
Conversation

@joshjohanning
Collaborator

@joshjohanning joshjohanning commented Dec 9, 2021

Adding tar 2.2.2

@joshjohanning joshjohanning changed the title from "Update package.json" to "Update package.json with vulnerable package" Dec 13, 2021
* adding dependency review action

https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#dependency-review-enforcement

* adding vulnerable tar package

* updating the action version and adding fail-on-severity

* Revert "adding vulnerable tar package"

This reverts commit a3f6163.
@joshjohanning joshjohanning added the demo Good PR's for demos label Jul 29, 2022
@github-actions

github-actions bot commented Aug 3, 2023

Dependency Review

The following issues were found:
  • ❌ 1 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
See the Details below.

Vulnerabilities

frontend/package.json

| Name | Version | Vulnerability | Severity |
|------|---------|---------------|----------|
| tar | 2.2.2 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning | high |
| tar | 2.2.2 | Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization | high |
| tar | 2.2.2 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | high |
| tar | 2.2.2 | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links | high |
| tar | 2.2.2 | Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization | high |

Scanned Manifest Files

.github/workflows/dependency-review.yml
  • actions/dependency-review-action@3
  • actions/dependency-review-action@2
frontend/package.json
  • tar@2.2.2
