/YsRSOUBXTVfZ+yR7Zjez3qjBz6i9+i4zjNaoqcoFVI4lQJ5plg63TvGfRSDCRg==} + engines: {node: '>= 0.6'} + dependencies: + depd: 1.1.2 + inherits: 2.0.3 + setprototypeof: 1.1.1 + statuses: 1.5.0 + toidentifier: 1.0.0 + dev: false + + /http-errors/1.7.3: + resolution: {integrity: sha512-ZTTX0MWrsQ2ZAhA1cejAwDLycFsd7I7nVtnkT3Ol0aqodaKW+0CTZDQ1uBv5whptCnc8e8HeRRJxRs0kmm/Qfw==} + engines: {node: '>= 0.6'} + dependencies: + depd: 1.1.2 + inherits: 2.0.4 + setprototypeof: 1.1.1 + statuses: 1.5.0 + toidentifier: 1.0.0 + dev: false + optional: true + + /http-proxy-agent/2.1.0: + resolution: {integrity: sha512-qwHbBLV7WviBl0rQsOzH6o5lwyOIvwp/BdFnvVxXORldu5TmjFfjzBcWUWS5kWAZhmv+JtiDhSuQCp4sBfbIgg==} + engines: {node: '>= 4.5.0'} + dependencies: + agent-base: 4.3.0 + debug: 3.1.0 + dev: false + optional: true + + /http-proxy/1.18.0: + resolution: {integrity: sha512-84I2iJM/n1d4Hdgc6y2+qY5mDaz2PUVjlg9znE9byl+q0uC3DeByqBGReQu5tpLK0TAqTIXScRUV+dg7+bUPpQ==} + engines: {node: '>=6.0.0'} + dependencies: + eventemitter3: 4.0.0 + follow-redirects: 1.9.0 + requires-port: 1.0.0 + dev: false + + /http-signature/1.1.1: + resolution: {integrity: sha1-33LiZwZs0Kxn+3at+OE0qPvPkb8=} + engines: {node: '>=0.8', npm: '>=1.3.7'} + dependencies: + assert-plus: 0.2.0 + jsprim: 1.4.1 + sshpk: 1.16.1 + dev: false + optional: true + + /http-signature/1.2.0: + resolution: {integrity: sha1-muzZJRFHcvPZW2WmCruPfBj7rOE=} + engines: {node: '>=0.8', npm: '>=1.3.7'} + dependencies: + assert-plus: 1.0.0 + jsprim: 1.4.1 + sshpk: 1.16.1 + dev: false + optional: true + + /httpntlm/1.6.1: + resolution: {integrity: sha1-rQFScUOi6Hc8+uapb1hla7UqNLI=} + engines: {node: '>=0.8.0'} + dependencies: + httpreq: 0.4.24 + underscore: 1.7.0 + dev: false + optional: true + + /httpreq/0.4.24: + resolution: {integrity: sha1-QzX/2CzZaWaKOUZckprGHWOTYn8=} + engines: {node: '>= 0.8.0'} + dev: false + optional: true + + 
/https-proxy-agent/2.2.4: + resolution: {integrity: sha512-OmvfoQ53WLjtA9HeYP9RNrWMJzzAz1JGaSFr1nijg0PVR1JaD/xbJq1mdEIIlxGpXp9eSe/O2LgU9DJmTPd0Eg==} + engines: {node: '>= 4.5.0'} + dependencies: + agent-base: 4.3.0 + debug: 3.2.6 + dev: false + optional: true + + /https-proxy-agent/3.0.1: + resolution: {integrity: sha512-+ML2Rbh6DAuee7d07tYGEKOEi2voWPUGan+ExdPbPW6Z3svq+JCqr0v8WmKPOkz1vOVykPCBSuobe7G8GJUtVg==} + engines: {node: '>= 4.5.0'} + dependencies: + agent-base: 4.3.0 + debug: 3.2.6 + dev: false + optional: true + + /iconv-lite/0.4.15: + resolution: {integrity: sha1-/iZaIYrGpXz+hUkn6dBMGYJe3es=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /iconv-lite/0.4.24: + resolution: {integrity: sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==} + engines: {node: '>=0.10.0'} + dependencies: + safer-buffer: 2.1.2 + dev: false + + /ignore-walk/3.0.4: + resolution: {integrity: sha512-PY6Ii8o1jMRA1z4F2hRkH/xN59ox43DavKvD3oDpfurRlOJyAHpifIwpbdv1n4jt4ov0jSpw3kQ4GhJnpBL6WQ==} + dependencies: + minimatch: 3.0.4 + dev: false + optional: true + + /indexof/0.0.1: + resolution: {integrity: sha1-gtwzbSMrkGIXnQWrMpOmYFn9Q10=} + dev: false + + /inflection/1.12.0: + resolution: {integrity: sha1-ogCTVlbW9fa8TcdQLhrstwMihBY=} + engines: {'0': node >= 0.4.0} + dev: false + optional: true + + /inflection/1.3.8: + resolution: {integrity: sha1-y9Fg2p91sUw8xjV41POWeEvzAU4=} + engines: {'0': node >= 0.4.0} + dev: false + optional: true + + /inflight/1.0.6: + resolution: {integrity: sha1-Sb1jMdfQLQwJvJEKEHW6gWW1bfk=} + dependencies: + once: 1.4.0 + wrappy: 1.0.2 + dev: false + + /inherits/2.0.3: + resolution: {integrity: sha1-Yzwsg+PaQqUC9SRmAiSA9CCCYd4=} + dev: false + + /inherits/2.0.4: + resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==} + dev: false + + /ini/1.3.8: + resolution: {integrity: 
sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==} + dev: false + optional: true + + /ip/1.1.5: + resolution: {integrity: sha1-vd7XARQpCCjAoDnnLvJfWq7ENUo=} + dev: false + optional: true + + /is-accessor-descriptor/0.1.6: + resolution: {integrity: sha1-qeEss66Nh2cn7u84Q/igiXtcmNY=} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 3.2.2 + dev: false + + /is-accessor-descriptor/1.0.0: + resolution: {integrity: sha512-m5hnHTkcVsPfqx3AKlyttIPb7J+XykHvJP2B9bZDjlhLIoEq4XoK64Vg7boZlVWYK6LUY94dYPEE7Lh0ZkZKcQ==} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 6.0.2 + dev: false + + /is-binary-path/1.0.1: + resolution: {integrity: sha1-dfFmQrSA8YenEcgUFh/TpKdlWJg=} + engines: {node: '>=0.10.0'} + dependencies: + binary-extensions: 1.13.1 + dev: false + + /is-buffer/1.1.6: + resolution: {integrity: sha512-NcdALwpXkTm5Zvvbk7owOUSvVvBKDgKP5/ewfXEznmQFfs4ZRmanOeKBTjRVjka3QFoN6XJ+9F3USqfHqTaU5w==} + dev: false + + /is-data-descriptor/0.1.4: + resolution: {integrity: sha1-C17mSDiOLIYCgueT8YVv7D8wG1Y=} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 3.2.2 + dev: false + + /is-data-descriptor/1.0.0: + resolution: {integrity: sha512-jbRXy1FmtAoCjQkVmIVYwuuqDFUbaOeDjmed1tOGPrsMhtJA4rD9tkgA0F1qJ3gRFRXcHYVkdeaP50Q5rE/jLQ==} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 6.0.2 + dev: false + + /is-descriptor/0.1.6: + resolution: {integrity: sha512-avDYr0SB3DwO9zsMov0gKCESFYqCnE4hq/4z3TdUlukEy5t9C0YRq7HLrsN52NAcqXKaepeCD0n+B0arnVG3Hg==} + engines: {node: '>=0.10.0'} + dependencies: + is-accessor-descriptor: 0.1.6 + is-data-descriptor: 0.1.4 + kind-of: 5.1.0 + dev: false + + /is-descriptor/1.0.2: + resolution: {integrity: sha512-2eis5WqQGV7peooDyLmNEPUrps9+SXX5c9pL3xEB+4e9HnGuDa7mB7kHxHw4CbqS9k1T2hOH3miL8n8WtiYVtg==} + engines: {node: '>=0.10.0'} + dependencies: + is-accessor-descriptor: 1.0.0 + is-data-descriptor: 1.0.0 + kind-of: 6.0.2 + dev: false + + /is-extendable/0.1.1: + resolution: {integrity: 
sha1-YrEQ4omkcUGOPsNqYX1HLjAd/Ik=} + engines: {node: '>=0.10.0'} + dev: false + + /is-extendable/1.0.1: + resolution: {integrity: sha512-arnXMxT1hhoKo9k1LZdmlNyJdDDfy2v0fXjFlmok4+i8ul/6WlbVge9bhM74OpNPQPMGUToDtz+KXa1PneJxOA==} + engines: {node: '>=0.10.0'} + dependencies: + is-plain-object: 2.0.4 + dev: false + + /is-extglob/2.1.1: + resolution: {integrity: sha1-qIwCU1eR8C7TfHahueqXc8gz+MI=} + engines: {node: '>=0.10.0'} + dev: false + + /is-fullwidth-code-point/1.0.0: + resolution: {integrity: sha1-754xOG8DGn8NZDr4L95QxFfvAMs=} + engines: {node: '>=0.10.0'} + dependencies: + number-is-nan: 1.0.1 + dev: false + optional: true + + /is-glob/3.1.0: + resolution: {integrity: sha1-e6WuJCF4BKxwcHuWkiVnSGzD6Eo=} + engines: {node: '>=0.10.0'} + dependencies: + is-extglob: 2.1.1 + dev: false + + /is-glob/4.0.1: + resolution: {integrity: sha512-5G0tKtBTFImOqDnLB2hG6Bp2qcKEFduo4tZu9MT/H6NQv/ghhy30o55ufafxJ/LdH79LLs2Kfrn85TLKyA7BUg==} + engines: {node: '>=0.10.0'} + dependencies: + is-extglob: 2.1.1 + dev: false + + /is-my-ip-valid/1.0.0: + resolution: {integrity: sha512-gmh/eWXROncUzRnIa1Ubrt5b8ep/MGSnfAUI3aRp+sqTCs1tv1Isl8d8F6JmkN3dXKc3ehZMrtiPN9eL03NuaQ==} + dev: false + optional: true + + /is-my-json-valid/2.20.0: + resolution: {integrity: sha512-XTHBZSIIxNsIsZXg7XB5l8z/OBFosl1Wao4tXLpeC7eKU4Vm/kdop2azkPqULwnfGQjmeDIyey9g7afMMtdWAA==} + dependencies: + generate-function: 2.3.1 + generate-object-property: 1.2.0 + is-my-ip-valid: 1.0.0 + jsonpointer: 4.0.1 + xtend: 4.0.2 + dev: false + optional: true + + /is-number/0.1.1: + resolution: {integrity: sha1-aaevEWlj1HIG7JvZtIoUIW8eOAY=} + engines: {node: '>=0.10.0'} + dev: false + + /is-number/3.0.0: + resolution: {integrity: sha1-JP1iAaR4LPUFYcgQJ2r8fRLXEZU=} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 3.2.2 + dev: false + + /is-plain-object/2.0.4: + resolution: {integrity: sha512-h5PpgXkWitc38BBMYawTYMWJHFZJVnBquFE57xFpjB8pJFiF6gZ+bU+WyI/yqXiFR5mdLsgYNaPe8uao6Uv9Og==} + engines: {node: '>=0.10.0'} + dependencies: + 
isobject: 3.0.1 + dev: false + + /is-property/1.0.2: + resolution: {integrity: sha1-V/4cTkhHTt1lsJkR8msc1Ald2oQ=} + dev: false + optional: true + + /is-stream/1.1.0: + resolution: {integrity: sha1-EtSj3U5o4Lec6428hBc66A2RykQ=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /is-typedarray/1.0.0: + resolution: {integrity: sha1-5HnICFjfDBsR3dppQPlgEfzaSpo=} + dev: false + optional: true + + /is-windows/1.0.2: + resolution: {integrity: sha512-eXK1UInq2bPmjyX6e3VHIzMLobc4J94i4AWn+Hpq3OU5KkrRC96OAcR3PRJ/pGu6m8TRnBHP9dkXQVsT/COVIA==} + engines: {node: '>=0.10.0'} + dev: false + + /isarray/0.0.1: + resolution: {integrity: sha1-ihis/Kmo9Bd+Cav8YDiTmwXR7t8=} + dev: false + optional: true + + /isarray/1.0.0: + resolution: {integrity: sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=} + dev: false + + /isarray/2.0.1: + resolution: {integrity: sha1-o32U7ZzaLVmGXJ92/llu4fM4dB4=} + dev: false + + /isbinaryfile/3.0.3: + resolution: {integrity: sha512-8cJBL5tTd2OS0dM4jz07wQd5g0dCCqIhUxPIGtZfa5L6hWlvV5MHTITy/DBAsF+Oe2LS1X3krBUhNwaGUWpWxw==} + engines: {node: '>=0.6.0'} + dependencies: + buffer-alloc: 1.2.0 + dev: false + + /isobject/2.1.0: + resolution: {integrity: sha1-8GVWEJaj8dou9GJy+BXIQNh+DIk=} + engines: {node: '>=0.10.0'} + dependencies: + isarray: 1.0.0 + dev: false + + /isobject/3.0.1: + resolution: {integrity: sha1-TkMekrEalzFjaqH5yNHMvP2reN8=} + engines: {node: '>=0.10.0'} + dev: false + + /isstream/0.1.2: + resolution: {integrity: sha1-R+Y/evVa+m+S4VAOaQ64uFKcCZo=} + dev: false + optional: true + + /jsbn/0.1.1: + resolution: {integrity: sha1-peZUwuWi3rXyAdls77yoDA7y9RM=} + dev: false + optional: true + + /json-schema-traverse/0.4.1: + resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==} + dev: false + optional: true + + /json-schema/0.2.3: + resolution: {integrity: sha1-tIDIkuWaLwWVTOcnvT8qTogvnhM=} + dev: false + optional: true + + /json-stringify-safe/5.0.1: + resolution: {integrity: 
sha1-Epai1Y/UXxmg9s4B1lcB4sc1tus=} + dev: false + optional: true + + /jsonpointer/4.0.1: + resolution: {integrity: sha1-T9kss04OnbPInIYi7PUfm5eMbLk=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /jsprim/1.4.1: + resolution: {integrity: sha1-MT5mvB5cwG5Di8G3SZwuXFastqI=} + engines: {'0': node >=0.6.0} + dependencies: + assert-plus: 1.0.0 + extsprintf: 1.3.0 + json-schema: 0.2.3 + verror: 1.10.0 + dev: false + optional: true + + /karma/2.0.5: + resolution: {integrity: sha512-rECezBeY7mjzGUWhFlB7CvPHgkHJLXyUmWg+6vHCEsdWNUTnmiS6jRrIMcJEWgU2DUGZzGWG0bTRVky8fsDTOA==} + engines: {node: '>= 4'} + hasBin: true + dependencies: + bluebird: 3.7.1 + body-parser: 1.19.0 + chokidar: 2.1.8 + colors: 1.4.0 + combine-lists: 1.0.1 + connect: 3.7.0 + core-js: 2.6.10 + di: 0.0.1 + dom-serialize: 2.2.1 + expand-braces: 0.1.2 + glob: 7.1.6 + graceful-fs: 4.2.3 + http-proxy: 1.18.0 + isbinaryfile: 3.0.3 + lodash: 4.17.15 + log4js: 2.11.0 + mime: 1.6.0 + minimatch: 3.0.4 + optimist: 0.6.1 + qjobs: 1.2.0 + range-parser: 1.2.1 + rimraf: 2.7.1 + safe-buffer: 5.2.0 + socket.io: 2.0.4 + source-map: 0.6.1 + tmp: 0.0.33 + useragent: 2.2.1 + dev: false + + /kind-of/3.2.2: + resolution: {integrity: sha1-MeohpzS6ubuw8yRm2JOupR5KPGQ=} + engines: {node: '>=0.10.0'} + dependencies: + is-buffer: 1.1.6 + dev: false + + /kind-of/4.0.0: + resolution: {integrity: sha1-IIE989cSkosgc3hpGkUGb65y3Vc=} + engines: {node: '>=0.10.0'} + dependencies: + is-buffer: 1.1.6 + dev: false + + /kind-of/5.1.0: + resolution: {integrity: sha512-NGEErnH6F2vUuXDh+OlbcKW7/wOcfdRHaZ7VWtqCztfHri/++YKmP51OdWeGPuqCOba6kk2OTe5d02VmTB80Pw==} + engines: {node: '>=0.10.0'} + dev: false + + /kind-of/6.0.2: + resolution: {integrity: sha512-s5kLOcnH0XqDO+FvuaLX8DDjZ18CGFk7VygH40QoKPUQhW4e2rvM0rwUq0t8IQDOwYSeLK01U90OjzBTme2QqA==} + engines: {node: '>=0.10.0'} + dev: false + + /levn/0.3.0: + resolution: {integrity: sha1-OwmSTt+fCDwEkP3UwLxEIeBHZO4=} + engines: {node: '>= 0.8.0'} + dependencies: + prelude-ls: 1.1.2 + 
type-check: 0.3.2 + dev: false + optional: true + + /libbase64/0.1.0: + resolution: {integrity: sha1-YjUag5VjrF/1vSbxL2Dpgwu3UeY=} + dev: false + optional: true + + /libmime/3.0.0: + resolution: {integrity: sha1-UaGp50SOy9Ms2lRCFnW7IbwJPaY=} + dependencies: + iconv-lite: 0.4.15 + libbase64: 0.1.0 + libqp: 1.1.0 + dev: false + optional: true + + /libqp/1.1.0: + resolution: {integrity: sha1-9ebgatdLeU+1tbZpiL9yjvHe2+g=} + dev: false + optional: true + + /lodash/4.17.15: + resolution: {integrity: sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==} + dev: false + + /log4js/2.11.0: + resolution: {integrity: sha512-z1XdwyGFg8/WGkOyF6DPJjivCWNLKrklGdViywdYnSKOvgtEBo2UyEMZS5sD2mZrQlU3TvO8wDWLc8mzE1ncBQ==} + engines: {node: '>=4.0'} + dependencies: + circular-json: 0.5.9 + date-format: 1.2.0 + debug: 3.2.6 + semver: 5.7.1 + streamroller: 0.7.0 + optionalDependencies: + amqplib: 0.5.5 + axios: 0.15.3 + hipchat-notifier: 1.1.0 + loggly: 1.1.1 + mailgun-js: 0.18.1 + nodemailer: 2.7.2 + redis: 2.8.0 + slack-node: 0.2.0 + dev: false + + /loggly/1.1.1: + resolution: {integrity: sha1-Cg/B0/o6XsRP3HuJe+uipGlc6+4=} + engines: {node: '>= 0.8.0'} + dependencies: + json-stringify-safe: 5.0.1 + request: 2.75.0 + timespan: 2.3.0 + dev: false + optional: true + + /lru-cache/2.2.4: + resolution: {integrity: sha1-bGWGGb7PFAMdDQtZSxYELOTcBj0=} + dev: false + + /lru-cache/4.1.5: + resolution: {integrity: sha512-sWZlbEP2OsHNkXrMl5GYk/jKk70MBng6UU4YI/qGDYbgf6YbP4EvmqISbXCoJiRKs+1bSpFHVgQxvJ17F2li5g==} + dependencies: + pseudomap: 1.0.2 + yallist: 2.1.2 + dev: false + optional: true + + /mailcomposer/4.0.1: + resolution: {integrity: sha1-DhxEsqB890DuF9wUm6AJ8Zyt/rQ=} + deprecated: This project is unmaintained + dependencies: + buildmail: 4.0.1 + libmime: 3.0.0 + dev: false + optional: true + + /mailgun-js/0.18.1: + resolution: {integrity: sha512-lvuMP14u24HS2uBsJEnzSyPMxzU2b99tQsIx1o6QNjqxjk8b3WvR+vq5oG1mjqz/IBYo+5gF+uSoDS0RkMVHmg==} + engines: {node: 
'>=6.0.0'} + dependencies: + async: 2.6.3 + debug: 3.1.0 + form-data: 2.3.3 + inflection: 1.12.0 + is-stream: 1.1.0 + path-proxy: 1.0.0 + promisify-call: 2.0.4 + proxy-agent: 3.0.3 + tsscmp: 1.0.6 + dev: false + optional: true + + /map-cache/0.2.2: + resolution: {integrity: sha1-wyq9C9ZSXZsFFkW7TyasXcmKDb8=} + engines: {node: '>=0.10.0'} + dev: false + + /map-visit/1.0.0: + resolution: {integrity: sha1-7Nyo8TFE5mDxtb1B8S80edmN+48=} + engines: {node: '>=0.10.0'} + dependencies: + object-visit: 1.0.1 + dev: false + + /media-typer/0.3.0: + resolution: {integrity: sha1-hxDXrwqmJvj/+hzgAWhUUmMlV0g=} + engines: {node: '>= 0.6'} + dev: false + + /micromatch/3.1.10: + resolution: {integrity: sha512-MWikgl9n9M3w+bpsY3He8L+w9eF9338xRl8IAO5viDizwSzziFEyUzo2xrrloB64ADbTf8uA8vRqqttDTOmccg==} + engines: {node: '>=0.10.0'} + dependencies: + arr-diff: 4.0.0 + array-unique: 0.3.2 + braces: 2.3.2 + define-property: 2.0.2 + extend-shallow: 3.0.2 + extglob: 2.0.4 + fragment-cache: 0.2.1 + kind-of: 6.0.2 + nanomatch: 1.2.13 + object.pick: 1.3.0 + regex-not: 1.0.2 + snapdragon: 0.8.2 + to-regex: 3.0.2 + dev: false + + /mime-db/1.42.0: + resolution: {integrity: sha512-UbfJCR4UAVRNgMpfImz05smAXK7+c+ZntjaA26ANtkXLlOe947Aag5zdIcKQULAiF9Cq4WxBi9jUs5zkA84bYQ==} + engines: {node: '>= 0.6'} + dev: false + + /mime-types/2.1.25: + resolution: {integrity: sha512-5KhStqB5xpTAeGqKBAMgwaYMnQik7teQN4IAzC7npDv6kzeU6prfkR67bc87J1kWMPGkoaZSq1npmexMgkmEVg==} + engines: {node: '>= 0.6'} + dependencies: + mime-db: 1.42.0 + dev: false + + /mime/1.6.0: + resolution: {integrity: sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==} + engines: {node: '>=4'} + hasBin: true + dev: false + + /minimatch/3.0.4: + resolution: {integrity: sha512-yJHVQEhyqPLUTgt9B83PXu6W3rx4MvvHvSUvToogpwoGDOUQ+yDrR0HRot+yOCdCO7u4hX3pWft6kWBBcqh0UA==} + dependencies: + brace-expansion: 1.1.11 + dev: false + + /minimist/0.0.10: + resolution: {integrity: sha1-3j+YVD2/lggr5IrRoMfNqDYwHc8=} + dev: 
false + + /minimist/0.0.8: + resolution: {integrity: sha1-hX/Kv8M5fSYluCKCYuhqp6ARsF0=} + dev: false + + /minimist/1.2.5: + resolution: {integrity: sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==} + dev: false + optional: true + + /minipass/2.9.0: + resolution: {integrity: sha512-wxfUjg9WebH+CUDX/CdbRlh5SmfZiy/hpkxaRI16Y9W56Pa75sWgd/rvFilSgrauD9NyFymP/+JFV3KwzIsJeg==} + dependencies: + safe-buffer: 5.2.0 + yallist: 3.1.1 + dev: false + optional: true + + /minizlib/1.3.3: + resolution: {integrity: sha512-6ZYMOEnmVsdCeTJVE0W9ZD+pVnE8h9Hma/iOwwRDsdQoePpoX56/8B6z3P9VNwppJuBKNRuFDRNRqRWexT9G9Q==} + dependencies: + minipass: 2.9.0 + dev: false + optional: true + + /mixin-deep/1.3.2: + resolution: {integrity: sha512-WRoDn//mXBiJ1H40rqa3vH0toePwSsGb45iInWlTySa+Uu4k3tYUSxa2v1KqAiLtvlrSzaExqS1gtk96A9zvEA==} + engines: {node: '>=0.10.0'} + dependencies: + for-in: 1.0.2 + is-extendable: 1.0.1 + dev: false + + /mkdirp/0.5.1: + resolution: {integrity: sha1-MAV0OOrGz3+MR2fzhkjWaX11yQM=} + hasBin: true + dependencies: + minimist: 0.0.8 + dev: false + + /ms/2.0.0: + resolution: {integrity: sha1-VgiurfwAvmwpAd9fmGF4jeDVl8g=} + + /ms/2.1.2: + resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==} + dev: false + + /nan/2.14.0: + resolution: {integrity: sha512-INOFj37C7k3AfaNTtX8RhsTw7qRy7eLET14cROi9+5HAVbbHuIWUHEauBv5qT4Av2tWasiTY1Jw6puUNqRJXQg==} + dev: false + optional: true + + /nanomatch/1.2.13: + resolution: {integrity: sha512-fpoe2T0RbHwBTBUOftAfBPaDEi06ufaUai0mE6Yn1kacc3SnTErfb/h+X94VXzI64rKFHYImXSvdwGGCmwOqCA==} + engines: {node: '>=0.10.0'} + dependencies: + arr-diff: 4.0.0 + array-unique: 0.3.2 + define-property: 2.0.2 + extend-shallow: 3.0.2 + fragment-cache: 0.2.1 + is-windows: 1.0.2 + kind-of: 6.0.2 + object.pick: 1.3.0 + regex-not: 1.0.2 + snapdragon: 0.8.2 + to-regex: 3.0.2 + dev: false + + /needle/2.8.0: + resolution: {integrity: 
sha512-ZTq6WYkN/3782H1393me3utVYdq2XyqNUFBsprEE3VMAT0+hP/cItpnITpqsY6ep2yeFE4Tqtqwc74VqUlUYtw==} + engines: {node: '>= 4.4.x'} + hasBin: true + dependencies: + debug: 3.2.6 + iconv-lite: 0.4.24 + sax: 1.2.4 + dev: false + optional: true + + /negotiator/0.6.2: + resolution: {integrity: sha512-hZXc7K2e+PgeI1eDBe/10Ard4ekbfrrqG8Ep+8Jmf4JID2bNg7NvCPOZN+kfF574pFQI7mum2AUqDidoKqcTOw==} + engines: {node: '>= 0.6'} + dev: false + + /netmask/1.0.6: + resolution: {integrity: sha1-ICl+idhvb2QA8lDZ9Pa0wZRfzTU=} + engines: {node: '>= 0.4.0'} + dev: false + optional: true + + /node-pre-gyp/0.12.0: + resolution: {integrity: sha512-4KghwV8vH5k+g2ylT+sLTjy5wmUOb9vPhnM8NHvRf9dHmnW/CndrFXy2aRPaPST6dugXSdHXfeaHQm77PIz/1A==} + deprecated: 'Please upgrade to @mapbox/node-pre-gyp: the non-scoped node-pre-gyp package is deprecated and only the @mapbox scoped package will recieve updates in the future' + hasBin: true + dependencies: + detect-libc: 1.0.3 + mkdirp: 0.5.1 + needle: 2.8.0 + nopt: 4.0.3 + npm-packlist: 1.4.8 + npmlog: 4.1.2 + rc: 1.2.8 + rimraf: 2.7.1 + semver: 5.7.1 + tar: 4.4.15 + dev: false + optional: true + + /node-uuid/1.4.8: + resolution: {integrity: sha1-sEDrCSOWivq/jTL7HxfxFn/auQc=} + deprecated: Use uuid module instead + hasBin: true + dev: false + optional: true + + /nodemailer-direct-transport/3.3.2: + resolution: {integrity: sha1-6W+vuQNYVglH5WkBfZfmBzilCoY=} + dependencies: + nodemailer-shared: 1.1.0 + smtp-connection: 2.12.0 + dev: false + optional: true + + /nodemailer-fetch/1.6.0: + resolution: {integrity: sha1-ecSQihwPXzdbc/6IjamCj23JY6Q=} + dev: false + optional: true + + /nodemailer-shared/1.1.0: + resolution: {integrity: sha1-z1mU4v0mjQD1zw+nZ6CBae2wfsA=} + dependencies: + nodemailer-fetch: 1.6.0 + dev: false + optional: true + + /nodemailer-smtp-pool/2.8.2: + resolution: {integrity: sha1-LrlNbPhXgLG0clzoU7nL1ejajHI=} + dependencies: + nodemailer-shared: 1.1.0 + nodemailer-wellknown: 0.1.10 + smtp-connection: 2.12.0 + dev: false + optional: true + + 
/nodemailer-smtp-transport/2.7.2: + resolution: {integrity: sha1-A9ccdjFPFKx9vHvwM6am0W1n+3c=} + dependencies: + nodemailer-shared: 1.1.0 + nodemailer-wellknown: 0.1.10 + smtp-connection: 2.12.0 + dev: false + optional: true + + /nodemailer-wellknown/0.1.10: + resolution: {integrity: sha1-WG24EB2zDLRDjrVGc3pBqtDPE9U=} + dev: false + optional: true + + /nodemailer/2.7.2: + resolution: {integrity: sha1-8kLmSa7q45tsftdA73sGHEBNMPk=} + engines: {node: '>=0.10.0'} + deprecated: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/ + dependencies: + libmime: 3.0.0 + mailcomposer: 4.0.1 + nodemailer-direct-transport: 3.3.2 + nodemailer-shared: 1.1.0 + nodemailer-smtp-pool: 2.8.2 + nodemailer-smtp-transport: 2.7.2 + socks: 1.1.9 + dev: false + optional: true + + /nopt/4.0.3: + resolution: {integrity: sha512-CvaGwVMztSMJLOeXPrez7fyfObdZqNUK1cPAEzLHrTybIua9pMdmmPR5YwtfNftIOMv3DPUhFaxsZMNTQO20Kg==} + hasBin: true + dependencies: + abbrev: 1.1.1 + osenv: 0.1.5 + dev: false + optional: true + + /normalize-path/2.1.1: + resolution: {integrity: sha1-GrKLVW4Zg2Oowab35vogE3/mrtk=} + engines: {node: '>=0.10.0'} + dependencies: + remove-trailing-separator: 1.1.0 + dev: false + + /normalize-path/3.0.0: + resolution: {integrity: sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==} + engines: {node: '>=0.10.0'} + dev: false + + /npm-bundled/1.1.2: + resolution: {integrity: sha512-x5DHup0SuyQcmL3s7Rx/YQ8sbw/Hzg0rj48eN0dV7hf5cmQq5PXIeioroH3raV1QC1yh3uTYuMThvEQF3iKgGQ==} + dependencies: + npm-normalize-package-bin: 1.0.1 + dev: false + optional: true + + /npm-normalize-package-bin/1.0.1: + resolution: {integrity: sha512-EPfafl6JL5/rU+ot6P3gRSCpPDW5VmIzX959Ob1+ySFUuuYHWHekXpwdUZcKP5C+DS4GEtdJluwBjnsNDl+fSA==} + dev: false + optional: true + + /npm-packlist/1.4.8: + resolution: {integrity: sha512-5+AZgwru5IevF5ZdnFglB5wNlHG1AOOuw28WhUq8/8emhBmLv6jX5by4WJCh7lW0uSYZYS6DXqIsyZVIXRZU9A==} + dependencies: + 
ignore-walk: 3.0.4 + npm-bundled: 1.1.2 + npm-normalize-package-bin: 1.0.1 + dev: false + optional: true + + /npmlog/4.1.2: + resolution: {integrity: sha512-2uUqazuKlTaSI/dC8AzicUck7+IrEaOnN/e0jd3Xtt1KcGpwx30v50mL7oPyr/h9bL3E4aZccVwpwP+5W9Vjkg==} + dependencies: + are-we-there-yet: 1.1.5 + console-control-strings: 1.1.0 + gauge: 2.7.4 + set-blocking: 2.0.0 + dev: false + optional: true + + /number-is-nan/1.0.1: + resolution: {integrity: sha1-CXtgK1NCKlIsGvuHkDGDNpQaAR0=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /oauth-sign/0.8.2: + resolution: {integrity: sha1-Rqarfwrq2N6unsBWV4C31O/rnUM=} + dev: false + optional: true + + /oauth-sign/0.9.0: + resolution: {integrity: sha512-fexhUFFPTGV8ybAtSIGbV6gOkSv8UtRbDBnAyLQw4QPKkgNlsH2ByPGtMUqdWkos6YCRmAqViwgZrJc/mRDzZQ==} + dev: false + optional: true + + /object-assign/4.1.1: + resolution: {integrity: sha1-IQmtx5ZYh8/AXLvUQsrIv7s2CGM=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /object-component/0.0.3: + resolution: {integrity: sha1-8MaapQ78lbhmwYb0AKM3acsvEpE=} + dev: false + + /object-copy/0.1.0: + resolution: {integrity: sha1-fn2Fi3gb18mRpBupde04EnVOmYw=} + engines: {node: '>=0.10.0'} + dependencies: + copy-descriptor: 0.1.1 + define-property: 0.2.5 + kind-of: 3.2.2 + dev: false + + /object-visit/1.0.1: + resolution: {integrity: sha1-95xEk68MU3e1n+OdOV5BBC3QRbs=} + engines: {node: '>=0.10.0'} + dependencies: + isobject: 3.0.1 + dev: false + + /object.pick/1.3.0: + resolution: {integrity: sha1-h6EKxMFpS9Lhy/U1kaZhQftd10c=} + engines: {node: '>=0.10.0'} + dependencies: + isobject: 3.0.1 + dev: false + + /on-finished/2.3.0: + resolution: {integrity: sha1-IPEzZIGwg811M3mSoWlxqi2QaUc=} + engines: {node: '>= 0.8'} + dependencies: + ee-first: 1.1.1 + dev: false + + /once/1.4.0: + resolution: {integrity: sha1-WDsap3WWHUsROsF9nFC6753Xa9E=} + dependencies: + wrappy: 1.0.2 + dev: false + + /optimist/0.6.1: + resolution: {integrity: sha1-2j6nRob6IaGaERwybpDrFaAZZoY=} + dependencies: + 
minimist: 0.0.10 + wordwrap: 0.0.3 + dev: false + + /optionator/0.8.3: + resolution: {integrity: sha512-+IW9pACdk3XWmmTXG8m3upGUJst5XRGzxMRjXzAuJ1XnIFNvfhjjIuYkDvysnPQ7qzqVzLt78BCruntqRhWQbA==} + engines: {node: '>= 0.8.0'} + dependencies: + deep-is: 0.1.3 + fast-levenshtein: 2.0.6 + levn: 0.3.0 + prelude-ls: 1.1.2 + type-check: 0.3.2 + word-wrap: 1.2.3 + dev: false + optional: true + + /os-homedir/1.0.2: + resolution: {integrity: sha1-/7xJiDNuDoM94MFox+8VISGqf7M=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /os-tmpdir/1.0.2: + resolution: {integrity: sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=} + engines: {node: '>=0.10.0'} + dev: false + + /osenv/0.1.5: + resolution: {integrity: sha512-0CWcCECdMVc2Rw3U5w9ZjqX6ga6ubk1xDVKxtBQPK7wis/0F2r9T6k4ydGYhecl7YUBxBVxhL5oisPsNxAPe2g==} + dependencies: + os-homedir: 1.0.2 + os-tmpdir: 1.0.2 + dev: false + optional: true + + /pac-proxy-agent/3.0.1: + resolution: {integrity: sha512-44DUg21G/liUZ48dJpUSjZnFfZro/0K5JTyFYLBcmh9+T6Ooi4/i4efwUiEy0+4oQusCBqWdhv16XohIj1GqnQ==} + dependencies: + agent-base: 4.3.0 + debug: 4.1.1 + get-uri: 2.0.4 + http-proxy-agent: 2.1.0 + https-proxy-agent: 3.0.1 + pac-resolver: 3.0.0 + raw-body: 2.4.1 + socks-proxy-agent: 4.0.2 + dev: false + optional: true + + /pac-resolver/3.0.0: + resolution: {integrity: sha512-tcc38bsjuE3XZ5+4vP96OfhOugrX+JcnpUbhfuc4LuXBLQhoTthOstZeoQJBDnQUDYzYmdImKsbz0xSl1/9qeA==} + dependencies: + co: 4.6.0 + degenerator: 1.0.4 + ip: 1.1.5 + netmask: 1.0.6 + thunkify: 2.1.2 + dev: false + optional: true + + /parseqs/0.0.5: + resolution: {integrity: sha1-1SCKNzjkZ2bikbouoXNoSSGouJ0=} + dependencies: + better-assert: 1.0.2 + dev: false + + /parseuri/0.0.5: + resolution: {integrity: sha1-gCBKUNTbt3m/3G6+J3jZDkvOMgo=} + dependencies: + better-assert: 1.0.2 + dev: false + + /parseurl/1.3.3: + resolution: {integrity: sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==} + engines: {node: '>= 0.8'} + dev: false + + /pascalcase/0.1.1: 
+ resolution: {integrity: sha1-s2PlXoAGym/iF4TS2yK9FdeRfxQ=} + engines: {node: '>=0.10.0'} + dev: false + + /path-dirname/1.0.2: + resolution: {integrity: sha1-zDPSTVJeCZpTiMAzbG4yuRYGCeA=} + dev: false + + /path-is-absolute/1.0.1: + resolution: {integrity: sha1-F0uSaHNVNP+8es5r9TpanhtcX18=} + engines: {node: '>=0.10.0'} + dev: false + + /path-proxy/1.0.0: + resolution: {integrity: sha1-GOijaFn8nS8aU7SN7hOFQ8Ag3l4=} + dependencies: + inflection: 1.3.8 + dev: false + optional: true + + /performance-now/2.1.0: + resolution: {integrity: sha1-Ywn04OX6kT7BxpMHrjZLSzd8nns=} + dev: false + optional: true + + /pinkie-promise/2.0.1: + resolution: {integrity: sha1-ITXW36ejWMBprJsXh3YogihFD/o=} + engines: {node: '>=0.10.0'} + dependencies: + pinkie: 2.0.4 + dev: false + optional: true + + /pinkie/2.0.4: + resolution: {integrity: sha1-clVrgM+g1IqXToDnckjoDtT3+HA=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /posix-character-classes/0.1.1: + resolution: {integrity: sha1-AerA/jta9xoqbAL+q7jB/vfgDqs=} + engines: {node: '>=0.10.0'} + dev: false + + /prelude-ls/1.1.2: + resolution: {integrity: sha1-IZMqVJ9eUv/ZqCf1cOBL5iqX2lQ=} + engines: {node: '>= 0.8.0'} + dev: false + optional: true + + /process-nextick-args/1.0.7: + resolution: {integrity: sha1-FQ4gt1ZZCtP5EJPyWk8q2L/zC6M=} + dev: false + optional: true + + /process-nextick-args/2.0.1: + resolution: {integrity: sha512-3ouUOpQhtgrbOa17J7+uxOTpITYWaGP7/AhoR3+A+/1e9skrzelGi/dXzEYyvbxubEF6Wn2ypscTKiKJFFn1ag==} + dev: false + + /promisify-call/2.0.4: + resolution: {integrity: sha1-1IwtRWUszM1SgB3ey9UzptS9X7o=} + engines: {node: '>=4.0'} + dependencies: + with-callback: 1.0.2 + dev: false + optional: true + + /proxy-agent/3.0.3: + resolution: {integrity: sha512-PXVVVuH9tiQuxQltFJVSnXWuDtNr+8aNBP6XVDDCDiUuDN8eRCm+ii4/mFWmXWEA0w8jjJSlePa4LXlM4jIzNA==} + engines: {node: '>=6'} + dependencies: + agent-base: 4.3.0 + debug: 3.1.0 + http-proxy-agent: 2.1.0 + https-proxy-agent: 2.2.4 + lru-cache: 4.1.5 + pac-proxy-agent: 
3.0.1 + proxy-from-env: 1.0.0 + socks-proxy-agent: 4.0.2 + dev: false + optional: true + + /proxy-from-env/1.0.0: + resolution: {integrity: sha1-M8UDmPcOp+uW0h97gXYwpVeRx+4=} + dev: false + optional: true + + /pseudomap/1.0.2: + resolution: {integrity: sha1-8FKijacOYYkX7wqKw0wa5aaChrM=} + dev: false + optional: true + + /psl/1.4.0: + resolution: {integrity: sha512-HZzqCGPecFLyoRj5HLfuDSKYTJkAfB5thKBIkRHtGjWwY7p1dAyveIbXIq4tO0KYfDF2tHqPUgY9SDnGm00uFw==} + dev: false + optional: true + + /punycode/1.4.1: + resolution: {integrity: sha1-wNWmOycYgArY4esPpSachN1BhF4=} + dev: false + optional: true + + /punycode/2.1.1: + resolution: {integrity: sha512-XRsRjdf+j5ml+y/6GKHPZbrF/8p2Yga0JPtdqTIY2Xe5ohJPD9saDJJLPvp9+NSBprVvevdXZybnj2cv8OEd0A==} + engines: {node: '>=6'} + dev: false + optional: true + + /qjobs/1.2.0: + resolution: {integrity: sha512-8YOJEHtxpySA3fFDyCRxA+UUV+fA+rTWnuWvylOK/NCjhY+b4ocCtmu8TtsWb+mYeU+GCHf/S66KZF/AsteKHg==} + engines: {node: '>=0.9'} + dev: false + + /qs/6.2.3: + resolution: {integrity: sha1-HPyyXBCpsrSDBT/zn138kjOQjP4=} + engines: {node: '>=0.6'} + dev: false + optional: true + + /qs/6.5.2: + resolution: {integrity: sha512-N5ZAX4/LxJmF+7wN74pUD6qAh9/wnvdQcjq9TZjevvXzSUo7bfmw91saqMjzGS2xq91/odN2dW/WOl7qQHNDGA==} + engines: {node: '>=0.6'} + dev: false + optional: true + + /qs/6.7.0: + resolution: {integrity: sha512-VCdBRNFTX1fyE7Nb6FYoURo/SPe62QCaAyzJvUjwRaIsc+NePBEniHlvxFmmX56+HZphIGtV0XeCirBtpDrTyQ==} + engines: {node: '>=0.6'} + dev: false + + /querystringify/2.1.1: + resolution: {integrity: sha512-w7fLxIRCRT7U8Qu53jQnJyPkYZIaR4n5151KMfcJlO/A9397Wxb1amJvROTK6TOnp7PfoAmg/qXiNHI+08jRfA==} + dev: false + optional: true + + /range-parser/1.2.1: + resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==} + engines: {node: '>= 0.6'} + dev: false + + /raw-body/2.4.0: + resolution: {integrity: sha512-4Oz8DUIwdvoa5qMJelxipzi/iJIi40O5cGV1wNYp5hvZP8ZN0T+jiNkL0QepXs+EsQ9XJ8ipEDoiH70ySUJP3Q==} + 
engines: {node: '>= 0.8'} + dependencies: + bytes: 3.1.0 + http-errors: 1.7.2 + iconv-lite: 0.4.24 + unpipe: 1.0.0 + dev: false + + /raw-body/2.4.1: + resolution: {integrity: sha512-9WmIKF6mkvA0SLmA2Knm9+qj89e+j1zqgyn8aXGd7+nAduPoqgI9lO57SAZNn/Byzo5P7JhXTyg9PzaJbH73bA==} + engines: {node: '>= 0.8'} + dependencies: + bytes: 3.1.0 + http-errors: 1.7.3 + iconv-lite: 0.4.24 + unpipe: 1.0.0 + dev: false + optional: true + + /rc/1.2.8: + resolution: {integrity: sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==} + hasBin: true + dependencies: + deep-extend: 0.6.0 + ini: 1.3.8 + minimist: 1.2.5 + strip-json-comments: 2.0.1 + dev: false + optional: true + + /readable-stream/1.1.14: + resolution: {integrity: sha1-fPTFTvZI44EwhMY23SB54WbAgdk=} + dependencies: + core-util-is: 1.0.2 + inherits: 2.0.4 + isarray: 0.0.1 + string_decoder: 0.10.31 + dev: false + optional: true + + /readable-stream/2.0.6: + resolution: {integrity: sha1-j5A0HmilPMySh4jaz80Rs265t44=} + dependencies: + core-util-is: 1.0.2 + inherits: 2.0.4 + isarray: 1.0.0 + process-nextick-args: 1.0.7 + string_decoder: 0.10.31 + util-deprecate: 1.0.2 + dev: false + optional: true + + /readable-stream/2.3.6: + resolution: {integrity: sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==} + dependencies: + core-util-is: 1.0.2 + inherits: 2.0.4 + isarray: 1.0.0 + process-nextick-args: 2.0.1 + safe-buffer: 5.1.2 + string_decoder: 1.1.1 + util-deprecate: 1.0.2 + dev: false + + /readdirp/2.2.1: + resolution: {integrity: sha512-1JU/8q+VgFZyxwrJ+SVIOsh+KywWGpds3NTqikiKpDMZWScmAYyKIgqkO+ARvNWJfXeXR1zxz7aHF4u4CyH6vQ==} + engines: {node: '>=0.10'} + dependencies: + graceful-fs: 4.2.3 + micromatch: 3.1.10 + readable-stream: 2.3.6 + dev: false + + /redis-commands/1.5.0: + resolution: {integrity: sha512-6KxamqpZ468MeQC3bkWmCB1fp56XL64D4Kf0zJSwDZbVLLm7KFkoIcHrgRvQ+sk8dnhySs7+yBg94yIkAK7aJg==} + dev: false + optional: true + + /redis-parser/2.6.0: 
+ resolution: {integrity: sha1-Uu0J2srBCPGmMcB+m2mUHnoZUEs=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /redis/2.8.0: + resolution: {integrity: sha512-M1OkonEQwtRmZv4tEWF2VgpG0JWJ8Fv1PhlgT5+B+uNq2cA3Rt1Yt/ryoR+vQNOQcIEgdCdfH0jr3bDpihAw1A==} + engines: {node: '>=0.10.0'} + dependencies: + double-ended-queue: 2.1.0-0 + redis-commands: 1.5.0 + redis-parser: 2.6.0 + dev: false + optional: true + + /regex-not/1.0.2: + resolution: {integrity: sha512-J6SDjUgDxQj5NusnOtdFxDwN/+HWykR8GELwctJ7mdqhcyy1xEc4SRFHUXvxTp661YaVKAjfRLZ9cCqS6tn32A==} + engines: {node: '>=0.10.0'} + dependencies: + extend-shallow: 3.0.2 + safe-regex: 1.1.0 + dev: false + + /remove-trailing-separator/1.1.0: + resolution: {integrity: sha1-wkvOKig62tW8P1jg1IJJuSN52O8=} + dev: false + + /repeat-element/1.1.3: + resolution: {integrity: sha512-ahGq0ZnV5m5XtZLMb+vP76kcAM5nkLqk0lpqAuojSKGgQtn4eRi4ZZGm2olo2zKFH+sMsWaqOCW1dqAnOru72g==} + engines: {node: '>=0.10.0'} + dev: false + + /repeat-string/0.2.2: + resolution: {integrity: sha1-x6jTI2BoNiBZp+RlH8aITosftK4=} + engines: {node: '>=0.10'} + dev: false + + /repeat-string/1.6.1: + resolution: {integrity: sha1-jcrkcOHIirwtYA//Sndihtp15jc=} + engines: {node: '>=0.10'} + dev: false + + /request/2.75.0: + resolution: {integrity: sha1-0rgmiihtoT6qXQGt9dGMyQ9lfZM=} + engines: {node: '>=0.8.0'} + dependencies: + aws-sign2: 0.6.0 + aws4: 1.8.0 + bl: 1.1.2 + caseless: 0.11.0 + combined-stream: 1.0.8 + extend: 3.0.2 + forever-agent: 0.6.1 + form-data: 2.0.0 + har-validator: 2.0.6 + hawk: 3.1.3 + http-signature: 1.1.1 + is-typedarray: 1.0.0 + isstream: 0.1.2 + json-stringify-safe: 5.0.1 + mime-types: 2.1.25 + node-uuid: 1.4.8 + oauth-sign: 0.8.2 + qs: 6.2.3 + stringstream: 0.0.6 + tough-cookie: 2.3.4 + tunnel-agent: 0.4.3 + dev: false + optional: true + + /request/2.88.0: + resolution: {integrity: sha512-NAqBSrijGLZdM0WZNsInLJpkJokL72XYjUpnB0iwsRgxh7dB6COrHnTBNwN0E+lHDAJzu7kLAkDeY08z2/A0hg==} + engines: {node: '>= 4'} + dependencies: + aws-sign2: 
0.7.0 + aws4: 1.8.0 + caseless: 0.12.0 + combined-stream: 1.0.8 + extend: 3.0.2 + forever-agent: 0.6.1 + form-data: 2.3.3 + har-validator: 5.1.3 + http-signature: 1.2.0 + is-typedarray: 1.0.0 + isstream: 0.1.2 + json-stringify-safe: 5.0.1 + mime-types: 2.1.25 + oauth-sign: 0.9.0 + performance-now: 2.1.0 + qs: 6.5.2 + safe-buffer: 5.2.0 + tough-cookie: 2.4.3 + tunnel-agent: 0.6.0 + uuid: 3.3.3 + dev: false + optional: true + + /requestretry/1.13.0: + resolution: {integrity: sha512-Lmh9qMvnQXADGAQxsXHP4rbgO6pffCfuR8XUBdP9aitJcLQJxhp7YZK4xAVYXnPJ5E52mwrfiKQtKonPL8xsmg==} + dependencies: + extend: 3.0.2 + lodash: 4.17.15 + request: 2.88.0 + when: 3.7.8 + dev: false + optional: true + + /requires-port/1.0.0: + resolution: {integrity: sha1-kl0mAdOaxIXgkc8NpcbmlNw9yv8=} + dev: false + + /resolve-url/0.2.1: + resolution: {integrity: sha1-LGN/53yJOv0qZj/iGqkIAGjiBSo=} + dev: false + + /ret/0.1.15: + resolution: {integrity: sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==} + engines: {node: '>=0.12'} + dev: false + + /rimraf/2.7.1: + resolution: {integrity: sha512-uWjbaKIK3T1OSVptzX7Nl6PvQ3qAGtKEtVRjRuazjfL3Bx5eI409VZSqgND+4UNnmzLVdPj9FqFJNPqBZFve4w==} + hasBin: true + dependencies: + glob: 7.1.6 + dev: false + + /safe-buffer/5.1.2: + resolution: {integrity: sha512-Gd2UZBJDkXlY7GbJxfsE8/nvKkUEU1G38c1siN6QP6a9PT9MmHB8GnpscSmMJSoF8LOIrt8ud/wPtojys4G6+g==} + dev: false + + /safe-buffer/5.2.0: + resolution: {integrity: sha512-fZEwUGbVl7kouZs1jCdMLdt95hdIv0ZeHg6L7qPeciMZhZ+/gdesW4wgTARkrFWEpspjEATAzUGPG8N2jJiwbg==} + dev: false + + /safe-regex/1.1.0: + resolution: {integrity: sha1-QKNmnzsHfR6UPURinhV91IAjvy4=} + dependencies: + ret: 0.1.15 + dev: false + + /safer-buffer/2.1.2: + resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==} + dev: false + + /sax/1.2.4: + resolution: {integrity: 
sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==} + dev: false + optional: true + + /semver/5.7.1: + resolution: {integrity: sha512-sauaDf/PZdVgrLTNYHRtpXa1iRiKcaebiKQ1BJdpQlWH2lCvexQdX55snPFyK7QzpudqbCI0qXFfOasHdyNDGQ==} + hasBin: true + dev: false + + /set-blocking/2.0.0: + resolution: {integrity: sha1-BF+XgtARrppoA93TgrJDkrPYkPc=} + dev: false + optional: true + + /set-value/2.0.1: + resolution: {integrity: sha512-JxHc1weCN68wRY0fhCoXpyK55m/XPHafOmK4UWD7m2CI14GMcFypt4w/0+NV5f/ZMby2F6S2wwA7fgynh9gWSw==} + engines: {node: '>=0.10.0'} + dependencies: + extend-shallow: 2.0.1 + is-extendable: 0.1.1 + is-plain-object: 2.0.4 + split-string: 3.1.0 + dev: false + + /setprototypeof/1.1.1: + resolution: {integrity: sha512-JvdAWfbXeIGaZ9cILp38HntZSFSo3mWg6xGcJJsd+d4aRMOqauag1C63dJfDw7OaMYwEbHMOxEZ1lqVRYP2OAw==} + dev: false + + /signal-exit/3.0.3: + resolution: {integrity: sha512-VUJ49FC8U1OxwZLxIbTTrDvLnf/6TDgxZcK8wxR8zs13xpx7xbG60ndBlhNrFi2EMuFRoeDoJO7wthSLq42EjA==} + dev: false + optional: true + + /slack-node/0.2.0: + resolution: {integrity: sha1-3kuN3aqLeT9h29KTgQT9q/N9+jA=} + dependencies: + requestretry: 1.13.0 + dev: false + optional: true + + /smart-buffer/1.1.15: + resolution: {integrity: sha1-fxFLW2X6s+KjWqd1uxLw0cZJvxY=} + engines: {node: '>= 0.10.15', npm: '>= 1.3.5'} + dev: false + optional: true + + /smart-buffer/4.1.0: + resolution: {integrity: sha512-iVICrxOzCynf/SNaBQCw34eM9jROU/s5rzIhpOvzhzuYHfJR/DhZfDkXiZSgKXfgv26HT3Yni3AV/DGw0cGnnw==} + engines: {node: '>= 6.0.0', npm: '>= 3.0.0'} + dev: false + optional: true + + /smtp-connection/2.12.0: + resolution: {integrity: sha1-1275EnyyPCJZ7bHoNJwujV4tdME=} + dependencies: + httpntlm: 1.6.1 + nodemailer-shared: 1.1.0 + dev: false + optional: true + + /snapdragon-node/2.1.1: + resolution: {integrity: sha512-O27l4xaMYt/RSQ5TR3vpWCAB5Kb/czIcqUFOM/C4fYcLnbZUc1PkjTAMjof2pBWaSTwOUd6qUHcFGVGj7aIwnw==} + engines: {node: '>=0.10.0'} + dependencies: + define-property: 1.0.0 + 
isobject: 3.0.1 + snapdragon-util: 3.0.1 + dev: false + + /snapdragon-util/3.0.1: + resolution: {integrity: sha512-mbKkMdQKsjX4BAL4bRYTj21edOf8cN7XHdYUJEe+Zn99hVEYcMvKPct1IqNe7+AZPirn8BCDOQBHQZknqmKlZQ==} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 3.2.2 + dev: false + + /snapdragon/0.8.2: + resolution: {integrity: sha512-FtyOnWN/wCHTVXOMwvSv26d+ko5vWlIDD6zoUJ7LW8vh+ZBC8QdljveRP+crNrtBwioEUWy/4dMtbBjA4ioNlg==} + engines: {node: '>=0.10.0'} + dependencies: + base: 0.11.2 + debug: 2.6.9 + define-property: 0.2.5 + extend-shallow: 2.0.1 + map-cache: 0.2.2 + source-map: 0.5.7 + source-map-resolve: 0.5.2 + use: 3.1.1 + dev: false + + /sntp/1.0.9: + resolution: {integrity: sha1-ZUEYTMkK7qbG57NeJlkIJEPGYZg=} + engines: {node: '>=0.8.0'} + deprecated: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues. + dependencies: + hoek: 2.16.3 + dev: false + optional: true + + /socket.io-adapter/1.1.1: + resolution: {integrity: sha1-KoBeihTWNyEk3ZFZrUUC+MsH8Gs=} + dev: false + + /socket.io-client/2.0.4: + resolution: {integrity: sha1-CRilUkBtxeVAs4Dc2Xr8SmQzL44=} + dependencies: + backo2: 1.0.2 + base64-arraybuffer: 0.1.5 + component-bind: 1.0.0 + component-emitter: 1.2.1 + debug: 2.6.9 + engine.io-client: 3.1.6 + has-cors: 1.1.0 + indexof: 0.0.1 + object-component: 0.0.3 + parseqs: 0.0.5 + parseuri: 0.0.5 + socket.io-parser: 3.1.3 + to-array: 0.1.4 + dev: false + + /socket.io-parser/3.1.3: + resolution: {integrity: sha512-g0a2HPqLguqAczs3dMECuA1RgoGFPyvDqcbaDEdCWY9g59kdUAz3YRmaJBNKXflrHNwB7Q12Gkf/0CZXfdHR7g==} + dependencies: + component-emitter: 1.2.1 + debug: 3.1.0 + has-binary2: 1.0.3 + isarray: 2.0.1 + dev: false + + /socket.io/2.0.4: + resolution: {integrity: sha1-waRZDO/4fs8TxyZS8Eb3FrKeYBQ=} + dependencies: + debug: 2.6.9 + engine.io: 3.1.5 + socket.io-adapter: 1.1.1 + socket.io-client: 2.0.4 + socket.io-parser: 3.1.3 + dev: false + + 
/socks-proxy-agent/4.0.2: + resolution: {integrity: sha512-NT6syHhI9LmuEMSK6Kd2V7gNv5KFZoLE7V5udWmn0de+3Mkj3UMA/AJPLyeNUVmElCurSHtUdM3ETpR3z770Wg==} + engines: {node: '>= 6'} + dependencies: + agent-base: 4.2.1 + socks: 2.3.3 + dev: false + optional: true + + /socks/1.1.9: + resolution: {integrity: sha1-Yo1+TQSRJDVEWsC25Fk3bLPm1pE=} + engines: {node: '>= 0.10.0', npm: '>= 1.3.5'} + deprecated: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0 + dependencies: + ip: 1.1.5 + smart-buffer: 1.1.15 + dev: false + optional: true + + /socks/2.3.3: + resolution: {integrity: sha512-o5t52PCNtVdiOvzMry7wU4aOqYWL0PeCXRWBEiJow4/i/wr+wpsJQ9awEu1EonLIqsfGd5qSgDdxEOvCdmBEpA==} + engines: {node: '>= 6.0.0', npm: '>= 3.0.0'} + dependencies: + ip: 1.1.5 + smart-buffer: 4.1.0 + dev: false + optional: true + + /source-map-resolve/0.5.2: + resolution: {integrity: sha512-MjqsvNwyz1s0k81Goz/9vRBe9SZdB09Bdw+/zYyO+3CuPk6fouTaxscHkgtE8jKvf01kVfl8riHzERQ/kefaSA==} + dependencies: + atob: 2.1.2 + decode-uri-component: 0.2.0 + resolve-url: 0.2.1 + source-map-url: 0.4.0 + urix: 0.1.0 + dev: false + + /source-map-url/0.4.0: + resolution: {integrity: sha1-PpNdfd1zYxuXZZlW1VEo6HtQhKM=} + dev: false + + /source-map/0.5.7: + resolution: {integrity: sha1-igOdLRAh0i0eoUyA2OpGi6LvP8w=} + engines: {node: '>=0.10.0'} + dev: false + + /source-map/0.6.1: + resolution: {integrity: sha512-UjgapumWlbMhkBgzT7Ykc5YXUT46F0iKu8SGXq0bcwP5dz/h0Plj6enJqjz1Zbq2l5WaqYnrVbwWOWMyF3F47g==} + engines: {node: '>=0.10.0'} + dev: false + + /split-string/3.1.0: + resolution: {integrity: sha512-NzNVhJDYpwceVVii8/Hu6DKfD2G+NrQHlS/V/qgv763EYudVwEcMQNxd2lh+0VrUByXN/oJkl5grOhYWvQUYiw==} + engines: {node: '>=0.10.0'} + dependencies: + extend-shallow: 3.0.2 + dev: false + + /sshpk/1.16.1: + resolution: {integrity: sha512-HXXqVUq7+pcKeLqqZj6mHFUMvXtOJt1uoUx09pFW6011inTMxqI8BA8PM95myrIyyKwdnzjdFjLiE6KBPVtJIg==} + engines: {node: '>=0.10.0'} + 
hasBin: true + dependencies: + asn1: 0.2.4 + assert-plus: 1.0.0 + bcrypt-pbkdf: 1.0.2 + dashdash: 1.14.1 + ecc-jsbn: 0.1.2 + getpass: 0.1.7 + jsbn: 0.1.1 + safer-buffer: 2.1.2 + tweetnacl: 0.14.5 + dev: false + optional: true + + /static-extend/0.1.2: + resolution: {integrity: sha1-YICcOcv/VTNyJv1eC1IPNB8ftcY=} + engines: {node: '>=0.10.0'} + dependencies: + define-property: 0.2.5 + object-copy: 0.1.0 + dev: false + + /statuses/1.5.0: + resolution: {integrity: sha1-Fhx9rBd2Wf2YEfQ3cfqZOBR4Yow=} + engines: {node: '>= 0.6'} + dev: false + + /streamroller/0.7.0: + resolution: {integrity: sha512-WREzfy0r0zUqp3lGO096wRuUp7ho1X6uo/7DJfTlEi0Iv/4gT7YHqXDjKC2ioVGBZtE8QzsQD9nx1nIuoZ57jQ==} + engines: {node: '>=0.12.0'} + dependencies: + date-format: 1.2.0 + debug: 3.2.6 + mkdirp: 0.5.1 + readable-stream: 2.3.6 + dev: false + + /string-width/1.0.2: + resolution: {integrity: sha1-EYvfW4zcUaKn5w0hHgfisLmxB9M=} + engines: {node: '>=0.10.0'} + dependencies: + code-point-at: 1.1.0 + is-fullwidth-code-point: 1.0.0 + strip-ansi: 3.0.1 + dev: false + optional: true + + /string_decoder/0.10.31: + resolution: {integrity: sha1-YuIDvEF2bGwoyfyEMB2rHFMQ+pQ=} + dev: false + optional: true + + /string_decoder/1.1.1: + resolution: {integrity: sha512-n/ShnvDi6FHbbVfviro+WojiFzv+s8MPMHBczVePfUpDJLwoLT0ht1l4YwBCbi8pJAveEEdnkHyPyTP/mzRfwg==} + dependencies: + safe-buffer: 5.1.2 + dev: false + + /stringstream/0.0.6: + resolution: {integrity: sha512-87GEBAkegbBcweToUrdzf3eLhWNg06FJTebl4BVJz/JgWy8CvEr9dRtX5qWphiynMSQlxxi+QqN0z5T32SLlhA==} + dev: false + optional: true + + /strip-ansi/3.0.1: + resolution: {integrity: sha1-ajhfuIU9lS1f8F0Oiq+UJ43GPc8=} + engines: {node: '>=0.10.0'} + dependencies: + ansi-regex: 2.1.1 + dev: false + optional: true + + /strip-json-comments/2.0.1: + resolution: {integrity: sha1-PFMZQukIwml8DsNEhYwobHygpgo=} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /supports-color/2.0.0: + resolution: {integrity: sha1-U10EXOa2Nj+kARcIRimZXp3zJMc=} + engines: {node: 
'>=0.8.0'} + dev: false + optional: true + + /sync-exec/0.6.2: + resolution: {integrity: sha1-cX0izFPwzh3vVZQ2LzqJouu5EQU=} + dev: false + optional: true + + /tar/4.4.15: + resolution: {integrity: sha512-ItbufpujXkry7bHH9NpQyTXPbJ72iTlXgkBAYsAjDXk3Ds8t/3NfO5P4xZGy7u+sYuQUbimgzswX4uQIEeNVOA==} + engines: {node: '>=4.5'} + dependencies: + chownr: 1.1.4 + fs-minipass: 1.2.7 + minipass: 2.9.0 + minizlib: 1.3.3 + mkdirp: 0.5.1 + safe-buffer: 5.2.0 + yallist: 3.1.1 + dev: false + optional: true + + /thunkify/2.1.2: + resolution: {integrity: sha1-+qDp0jDFGsyVyhOjYawFyn4EVT0=} + dev: false + optional: true + + /timespan/2.3.0: + resolution: {integrity: sha1-SQLOBAvRPYRcj1myfp1ZutbzmSk=} + engines: {node: '>= 0.2.0'} + dev: false + optional: true + + /tmp/0.0.33: + resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==} + engines: {node: '>=0.6.0'} + dependencies: + os-tmpdir: 1.0.2 + dev: false + + /to-array/0.1.4: + resolution: {integrity: sha1-F+bBH3PdTz10zaek/zI46a2b+JA=} + dev: false + + /to-object-path/0.3.0: + resolution: {integrity: sha1-KXWIt7Dn4KwI4E5nL4XB9JmeF68=} + engines: {node: '>=0.10.0'} + dependencies: + kind-of: 3.2.2 + dev: false + + /to-regex-range/2.1.1: + resolution: {integrity: sha1-fIDBe53+vlmeJzZ+DU3VWQFB2zg=} + engines: {node: '>=0.10.0'} + dependencies: + is-number: 3.0.0 + repeat-string: 1.6.1 + dev: false + + /to-regex/3.0.2: + resolution: {integrity: sha512-FWtleNAtZ/Ki2qtqej2CXTOayOH9bHDQF+Q48VpWyDXjbYxA4Yz8iDB31zXOBUlOHHKidDbqGVrTUvQMPmBGBw==} + engines: {node: '>=0.10.0'} + dependencies: + define-property: 2.0.2 + extend-shallow: 3.0.2 + regex-not: 1.0.2 + safe-regex: 1.1.0 + dev: false + + /toidentifier/1.0.0: + resolution: {integrity: sha512-yaOH/Pk/VEhBWWTlhI+qXxDFXlejDGcQipMlyxda9nthulaxLZUNcUqFxokp0vcYnvteJln5FNQDRrxj3YcbVw==} + engines: {node: '>=0.6'} + dev: false + + /tough-cookie/2.3.4: + resolution: {integrity: 
sha512-TZ6TTfI5NtZnuyy/Kecv+CnoROnyXn2DN97LontgQpCwsX2XyLYCC0ENhYkehSOwAp8rTQKc/NUIF7BkQ5rKLA==} + engines: {node: '>=0.8'} + dependencies: + punycode: 1.4.1 + dev: false + optional: true + + /tough-cookie/2.4.3: + resolution: {integrity: sha512-Q5srk/4vDM54WJsJio3XNn6K2sCG+CQ8G5Wz6bZhRZoAe/+TxjWB/GlFAnYEbkYVlON9FMk/fE3h2RLpPXo4lQ==} + engines: {node: '>=0.8'} + dependencies: + psl: 1.4.0 + punycode: 1.4.1 + dev: false + optional: true + + /tsscmp/1.0.6: + resolution: {integrity: sha512-LxhtAkPDTkVCMQjt2h6eBVY28KCjikZqZfMcC15YBeNjkgUpdCfBu5HoiOTDu86v6smE8yOjyEktJ8hlbANHQA==} + engines: {node: '>=0.6.x'} + dev: false + optional: true + + /tunnel-agent/0.4.3: + resolution: {integrity: sha1-Y3PbdpCf5XDgjXNYM2Xtgop07us=} + dev: false + optional: true + + /tunnel-agent/0.6.0: + resolution: {integrity: sha1-J6XeoGs2sEoKmWZ3SykIaPD8QP0=} + dependencies: + safe-buffer: 5.2.0 + dev: false + optional: true + + /tweetnacl/0.14.5: + resolution: {integrity: sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=} + dev: false + optional: true + + /type-check/0.3.2: + resolution: {integrity: sha1-WITKtRLPHTVeP7eE8wgEsrUg23I=} + engines: {node: '>= 0.8.0'} + dependencies: + prelude-ls: 1.1.2 + dev: false + optional: true + + /type-is/1.6.18: + resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==} + engines: {node: '>= 0.6'} + dependencies: + media-typer: 0.3.0 + mime-types: 2.1.25 + dev: false + + /ultron/1.1.1: + resolution: {integrity: sha512-UIEXBNeYmKptWH6z8ZnqTeS8fV74zG0/eRU9VGkpzz+LIJNs8W/zM/L+7ctCkRrgbNnnR0xxw4bKOr0cW0N0Og==} + dev: false + + /underscore/1.7.0: + resolution: {integrity: sha1-a7rwh3UA02vjTsqlhODbn+8DUgk=} + dev: false + optional: true + + /union-value/1.0.1: + resolution: {integrity: sha512-tJfXmxMeWYnczCVs7XAEvIV7ieppALdyepWMkHkwciRpZraG/xwT+s2JN8+pr1+8jCRf80FFzvr+MpQeeoF4Xg==} + engines: {node: '>=0.10.0'} + dependencies: + arr-union: 3.1.0 + get-value: 2.0.6 + is-extendable: 0.1.1 + set-value: 2.0.1 + dev: 
false + + /unpipe/1.0.0: + resolution: {integrity: sha1-sr9O6FFKrmFltIF4KdIbLvSZBOw=} + engines: {node: '>= 0.8'} + dev: false + + /unset-value/1.0.0: + resolution: {integrity: sha1-g3aHP30jNRef+x5vw6jtDfyKtVk=} + engines: {node: '>=0.10.0'} + dependencies: + has-value: 0.3.1 + isobject: 3.0.1 + dev: false + + /upath/1.2.0: + resolution: {integrity: sha512-aZwGpamFO61g3OlfT7OQCHqhGnW43ieH9WZeP7QxN/G/jS4jfqUkZxoryvJgVPEcrl5NL/ggHsSmLMHuH64Lhg==} + engines: {node: '>=4'} + dev: false + + /uri-js/4.2.2: + resolution: {integrity: sha512-KY9Frmirql91X2Qgjry0Wd4Y+YTdrdZheS8TFwvkbLWf/G5KNJDCh6pKL5OZctEW4+0Baa5idK2ZQuELRwPznQ==} + dependencies: + punycode: 2.1.1 + dev: false + optional: true + + /urix/0.1.0: + resolution: {integrity: sha1-2pN/emLiH+wf0Y1Js1wpNQZ6bHI=} + dev: false + + /url-parse/1.4.7: + resolution: {integrity: sha512-d3uaVyzDB9tQoSXFvuSUNFibTd9zxd2bkVrDRvF5TmvWWQwqE4lgYJ5m+x1DbecWkw+LK4RNl2CU1hHuOKPVlg==} + dependencies: + querystringify: 2.1.1 + requires-port: 1.0.0 + dev: false + optional: true + + /use/3.1.1: + resolution: {integrity: sha512-cwESVXlO3url9YWlFW/TA9cshCEhtu7IKJ/p5soJ/gGpj7vbvFrAY/eIioQ6Dw23KjZhYgiIo8HOs1nQ2vr/oQ==} + engines: {node: '>=0.10.0'} + dev: false + + /useragent/2.2.1: + resolution: {integrity: sha1-z1k+9PLRdYdei7ZY6pLhik/QbY4=} + dependencies: + lru-cache: 2.2.4 + tmp: 0.0.33 + dev: false + + /util-deprecate/1.0.2: + resolution: {integrity: sha1-RQ1Nyfpw3nMnYvvS1KKJgUGaDM8=} + dev: false + + /utils-merge/1.0.1: + resolution: {integrity: sha1-n5VxD1CiZ5R7LMwSR0HBAoQn5xM=} + engines: {node: '>= 0.4.0'} + dev: false + + /uuid/3.3.3: + resolution: {integrity: sha512-pW0No1RGHgzlpHJO1nsVrHKpOEIxkGg1xB+v0ZmdNH5OAeAwzAVrCnI2/6Mtx+Uys6iaylxa+D3g4j63IKKjSQ==} + hasBin: true + dev: false + optional: true + + /uws/9.14.0: + resolution: {integrity: sha512-HNMztPP5A1sKuVFmdZ6BPVpBQd5bUjNC8EFMFiICK+oho/OQsAJy5hnIx4btMHiOk8j04f/DbIlqnEZ9d72dqg==} + engines: {node: '>=4'} + deprecated: New code is available at 
github.com/uNetworking/uWebSockets.js + requiresBuild: true + dev: false + optional: true + + /verror/1.10.0: + resolution: {integrity: sha1-OhBcoXBTr1XW4nDB+CiGguGNpAA=} + engines: {'0': node >=0.6.0} + dependencies: + assert-plus: 1.0.0 + core-util-is: 1.0.2 + extsprintf: 1.3.0 + dev: false + optional: true + + /void-elements/2.0.1: + resolution: {integrity: sha1-wGavtYK7HLQSjWDqkjkulNXp2+w=} + engines: {node: '>=0.10.0'} + dev: false + + /when/3.7.8: + resolution: {integrity: sha1-xxMLan6gRpPoQs3J56Hyqjmjn4I=} + dev: false + optional: true + + /wide-align/1.1.3: + resolution: {integrity: sha512-QGkOQc8XL6Bt5PwnsExKBPuMKBxnGxWWW3fU55Xt4feHozMUhdUMaBCk290qpm/wG5u/RSKzwdAC4i51YigihA==} + dependencies: + string-width: 1.0.2 + dev: false + optional: true + + /with-callback/1.0.2: + resolution: {integrity: sha1-oJYpuakgAo1yFAT7Q1vc/1yRvCE=} + engines: {node: '>=4'} + dev: false + optional: true + + /word-wrap/1.2.3: + resolution: {integrity: sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==} + engines: {node: '>=0.10.0'} + dev: false + optional: true + + /wordwrap/0.0.3: + resolution: {integrity: sha1-o9XabNXAvAAI03I0u68b7WMFkQc=} + engines: {node: '>=0.4.0'} + dev: false + + /wrappy/1.0.2: + resolution: {integrity: sha1-tSQ9jz7BqjXxNkYFvA0QNuMKtp8=} + dev: false + + /ws/3.3.3: + resolution: {integrity: sha512-nnWLa/NwZSt4KQJu51MYlCcSQ5g7INpOrOMt4XV8j4dqTXdmlUmSHQ8/oLC069ckre0fRsgfvsKwbTdtKLCDkA==} + dependencies: + async-limiter: 1.0.1 + safe-buffer: 5.1.2 + ultron: 1.1.1 + dev: false + + /xmlhttprequest-ssl/1.5.5: + resolution: {integrity: sha1-wodrBhaKrcQOV9l+gRkayPQ5iz4=} + engines: {node: '>=0.4.0'} + dev: false + + /xregexp/2.0.0: + resolution: {integrity: sha1-UqY+VsoLhKfzpfPWGHLxJq16WUM=} + dev: false + optional: true + + /xtend/4.0.2: + resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==} + engines: {node: '>=0.4'} + dev: false + optional: true + 
+ /yallist/2.1.2: + resolution: {integrity: sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=} + dev: false + optional: true + + /yallist/3.1.1: + resolution: {integrity: sha512-a4UGQaWPH59mOXUYnAG2ewncQS4i4F43Tv3JoAM+s2VDAmS9NsK8GpDMLrCHPksFT7h3K6TOoUNn2pb7RoXx4g==} + dev: false + optional: true + + /yeast/0.1.2: + resolution: {integrity: sha1-AI4G2AlDIMNy28L47XagymyKxBk=} + dev: false diff --git a/packages/plugin-commands-licenses/test/fixtures/pnpm-workspace.yaml b/packages/plugin-commands-licenses/test/fixtures/pnpm-workspace.yaml new file mode 100644 index 00000000000..9a3cd4defa9 --- /dev/null +++ b/packages/plugin-commands-licenses/test/fixtures/pnpm-workspace.yaml @@ -0,0 +1 @@ +# This file is only created so that tests don't look up the pnpm-workspace.yaml in the root diff --git a/packages/plugin-commands-licenses/test/index.ts b/packages/plugin-commands-licenses/test/index.ts new file mode 100644 index 00000000000..992cf4e0038 --- /dev/null +++ b/packages/plugin-commands-licenses/test/index.ts 
@@ -0,0 +1,117 @@
+import path from 'path'
+import { audit } from '@pnpm/plugin-commands-audit'
+import nock from 'nock'
+import stripAnsi from 'strip-ansi'
+import * as responses from './utils/responses'
+
+const registries = {
+ default: 'https://registry.npmjs.org/',
+}
+
+test('audit', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.ALL_VULN_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ registries,
+ })
+ expect(exitCode).toBe(1)
+ expect(stripAnsi(output)).toMatchSnapshot()
+})
+
+test('audit --dev', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.DEV_VULN_ONLY_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ dev: true,
+ production: false,
+ registries,
+ })
+
+ expect(exitCode).toBe(1)
+ expect(stripAnsi(output)).toMatchSnapshot()
+})
+
+test('audit --audit-level', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.ALL_VULN_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ auditLevel: 'moderate',
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ registries,
+ })
+
+ expect(exitCode).toBe(1)
+ expect(stripAnsi(output)).toMatchSnapshot()
+})
+
+test('audit: no vulnerabilities', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.NO_VULN_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ dir: path.join(__dirname, '../../../fixtures/has-outdated-deps'),
+ registries,
+ })
+
+ expect(stripAnsi(output)).toBe('No known vulnerabilities found\n')
+ expect(exitCode).toBe(0)
+})
+
+test('audit --json', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.ALL_VULN_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ json: true,
+ registries,
+ })
+
+ const json = JSON.parse(output)
+ expect(json.metadata).toBeTruthy()
+ expect(exitCode).toBe(1)
+})
+
+test.skip('audit does not exit with code 1 if the found vulnerabilities are having lower severity then what we asked for', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(200, responses.DEV_VULN_ONLY_RESP)
+
+ const { output, exitCode } = await audit.handler({
+ auditLevel: 'high',
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ dev: true,
+ registries,
+ })
+
+ expect(exitCode).toBe(0)
+ expect(stripAnsi(output)).toBe(`1 vulnerabilities found
+Severity: 1 moderate`)
+})
+
+test('audit does not exit with code 1 if the registry responds with a non-200 reponse and ignoreRegistryErrors is used', async () => {
+ nock(registries.default)
+ .post('/-/npm/v1/security/audits')
+ .reply(500, { message: 'Something bad happened' })
+ const { output, exitCode } = await audit.handler({
+ dir: path.join(__dirname, 'fixtures/has-vulnerabilities'),
+ dev: true,
+ fetchRetries: 0,
+ ignoreRegistryErrors: true,
+ production: false,
+ registries,
+ })
+
+ expect(exitCode).toBe(0)
+ expect(stripAnsi(output)).toBe(`The audit endpoint (at ${registries.default}-/npm/v1/security/audits) responded with 500: {"message":"Something bad happened"}`)
+})
diff --git a/packages/plugin-commands-licenses/test/utils/responses/all-vulnerabilities-response.json b/packages/plugin-commands-licenses/test/utils/responses/all-vulnerabilities-response.json
new file mode 100644
index 00000000000..89c5fffd71f
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/utils/responses/all-vulnerabilities-response.json
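Review bot: Every test in the new `packages/plugin-commands-licenses/test/index.ts` calls `audit.handler`, brought in by `import { audit } from '@pnpm/plugin-commands-audit'`, so the `licenses` command this commit introduces is never exercised and the license compliance report ships without coverage. The import should point at this package's own handler (exported from `src/index.ts` per the diffstat; its name is not visible in this hunk), and the assertions should check the report's package and license output rather than mocked `/-/npm/v1/security/audits` responses. The `test.skip(...)` severity-threshold case and the `has-vulnerabilities` fixture look like leftovers from the audit plugin and can presumably be dropped or replaced with a fixture whose licenses are known. A compliance check whose tests pass without running it gives false assurance, so at least one case should pin the exit code and output for a fixture with a known license set.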
@@ -0,0 +1,1969 @@ +{ + "actions": [ + { + "action": "update", + "resolves": [ + { + "id": 1005586, + "path": ".>karma>http-proxy", + "dev": false, + "optional": false, + "bundled": false + } + ], + "module": "http-proxy", + "target": "1.18.1", + "depth": 3 + }, + { + "action": "update", + "resolves": [ + { + "id": 1006110, + "path": ".>karma>chokidar>anymatch>micromatch>kind-of", + "dev": false, + "optional": false, + "bundled": false + } + ], + "module": "kind-of", + "target": "6.0.3", + "depth": 6 + }, + { + "action": "update", + "resolves": [ + { + "id": 1006724, + "path": ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema", + "dev": false, + "optional": false, + "bundled": false + } + ], + "module": "jsprim", + "target": "1.4.2", + "depth": 7 + }, + { + "action": "update", + "resolves": [ + { + "id": 1006865, + "path": ".>karma>http-proxy>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1007026, + "path": ".>karma>http-proxy>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + } + ], + "module": "follow-redirects", + "target": "1.14.9", + "depth": 4 + }, + { + "action": "update", + "resolves": [ + { + "id": 1006948, + "path": ".>karma>lodash", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006949, + "path": ".>karma>lodash", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006952, + "path": ".>karma>lodash", + "dev": false, + "optional": false, + "bundled": false + } + ], + "module": "lodash", + "target": "4.17.21", + "depth": 3 + }, + { + "action": "review", + "module": "jsonpointer", + "resolves": [ + { + "id": 1004869, + "path": ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "axios", + "resolves": [ + { + "id": 1005018, + "path": ".>axios", + "dev": false, + "optional": false, + 
"bundled": false + }, + { + "id": 1005506, + "path": ".>axios", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006349, + "path": ".>axios", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "tar", + "resolves": [ + { + "id": 1005040, + "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1005043, + "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1005046, + "path": ".>karma>chokidar>fsevents>node-pre-gyp>tar", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "pac-resolver", + "resolves": [ + { + "id": 1005062, + "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "url-parse", + "resolves": [ + { + "id": 1005084, + "path": ".>karma>log4js>amqplib>url-parse", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1005404, + "path": ".>karma>log4js>amqplib>url-parse", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1007030, + "path": ".>karma>log4js>amqplib>url-parse", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "socket.io-parser", + "resolves": [ + { + "id": 1005107, + "path": ".>karma>socket.io>socket.io-parser", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "xmlhttprequest-ssl", + "resolves": [ + { + "id": 1005175, + "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1005260, + "path": ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl", + "dev": false, + 
"optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "redis", + "resolves": [ + { + "id": 1005277, + "path": ".>karma>log4js>redis", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "nodemailer", + "resolves": [ + { + "id": 1005307, + "path": ".>karma>log4js>nodemailer", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006788, + "path": ".>karma>log4js>nodemailer", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "underscore", + "resolves": [ + { + "id": 1005367, + "path": ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "netmask", + "resolves": [ + { + "id": 1005392, + "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006822, + "path": ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "socket.io", + "resolves": [ + { + "id": 1005490, + "path": ".>karma>socket.io", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "bl", + "resolves": [ + { + "id": 1005563, + "path": ".>karma>log4js>loggly>request>bl", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "timespan", + "resolves": [ + { + "id": 1005745, + "path": ".>karma>log4js>loggly>timespan", + "dev": false, + "bundled": false, + "optional": false + } + ] + }, + { + "action": "review", + "module": "sync-exec", + "resolves": [ + { + "id": 1005902, + "path": ".>sync-exec", + "dev": false, + "bundled": false, + "optional": false + } + ] + }, + { 
+ "action": "review", + "module": "minimist", + "resolves": [ + { + "id": 1006180, + "path": ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006180, + "path": ".>karma>optimist>minimist", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "braces", + "resolves": [ + { + "id": 1006342, + "path": ".>karma>expand-braces>braces", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006837, + "path": ".>karma>expand-braces>braces", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "tunnel-agent", + "resolves": [ + { + "id": 1006373, + "path": ".>karma>log4js>loggly>request>tunnel-agent", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "cryptiles", + "resolves": [ + { + "id": 1006603, + "path": ".>karma>log4js>loggly>request>hawk>cryptiles", + "dev": false, + "bundled": false, + "optional": false + } + ] + }, + { + "action": "review", + "module": "hoek", + "resolves": [ + { + "id": 1006659, + "path": ".>karma>log4js>loggly>request>hawk>hoek", + "dev": false, + "bundled": false, + "optional": false + } + ] + }, + { + "action": "review", + "module": "follow-redirects", + "resolves": [ + { + "id": 1006865, + "path": ".>axios>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1007026, + "path": ".>axios>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "log4js", + "resolves": [ + { + "id": 1006902, + "path": ".>karma>log4js", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "glob-parent", + "resolves": [ + { + "id": 1006947, + "path": ".>karma>chokidar>glob-parent", + "dev": false, + "optional": false, + "bundled": false + } + ] + 
}, + { + "action": "review", + "module": "engine.io", + "resolves": [ + { + "id": 1006975, + "path": ".>karma>socket.io>engine.io", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "karma", + "resolves": [ + { + "id": 1006997, + "path": ".>karma", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "ajv", + "resolves": [ + { + "id": 1007017, + "path": ".>karma>log4js>hipchat-notifier>request>har-validator>ajv", + "dev": false, + "optional": false, + "bundled": false + } + ] + } + ], + "advisories": { + "1004869": { + "findings": [ + { + "version": "4.0.1", + "paths": [ + ".>karma>log4js>loggly>request>har-validator>is-my-json-valid>jsonpointer" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<5.0.0", + "module_name": "jsonpointer", + "severity": "moderate", + "github_advisory_id": "GHSA-282f-qqgm-c34q", + "cves": [ + "CVE-2021-23807" + ], + "access": "public", + "patched_versions": ">=5.0.0", + "updated": "2021-11-04T16:58:08.000Z", + "recommendation": "Upgrade to version 5.0.0 or later", + "cwe": "CWE-843", + "found_by": null, + "deleted": null, + "id": 1004869, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23807\n- https://github.com/janl/node-jsonpointer/pull/51\n- https://github.com/janl/node-jsonpointer/commit/a0345f3550cd9c4d89f33b126390202b89510ad4\n- https://snyk.io/vuln/SNYK-JS-JSONPOINTER-1577288\n- https://github.com/advisories/GHSA-282f-qqgm-c34q", + "created": "2021-11-18T16:00:48.459Z", + "reported_by": null, + "title": "Prototype Pollution in node-jsonpointer", + "npm_advisory_id": null, + "overview": "This affects the package `jsonpointer` before `5.0.0`. 
A type confusion vulnerability can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays.", + "url": "https://github.com/advisories/GHSA-282f-qqgm-c34q" + }, + "1005018": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.21.1", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-cph5-m8f7-6c5x", + "cves": [ + "CVE-2021-3749" + ], + "access": "public", + "patched_versions": ">=0.21.2", + "updated": "2021-09-08T16:46:47.000Z", + "recommendation": "Upgrade to version 0.21.2 or later", + "cwe": "CWE-697", + "found_by": null, + "deleted": null, + "id": 1005018, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3749\n- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929\n- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31\n- https://www.npmjs.com/package/axios\n- https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E\n- 
https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-cph5-m8f7-6c5x", + "created": "2021-11-18T16:00:48.489Z", + "reported_by": null, + "title": "Incorrect Comparison in axios", + "npm_advisory_id": null, + "overview": "axios is vulnerable to Inefficient Regular Expression Complexity", + "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x" + }, + "1005040": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.4.18", + "module_name": "tar", + "severity": "high", + "github_advisory_id": "GHSA-5955-9wpr-37jh", + "cves": [ + "CVE-2021-37713" + ], + "access": "public", + "patched_versions": ">=4.4.18", + "updated": "2021-08-31T16:02:33.000Z", + "recommendation": "Upgrade to version 4.4.18 or later", + "cwe": "CWE-22", + "found_by": null, + "deleted": null, + "id": 1005040, + "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37713\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://github.com/advisories/GHSA-5955-9wpr-37jh", + "created": "2021-11-18T16:00:48.492Z", + "reported_by": null, + "title": "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization", + "npm_advisory_id": null, + "overview": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. 
This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain `..` path portions, and resolving the sanitized paths against the extraction target directory.\n\nThis logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as `C:some\\path`. If the drive letter does not match the extraction target, for example `D:\\extraction\\dir`, then the result of `path.resolve(extractionDirectory, entryPath)` would resolve against the current working directory on the `C:` drive, rather than the extraction target directory.\n\nAdditionally, a `..` portion of the path could occur immediately after the drive letter, such as `C:../foo`, and was not properly sanitized by the logic that checked for `..` within the normalized and split portions of the path.\n\nThis only affects users of `node-tar` on Windows systems.\n\n### Patches\n\n4.4.18 || 5.0.10 || 6.1.9\n\n### Workarounds\n\nThere is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does.\n\nUsers are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.\n\n### Fix\n\nThe fixed versions strip path roots from all paths prior to being resolved against the extraction target folder, even if such paths are not \"absolute\".\n\nAdditionally, a path starting with a drive letter and then two dots, like `c:../`, would bypass the check for `..` path portions. This is checked properly in the patched versions.\n\nFinally, a defense in depth check is added, such that if the `entry.absolute` is outside of the extraction taret, and we are not in preservePaths:true mode, a warning is raised on that entry, and it is skipped. 
Currently, it is believed that this check is redundant, but it did catch some oversights in development.\n", + "url": "https://github.com/advisories/GHSA-5955-9wpr-37jh" + }, + "1005043": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.4.18", + "module_name": "tar", + "severity": "high", + "github_advisory_id": "GHSA-qq89-hq3f-393p", + "cves": [ + "CVE-2021-37712" + ], + "access": "public", + "patched_versions": ">=4.4.18", + "updated": "2021-08-31T16:02:05.000Z", + "recommendation": "Upgrade to version 4.4.18 or later", + "cwe": "CWE-22", + "found_by": null, + "deleted": null, + "id": 1005043, + "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37712\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://github.com/advisories/GHSA-qq89-hq3f-393p", + "created": "2021-11-18T16:00:48.493Z", + "reported_by": null, + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "npm_advisory_id": null, + "overview": "### Impact\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\nnode-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained two directories and a symlink with names containing unicode values that normalized to the same value. 
Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 \"short path\" counterparts. A specially crafted tar archive could thus include directories with two forms of the path that resolve to the same file system entity, followed by a symbolic link with a name in the first form, lastly followed by a file using the second form. It led to bypassing node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. If this is not possible, a workaround is available below.\n\n### Patches\n\n6.1.9 || 5.0.10 || 4.4.18\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n#### Fix\n\nThe problem is addressed in the following ways, when comparing paths in the directory cache and path reservation systems:\n\n1. The `String.normalize('NFKD')` method is used to first normalize all unicode to its maximally compatible and multi-code-point form.\n2. All slashes are normalized to `/` on Windows systems (on posix systems, `\\` is a valid filename character, and thus left intact).\n3. When a symbolic link is encountered on Windows systems, the entire directory cache is cleared. 
Collisions related to use of 8.3 short names to replace directories with other (non-symlink) types of entries may make archives fail to extract properly, but will not result in arbitrary file writes.\n", + "url": "https://github.com/advisories/GHSA-qq89-hq3f-393p" + }, + "1005046": { + "findings": [ + { + "version": "4.4.15", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>tar" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.4.16", + "module_name": "tar", + "severity": "high", + "github_advisory_id": "GHSA-9r2w-394v-53qc", + "cves": [ + "CVE-2021-37701" + ], + "access": "public", + "patched_versions": ">=4.4.16", + "updated": "2021-08-31T16:01:51.000Z", + "recommendation": "Upgrade to version 4.4.16 or later", + "cwe": "CWE-22", + "found_by": null, + "deleted": null, + "id": 1005046, + "references": "- https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc\n- https://www.npmjs.com/package/tar\n- https://nvd.nist.gov/vuln/detail/CVE-2021-37701\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.debian.org/security/2021/dsa-5008\n- https://github.com/advisories/GHSA-9r2w-394v-53qc", + "created": "2021-11-18T16:00:48.493Z", + "reported_by": null, + "title": "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", + "npm_advisory_id": null, + "overview": "### Impact\n\nArbitrary File Creation, Arbitrary File Overwrite, Arbitrary Code Execution\n\n`node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. 
Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created.\n\nThis logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both `\\` and `/` characters as path separators, however `\\` is a valid filename character on posix systems.\n\nBy first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite.\n\nAdditionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at `FOO`, followed by a symbolic link named `foo`, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but _not_ from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the `FOO` directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. \n\nThese issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7.\n\nThe v3 branch of `node-tar` has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of `node-tar`. 
If this is not possible, a workaround is available below.\n\n### Patches\n\n4.4.16 || 5.0.8 || 6.1.7\n\n### Workarounds\n\nUsers may work around this vulnerability without upgrading by creating a custom filter method which prevents the extraction of symbolic links.\n\n```js\nconst tar = require('tar')\n\ntar.x({\n file: 'archive.tgz',\n filter: (file, entry) => {\n if (entry.type === 'SymbolicLink') {\n return false\n } else {\n return true\n }\n }\n})\n```\n\nUsers are encouraged to upgrade to the latest patched versions, rather than attempt to sanitize tar input themselves.\n\n### Fix\n\nThe problem is addressed in the following ways:\n\n1. All paths are normalized to use `/` as a path separator, replacing `\\` with `/` on Windows systems, and leaving `\\` intact in the path on posix systems. This is performed in depth, at every level of the program where paths are consumed.\n2. Directory cache pruning is performed case-insensitively. This _may_ result in undue cache misses on case-sensitive file systems, but the performance impact is negligible.\n\n#### Caveat\n\nNote that this means that the `entry` objects exposed in various parts of tar's API will now always use `/` as a path separator, even on Windows systems. 
This is not expected to cause problems, as `/` is a valid path separator on Windows systems, but _may_ result in issues if `entry.path` is compared against a path string coming from some other API such as `fs.realpath()` or `path.resolve()`.\n\nUsers are encouraged to always normalize paths using a well-tested method such as `path.resolve()` before comparing paths to one another.", + "url": "https://github.com/advisories/GHSA-9r2w-394v-53qc" + }, + "1005062": { + "findings": [ + { + "version": "3.0.0", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<5.0.0", + "module_name": "pac-resolver", + "severity": "high", + "github_advisory_id": "GHSA-9j49-mfvp-vmhm", + "cves": [ + "CVE-2021-23406" + ], + "access": "public", + "patched_versions": ">=5.0.0", + "updated": "2021-08-25T19:28:31.000Z", + "recommendation": "Upgrade to version 5.0.0 or later", + "cwe": "CWE-94", + "found_by": null, + "deleted": null, + "id": 1005062, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23406\n- https://github.com/TooTallNate/node-degenerator/commit/9d25bb67d957bc2e5425fea7bf7a58b3fc64ff9e\n- https://github.com/TooTallNate/node-degenerator/commit/ccc3445354135398b6eb1a04c7d27c13b833f2d5\n- https://github.com/TooTallNate/node-pac-resolver/releases/tag/5.0.0\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1568506\n- https://snyk.io/vuln/SNYK-JS-PACRESOLVER-1564857\n- https://github.com/advisories/GHSA-9j49-mfvp-vmhm", + "created": "2021-11-18T16:00:48.495Z", + "reported_by": null, + "title": "Code Injection in pac-resolver", + "npm_advisory_id": null, + "overview": "This affects the package pac-resolver before 5.0.0. This can occur when used with untrusted input, due to unsafe PAC file handling. 
**NOTE:** The fix for this vulnerability is applied in the node-degenerator library, a dependency written by the same maintainer.", + "url": "https://github.com/advisories/GHSA-9j49-mfvp-vmhm" + }, + "1005084": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.5.2", + "module_name": "url-parse", + "severity": "moderate", + "github_advisory_id": "GHSA-hh27-ffr2-f2jc", + "cves": [ + "CVE-2021-3664" + ], + "access": "public", + "patched_versions": ">=1.5.2", + "updated": "2021-08-02T21:28:22.000Z", + "recommendation": "Upgrade to version 1.5.2 or later", + "cwe": "CWE-601", + "found_by": null, + "deleted": null, + "id": 1005084, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3664\n- https://github.com/unshiftio/url-parse/issues/205\n- https://github.com/unshiftio/url-parse/issues/206\n- https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0\n- https://huntr.dev/bounties/1625557993985-unshiftio/url-parse\n- https://github.com/advisories/GHSA-hh27-ffr2-f2jc", + "created": "2021-11-18T16:00:48.498Z", + "reported_by": null, + "title": "Open redirect in url-parse", + "npm_advisory_id": null, + "overview": "# Overview\n\nAffected versions of npm `url-parse` are vulnerable to URL Redirection to Untrusted Site.\n\n# Impact\n\nDepending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.", + "url": "https://github.com/advisories/GHSA-hh27-ffr2-f2jc" + }, + "1005107": { + "findings": [ + { + "version": "3.1.3", + "paths": [ + ".>karma>socket.io>socket.io-parser" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<3.3.2", + "module_name": "socket.io-parser", + "severity": "high", + "github_advisory_id": "GHSA-xfhh-g9f5-x4m4", + "cves": [ + "CVE-2020-36049" + ], + "access": "public", + "patched_versions": ">=3.3.2", + "updated": 
"2021-06-30T16:54:43.000Z", + "recommendation": "Upgrade to version 3.3.2 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1005107, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36049\n- https://github.com/socketio/socket.io-parser/commit/dcb942d24db97162ad16a67c2a0cf30875342d55\n- https://blog.caller.xyz/socketio-engineio-dos/\n- https://github.com/bcaller/kill-engine-io\n- https://github.com/socketio/socket.io-parser/releases/tag/3.3.2\n- https://github.com/socketio/socket.io-parser/releases/tag/3.4.1\n- https://www.npmjs.com/package/socket.io-parser\n- https://github.com/advisories/GHSA-xfhh-g9f5-x4m4", + "created": "2021-11-18T16:00:48.501Z", + "reported_by": null, + "title": "Resource exhaustion in socket.io-parser", + "npm_advisory_id": null, + "overview": "The `socket.io-parser` npm package before versions 3.3.2 and 3.4.1 allows attackers to cause a denial of service (memory consumption) via a large packet because a concatenation approach is used.", + "url": "https://github.com/advisories/GHSA-xfhh-g9f5-x4m4" + }, + "1005175": { + "findings": [ + { + "version": "1.5.5", + "paths": [ + ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.6.1", + "module_name": "xmlhttprequest-ssl", + "severity": "critical", + "github_advisory_id": "GHSA-72mh-269x-7mh5", + "cves": [ + "CVE-2021-31597" + ], + "access": "public", + "patched_versions": ">=1.6.1", + "updated": "2021-05-20T21:59:29.000Z", + "recommendation": "Upgrade to version 1.6.1 or later", + "cwe": "CWE-295", + "found_by": null, + "deleted": null, + "id": 1005175, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-31597\n- https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2\n- https://github.com/mjwwit/node-XMLHttpRequest/compare/v1.6.0...1.6.1\n- https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt\n- 
https://security.netapp.com/advisory/ntap-20210618-0004/\n- https://github.com/advisories/GHSA-72mh-269x-7mh5", + "created": "2021-11-18T16:00:48.519Z", + "reported_by": null, + "title": "Improper Certificate Validation in xmlhttprequest-ssl", + "npm_advisory_id": null, + "overview": "The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.", + "url": "https://github.com/advisories/GHSA-72mh-269x-7mh5" + }, + "1005260": { + "findings": [ + { + "version": "1.5.5", + "paths": [ + ".>karma>socket.io>socket.io-client>engine.io-client>xmlhttprequest-ssl" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.6.2", + "module_name": "xmlhttprequest-ssl", + "severity": "high", + "github_advisory_id": "GHSA-h4j5-c7cj-74xg", + "cves": [ + "CVE-2020-28502" + ], + "access": "public", + "patched_versions": ">=1.6.2", + "updated": "2021-05-04T18:00:49.000Z", + "recommendation": "Upgrade to version 1.6.2 or later", + "cwe": "CWE-94", + "found_by": null, + "deleted": null, + "id": 1005260, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28502\n- https://github.com/driverdan/node-XMLHttpRequest/commit/983cfc244c7567ad6a59e366e55a8037e0497fe6\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js#L480\n- https://github.com/driverdan/node-XMLHttpRequest/blob/1.6.0/lib/XMLHttpRequest.js%23L480\n- https://github.com/mjwwit/node-XMLHttpRequest/blob/ae38832a0f1347c5e96dda665402509a3458e302/lib/XMLHttpRequest.js#L531\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082937\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1082938\n- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUEST-1082935\n- https://snyk.io/vuln/SNYK-JS-XMLHTTPREQUESTSSL-1082936\n- 
https://github.com/mjwwit/node-XMLHttpRequest/commit/ee1e81fc67729c7c0eba5537ed7fe1e30a6b3291\n- https://github.com/advisories/GHSA-h4j5-c7cj-74xg", + "created": "2021-11-18T16:00:48.526Z", + "reported_by": null, + "title": "Arbitrary Code Injection", + "npm_advisory_id": null, + "overview": "This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.", + "url": "https://github.com/advisories/GHSA-h4j5-c7cj-74xg" + }, + "1005277": { + "findings": [ + { + "version": "2.8.0", + "paths": [ + ".>karma>log4js>redis" + ] + } + ], + "metadata": null, + "vulnerable_versions": ">=2.6.0 <3.1.1", + "module_name": "redis", + "severity": "low", + "github_advisory_id": "GHSA-35q2-47q7-3pc3", + "cves": [ + "CVE-2021-29469" + ], + "access": "public", + "patched_versions": ">=3.1.1", + "updated": "2021-04-23T18:11:39.000Z", + "recommendation": "Upgrade to version 3.1.1 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1005277, + "references": "- https://github.com/NodeRedis/node-redis/security/advisories/GHSA-35q2-47q7-3pc3\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29469\n- https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e\n- https://github.com/NodeRedis/node-redis/releases/tag/v3.1.1\n- https://security.netapp.com/advisory/ntap-20210611-0010/\n- https://github.com/advisories/GHSA-35q2-47q7-3pc3", + "created": "2021-11-18T16:00:48.528Z", + "reported_by": null, + "title": "Potential exponential regex in monitor mode", + "npm_advisory_id": null, + "overview": "### Impact\nWhen a client is in monitoring mode, the regex begin used to detected monitor messages could cause exponential backtracking on some strings. 
This issue could lead to a denial of service.\n\n### Patches\nThe problem was fixed in commit [`2d11b6d`](https://github.com/NodeRedis/node-redis/commit/2d11b6dc9b9774464a91fb4b448bad8bf699629e) and was released in version `3.1.1`.\n\n### References\n#1569 (GHSL-2021-026)", + "url": "https://github.com/advisories/GHSA-35q2-47q7-3pc3" + }, + "1005307": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<6.4.16", + "module_name": "nodemailer", + "severity": "critical", + "github_advisory_id": "GHSA-48ww-j4fc-435p", + "cves": [ + "CVE-2020-7769" + ], + "access": "public", + "patched_versions": ">=6.4.16", + "updated": "2021-04-19T22:42:20.000Z", + "recommendation": "Upgrade to version 6.4.16 or later", + "cwe": "CWE-88", + "found_by": null, + "deleted": null, + "id": 1005307, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-7769\n- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834\n- https://www.npmjs.com/package/nodemailer\n- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75\n- https://github.com/advisories/GHSA-48ww-j4fc-435p", + "created": "2021-11-18T16:00:48.531Z", + "reported_by": null, + "title": "Command injection in nodemailer", + "npm_advisory_id": null, + "overview": "This affects the package nodemailer before 6.4.16. 
Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.", + "url": "https://github.com/advisories/GHSA-48ww-j4fc-435p" + }, + "1005367": { + "findings": [ + { + "version": "1.7.0", + "paths": [ + ".>karma>log4js>nodemailer>nodemailer-direct-transport>smtp-connection>httpntlm>underscore" + ] + } + ], + "metadata": null, + "vulnerable_versions": ">=1.3.2 <1.12.1", + "module_name": "underscore", + "severity": "high", + "github_advisory_id": "GHSA-cf4h-3jhx-xvhq", + "cves": [ + "CVE-2021-23358" + ], + "access": "public", + "patched_versions": ">=1.12.1", + "updated": "2021-03-31T21:59:01.000Z", + "recommendation": "Upgrade to version 1.12.1 or later", + "cwe": "CWE-94", + "found_by": null, + "deleted": null, + "id": 1005367, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23358\n- https://github.com/jashkenas/underscore/pull/2917\n- https://github.com/jashkenas/underscore/commit/4c73526d43838ad6ab43a6134728776632adeb66\n- https://github.com/jashkenas/underscore/releases/tag/1.12.1\n- https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984\n- https://www.npmjs.com/package/underscore\n- https://github.com/jashkenas/underscore/blob/master/modules/template.js%23L71\n- https://lists.debian.org/debian-lts-announce/2021/03/msg00038.html\n- https://www.debian.org/security/2021/dsa-4883\n- https://lists.apache.org/thread.html/r5df90c46f7000c4aab246e947f62361ecfb849c5a553dcdb0ef545e1@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/r770f910653772317b117ab4472b0a32c266ee4abbafda28b8a6f9306@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/raae088abdfa4fbd84e1d19d7a7ffe52bf8e426b83e6599ea9a734dba@%3Cissues.cordova.apache.org%3E\n- https://lists.apache.org/thread.html/rbc84926bacd377503a3f5c37b923c1931f9d343754488d94e6f08039@%3Cissues.cordova.apache.org%3E\n- 
https://lists.apache.org/thread.html/re69ee408b3983b43e9c4a82a9a17cbbf8681bb91a4b61b46f365aeaf@%3Cissues.cordova.apache.org%3E\n- https://www.tenable.com/security/tns-2021-14\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EOKATXXETD2PF3OR36Q5PD2VSVAR6J5Z/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FGEE7U4Z655A2MK5EW4UQQZ7B64XJWBV/\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503\n- https://github.com/advisories/GHSA-cf4h-3jhx-xvhq", + "created": "2021-11-18T16:00:48.535Z", + "reported_by": null, + "title": "Arbitrary Code Execution in underscore", + "npm_advisory_id": null, + "overview": "The package `underscore` from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument as it is not sanitized.", + "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq" + }, + "1005392": { + "findings": [ + { + "version": "1.0.6", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<2.0.1", + "module_name": "netmask", + "severity": "moderate", + "github_advisory_id": "GHSA-pch5-whg9-qr2r", + "cves": [ + "CVE-2021-29418" + ], + "access": "public", + "patched_versions": ">=2.0.1", + "updated": "2021-03-29T21:31:25.000Z", + "recommendation": "Upgrade to version 2.0.1 or later", + "cwe": "CWE-20", + "found_by": null, + "deleted": null, + "id": 1005392, + "references": "- https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4\n- https://sick.codes/sick-2021-011\n- 
https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918/\n- https://www.npmjs.com/package/netmask\n- https://nvd.nist.gov/vuln/detail/CVE-2021-29418\n- https://vuln.ryotak.me/advisories/6\n- https://security.netapp.com/advisory/ntap-20210604-0001/\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r", + "created": "2021-11-18T16:00:48.537Z", + "reported_by": null, + "title": "netmask npm package vulnerable to octal input data", + "npm_advisory_id": null, + "overview": "The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.", + "url": "https://github.com/advisories/GHSA-pch5-whg9-qr2r" + }, + "1005404": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.5.0", + "module_name": "url-parse", + "severity": "high", + "github_advisory_id": "GHSA-9m6j-fcg5-2442", + "cves": [ + "CVE-2021-27515" + ], + "access": "public", + "patched_versions": ">=1.5.0", + "updated": "2021-03-22T21:04:52.000Z", + "recommendation": "Upgrade to version 1.5.0 or later", + "cwe": "CWE-23", + "found_by": null, + "deleted": null, + "id": 1005404, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-27515\n- https://github.com/unshiftio/url-parse/pull/197\n- https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0\n- https://github.com/unshiftio/url-parse/compare/1.4.7...1.5.0\n- https://advisory.checkmarx.net/advisory/CX-2021-4306\n- https://github.com/advisories/GHSA-9m6j-fcg5-2442", + "created": "2021-11-18T16:00:48.538Z", + "reported_by": null, + "title": "Path 
traversal in url-parse", + "npm_advisory_id": null, + "overview": "url-parse before 1.5.0 mishandles certain uses of backslash such as http:\\/ and interprets the URI as a relative path.", + "url": "https://github.com/advisories/GHSA-9m6j-fcg5-2442" + }, + "1005490": { + "findings": [ + { + "version": "2.0.4", + "paths": [ + ".>karma>socket.io" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<2.4.0", + "module_name": "socket.io", + "severity": "moderate", + "github_advisory_id": "GHSA-fxwf-4rqh-v8g3", + "cves": [ + "CVE-2020-28481" + ], + "access": "public", + "patched_versions": ">=2.4.0", + "updated": "2021-01-20T05:39:25.000Z", + "recommendation": "Upgrade to version 2.4.0 or later", + "cwe": "CWE-346", + "found_by": null, + "deleted": null, + "id": 1005490, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28481\n- https://github.com/socketio/socket.io/issues/3671\n- https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357\n- https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859\n- https://github.com/advisories/GHSA-fxwf-4rqh-v8g3", + "created": "2021-11-18T16:00:48.545Z", + "reported_by": null, + "title": "Insecure defaults due to CORS misconfiguration in socket.io", + "npm_advisory_id": null, + "overview": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. 
All domains are whitelisted by default.", + "url": "https://github.com/advisories/GHSA-fxwf-4rqh-v8g3" + }, + "1005506": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<0.21.1", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-4w2v-q235-vp99", + "cves": [ + "CVE-2020-28168" + ], + "access": "public", + "patched_versions": ">=0.21.1", + "updated": "2021-01-04T20:58:17.000Z", + "recommendation": "Upgrade to version 0.21.1 or later", + "cwe": "CWE-918", + "found_by": null, + "deleted": null, + "id": 1005506, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28168\n- https://github.com/axios/axios/issues/3369\n- https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55\n- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255\n- https://www.npmjs.com/package/axios\n- https://www.npmjs.com/advisories/1594\n- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-4w2v-q235-vp99", + "created": "2021-11-18T16:00:48.546Z", + "reported_by": null, + "title": "Server-Side Request Forgery in Axios", + "npm_advisory_id": null, + "overview": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.", + "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99" + }, + "1005563": { + "findings": [ + { + "version": "1.1.2", + "paths": [ + ".>karma>log4js>loggly>request>bl" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.2.3", 
+ "module_name": "bl", + "severity": "high", + "github_advisory_id": "GHSA-pp7h-53gx-mx7r", + "cves": [ + "CVE-2020-8244" + ], + "access": "public", + "patched_versions": ">=1.2.3", + "updated": "2020-09-08T19:01:38.000Z", + "recommendation": "Upgrade to version 1.2.3 or later", + "cwe": "CWE-125", + "found_by": null, + "deleted": null, + "id": 1005563, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-8244\n- https://github.com/rvagg/bl/commit/8a8c13c880e2bef519133ea43e0e9b78b5d0c91e\n- https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190\n- https://github.com/rvagg/bl/commit/dacc4ac7d5fcd6201bcf26fbd886951be9537466\n- https://hackerone.com/reports/966347\n- https://github.com/advisories/GHSA-pp7h-53gx-mx7r", + "created": "2021-11-18T16:00:48.550Z", + "reported_by": null, + "title": "Remote Memory Exposure in bl", + "npm_advisory_id": null, + "overview": "A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1, <2.2.1, and <1.2.3 which could allow an attacker to supply user input (even typed) that if it ends up in consume() argument and can become negative, the BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.", + "url": "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" + }, + "1005586": { + "findings": [ + { + "version": "1.18.0", + "paths": [ + ".>karma>http-proxy" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.18.1", + "module_name": "http-proxy", + "severity": "high", + "github_advisory_id": "GHSA-6x33-pw7p-hmpq", + "cves": [], + "access": "public", + "patched_versions": ">=1.18.1", + "updated": "2020-08-31T19:01:07.000Z", + "recommendation": "Upgrade to version 1.18.1 or later", + "cwe": "", + "found_by": null, + "deleted": null, + "id": 1005586, + "references": "- https://github.com/http-party/node-http-proxy/pull/1447/files\n- https://www.npmjs.com/advisories/1486\n- https://github.com/advisories/GHSA-6x33-pw7p-hmpq", + "created": 
"2021-11-18T16:00:48.552Z", + "reported_by": null, + "title": "Denial of Service in http-proxy", + "npm_advisory_id": null, + "overview": "Versions of `http-proxy` prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an `ERR_HTTP_HEADERS_SENT` unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the `proxyReq.setHeader` function. \n\nFor a proxy server running on `http://localhost:3000`, the following curl request triggers the unhandled exception: \n```curl -XPOST http://localhost:3000 -d \"$(python -c 'print(\"x\"*1025)')\"```\n\n\n## Recommendation\n\nUpgrade to version 1.18.1 or later", + "url": "https://github.com/advisories/GHSA-6x33-pw7p-hmpq" + }, + "1005745": { + "findings": [ + { + "version": "2.3.0", + "paths": [ + ".>karma>log4js>loggly>timespan" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=2.3.0", + "module_name": "timespan", + "severity": "low", + "github_advisory_id": "GHSA-f523-2f5j-gfcg", + "cves": [ + "CVE-2017-16115" + ], + "access": "public", + "patched_versions": "<0.0.0", + "updated": "2020-08-31T18:26:45.000Z", + "recommendation": "None", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1005745, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16115\n- https://github.com/indexzero/TimeSpan.js/issues/10\n- https://github.com/advisories/GHSA-f523-2f5j-gfcg\n- https://www.npmjs.com/advisories/533\n- https://nodesecurity.io/advisories/533", + "created": "2021-11-18T16:00:48.567Z", + "reported_by": null, + "title": "Regular Expression Denial of Service in timespan", + "npm_advisory_id": null, + "overview": "Affected versions of `timespan` are vulnerable to a regular expression denial of service when parsing dates.\n\nThe amplification for this vulnerability is significant, with 50,000 characters resulting in the event loop being blocked for around 10 seconds.\n\n\n## 
Recommendation\n\nNo direct patch is available for this vulnerability.\n\nCurrently, the best available solution is to use a functionally equivalent alternative package.\n\nIt is also sufficient to ensure that user input is not being passed into `timespan`, or that the maximum length of such user input is drastically reduced. Limiting the input length to 150 characters should be sufficient in most cases.", + "url": "https://github.com/advisories/GHSA-f523-2f5j-gfcg" + }, + "1005902": { + "findings": [ + { + "version": "0.6.2", + "paths": [ + ".>sync-exec" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.6.2", + "module_name": "sync-exec", + "severity": "moderate", + "github_advisory_id": "GHSA-38h8-x697-gh8q", + "cves": [ + "CVE-2017-16024" + ], + "access": "public", + "patched_versions": "<0.0.0", + "updated": "2020-08-31T18:18:48.000Z", + "recommendation": "None", + "cwe": "CWE-377", + "found_by": null, + "deleted": null, + "id": 1005902, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16024\n- https://github.com/gvarsanyi/sync-exec/issues/17\n- https://cwe.mitre.org/data/definitions/377.html\n- https://github.com/advisories/GHSA-38h8-x697-gh8q\n- https://www.npmjs.com/advisories/310\n- https://nodesecurity.io/advisories/310\n- https://www.owasp.org/index.php/Insecure_Temporary_File", + "created": "2021-11-18T16:00:48.581Z", + "reported_by": null, + "title": "Tmp files readable by other users in sync-exec", + "npm_advisory_id": null, + "overview": "Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. 
As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user.\n\n\n## Recommendation\n\nThere is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. \n\nThe best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.", + "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" + }, + "1006110": { + "findings": [ + { + "version": "6.0.2", + "paths": [ + ".>karma>chokidar>anymatch>micromatch>kind-of" + ] + } + ], + "metadata": null, + "vulnerable_versions": ">=6.0.0 <6.0.3", + "module_name": "kind-of", + "severity": "high", + "github_advisory_id": "GHSA-6c8f-qphg-qjgp", + "cves": [ + "CVE-2019-20149" + ], + "access": "public", + "patched_versions": ">=6.0.3", + "updated": "2020-07-01T18:33:47.000Z", + "recommendation": "Upgrade to version 6.0.3 or later", + "cwe": "CWE-668", + "found_by": null, + "deleted": null, + "id": 1006110, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-20149\n- https://github.com/jonschlinkert/kind-of/issues/30\n- https://github.com/jonschlinkert/kind-of/pull/31\n- https://github.com/jonschlinkert/kind-of/commit/1df992ce6d5a1292048e5fe9c52c5382f941ee0b\n- https://snyk.io/vuln/SNYK-JS-KINDOF-537849\n- https://www.npmjs.com/advisories/1490\n- https://github.com/advisories/GHSA-6c8f-qphg-qjgp", + "created": "2021-11-18T16:00:48.599Z", + "reported_by": null, + "title": "Validation Bypass in kind-of", + "npm_advisory_id": null, + "overview": "Versions of `kind-of` 6.x prior to 6.0.3 are vulnerable to a Validation Bypass. A maliciously crafted object can alter the result of the type check, allowing attackers to bypass the type checking validation. 
\n\n\n## Recommendation\n\nUpgrade to versions 6.0.3 or later.", + "url": "https://github.com/advisories/GHSA-6c8f-qphg-qjgp" + }, + "1006180": { + "findings": [ + { + "version": "0.0.8", + "paths": [ + ".>karma>chokidar>fsevents>node-pre-gyp>mkdirp>minimist" + ] + }, + { + "version": "0.0.10", + "paths": [ + ".>karma>optimist>minimist" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<0.2.1", + "module_name": "minimist", + "severity": "moderate", + "github_advisory_id": "GHSA-vh95-rmgr-6w4m", + "cves": [ + "CVE-2020-7598" + ], + "access": "public", + "patched_versions": ">=0.2.1", + "updated": "2020-04-03T21:42:10.000Z", + "recommendation": "Upgrade to version 0.2.1 or later", + "cwe": "CWE-915", + "found_by": null, + "deleted": null, + "id": 1006180, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-7598\n- https://github.com/substack/minimist/commit/38a4d1caead72ef99e824bb420a2528eec03d9ab\n- https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94\n- https://snyk.io/vuln/SNYK-JS-MINIMIST-559764\n- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00024.html\n- https://github.com/substack/minimist/commit/4cf1354839cb972e38496d35e12f806eea92c11f#diff-a1e0ee62c91705696ddb71aa30ad4f95\n- https://www.npmjs.com/advisories/1179\n- https://github.com/advisories/GHSA-vh95-rmgr-6w4m", + "created": "2021-11-18T16:00:48.604Z", + "reported_by": null, + "title": "Prototype Pollution in minimist", + "npm_advisory_id": null, + "overview": "Affected versions of `minimist` are vulnerable to prototype pollution. Arguments are not properly sanitized, allowing an attacker to modify the prototype of `Object`, causing the addition or modification of an existing property that will exist on all objects. \nParsing the argument `--__proto__.y=Polluted` adds a `y` property with value `Polluted` to all objects. The argument `--__proto__=Polluted` raises and uncaught error and crashes the application. 
\nThis is exploitable if attackers have control over the arguments being passed to `minimist`.\n\n\n\n## Recommendation\n\nUpgrade to versions 0.2.1, 1.2.3 or later.", + "url": "https://github.com/advisories/GHSA-vh95-rmgr-6w4m" + }, + "1006342": { + "findings": [ + { + "version": "0.1.5", + "paths": [ + ".>karma>expand-braces>braces" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<2.3.1", + "module_name": "braces", + "severity": "low", + "github_advisory_id": "GHSA-g95f-p29q-9xw4", + "cves": [], + "access": "public", + "patched_versions": ">=2.3.1", + "updated": "2019-06-06T09:40:52.000Z", + "recommendation": "Upgrade to version 2.3.1 or later", + "cwe": "CWE-185", + "found_by": null, + "deleted": null, + "id": 1006342, + "references": "- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://www.npmjs.com/advisories/786\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-g95f-p29q-9xw4", + "created": "2021-11-18T16:00:48.617Z", + "reported_by": null, + "title": "Regular Expression Denial of Service in braces", + "npm_advisory_id": null, + "overview": "Versions of `braces` prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. 
This can cause the application to be unresponsive leading to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to version 2.3.1 or higher.", + "url": "https://github.com/advisories/GHSA-g95f-p29q-9xw4" + }, + "1006349": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.18.0", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-42xw-2xvc-qx8m", + "cves": [ + "CVE-2019-10742" + ], + "access": "public", + "patched_versions": ">=0.18.1", + "updated": "2019-06-05T16:22:11.000Z", + "recommendation": "Upgrade to version 0.18.1 or later", + "cwe": "CWE-20", + "found_by": null, + "deleted": null, + "id": 1006349, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-10742\n- https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://github.com/axios/axios/issues/1098\n- https://github.com/axios/axios/pull/1485\n- https://snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://www.npmjs.com/advisories/880\n- https://github.com/advisories/GHSA-42xw-2xvc-qx8m", + "created": "2021-11-18T16:00:48.617Z", + "reported_by": null, + "title": "Denial of Service in axios", + "npm_advisory_id": null, + "overview": "Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. If a request exceeds the `maxContentLength` property, the package prints an error but does not stop the request. 
This may cause high CPU usage and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to 0.18.1 or later.", + "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m" + }, + "1006373": { + "findings": [ + { + "version": "0.4.3", + "paths": [ + ".>karma>log4js>loggly>request>tunnel-agent" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<0.6.0", + "module_name": "tunnel-agent", + "severity": "moderate", + "github_advisory_id": "GHSA-xc7v-wxcw-j472", + "cves": [], + "access": "public", + "patched_versions": ">=0.6.0", + "updated": "2019-06-03T17:08:06.000Z", + "recommendation": "Upgrade to version 0.6.0 or later", + "cwe": "CWE-200", + "found_by": null, + "deleted": null, + "id": 1006373, + "references": "- https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0\n- https://www.npmjs.com/advisories/598\n- https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4\n- https://github.com/advisories/GHSA-xc7v-wxcw-j472", + "created": "2021-11-18T16:00:48.619Z", + "reported_by": null, + "title": "Memory Exposure in tunnel-agent", + "npm_advisory_id": null, + "overview": "Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```\n\n\n## Recommendation\n\nUpdate to version 0.6.0 or later.", + "url": "https://github.com/advisories/GHSA-xc7v-wxcw-j472" + }, + "1006603": { + "findings": [ + { + "version": "2.0.5", + "paths": [ + ".>karma>log4js>loggly>request>hawk>cryptiles" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.1.2", + "module_name": "cryptiles", + "severity": "critical", + "github_advisory_id": "GHSA-rq8g-5pc5-wrhr", + "cves": [ + "CVE-2018-1000620" + ], + 
"access": "public", + "patched_versions": ">=4.1.2", + "updated": "2018-09-11T18:22:44.000Z", + "recommendation": "Upgrade to version 4.1.2 or later", + "cwe": "CWE-331", + "found_by": null, + "deleted": null, + "id": 1006603, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-1000620\n- https://github.com/hapijs/cryptiles/issues/34\n- https://github.com/advisories/GHSA-rq8g-5pc5-wrhr\n- https://github.com/nodejs/security-wg/blob/master/vuln/npm/476.json\n- https://www.npmjs.com/advisories/720\n- https://www.npmjs.com/advisories/1464", + "created": "2021-11-18T16:00:48.639Z", + "reported_by": null, + "title": "Insufficient Entropy in cryptiles", + "npm_advisory_id": null, + "overview": "Versions of `cryptiles` prior to 4.1.2 are vulnerable to Insufficient Entropy. The `randomDigits()` method does not provide sufficient entropy and its generates digits that are not evenly distributed.\n\n\n## Recommendation\n\nUpgrade to version 4.1.2. The package is deprecated and has been moved to `@hapi/cryptiles` and it is strongly recommended to use the maintained package.", + "url": "https://github.com/advisories/GHSA-rq8g-5pc5-wrhr" + }, + "1006659": { + "findings": [ + { + "version": "2.16.3", + "paths": [ + ".>karma>log4js>loggly>request>hawk>hoek" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.2.1", + "module_name": "hoek", + "severity": "moderate", + "github_advisory_id": "GHSA-jp4x-w63m-7wgm", + "cves": [ + "CVE-2018-3728" + ], + "access": "public", + "patched_versions": ">=4.2.1", + "updated": "2018-04-27T13:38:53.000Z", + "recommendation": "Upgrade to version 4.2.1 or later", + "cwe": "CWE-471", + "found_by": null, + "deleted": null, + "id": 1006659, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-3728\n- https://hackerone.com/reports/310439\n- https://github.com/advisories/GHSA-jp4x-w63m-7wgm\n- https://www.npmjs.com/advisories/566\n- https://github.com/hapijs/hoek/commit/32ed5c9413321fbc37da5ca81a7cbab693786dee\n- 
https://access.redhat.com/errata/RHSA-2018:1263\n- https://access.redhat.com/errata/RHSA-2018:1264\n- https://nodesecurity.io/advisories/566\n- https://snyk.io/vuln/npm:hoek:20180212\n- http://www.securityfocus.com/bid/103108", + "created": "2021-11-18T16:00:48.643Z", + "reported_by": null, + "title": "Prototype Pollution in hoek", + "npm_advisory_id": null, + "overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing properties causing a potential denial of service.\n\n\n## Recommendation\n\nUpdate to version 4.2.1, 5.0.3 or later.", + "url": "https://github.com/advisories/GHSA-jp4x-w63m-7wgm" + }, + "1006724": { + "findings": [ + { + "version": "0.2.3", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>http-signature>jsprim>json-schema" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<0.4.0", + "module_name": "json-schema", + "severity": "moderate", + "github_advisory_id": "GHSA-896r-f27r-55mw", + "cves": [ + "CVE-2021-3918" + ], + "access": "public", + "patched_versions": ">=0.4.0", + "updated": "2021-11-15T22:44:28.000Z", + "recommendation": "Upgrade to version 0.4.0 or later", + "cwe": "CWE-915", + "found_by": null, + "deleted": null, + "id": 1006724, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3918\n- 
https://github.com/kriszyp/json-schema/commit/22f146111f541d9737e832823699ad3528ca7741\n- https://huntr.dev/bounties/bb6ccd63-f505-4e3a-b55f-cd2662c261a9\n- https://github.com/kriszyp/json-schema/commit/b62f1da1ff5442f23443d6be6a92d00e65cba93a\n- https://github.com/kriszyp/json-schema/commit/f6f6a3b02d667aa4ba2d5d50cc19208c4462abfa\n- https://github.com/advisories/GHSA-896r-f27r-55mw", + "created": "2021-11-19T21:00:41.916Z", + "reported_by": null, + "title": "json-schema is vulnerable to Prototype Pollution", + "npm_advisory_id": null, + "overview": "json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", + "url": "https://github.com/advisories/GHSA-896r-f27r-55mw" + }, + "1006788": { + "findings": [ + { + "version": "2.7.2", + "paths": [ + ".>karma>log4js>nodemailer" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<6.6.1", + "module_name": "nodemailer", + "severity": "moderate", + "github_advisory_id": "GHSA-hwqf-gcqm-7353", + "cves": [ + "CVE-2021-23400" + ], + "access": "public", + "patched_versions": ">=6.6.1", + "updated": "2021-06-30T17:38:02.000Z", + "recommendation": "Upgrade to version 6.6.1 or later", + "cwe": "CWE-74", + "found_by": null, + "deleted": null, + "id": 1006788, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23400\n- https://github.com/nodemailer/nodemailer/issues/1289\n- https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737\n- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415\n- https://github.com/advisories/GHSA-hwqf-gcqm-7353", + "created": "2021-12-10T19:00:45.984Z", + "reported_by": null, + "title": "Header injection in nodemailer", + "npm_advisory_id": null, + "overview": "The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.", + 
"url": "https://github.com/advisories/GHSA-hwqf-gcqm-7353" + }, + "1006822": { + "findings": [ + { + "version": "1.0.6", + "paths": [ + ".>karma>log4js>mailgun-js>proxy-agent>pac-proxy-agent>pac-resolver>netmask" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.1.0", + "module_name": "netmask", + "severity": "critical", + "github_advisory_id": "GHSA-4c7m-wxvm-r7gc", + "cves": [ + "CVE-2021-28918" + ], + "access": "public", + "patched_versions": ">=1.1.0", + "updated": "2021-04-13T16:13:23.000Z", + "recommendation": "Upgrade to version 1.1.0 or later", + "cwe": "CWE-20", + "found_by": null, + "deleted": null, + "id": 1006822, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-28918\n- https://github.com/rs/node-netmask/blob/98294cb20695f2c6c36219a4fbcd4744fb8d0682/CHANGELOG.md#v110-mar-18-2021\n- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-011.md\n- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/\n- https://www.npmjs.com/package/netmask\n- https://github.com/advisories/GHSA-pch5-whg9-qr2r\n- https://security.netapp.com/advisory/ntap-20210528-0010/\n- https://rootdaemon.com/2021/03/29/vulnerability-in-netmask-npm-package-affects-280000-projects/\n- https://github.com/advisories/GHSA-4c7m-wxvm-r7gc", + "created": "2022-01-04T20:00:43.966Z", + "reported_by": null, + "title": "Improper parsing of octal bytes in netmask", + "npm_advisory_id": null, + "overview": "Improper input validation of octal strings in netmask npm package v1.0.6 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many of the dependent packages. A remote unauthenticated attacker can bypass packages relying on netmask to filter IPs and reach critical VPN or LAN hosts.\n\n:exclamation: NOTE: The fix for this issue was incomplete. 
A subsequent fix was made in version `2.0.1` which was assigned [CVE-2021-29418 / GHSA-pch5-whg9-qr2r](https://github.com/advisories/GHSA-pch5-whg9-qr2r). For complete protection from this vulnerability an upgrade to version 2.0.1 or later is recommended.", + "url": "https://github.com/advisories/GHSA-4c7m-wxvm-r7gc" + }, + "1006837": { + "findings": [ + { + "version": "0.1.5", + "paths": [ + ".>karma>expand-braces>braces" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<2.3.1", + "module_name": "braces", + "severity": "low", + "github_advisory_id": "GHSA-cwfw-4gq5-mrqx", + "cves": [ + "CVE-2018-1109" + ], + "access": "public", + "patched_versions": ">=2.3.1", + "updated": "2021-03-31T21:35:00.000Z", + "recommendation": "Upgrade to version 2.3.1 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1006837, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2018-1109\n- https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451\n- https://bugzilla.redhat.com/show_bug.cgi?id=1547272\n- https://snyk.io/vuln/npm:braces:20180219\n- https://github.com/advisories/GHSA-cwfw-4gq5-mrqx", + "created": "2022-01-06T21:00:43.096Z", + "reported_by": null, + "title": "Regular Expression Denial of Service (ReDoS) in braces", + "npm_advisory_id": null, + "overview": "A vulnerability was found in Braces versions prior to 2.3.1. 
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.", + "url": "https://github.com/advisories/GHSA-cwfw-4gq5-mrqx" + }, + "1006865": { + "findings": [ + { + "version": "1.0.0", + "paths": [ + ".>axios>follow-redirects" + ] + }, + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.14.7", + "module_name": "follow-redirects", + "severity": "high", + "github_advisory_id": "GHSA-74fj-2j2h-c42q", + "cves": [ + "CVE-2022-0155" + ], + "access": "public", + "patched_versions": ">=1.14.7", + "updated": "2022-01-11T18:41:09.000Z", + "recommendation": "Upgrade to version 1.14.7 or later", + "cwe": "CWE-359", + "found_by": null, + "deleted": null, + "id": 1006865, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", + "created": "2022-01-12T23:00:43.967Z", + "reported_by": null, + "title": "Exposure of sensitive information in follow-redirects", + "npm_advisory_id": null, + "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", + "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" + }, + "1006902": { + "findings": [ + { + "version": "2.11.0", + "paths": [ + ".>karma>log4js" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<6.4.0", + "module_name": "log4js", + "severity": "moderate", + "github_advisory_id": "GHSA-82v2-mx6x-wq7q", + "cves": [ + "CVE-2022-21704" + ], + "access": "public", + "patched_versions": ">=6.4.0", + "updated": "2022-01-19T22:47:15.000Z", + "recommendation": "Upgrade to version 6.4.0 or later", + "cwe": "CWE-276", + "found_by": null, + "deleted": null, + "id": 1006902, + "references": "- 
https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q\n- https://github.com/log4js-node/log4js-node/pull/1141/commits/8042252861a1b65adb66931fdf702ead34fa9b76\n- https://github.com/log4js-node/streamroller/pull/87\n- https://github.com/log4js-node/log4js-node/blob/v6.4.0/CHANGELOG.md#640\n- https://nvd.nist.gov/vuln/detail/CVE-2022-21704\n- https://github.com/advisories/GHSA-82v2-mx6x-wq7q", + "created": "2022-01-25T20:00:44.170Z", + "reported_by": null, + "title": "Incorrect Default Permissions in log4js", + "npm_advisory_id": null, + "overview": "### Impact\r\nDefault file permissions for log files created by the file, fileSync and dateFile appenders are world-readable (in unix). This could cause problems if log files contain sensitive information. This would affect any users that have not supplied their own permissions for the files via the mode parameter in the config.\r\n\r\n### Patches\r\nFixed by:\r\n* https://github.com/log4js-node/log4js-node/pull/1141\r\n* https://github.com/log4js-node/streamroller/pull/87\r\n\r\nReleased to NPM in log4js@6.4.0\r\n\r\n### Workarounds\r\nEvery version of log4js published allows passing the mode parameter to the configuration of file appenders, see the documentation for details.\r\n\r\n### References\r\n\r\nThanks to [ranjit-git](https://www.huntr.dev/users/ranjit-git) for raising the issue, and to @peteriman for fixing the problem.\r\n\r\n### For more information\r\nIf you have any questions or comments about this advisory:\r\n* Open an issue in [logj4s-node](https://github.com/log4js-node/log4js-node)\r\n* Ask a question in the [slack channel](https://join.slack.com/t/log4js-node/shared_invite/enQtODkzMDQ3MzExMDczLWUzZmY0MmI0YWI1ZjFhODY0YjI0YmU1N2U5ZTRkOTYyYzg3MjY5NWI4M2FjZThjYjdiOGM0NjU2NzBmYTJjOGI)\r\n* Email us at [gareth.nomiddlename@gmail.com](mailto:gareth.nomiddlename@gmail.com)\r\n", + "url": "https://github.com/advisories/GHSA-82v2-mx6x-wq7q" + }, + "1006947": { + "findings": [ + { + 
"version": "3.1.0", + "paths": [ + ".>karma>chokidar>glob-parent" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<5.1.2", + "module_name": "glob-parent", + "severity": "high", + "github_advisory_id": "GHSA-ww39-953v-wcq6", + "cves": [ + "CVE-2020-28469" + ], + "access": "public", + "patched_versions": ">=5.1.2", + "updated": "2021-06-04T18:30:46.000Z", + "recommendation": "Upgrade to version 5.1.2 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1006947, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28469\n- https://github.com/gulpjs/glob-parent/pull/36\n- https://github.com/gulpjs/glob-parent/blob/6ce8d11f2f1ed8e80a9526b1dc8cf3aa71f43474/index.js%23L9\n- https://github.com/gulpjs/glob-parent/releases/tag/v5.1.2\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBES128-1059093\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1059092\n- https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-ww39-953v-wcq6", + "created": "2022-02-08T22:00:42.497Z", + "reported_by": null, + "title": "Regular expression denial of service", + "npm_advisory_id": null, + "overview": "This affects the package glob-parent before 5.1.2. 
The enclosure regex used to check for strings ending in enclosure containing path separator.", + "url": "https://github.com/advisories/GHSA-ww39-953v-wcq6" + }, + "1006948": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>lodash" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.17.21", + "module_name": "lodash", + "severity": "high", + "github_advisory_id": "GHSA-35jh-r3h4-6jhm", + "cves": [ + "CVE-2021-23337" + ], + "access": "public", + "patched_versions": ">=4.17.21", + "updated": "2021-03-31T23:59:26.000Z", + "recommendation": "Upgrade to version 4.17.21 or later", + "cwe": "CWE-77", + "found_by": null, + "deleted": null, + "id": 1006948, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-23337\n- https://github.com/lodash/lodash/commit/3469357cff396a26c363f8c1b5a91dde28ba4b1c\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1040724\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js#L14851\n- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-35jh-r3h4-6jhm", + "created": "2022-02-08T22:00:42.498Z", + "reported_by": null, + "title": "Command Injection in lodash", + "npm_advisory_id": null, + "overview": "`lodash` versions prior to 4.17.21 are vulnerable to Command Injection via the template function.", + "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm" + }, + "1006949": { 
+ "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>lodash" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.17.21", + "module_name": "lodash", + "severity": "moderate", + "github_advisory_id": "GHSA-29mw-wpgm-hmr9", + "cves": [ + "CVE-2020-28500" + ], + "access": "public", + "patched_versions": ">=4.17.21", + "updated": "2021-03-19T22:45:29.000Z", + "recommendation": "Upgrade to version 4.17.21 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1006949, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28500\n- https://github.com/lodash/lodash/pull/5065\n- https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7\n- https://github.com/lodash/lodash/blob/npm/trimEnd.js%23L8\n- https://security.netapp.com/advisory/ntap-20210312-0006/\n- https://snyk.io/vuln/SNYK-JS-LODASH-1018905\n- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074896\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074894\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074892\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074895\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074893\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-29mw-wpgm-hmr9", + "created": "2022-02-08T22:00:42.498Z", + "reported_by": null, + "title": "Regular Expression Denial of Service (ReDoS) in lodash", + "npm_advisory_id": null, + "overview": "All versions of package lodash prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. 
Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = \"1\" for (var i = 0; i < n; i++) { ret += \" \" } return ret + \"1\"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log(\"time_cost0: \" + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log(\"time_cost1: \" + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log(\"time_cost2: \" + time_cost2)", + "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9" + }, + "1006952": { + "findings": [ + { + "version": "4.17.15", + "paths": [ + ".>karma>lodash" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.17.19", + "module_name": "lodash", + "severity": "high", + "github_advisory_id": "GHSA-p6mc-m468-83gw", + "cves": [ + "CVE-2020-8203" + ], + "access": "public", + "patched_versions": ">=4.17.19", + "updated": "2020-07-15T19:15:01.000Z", + "recommendation": "Upgrade to version 4.17.19 or later", + "cwe": "CWE-770", + "found_by": null, + "deleted": null, + "id": 1006952, + "references": "- https://github.com/lodash/lodash/issues/4744\n- https://github.com/lodash/lodash/commit/c84fe82760fb2d3e03a63379b297a1cc1a2fce12\n- https://www.npmjs.com/advisories/1523\n- https://nvd.nist.gov/vuln/detail/CVE-2020-8203\n- https://hackerone.com/reports/712065\n- https://security.netapp.com/advisory/ntap-20200724-0006/\n- https://github.com/lodash/lodash/issues/4874\n- https://www.oracle.com/security-alerts/cpuApr2021.html\n- https://www.oracle.com//security-alerts/cpujul2021.html\n- https://www.oracle.com/security-alerts/cpuoct2021.html\n- https://www.oracle.com/security-alerts/cpujan2022.html\n- https://github.com/advisories/GHSA-p6mc-m468-83gw", + "created": "2022-02-08T23:00:41.860Z", + "reported_by": null, + "title": "Prototype Pollution in lodash", + "npm_advisory_id": null, + "overview": "Versions 
of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The function zipObjectDeep allows a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires zipping objects based on user-provided property arrays.\n\nThis vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.", + "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw" + }, + "1006975": { + "findings": [ + { + "version": "3.1.5", + "paths": [ + ".>karma>socket.io>engine.io" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<4.0.0", + "module_name": "engine.io", + "severity": "high", + "github_advisory_id": "GHSA-j4f2-536g-r55m", + "cves": [ + "CVE-2020-36048" + ], + "access": "public", + "patched_versions": ">=4.0.0", + "updated": "2021-04-06T22:58:34.000Z", + "recommendation": "Upgrade to version 4.0.0 or later", + "cwe": "CWE-400", + "found_by": null, + "deleted": null, + "id": 1006975, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-36048\n- https://github.com/socketio/engine.io/commit/734f9d1268840722c41219e69eb58318e0b2ac6b\n- https://blog.caller.xyz/socketio-engineio-dos/\n- https://github.com/bcaller/kill-engine-io\n- https://github.com/advisories/GHSA-j4f2-536g-r55m", + "created": "2022-02-09T23:00:44.110Z", + "reported_by": null, + "title": "Resource exhaustion in engine.io ", + "npm_advisory_id": null, + "overview": "Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.", + "url": "https://github.com/advisories/GHSA-j4f2-536g-r55m" + }, + "1006997": { + "findings": [ + { + "version": "2.0.5", + "paths": [ + ".>karma" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<6.3.14", + "module_name": "karma", + "severity": "moderate", + "github_advisory_id": 
"GHSA-7x7c-qm48-pq9c", + "cves": [ + "CVE-2022-0437" + ], + "access": "public", + "patched_versions": ">=6.3.14", + "updated": "2022-02-07T21:57:21.000Z", + "recommendation": "Upgrade to version 6.3.14 or later", + "cwe": "CWE-79", + "found_by": null, + "deleted": null, + "id": 1006997, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0437\n- https://github.com/karma-runner/karma/commit/839578c45a8ac42fbc1d72105f97eab77dd3eb8a\n- https://huntr.dev/bounties/64b67ea1-5487-4382-a5f6-e8a95f798885\n- https://github.com/karma-runner/karma/releases/tag/v6.3.14\n- https://github.com/advisories/GHSA-7x7c-qm48-pq9c", + "created": "2022-02-11T00:00:43.705Z", + "reported_by": null, + "title": "Cross-site Scripting in karma", + "npm_advisory_id": null, + "overview": "karma prior to version 6.3.14 contains a cross-site scripting vulnerability.", + "url": "https://github.com/advisories/GHSA-7x7c-qm48-pq9c" + }, + "1007017": { + "findings": [ + { + "version": "6.10.2", + "paths": [ + ".>karma>log4js>hipchat-notifier>request>har-validator>ajv" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<6.12.3", + "module_name": "ajv", + "severity": "moderate", + "github_advisory_id": "GHSA-v88g-cgmw-v5xw", + "cves": [ + "CVE-2020-15366" + ], + "access": "public", + "patched_versions": ">=6.12.3", + "updated": "2021-05-10T21:23:42.000Z", + "recommendation": "Upgrade to version 6.12.3 or later", + "cwe": "CWE-915", + "found_by": null, + "deleted": null, + "id": 1007017, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-15366\n- https://github.com/ajv-validator/ajv/commit/65b2f7d76b190ac63a0d4e9154c712d7aa37049f\n- https://github.com/ajv-validator/ajv/releases/tag/v6.12.3\n- https://hackerone.com/bugs?subject=user&report_id=894259\n- https://github.com/ajv-validator/ajv/tags\n- https://github.com/advisories/GHSA-v88g-cgmw-v5xw", + "created": "2022-02-11T00:00:43.707Z", + "reported_by": null, + "title": "Prototype Pollution in Ajv", + "npm_advisory_id": null, + 
"overview": "An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)", + "url": "https://github.com/advisories/GHSA-v88g-cgmw-v5xw" + }, + "1007026": { + "findings": [ + { + "version": "1.0.0", + "paths": [ + ".>axios>follow-redirects" + ] + }, + { + "version": "1.9.0", + "paths": [ + ".>karma>http-proxy>follow-redirects" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.14.8", + "module_name": "follow-redirects", + "severity": "moderate", + "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", + "cves": [ + "CVE-2022-0536" + ], + "access": "public", + "patched_versions": ">=1.14.8", + "updated": "2022-02-11T21:18:03.000Z", + "recommendation": "Upgrade to version 1.14.8 or later", + "cwe": "CWE-200", + "found_by": null, + "deleted": null, + "id": 1007026, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", + "created": "2022-02-14T23:00:43.878Z", + "reported_by": null, + "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", + "npm_advisory_id": null, + "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.", + "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c" + }, + "1007030": { + "findings": [ + { + "version": "1.4.7", + "paths": [ + ".>karma>log4js>amqplib>url-parse" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.5.6", + "module_name": "url-parse", + "severity": "high", + "github_advisory_id": "GHSA-rqff-837h-mm52", + 
"cves": [ + "CVE-2022-0512" + ], + "access": "public", + "patched_versions": ">=1.5.6", + "updated": "2022-02-16T22:37:40.000Z", + "recommendation": "Upgrade to version 1.5.6 or later", + "cwe": "CWE-639", + "found_by": null, + "deleted": null, + "id": 1007030, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0512\n- https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40\n- https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b\n- https://github.com/advisories/GHSA-rqff-837h-mm52", + "created": "2022-02-17T14:00:45.711Z", + "reported_by": null, + "title": "Authorization bypass in url-parse", + "npm_advisory_id": null, + "overview": "Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.6.", + "url": "https://github.com/advisories/GHSA-rqff-837h-mm52" + } + }, + "muted": [], + "metadata": { + "vulnerabilities": { + "info": 0, + "low": 4, + "moderate": 17, + "high": 21, + "critical": 4 + }, + "dependencies": 439, + "devDependencies": 0, + "optionalDependencies": 0, + "totalDependencies": 439 + } +} \ No newline at end of file diff --git a/packages/plugin-commands-licenses/test/utils/responses/dev-vulnerabilities-only-response.json b/packages/plugin-commands-licenses/test/utils/responses/dev-vulnerabilities-only-response.json new file mode 100644 index 00000000000..deccf7b0584 --- /dev/null +++ b/packages/plugin-commands-licenses/test/utils/responses/dev-vulnerabilities-only-response.json 
@@ -0,0 +1,278 @@ +{ + "actions": [ + { + "action": "review", + "module": "axios", + "resolves": [ + { + "id": 1005018, + "path": ".>axios", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1005506, + "path": ".>axios", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1006349, + "path": ".>axios", + "dev": false, + "optional": false, + "bundled": false + } + ] + }, + { + "action": "review", + "module": "sync-exec", + "resolves": [ + { + "id": 1005902, + "path": ".>sync-exec", + "dev": false, + "bundled": false, + "optional": false + } + ] + }, + { + "action": "review", + "module": "follow-redirects", + "resolves": [ + { + "id": 1006865, + "path": ".>axios>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + }, + { + "id": 1007026, + "path": ".>axios>follow-redirects", + "dev": false, + "optional": false, + "bundled": false + } + ] + } + ], + "advisories": { + "1005018": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.21.1", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-cph5-m8f7-6c5x", + "cves": [ + "CVE-2021-3749" + ], + "access": "public", + "patched_versions": ">=0.21.2", + "updated": "2021-09-08T16:46:47.000Z", + "recommendation": "Upgrade to version 0.21.2 or later", + "cwe": "CWE-697", + "found_by": null, + "deleted": null, + "id": 1005018, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3749\n- https://github.com/axios/axios/commit/5b457116e31db0e88fede6c428e969e87f290929\n- https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31\n- https://www.npmjs.com/package/axios\n- https://lists.apache.org/thread.html/r075d464dce95cd13c03ff9384658edcccd5ab2983b82bfc72b62bb10@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r216f0fd0a3833856d6a6a1fada488cadba45f447d87010024328ccf2@%3Ccommits.druid.apache.org%3E\n- 
https://lists.apache.org/thread.html/r3ae6d2654f92c5851bdb73b35e96b0e4e3da39f28ac7a1b15ae3aab8@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r4bf1b32983f50be00f9752214c1b53738b621be1c2b0dbd68c7f2391@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r7324ecc35b8027a51cb6ed629490fcd3b2d7cf01c424746ed5744bf1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r74d0b359408fff31f87445261f0ee13bdfcac7d66f6b8e846face321@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/ra15d63c54dc6474b29f72ae4324bcb03038758545b3ab800845de7a1@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rc263bfc5b53afcb7e849605478d73f5556eb0c00d1f912084e407289@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfa094029c959da0f7c8cd7dc9c4e59d21b03457bf0cedf6c93e1bb0a@%3Cdev.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rfc5c478053ff808671aef170f3d9fc9d05cc1fab8fb64431edc66103@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-cph5-m8f7-6c5x", + "created": "2021-11-18T16:00:48.489Z", + "reported_by": null, + "title": "Incorrect Comparison in axios", + "npm_advisory_id": null, + "overview": "axios is vulnerable to Inefficient Regular Expression Complexity", + "url": "https://github.com/advisories/GHSA-cph5-m8f7-6c5x" + }, + "1005506": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<0.21.1", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-4w2v-q235-vp99", + "cves": [ + "CVE-2020-28168" + ], + "access": "public", + "patched_versions": ">=0.21.1", + "updated": "2021-01-04T20:58:17.000Z", + "recommendation": "Upgrade to version 0.21.1 or later", + "cwe": "CWE-918", + "found_by": null, + "deleted": null, + "id": 1005506, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2020-28168\n- https://github.com/axios/axios/issues/3369\n- 
https://github.com/axios/axios/commit/c7329fefc890050edd51e40e469a154d0117fc55\n- https://snyk.io/vuln/SNYK-JS-AXIOS-1038255\n- https://www.npmjs.com/package/axios\n- https://www.npmjs.com/advisories/1594\n- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E\n- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E\n- https://github.com/advisories/GHSA-4w2v-q235-vp99", + "created": "2021-11-18T16:00:48.546Z", + "reported_by": null, + "title": "Server-Side Request Forgery in Axios", + "npm_advisory_id": null, + "overview": "Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.", + "url": "https://github.com/advisories/GHSA-4w2v-q235-vp99" + }, + "1005902": { + "findings": [ + { + "version": "0.6.2", + "paths": [ + ".>sync-exec" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.6.2", + "module_name": "sync-exec", + "severity": "moderate", + "github_advisory_id": "GHSA-38h8-x697-gh8q", + "cves": [ + "CVE-2017-16024" + ], + "access": "public", + "patched_versions": "<0.0.0", + "updated": "2020-08-31T18:18:48.000Z", + "recommendation": "None", + "cwe": "CWE-377", + "found_by": null, + "deleted": null, + "id": 1005902, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2017-16024\n- https://github.com/gvarsanyi/sync-exec/issues/17\n- https://cwe.mitre.org/data/definitions/377.html\n- https://github.com/advisories/GHSA-38h8-x697-gh8q\n- https://www.npmjs.com/advisories/310\n- https://nodesecurity.io/advisories/310\n- https://www.owasp.org/index.php/Insecure_Temporary_File", + "created": "2021-11-18T16:00:48.581Z", + 
"reported_by": null, + "title": "Tmp files readable by other users in sync-exec", + "npm_advisory_id": null, + "overview": "Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user.\n\n\n## Recommendation\n\nThere is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. \n\nThe best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.", + "url": "https://github.com/advisories/GHSA-38h8-x697-gh8q" + }, + "1006349": { + "findings": [ + { + "version": "0.15.3", + "paths": [ + ".>axios" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<=0.18.0", + "module_name": "axios", + "severity": "high", + "github_advisory_id": "GHSA-42xw-2xvc-qx8m", + "cves": [ + "CVE-2019-10742" + ], + "access": "public", + "patched_versions": ">=0.18.1", + "updated": "2019-06-05T16:22:11.000Z", + "recommendation": "Upgrade to version 0.18.1 or later", + "cwe": "CWE-20", + "found_by": null, + "deleted": null, + "id": 1006349, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2019-10742\n- https://app.snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://github.com/axios/axios/issues/1098\n- https://github.com/axios/axios/pull/1485\n- https://snyk.io/vuln/SNYK-JS-AXIOS-174505\n- https://www.npmjs.com/advisories/880\n- https://github.com/advisories/GHSA-42xw-2xvc-qx8m", + "created": "2021-11-18T16:00:48.617Z", + "reported_by": null, + "title": "Denial of Service in axios", + "npm_advisory_id": null, + "overview": "Versions of `axios` prior to 0.18.1 are vulnerable to Denial of Service. 
If a request exceeds the `maxContentLength` property, the package prints an error but does not stop the request. This may cause high CPU usage and lead to Denial of Service.\n\n\n## Recommendation\n\nUpgrade to 0.18.1 or later.", + "url": "https://github.com/advisories/GHSA-42xw-2xvc-qx8m" + }, + "1006865": { + "findings": [ + { + "version": "1.0.0", + "paths": [ + ".>axios>follow-redirects" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.14.7", + "module_name": "follow-redirects", + "severity": "high", + "github_advisory_id": "GHSA-74fj-2j2h-c42q", + "cves": [ + "CVE-2022-0155" + ], + "access": "public", + "patched_versions": ">=1.14.7", + "updated": "2022-01-11T18:41:09.000Z", + "recommendation": "Upgrade to version 1.14.7 or later", + "cwe": "CWE-359", + "found_by": null, + "deleted": null, + "id": 1006865, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0155\n- https://github.com/follow-redirects/follow-redirects/commit/8b347cbcef7c7b72a6e9be20f5710c17d6163c22\n- https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406\n- https://github.com/advisories/GHSA-74fj-2j2h-c42q", + "created": "2022-01-12T23:00:43.967Z", + "reported_by": null, + "title": "Exposure of sensitive information in follow-redirects", + "npm_advisory_id": null, + "overview": "follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor", + "url": "https://github.com/advisories/GHSA-74fj-2j2h-c42q" + }, + "1007026": { + "findings": [ + { + "version": "1.0.0", + "paths": [ + ".>axios>follow-redirects" + ] + } + ], + "metadata": null, + "vulnerable_versions": "<1.14.8", + "module_name": "follow-redirects", + "severity": "moderate", + "github_advisory_id": "GHSA-pw2r-vq6v-hr8c", + "cves": [ + "CVE-2022-0536" + ], + "access": "public", + "patched_versions": ">=1.14.8", + "updated": "2022-02-11T21:18:03.000Z", + "recommendation": "Upgrade to version 1.14.8 or later", + "cwe": "CWE-200", + "found_by": null, + "deleted": null, + 
"id": 1007026, + "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0536\n- https://github.com/follow-redirects/follow-redirects/commit/62e546a99c07c3ee5e4e0718c84a6ca127c5c445\n- https://huntr.dev/bounties/7cf2bf90-52da-4d59-8028-a73b132de0db\n- https://github.com/advisories/GHSA-pw2r-vq6v-hr8c", + "created": "2022-02-14T23:00:43.878Z", + "reported_by": null, + "title": "Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects", + "npm_advisory_id": null, + "overview": "Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.", + "url": "https://github.com/advisories/GHSA-pw2r-vq6v-hr8c" + } + }, + "muted": [], + "metadata": { + "vulnerabilities": { + "info": 0, + "low": 0, + "moderate": 2, + "high": 4, + "critical": 0 + }, + "dependencies": 6, + "devDependencies": 0, + "optionalDependencies": 0, + "totalDependencies": 6 + } +} \ No newline at end of file diff --git a/packages/plugin-commands-licenses/test/utils/responses/index.ts b/packages/plugin-commands-licenses/test/utils/responses/index.ts new file mode 100644 index 00000000000..a9dfa6046f8 --- /dev/null +++ b/packages/plugin-commands-licenses/test/utils/responses/index.ts @@ -0,0 +1,9 @@ +import path from 'path' +import loadJsonFile from 'load-json-file' + +// eslint-disable-next-line +export const DEV_VULN_ONLY_RESP = loadJsonFile.sync(path.join(__dirname, 'dev-vulnerabilities-only-response.json')) +// eslint-disable-next-line +export const ALL_VULN_RESP = loadJsonFile.sync(path.join(__dirname, 'all-vulnerabilities-response.json')) +// eslint-disable-next-line +export const NO_VULN_RESP = loadJsonFile.sync(path.join(__dirname, 'no-vulnerabilities-response.json')) diff --git a/packages/plugin-commands-licenses/test/utils/responses/no-vulnerabilities-response.json b/packages/plugin-commands-licenses/test/utils/responses/no-vulnerabilities-response.json new file mode 100644 index 00000000000..d1bb849c520 --- /dev/null 
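Review bot: The three bare `// eslint-disable-next-line` directives in test/utils/responses/index.ts switch off every rule on the export lines instead of the one that fires, so a later genuine finding on those lines would be hidden as well. Name the rule in each directive, or remove the need for it by typing the load, e.g. `loadJsonFile.sync<AuditReport>(…)` with the type imported from `@pnpm/audit` (assuming that package exports it; confirm). The constants are audit-response fixtures (`*_VULN_RESP`), so a one-line comment stating why a license command's tests need them would help, if they are used at all.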
+++ b/packages/plugin-commands-licenses/test/utils/responses/no-vulnerabilities-response.json
@@ -0,0 +1,18 @@
+{
+ "actions": [],
+ "advisories": {},
+ "muted": [],
+ "metadata": {
+ "vulnerabilities": {
+ "info": 0,
+ "low": 0,
+ "moderate": 0,
+ "high": 0,
+ "critical": 0
+ },
+ "dependencies": 4,
+ "devDependencies": 0,
+ "optionalDependencies": 0,
+ "totalDependencies": 4
+ }
+}
\ No newline at end of file
diff --git a/packages/plugin-commands-licenses/test/utils/responses/update.ts b/packages/plugin-commands-licenses/test/utils/responses/update.ts
new file mode 100644
index 00000000000..bc328c43e01
--- /dev/null
+++ b/packages/plugin-commands-licenses/test/utils/responses/update.ts
@@ -0,0 +1,36 @@
+import fs from 'fs'
+import path from 'path'
+import audit from '@pnpm/audit'
+import { readWantedLockfile } from '@pnpm/lockfile-file'
+import fixtures from '@pnpm/test-fixtures'
+
+const f = fixtures(__dirname)
+
+async function writeResponse (lockfileDir: string, filename: string, opts: {
+ production?: boolean
+ dev?: boolean
+ optional?: boolean
+}) {
+ const lockfile = await readWantedLockfile(lockfileDir, { ignoreIncompatible: true })
+ const include = {
+ dependencies: opts.production !== false,
+ devDependencies: opts.dev !== false,
+ optionalDependencies: opts.optional !== false,
+ }
+ const auditReport = await audit(lockfile!, {
+ agentOptions: {},
+ include,
+ registry: 'https://registry.npmjs.org/',
+ })
+ fs.writeFileSync(path.join(__dirname, filename), JSON.stringify(auditReport, null, 2))
+}
+
+// eslint-disable-next-line
+; (async () => {
+ await writeResponse(f.find('has-vulnerabilities'), 'dev-vulnerabilities-only-response.json', {
+ dev: true,
+ production: false,
+ })
+ await writeResponse(f.find('has-vulnerabilities'), 'all-vulnerabilities-response.json', {})
+ await writeResponse(f.find('has-outdated-deps'), 'no-vulnerabilities-response.json', {})
+})()
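Review bot: The non-null assertion in `audit(lockfile!, …)` inside writeResponse hides the case where `readWantedLockfile` finds no lockfile, and the third call in the IIFE points at a `has-outdated-deps` fixture that does not appear in this commit's file list (only `has-vulnerabilities` is added under test/fixtures). Replace the assertion with an explicit guard before the call, `if (lockfile == null) throw new Error('No lockfile found in ' + lockfileDir)`. Also end the IIFE with `.catch((err) => { console.error(err); process.exitCode = 1 })` so a failed regeneration is reported instead of leaving stale or partial fixtures behind. Separately, the script regenerates audit advisories from the live registry, which looks carried over from the audit plugin; whether a license report needs these fixtures is worth confirming against test/index.ts.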
diff --git a/packages/plugin-commands-licenses/tsconfig.json b/packages/plugin-commands-licenses/tsconfig.json
new file mode 100644
index 00000000000..bf4c3d606d2
--- /dev/null
+++ b/packages/plugin-commands-licenses/tsconfig.json
@@ -0,0 +1,49 @@
+{
+ "extends": "@pnpm/tsconfig",
+ "compilerOptions": {
+ "outDir": "lib",
+ "rootDir": "src"
+ },
+ "include": [
+ "src/**/*.ts",
+ "../../typings/**/*.d.ts"
+ ],
+ "references": [
+ {
+ "path": "../../privatePackages/test-fixtures"
+ },
+ {
+ "path": "../audit"
+ },
+ {
+ "path": "../cli-utils"
+ },
+ {
+ "path": "../config"
+ },
+ {
+ "path": "../constants"
+ },
+ {
+ "path": "../dependency-path"
+ },
+ {
+ "path": "../error"
+ },
+ {
+ "path": "../lockfile-file"
+ },
+ {
+ "path": "../lockfile-utils"
+ },
+ {
+ "path": "../lockfile-walker"
+ },
+ {
+ "path": "../read-project-manifest"
+ },
+ {
+ "path": "../types"
+ }
+ ]
+}
diff --git a/packages/plugin-commands-licenses/tsconfig.lint.json b/packages/plugin-commands-licenses/tsconfig.lint.json
new file mode 100644
index 00000000000..0dc5add6b7b
--- /dev/null
+++ b/packages/plugin-commands-licenses/tsconfig.lint.json
@@ -0,0 +1,8 @@
+{
+ "extends": "./tsconfig.json",
+ "include": [
+ "src/**/*.ts",
+ "test/**/*.ts",
+ "../../typings/**/*.d.ts"
+ ]
+}
diff --git a/packages/pnpm/package.json b/packages/pnpm/package.json
index 994a338e390..05e96f1ebcd 100644
--- a/packages/pnpm/package.json
+++ b/packages/pnpm/package.json
@@ -43,6 +43,7 @@
 "@pnpm/plugin-commands-audit": "workspace:5.1.45",
 "@pnpm/plugin-commands-env": "workspace:1.4.18",
 "@pnpm/plugin-commands-installation": "workspace:8.4.10",
+ "@pnpm/plugin-commands-licenses": "workspace:*",
 "@pnpm/plugin-commands-listing": "workspace:4.1.14",
 "@pnpm/plugin-commands-outdated": "workspace:5.1.13",
 "@pnpm/plugin-commands-publishing": "workspace:4.5.5",
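Review bot: `"@pnpm/plugin-commands-licenses": "workspace:*"` is the only entry in this dependency block without an explicit version; its neighbours are written as `workspace:5.1.45`, `workspace:1.4.18` and so on. Use the new package's actual version, `"@pnpm/plugin-commands-licenses": "workspace:<version-from-its-package.json>"`, so the CLI manifest stays uniform and a reader can see which plugin version is bundled. If the repository's manifest tooling rewrites this value on its next run, committing that output here keeps later diffs clean.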
@@ -155,7 +156,7 @@
 "test:jest": "jest",
 "pretest:e2e": "rimraf node_modules/.bin/pnpm",
 "test:e2e": "registry-mock prepare && run-p -r registry-mock test:jest",
- "_test": "cross-env PNPM_REGISTRY_MOCK_PORT=7780 pnpm run test:e2e",
+ "_test": "cross-env PNPM_REGISTRY_MOCK_PORT=7781 pnpm run test:e2e",
 "test": "pnpm run compile && pnpm run _test",
 "prepublishOnly": "pnpm compile && npm cache clear --force && publish-packed --prune --npm-client=pnpm --dest=dist",
 "postpublish": "publish-packed",
diff --git a/packages/pnpm/src/cmd/help.ts b/packages/pnpm/src/cmd/help.ts
index ee2c7dd73ca..9e1109f3439 100644
--- a/packages/pnpm/src/cmd/help.ts
+++ b/packages/pnpm/src/cmd/help.ts
@@ -80,6 +80,10 @@ function getHelpText () {
 description: 'Checks for known security issues with the installed packages',
 name: 'audit',
 },
+ {
+ description: 'Checks for license compliance issues with the installed packages and its dependencies',
+ name: 'licenses',
+ },
 {
 description: 'Print all the versions of packages that are installed, as well as their dependencies, in a tree-structure',
 name: 'list',
diff --git a/packages/pnpm/src/cmd/index.ts b/packages/pnpm/src/cmd/index.ts
index 5f8e1743598..2143b7eb1f2 100644
--- a/packages/pnpm/src/cmd/index.ts
+++ b/packages/pnpm/src/cmd/index.ts
@@ -4,6 +4,7 @@ import { audit } from '@pnpm/plugin-commands-audit'
 import { env } from '@pnpm/plugin-commands-env'
 import { add, fetch, install, link, prune, remove, unlink, update, importCommand } from '@pnpm/plugin-commands-installation'
 import { list, ll, why } from '@pnpm/plugin-commands-listing'
+import { licenses } from '@pnpm/plugin-commands-licenses'
 import { outdated } from '@pnpm/plugin-commands-outdated'
 import { pack, publish } from '@pnpm/plugin-commands-publishing'
 import { rebuild } from '@pnpm/plugin-commands-rebuild'
@@ -76,6 +77,7 @@ const commands: Array<{
 installTest,
 link,
 list,
+ licenses,
 ll,
 outdated,
 pack,
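Review bot: The help entry added to `getHelpText` in `help.ts` has a number mismatch in its wording: "the installed packages and its dependencies" should use "their". Suggested line: `description: 'Checks for license compliance issues with the installed packages and their dependencies',`. The commit description calls the command a report generator, so "Generates a license compliance report for …" may describe it more accurately than "Checks for … issues", which suggests a pass/fail result the visible code does not show. `getHelpText` starts and ends outside this hunk.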
diff --git a/packages/pnpm/tsconfig.json b/packages/pnpm/tsconfig.json
index 52a60390a8b..e4f6ff992f1 100644
--- a/packages/pnpm/tsconfig.json
+++ b/packages/pnpm/tsconfig.json
@@ -81,6 +81,9 @@
 {
 "path": "../plugin-commands-installation"
 },
+ {
+ "path": "../plugin-commands-licenses"
+ },
 {
 "path": "../plugin-commands-listing"
 },
diff --git a/packages/types/src/package.ts b/packages/types/src/package.ts
index f4312b4b2f2..72d322c1f35 100644
--- a/packages/types/src/package.ts
+++ b/packages/types/src/package.ts
@@ -75,6 +75,7 @@ export interface BaseManifest {
 bundleDependencies?: string[]
 bundledDependencies?: string[]
 homepage?: string
+ license?: string
 repository?: string | { url: string }
 scripts?: PackageScripts
 config?: object
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index a207bc64ea2..b91f7d95a82 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -81,7 +81,7 @@ importers: cross-env: 7.0.3 eslint: 8.13.0 husky: 7.0.4 - jest: 27.5.1_thkb7flajne3af5uumql4ipniu + jest: 27.5.1_ts-node@10.7.0 lcov-result-merger: 3.1.0 npm-run-all: 4.1.5 publish-packed: 4.1.1
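Review bot: `license?: string` on `BaseManifest` in `packages/types/src/package.ts` models only the string form of the field, but manifests of published packages also carry the legacy object form (`{ type, url }`) and the deprecated `licenses` array. A license report that reads third-party manifests through this type would handle those values as if they were strings and could print or compare something meaningless. Either widen the declaration, for example `license?: string | { type?: string, url?: string }`, or add a comment on the field saying that callers must normalise non-string values before reporting them. Whether the new plugin reads the field through this interface is not visible in this hunk, and the interface body continues outside it.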
@@ -2269,6 +2269,57 @@ importers: write-pkg: 4.0.0 write-yaml-file: 4.2.0 + packages/plugin-commands-licenses: + specifiers: + '@pnpm/audit': workspace:2.2.8 + '@pnpm/cli-utils': workspace:0.6.53 + '@pnpm/config': workspace:13.13.3 + '@pnpm/constants': workspace:5.0.0 + '@pnpm/error': workspace:2.1.0 + '@pnpm/lockfile-file': workspace:* + '@pnpm/lockfile-utils': workspace:* + '@pnpm/lockfile-walker': workspace:* + '@pnpm/plugin-commands-licenses': workspace:5.1.45 + '@pnpm/read-project-manifest': workspace:2.0.13 + '@pnpm/test-fixtures': workspace:* + '@pnpm/types': workspace:7.10.0 + '@types/ramda': 0.27.39 + '@types/zkochan__table': npm:@types/table@6.0.0 + '@zkochan/table': ^1.0.0 + chalk: ^4.1.0 + dependency-path: workspace:* + load-json-file: ^6.2.0 + nock: 12.0.3 + ramda: ^0.27.1 + render-help: ^1.0.1 + strip-ansi: ^6.0.0 + tempy: ^1.0.0 + dependencies: + '@pnpm/audit': link:../audit + '@pnpm/cli-utils': link:../cli-utils + '@pnpm/config': link:../config + '@pnpm/constants': link:../constants + '@pnpm/error': link:../error + '@pnpm/lockfile-file': link:../lockfile-file + '@pnpm/lockfile-utils': link:../lockfile-utils + '@pnpm/lockfile-walker': link:../lockfile-walker + '@pnpm/read-project-manifest': link:../read-project-manifest + '@pnpm/types': link:../types + '@zkochan/table': 1.0.0 + chalk: 4.1.2 + dependency-path: link:../dependency-path + ramda: 0.27.2 + render-help: 1.0.2 + devDependencies: + '@pnpm/plugin-commands-licenses': 'link:' + '@pnpm/test-fixtures': link:../../privatePackages/test-fixtures + '@types/ramda': 0.27.39 + '@types/zkochan__table': /@types/table/6.0.0 + load-json-file: 6.2.0 + nock: 12.0.3 + strip-ansi: 6.0.1 + tempy: 1.0.1 + packages/plugin-commands-listing: specifiers: '@pnpm/cli-utils': workspace:0.6.53 
@@ -2787,6 +2838,7 @@ importers: '@pnpm/plugin-commands-audit': workspace:5.1.45 '@pnpm/plugin-commands-env': workspace:1.4.18 '@pnpm/plugin-commands-installation': workspace:8.4.10 + '@pnpm/plugin-commands-licenses': workspace:* '@pnpm/plugin-commands-listing': workspace:4.1.14 '@pnpm/plugin-commands-outdated': workspace:5.1.13 '@pnpm/plugin-commands-publishing': workspace:4.5.5 @@ -2877,6 +2929,7 @@ importers: '@pnpm/plugin-commands-audit': link:../plugin-commands-audit '@pnpm/plugin-commands-env': link:../plugin-commands-env '@pnpm/plugin-commands-installation': link:../plugin-commands-installation + '@pnpm/plugin-commands-licenses': link:../plugin-commands-licenses '@pnpm/plugin-commands-listing': link:../plugin-commands-listing '@pnpm/plugin-commands-outdated': link:../plugin-commands-outdated '@pnpm/plugin-commands-publishing': link:../plugin-commands-publishing @@ -3564,7 +3617,7 @@ importers: '@typescript-eslint/parser': 5.19.0_vuy5uymv5ap7vexonlrz7jyzcq eslint: 8.13.0 eslint-config-standard-with-typescript: 21.0.1_2aoyl5xr6dbh5xzuz6m6cgueei - eslint-plugin-import: 2.26.0_eslint@8.13.0 + eslint-plugin-import: 2.26.0_dgzv6anmedwsgjqqjbmjombm7i eslint-plugin-node: 11.1.0_eslint@8.13.0 eslint-plugin-promise: 5.2.0_eslint@8.13.0 typescript: 4.6.2 @@ -3649,7 +3702,7 @@ packages: '@babel/helper-compilation-targets': 7.17.7_@babel+core@7.17.9 '@babel/helper-module-transforms': 7.17.7 '@babel/helpers': 7.17.9 - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@babel/template': 7.16.7 '@babel/traverse': 7.17.9 '@babel/types': 7.17.0 
@@ -3828,22 +3881,18 @@ packages: chalk: 2.4.2 js-tokens: 4.0.0 - /@babel/parser/7.13.13_@babel+types@7.13.12: + /@babel/parser/7.13.13: resolution: {integrity: sha512-OhsyMrqygfk5v8HmWwOzlYjJrtLaFhF34MrfG/Z73DgYCI6ojNUTUp2TYbtnjo8PegeJp12eamsNettCQjKjVw==} engines: {node: '>=6.0.0'} hasBin: true - peerDependencies: - '@babel/types': '*' dependencies: - '@babel/types': 7.13.12 + '@babel/types': 7.17.0 dev: true - /@babel/parser/7.17.9_@babel+types@7.17.0: + /@babel/parser/7.17.9: resolution: {integrity: sha512-vqUSBLP8dQHFPdPi9bc5GK9vRkYHJ49fsZdtoJ8EQ8ibpwk5rPKfvNIwChB0KVXcIjcepEBBd2VHC5r9Gy8ueg==} engines: {node: '>=6.0.0'} hasBin: true - peerDependencies: - '@babel/types': '*' dependencies: '@babel/types': 7.17.0 dev: true @@ -4055,7 +4104,7 @@ packages: engines: {node: '>=6.9.0'} dependencies: '@babel/code-frame': 7.16.7 - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@babel/types': 7.17.0 dev: true @@ -4069,7 +4118,7 @@ packages: '@babel/helper-function-name': 7.17.9 '@babel/helper-hoist-variables': 7.16.7 '@babel/helper-split-export-declaration': 7.16.7 - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@babel/types': 7.17.0 debug: 4.3.4 globals: 11.12.0 @@ -4547,7 +4596,7 @@ packages: slash: 3.0.0 dev: true - /@jest/core/27.5.1_thkb7flajne3af5uumql4ipniu: + /@jest/core/27.5.1_ts-node@10.7.0: resolution: {integrity: sha512-AK6/UTrvQD0Cd24NSqmIA6rKsu0tKIxfiCducZvqxYdmMisOYAsdItspT+fQDQYARPf8XgjAFZi0ogW2agH5nQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} peerDependencies: @@ -4557,9 +4606,9 @@ packages: optional: true dependencies: '@jest/console': 27.5.1 - '@jest/reporters': 27.5.1_@babel+types@7.17.0 + '@jest/reporters': 27.5.1 '@jest/test-result': 27.5.1 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 '@types/node': 14.18.13 ansi-escapes: 4.3.2 
@@ -4568,14 +4617,14 @@ packages: exit: 0.1.2 graceful-fs: 4.2.10 jest-changed-files: 27.5.1 - jest-config: 27.5.1_thkb7flajne3af5uumql4ipniu + jest-config: 27.5.1_ts-node@10.7.0 jest-haste-map: 27.5.1 jest-message-util: 27.5.1 jest-regex-util: 27.5.1 jest-resolve: 27.5.1 jest-resolve-dependencies: 27.5.1 - jest-runner: 27.5.1_@babel+types@7.17.0 - jest-runtime: 27.5.1_@babel+types@7.17.0 + jest-runner: 27.5.1 + jest-runtime: 27.5.1 jest-snapshot: 27.5.1 jest-util: 27.5.1 jest-validate: 27.5.1 @@ -4585,7 +4634,6 @@ packages: slash: 3.0.0 strip-ansi: 6.0.1 transitivePeerDependencies: - - '@babel/types' - bufferutil - canvas - supports-color @@ -4624,7 +4672,7 @@ packages: expect: 27.5.1 dev: true - /@jest/reporters/27.5.1_@babel+types@7.17.0: + /@jest/reporters/27.5.1: resolution: {integrity: sha512-cPXh9hWIlVJMQkVk84aIvXuBB4uQQmFqZiacloFuGiP3ah1sbCxCosidXFDfqG8+6fO1oR2dTJTlsOy4VFmUfw==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} peerDependencies: @@ -4636,7 +4684,7 @@ packages: '@bcoe/v8-coverage': 0.2.3 '@jest/console': 27.5.1 '@jest/test-result': 27.5.1 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 '@types/node': 14.18.13 chalk: 4.1.2 @@ -4645,7 +4693,7 @@ packages: glob: 7.2.0 graceful-fs: 4.2.10 istanbul-lib-coverage: 3.2.0 - istanbul-lib-instrument: 5.1.0_@babel+types@7.17.0 + istanbul-lib-instrument: 5.1.0 istanbul-lib-report: 3.0.0 istanbul-lib-source-maps: 4.0.1 istanbul-reports: /@zkochan/istanbul-reports/3.0.2 @@ -4659,7 +4707,6 @@ packages: terminal-link: 2.1.1 v8-to-istanbul: 8.1.1 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true 
@@ -4682,26 +4729,25 @@ packages: collect-v8-coverage: 1.0.1 dev: true - /@jest/test-sequencer/27.5.1_@babel+types@7.17.0: + /@jest/test-sequencer/27.5.1: resolution: {integrity: sha512-LCheJF7WB2+9JuCS7VB/EmGIdQuhtqjRNI9A43idHv3E4KltCTsPsLxvdaubFHSYwY/fNjMWjl6vNRhDiN7vpQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: '@jest/test-result': 27.5.1 graceful-fs: 4.2.10 jest-haste-map: 27.5.1 - jest-runtime: 27.5.1_@babel+types@7.17.0 + jest-runtime: 27.5.1 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true - /@jest/transform/27.5.1_@babel+types@7.17.0: + /@jest/transform/27.5.1: resolution: {integrity: sha512-ipON6WtYgl/1329g5AIJVbUuEh0wZVbdpGwC99Jw4LwuoBNS95MVphU6zOeD9pDkon+LLbFL7lOQRapbB8SCHw==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: '@babel/core': 7.17.9 '@jest/types': 27.5.1 - babel-plugin-istanbul: 6.1.1_@babel+types@7.17.0 + babel-plugin-istanbul: 6.1.1 chalk: 4.1.2 convert-source-map: 1.8.0 fast-json-stable-stringify: 2.1.0 @@ -4715,7 +4761,6 @@ packages: source-map: 0.6.1 write-file-atomic: 3.0.3 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true @@ -5026,6 +5071,7 @@ packages: umask: 1.1.0 which: 2.0.2 transitivePeerDependencies: + - bluebird - supports-color dev: false @@ -5235,7 +5281,7 @@ packages: /@types/babel__core/7.1.19: resolution: {integrity: sha512-WEOTgRsbYkvA/KCsDwVEGkd7WAr1e3g31VHQ8zy5gul/V1qKullU/BU5I68X5v7V3GnB9eotmom4v5a5gjxorw==} dependencies: - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@babel/types': 7.17.0 '@types/babel__generator': 7.6.4 '@types/babel__template': 7.4.1 @@ -5251,7 +5297,7 @@ packages: /@types/babel__template/7.4.1: resolution: {integrity: sha512-azBFKemX6kMg5Io+/rdGT0dkGreboUVR0Cdm3fz9QJWpaQGJRQXl7C+6hOTCZcMll7KFyEQpgbYI2lHdsS4U7g==} dependencies: - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@babel/types': 7.17.0 dev: true 
@@ -6038,7 +6084,7 @@ packages: node-notifier: optional: true dependencies: - '@babel/parser': 7.13.13_@babel+types@7.13.12 + '@babel/parser': 7.13.13 '@babel/types': 7.13.12 chalk: 4.1.2 escodegen: 2.0.0 @@ -6472,23 +6518,22 @@ packages: /aws4/1.11.0: resolution: {integrity: sha512-xh1Rl34h6Fi1DC2WWKfxUTVqRsNnr6LsKz2+hfwDxQJWmrx8+c7ylaqBMcHfl1U1r2dsifOvKX3LQuLNZ+XSvA==} - /babel-jest/27.5.1_cttb3t4gouksutsq235xyffmky: + /babel-jest/27.5.1_@babel+core@7.17.9: resolution: {integrity: sha512-cdQ5dXjGRd0IBRATiQ4mZGlGlRE8kJpjPOixdNRdT+m3UcNqmYWN6rK6nvtXYfY3D76cb8s/O1Ss8ea24PIwcg==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} peerDependencies: '@babel/core': ^7.8.0 dependencies: '@babel/core': 7.17.9 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 '@types/babel__core': 7.1.19 - babel-plugin-istanbul: 6.1.1_@babel+types@7.17.0 + babel-plugin-istanbul: 6.1.1 babel-preset-jest: 27.5.1_@babel+core@7.17.9 chalk: 4.1.2 graceful-fs: 4.2.10 slash: 3.0.0 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true @@ -6498,17 +6543,16 @@ packages: object.assign: 4.1.2 dev: true - /babel-plugin-istanbul/6.1.1_@babel+types@7.17.0: + /babel-plugin-istanbul/6.1.1: resolution: {integrity: sha512-Y1IQok9821cC9onCx5otgFfRm7Lm+I+wwxOx738M/WLPZ9Q42m4IG5W0FNX8WLL2gYMZo3JkuXIH2DOpWM+qwA==} engines: {node: '>=8'} dependencies: '@babel/helper-plugin-utils': 7.16.7 '@istanbuljs/load-nyc-config': 1.1.0 '@istanbuljs/schema': 0.1.3 - istanbul-lib-instrument: 5.1.0_@babel+types@7.17.0 + istanbul-lib-instrument: 5.1.0 test-exclude: 6.0.0 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true @@ -6623,6 +6667,8 @@ packages: qs: 6.9.6 raw-body: 2.4.2 type-is: 1.6.18 + transitivePeerDependencies: + - supports-color /body-parser/1.19.2: resolution: {integrity: sha512-SAAwOxgoCKMGs9uUAUFHygfLAyaniaoun6I8mFY9pRAJL9+Kec34aU+oIjDhTycub1jozEfEwx1W1IuOYxVSFw==} 
@@ -6638,6 +6684,8 @@ packages: qs: 6.9.7 raw-body: 2.4.3 type-is: 1.6.18 + transitivePeerDependencies: + - supports-color /bole/4.0.0: resolution: {integrity: sha512-Bk/2qoyOSlwU1dnDFk/oPM2FCNKAlYlBHfpAgwGX+K9HUtxSvmIAQCmMWMOvE6BlHHRCwsH1MxJe/r1ieodxqQ==} @@ -6815,6 +6863,8 @@ packages: ssri: 8.0.1 tar: 6.1.11 unique-filename: 1.1.1 + transitivePeerDependencies: + - bluebird dev: false /cache-base/1.0.1: @@ -7217,6 +7267,8 @@ packages: on-headers: 1.0.2 safe-buffer: 5.1.2 vary: 1.1.2 + transitivePeerDependencies: + - supports-color /comver-to-semver/1.0.0: resolution: {integrity: sha512-gcGtbRxjwROQOdXLUWH1fQAXqThUVRZ219aAwgtX3KfYw429/Zv6EIJRf5TBSzWdAGwePmqH7w70WTaX4MDqag==} @@ -7551,11 +7603,21 @@ packages: /debug/2.6.9: resolution: {integrity: sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==} + peerDependencies: + supports-color: '*' + peerDependenciesMeta: + supports-color: + optional: true dependencies: ms: 2.0.0 /debug/3.2.7: resolution: {integrity: sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==} + peerDependencies: + supports-color: '*' + peerDependenciesMeta: + supports-color: + optional: true dependencies: ms: 2.1.3 @@ -8280,7 +8342,7 @@ packages: '@typescript-eslint/parser': 4.33.0_vuy5uymv5ap7vexonlrz7jyzcq eslint: 8.13.0 eslint-config-standard: 16.0.3_nfqmbqqokimg3ub2vtfvqzwrge - eslint-plugin-import: 2.26.0_eslint@8.13.0 + eslint-plugin-import: 2.26.0_dgzv6anmedwsgjqqjbmjombm7i eslint-plugin-node: 11.1.0_eslint@8.13.0 eslint-plugin-promise: 5.2.0_eslint@8.13.0 typescript: 4.6.2 @@ -8297,7 +8359,7 @@ packages: eslint-plugin-promise: ^4.2.1 || ^5.0.0 dependencies: eslint: 8.13.0 - eslint-plugin-import: 2.26.0_eslint@8.13.0 + eslint-plugin-import: 2.26.0_dgzv6anmedwsgjqqjbmjombm7i eslint-plugin-node: 11.1.0_eslint@8.13.0 eslint-plugin-promise: 5.2.0_eslint@8.13.0 dev: false 
@@ -8307,13 +8369,33 @@ packages: dependencies: debug: 3.2.7 resolve: 1.22.0 + transitivePeerDependencies: + - supports-color - /eslint-module-utils/2.7.3: + /eslint-module-utils/2.7.3_dqkeudtgo7g2au7qomz6ni6voe: resolution: {integrity: sha512-088JEC7O3lDZM9xGe0RerkOMd0EjFl+Yvd1jPWIkMT5u3H9+HC34mWWPnqPrN13gieT9pBOO+Qt07Nb/6TresQ==} engines: {node: '>=4'} + peerDependencies: + '@typescript-eslint/parser': '*' + eslint-import-resolver-node: '*' + eslint-import-resolver-typescript: '*' + eslint-import-resolver-webpack: '*' + peerDependenciesMeta: + '@typescript-eslint/parser': + optional: true + eslint-import-resolver-node: + optional: true + eslint-import-resolver-typescript: + optional: true + eslint-import-resolver-webpack: + optional: true dependencies: + '@typescript-eslint/parser': 5.19.0_vuy5uymv5ap7vexonlrz7jyzcq debug: 3.2.7 + eslint-import-resolver-node: 0.3.6 find-up: 2.1.0 + transitivePeerDependencies: + - supports-color dev: false /eslint-plugin-es/3.0.1_eslint@8.13.0: @@ -8327,19 +8409,24 @@ packages: regexpp: 3.2.0 dev: false - /eslint-plugin-import/2.26.0_eslint@8.13.0: + /eslint-plugin-import/2.26.0_dgzv6anmedwsgjqqjbmjombm7i: resolution: {integrity: sha512-hYfi3FXaM8WPLf4S1cikh/r4IxnO6zrhZbEGz2b660EJRbuxgpDS5gkCuYgGWg2xxh2rBuIr4Pvhve/7c31koA==} engines: {node: '>=4'} peerDependencies: + '@typescript-eslint/parser': '*' eslint: '*' + peerDependenciesMeta: + '@typescript-eslint/parser': + optional: true dependencies: + '@typescript-eslint/parser': 5.19.0_vuy5uymv5ap7vexonlrz7jyzcq array-includes: 3.1.4 array.prototype.flat: 1.3.0 debug: 2.6.9 doctrine: 2.1.0 eslint: 8.13.0 eslint-import-resolver-node: 0.3.6 - eslint-module-utils: 2.7.3 + eslint-module-utils: 2.7.3_dqkeudtgo7g2au7qomz6ni6voe has: 1.0.3 is-core-module: 2.8.1 is-glob: 4.0.3 
@@ -8347,6 +8434,10 @@ packages: object.values: 1.1.5 resolve: 1.22.0 tsconfig-paths: 3.14.1 + transitivePeerDependencies: + - eslint-import-resolver-typescript + - eslint-import-resolver-webpack + - supports-color dev: false /eslint-plugin-node/11.1.0_eslint@8.13.0: @@ -8616,6 +8707,8 @@ packages: type-is: 1.6.18 utils-merge: 1.0.1 vary: 1.1.2 + transitivePeerDependencies: + - supports-color /express/4.17.3: resolution: {integrity: sha512-yuSQpz5I+Ch7gFrPCk4/c+dIBKlQUxtgwqzph132bsT6qhuzss6I8cLJQz7B3rFblzd6wtcI0ZbGltH/C4LjUg==} @@ -8651,6 +8744,8 @@ packages: type-is: 1.6.18 utils-merge: 1.0.1 vary: 1.1.2 + transitivePeerDependencies: + - supports-color /ext/1.6.0: resolution: {integrity: sha512-sdBImtzkq2HpkdRLtlLWDa6w4DX22ijZLKx8BMPUuKe1c5lbN6xwQDQCxSfxBQnHZ13ls/FH0MQZx/q/gr6FQg==} @@ -8830,6 +8925,8 @@ packages: parseurl: 1.3.3 statuses: 1.5.0 unpipe: 1.0.0 + transitivePeerDependencies: + - supports-color /find-cache-dir/2.1.0: resolution: {integrity: sha512-Tq6PixE0w/VMFfCgbONnkiQIVol/JJL7nRMi20fqzA4NRs9AfeqMGeRdPi3wIhYkxjeBaWh2rxwapn5Tu3IqOQ==} @@ -8855,7 +8952,7 @@ packages: dev: true /find-up/2.1.0: - resolution: {integrity: sha1-RdG35QbHF93UgndaK3eSCjwMV6c=} + resolution: {integrity: sha512-NWzkk0jSJtTt08+FBFMvXoeZnOJD+jTtsRmBYbAIzJdX6l7dLgR7CTubCM5/eDdPUBvLCeVasP1brfVR/9/EZQ==} engines: {node: '>=4'} dependencies: locate-path: 2.0.0 @@ -10133,17 +10230,16 @@ packages: engines: {node: '>=8'} dev: true - /istanbul-lib-instrument/5.1.0_@babel+types@7.17.0: + /istanbul-lib-instrument/5.1.0: resolution: {integrity: sha512-czwUz525rkOFDJxfKK6mYfIs9zBKILyrZQxjz3ABhjQXhbhFsSbo1HW/BFcsDnfJYJWA6thRR5/TUY2qs5W99Q==} engines: {node: '>=8'} dependencies: '@babel/core': 7.17.9 - '@babel/parser': 7.17.9_@babel+types@7.17.0 + '@babel/parser': 7.17.9 '@istanbuljs/schema': 0.1.3 istanbul-lib-coverage: 3.2.0 semver: 6.3.0 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true 
@@ -10176,7 +10272,7 @@ packages: throat: 6.0.1 dev: true - /jest-circus/27.5.1_@babel+types@7.17.0: + /jest-circus/27.5.1: resolution: {integrity: sha512-D95R7x5UtlMA5iBYsOHFFbMD/GVA4R/Kdq15f7xYWUfWHBto9NYRsOvnSauTgdF+ogCpJ4tyKOXhUifxS65gdw==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: @@ -10192,7 +10288,7 @@ packages: jest-each: 27.5.1 jest-matcher-utils: 27.5.1 jest-message-util: 27.5.1 - jest-runtime: 27.5.1_@babel+types@7.17.0 + jest-runtime: 27.5.1 jest-snapshot: 27.5.1 jest-util: 27.5.1 pretty-format: 27.5.1 @@ -10200,11 +10296,10 @@ packages: stack-utils: 2.0.5 throat: 6.0.1 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true - /jest-cli/27.5.1_thkb7flajne3af5uumql4ipniu: + /jest-cli/27.5.1_ts-node@10.7.0: resolution: {integrity: sha512-Hc6HOOwYq4/74/c62dEE3r5elx8wjYqxY0r0G/nFrLDPMFRu6RA/u8qINOIkvhxG7mMQ5EJsOGfRpI8L6eFUVw==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} hasBin: true @@ -10214,20 +10309,19 @@ packages: node-notifier: optional: true dependencies: - '@jest/core': 27.5.1_thkb7flajne3af5uumql4ipniu + '@jest/core': 27.5.1_ts-node@10.7.0 '@jest/test-result': 27.5.1 '@jest/types': 27.5.1 chalk: 4.1.2 exit: 0.1.2 graceful-fs: 4.2.10 import-local: 3.1.0 - jest-config: 27.5.1_thkb7flajne3af5uumql4ipniu + jest-config: 27.5.1_ts-node@10.7.0 jest-util: 27.5.1 jest-validate: 27.5.1 prompts: 2.4.2 yargs: 16.2.0 transitivePeerDependencies: - - '@babel/types' - bufferutil - canvas - supports-color @@ -10235,7 +10329,7 @@ packages: - utf-8-validate dev: true - /jest-config/27.5.1_thkb7flajne3af5uumql4ipniu: + /jest-config/27.5.1_ts-node@10.7.0: resolution: {integrity: sha512-5sAsjm6tGdsVbW9ahcChPAFCk4IlkQUknH5AvKjuLTSlcO/wCZKyFdn7Rg0EkC+OGgWODEy2hDpWB1PgzH0JNA==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} peerDependencies: 
@@ -10245,22 +10339,22 @@ packages: optional: true dependencies: '@babel/core': 7.17.9 - '@jest/test-sequencer': 27.5.1_@babel+types@7.17.0 + '@jest/test-sequencer': 27.5.1 '@jest/types': 27.5.1 - babel-jest: 27.5.1_cttb3t4gouksutsq235xyffmky + babel-jest: 27.5.1_@babel+core@7.17.9 chalk: 4.1.2 ci-info: 3.3.0 deepmerge: 4.2.2 glob: 7.2.0 graceful-fs: 4.2.10 - jest-circus: 27.5.1_@babel+types@7.17.0 + jest-circus: 27.5.1 jest-environment-jsdom: 27.5.1 jest-environment-node: 27.5.1 jest-get-type: 27.5.1 - jest-jasmine2: 27.5.1_@babel+types@7.17.0 + jest-jasmine2: 27.5.1 jest-regex-util: 27.5.1 jest-resolve: 27.5.1 - jest-runner: 27.5.1_@babel+types@7.17.0 + jest-runner: 27.5.1 jest-util: 27.5.1 jest-validate: 27.5.1 micromatch: 4.0.5 @@ -10270,7 +10364,6 @@ packages: strip-json-comments: 3.1.1 ts-node: 10.7.0_4ieffbwf3zkcfagprw2gacb7je transitivePeerDependencies: - - '@babel/types' - bufferutil - canvas - supports-color @@ -10360,7 +10453,7 @@ packages: fsevents: 2.3.2 dev: true - /jest-jasmine2/27.5.1_@babel+types@7.17.0: + /jest-jasmine2/27.5.1: resolution: {integrity: sha512-jtq7VVyG8SqAorDpApwiJJImd0V2wv1xzdheGHRGyuT7gZm6gG47QEskOlzsN1PG/6WNaCo5pmwMHDf3AkG2pQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: @@ -10376,13 +10469,12 @@ packages: jest-each: 27.5.1 jest-matcher-utils: 27.5.1 jest-message-util: 27.5.1 - jest-runtime: 27.5.1_@babel+types@7.17.0 + jest-runtime: 27.5.1 jest-snapshot: 27.5.1 jest-util: 27.5.1 pretty-format: 27.5.1 throat: 6.0.1 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true 
@@ -10471,14 +10563,14 @@ packages: slash: 3.0.0 dev: true - /jest-runner/27.5.1_@babel+types@7.17.0: + /jest-runner/27.5.1: resolution: {integrity: sha512-g4NPsM4mFCOwFKXO4p/H/kWGdJp9V8kURY2lX8Me2drgXqG7rrZAx5kv+5H7wtt/cdFIjhqYx1HrlqWHaOvDaQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: '@jest/console': 27.5.1 '@jest/environment': 27.5.1 '@jest/test-result': 27.5.1 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 '@types/node': 14.18.13 chalk: 4.1.2 @@ -10491,20 +10583,19 @@ packages: jest-leak-detector: 27.5.1 jest-message-util: 27.5.1 jest-resolve: 27.5.1 - jest-runtime: 27.5.1_@babel+types@7.17.0 + jest-runtime: 27.5.1 jest-util: 27.5.1 jest-worker: 27.5.1 source-map-support: 0.5.21 throat: 6.0.1 transitivePeerDependencies: - - '@babel/types' - bufferutil - canvas - supports-color - utf-8-validate dev: true - /jest-runtime/27.5.1_@babel+types@7.17.0: + /jest-runtime/27.5.1: resolution: {integrity: sha512-o7gxw3Gf+H2IGt8fv0RiyE1+r83FJBRruoA+FXrlHw6xEyBsU8ugA6IPfTdVyA0w8HClpbK+DGJxH59UrNMx8A==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} dependencies: @@ -10513,7 +10604,7 @@ packages: '@jest/globals': 27.5.1 '@jest/source-map': 27.5.1 '@jest/test-result': 27.5.1 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 chalk: 4.1.2 cjs-module-lexer: 1.2.2 @@ -10531,7 +10622,6 @@ packages: slash: 3.0.0 strip-bom: 4.0.0 transitivePeerDependencies: - - '@babel/types' - supports-color dev: true @@ -10552,7 +10642,7 @@ packages: '@babel/plugin-syntax-typescript': 7.16.7_@babel+core@7.17.9 '@babel/traverse': 7.17.9 '@babel/types': 7.17.0 - '@jest/transform': 27.5.1_@babel+types@7.17.0 + '@jest/transform': 27.5.1 '@jest/types': 27.5.1 '@types/babel__traverse': 7.17.0 '@types/prettier': 2.6.0 
@@ -10619,7 +10709,7 @@ packages: supports-color: 8.1.1 dev: true - /jest/27.5.1_thkb7flajne3af5uumql4ipniu: + /jest/27.5.1_ts-node@10.7.0: resolution: {integrity: sha512-Yn0mADZB89zTtjkPJEXwrac3LHudkQMR+Paqa8uxJHCBr9agxztUifWCyiYrjhMPBoUVBjyny0I7XH6ozDr7QQ==} engines: {node: ^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0} hasBin: true @@ -10629,11 +10719,10 @@ packages: node-notifier: optional: true dependencies: - '@jest/core': 27.5.1_thkb7flajne3af5uumql4ipniu + '@jest/core': 27.5.1_ts-node@10.7.0 import-local: 3.1.0 - jest-cli: 27.5.1_thkb7flajne3af5uumql4ipniu + jest-cli: 27.5.1_ts-node@10.7.0 transitivePeerDependencies: - - '@babel/types' - bufferutil - canvas - supports-color @@ -10978,7 +11067,7 @@ packages: strip-bom: 3.0.0 /locate-path/2.0.0: - resolution: {integrity: sha1-K1aLJl7slExtnA3pw9u7ygNUzY4=} + resolution: {integrity: sha512-NCI2kiDkyR7VeEKm27Kda/iQHyKJe1Bu0FlTbYp3CqJu+9IFe9bLyAjMxf5ZDDbEg+iMPzB5zYyUTSm8wVTKmA==} engines: {node: '>=4'} dependencies: p-locate: 2.0.0 @@ -11197,6 +11286,7 @@ packages: socks-proxy-agent: 6.1.1 ssri: 8.0.1 transitivePeerDependencies: + - bluebird - supports-color dev: false @@ -11779,6 +11869,7 @@ packages: tar: 6.1.11 which: 2.0.2 transitivePeerDependencies: + - bluebird - supports-color dev: false @@ -12153,7 +12244,7 @@ packages: yocto-queue: 0.1.0 /p-locate/2.0.0: - resolution: {integrity: sha1-IKAQOyIqcMj9OcwuWAaA893l7EM=} + resolution: {integrity: sha512-nQja7m7gSKuewoVRen45CtVfODR3crN3goVQ0DDZ9N3yHxgpkuBhZqsaiotSQRrADUrne346peY7kT3TSACykg==} engines: {node: '>=4'} dependencies: p-limit: 1.3.0 @@ -12239,7 +12330,7 @@ packages: p-finally: 1.0.0 /p-try/1.0.0: - resolution: {integrity: sha1-y8ec26+P1CKOE/Yh8rGiN8GyB7M=} + resolution: {integrity: sha512-U1etNYuMJoIz3ZXSrrySFjsXQTWOx2/jdi86L+2pRvph/qMKL6sbcCYdH23fqsbm8TH2Gn0OybpT4eSFlCVHww==} engines: {node: '>=4'} dev: false 
@@ -12324,7 +12415,7 @@ packages: engines: {node: '>=4'} /path-exists/3.0.0: - resolution: {integrity: sha1-zg6+ql94yxiSXqfYENe1mwEP1RU=} + resolution: {integrity: sha512-bpC7GYwiDYQ4wYLe+FA8lhRjhQCMcQGuSgGGqDkg/QerRWw9CmGRT0iSOVRSZJ29NMLZgIzqaljJ63oaL4NIJQ==} engines: {node: '>=4'} /path-exists/4.0.0: @@ -12619,6 +12710,11 @@ packages: /promise-inflight/1.0.1: resolution: {integrity: sha1-mEcocL8igTL8vdhoEputEsPAKeM=} + peerDependencies: + bluebird: '*' + peerDependenciesMeta: + bluebird: + optional: true dev: false /promise-retry/2.0.1: @@ -13376,6 +13472,8 @@ packages: on-finished: 2.3.0 range-parser: 1.2.1 statuses: 1.5.0 + transitivePeerDependencies: + - supports-color /serve-static/1.14.2: resolution: {integrity: sha512-+TMNA9AFxUEGuC0z2mevogSnn9MXKb4fa7ngeRMJaaGv8vTwnIEkKi+QGvPt33HSnf8pRS+WGM0EbMtCJLKMBQ==} @@ -13385,6 +13483,8 @@ packages: escape-html: 1.0.3 parseurl: 1.3.3 send: 0.17.2 + transitivePeerDependencies: + - supports-color /set-blocking/2.0.0: resolution: {integrity: sha1-BF+XgtARrppoA93TgrJDkrPYkPc=} @@ -14314,7 +14414,7 @@ packages: '@types/jest': 27.4.1 bs-logger: 0.2.6 fast-json-stable-stringify: 2.1.0 - jest: 27.5.1_thkb7flajne3af5uumql4ipniu + jest: 27.5.1_ts-node@10.7.0 jest-util: 27.5.1 json5: 2.2.1 lodash.memoize: 4.1.2 From 8020655f00342feb7dc93f915d3cb9ed1c6ddd08 Mon Sep 17 00:00:00 2001 From: Weyert de Boer Date: Sat, 4 Jun 2022 00:09:44 +0100 Subject: [PATCH 2/2] chore: update port number --- packages/plugin-commands-licenses/package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/plugin-commands-licenses/package.json b/packages/plugin-commands-licenses/package.json index e7916fd1c38..94aa6ac6424 100644 --- a/packages/plugin-commands-licenses/package.json +++ b/packages/plugin-commands-licenses/package.json 
@@ -13,7 +13,7 @@
 },
 "scripts": {
 "lint": "eslint src/**/*.ts test/**/*.ts",
- "_test": "cross-env PNPM_REGISTRY_MOCK_PORT=7774 pnpm run test:e2e",
+ "_test": "cross-env PNPM_REGISTRY_MOCK_PORT=7775 pnpm run test:e2e",
 "test": "pnpm run compile && pnpm run _test",
 "prepublishOnly": "pnpm run compile",
 "compile": "tsc --build && pnpm run lint --fix",