This PR contains the following updates:
GitHub Vulnerability Alerts
Impact
Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.
When a user of Express performs a redirect using a user-provided URL, Express encodes the contents with encodeurl before passing them to the Location header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an open redirect via bypass of a properly implemented allow list.
The main method impacted is res.location() but this is also called from within res.redirect().
Patches
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94
An initial fix went out with [email protected]; we then patched a feature regression in 4.19.1 and added improved handling for the bypass in 4.19.2.
Workarounds
The fix for this involves pre-parsing the URL string with either require('node:url').parse or new URL. These are steps you can take on your own before passing the user input string to res.location or res.redirect.
References
https://github.com/expressjs/express/pull/5539
https://github.com/koajs/koa/issues/1800
https://expressjs.com/en/4x/api.html#res.location
Impact
In express <4.20.0, passing untrusted user input, even after sanitizing it, to response.redirect() may execute untrusted code.
Patches
This issue is patched in express 4.20.0.
Workarounds
Users are encouraged to upgrade to the patched version of express, but can otherwise work around this issue by making sure any untrusted inputs are safe, ideally by validating them against an explicit allowlist.
Details
Successful exploitation of this vector requires the following:
- The attacker MUST control the input to response.redirect()
- express MUST NOT redirect before the template appears
- the browser MUST NOT complete redirection before:
  - the user MUST click on the link in the template
Release Notes
expressjs/express (express)
- deps: [email protected]
  - Remove link renderization in html while redirecting
- deps: [email protected]
  - Remove link renderization in html while redirecting
- deps: [email protected]
  - add depth option to customize the depth level in the parser
  - IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
- Remove link renderization in html while using res.redirect
- deps: [email protected]
  - Adds support for named matching groups in the routes using a regex
  - Adds backtracking protection to parameters without regexes defined
- deps: encodeurl@~2.0.0
  - Removes encoding of \, |, and ^ to align better with URL spec
- Deprecate passing options.maxAge and options.expires to res.clearCookie
  - Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

- Improved fix for open redirect allow list bypass

- Allow passing non-strings to res.location with new encoding handling checks
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Renovate Bot.
Thanks for your contribution @renovate[bot] !
When your pull-request is ready to be merged, check the box below to merge it
Pull Request Report
PR Title
:white_check_mark: Title follows the conventional commit spec.
Dependency Review
The following issues were found:
- ❌ 1 vulnerable package(s)
- ✅ 0 package(s) with incompatible licenses
- ✅ 0 package(s) with invalid SPDX license definitions
- ✅ 0 package(s) with unknown licenses.
See the Details below.
Vulnerabilities
package-lock.json
Only included vulnerabilities with severity high or higher.
OpenSSF Scorecard
Scorecard details
| Package | Version | Score | Details |
| npm/path-to-regexp | 0.1.10 |
:green_circle: 5.2 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | CI-Tests | :green_circle: 10 | 3 out of 3 merged PRs checked by a CI test -- score normalized to 10 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :warning: 1 | found 27 unreviewed changesets out of 30 -- score normalized to 1 | | Contributors | :green_circle: 10 | 27 different organizations found -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :warning: 0 | no update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :green_circle: 4 | 2 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 4 | | Packaging | :warning: -1 | no published package detected | | Pinned-Dependencies | :green_circle: 6 | dependency not pinned by hash detected -- score normalized to 6 | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | Vulnerabilities | :green_circle: 5 | 5 existing vulnerabilities detected |
|
| npm/cookie | 0.6.0 |
:green_circle: 5.7 | Details| Check | Score | Reason |
|---|
| Code-Review | :green_circle: 3 | Found 10/30 approved changesets -- score normalized to 3 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Maintained | :green_circle: 3 | 1 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 3 | | Pinned-Dependencies | :green_circle: 4 | dependency not pinned by hash detected -- score normalized to 4 | | Packaging | :warning: -1 | packaging workflow not detected | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Token-Permissions | :green_circle: 9 | detected GitHub workflow tokens with excessive permissions | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 | | Vulnerabilities | :green_circle: 4 | 6 existing vulnerabilities detected |
|
| npm/body-parser | 1.20.3 |
:green_circle: 7.1 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :green_circle: 3 | branch protection is not maximal on development and all release branches | | CI-Tests | :green_circle: 10 | 25 out of 25 merged PRs checked by a CI test -- score normalized to 10 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :green_circle: 8 | found 6 unreviewed changesets out of 30 -- score normalized to 8 | | Contributors | :green_circle: 10 | 33 different organizations found -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :warning: 0 | no update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :green_circle: 10 | 19 commit(s) out of 30 and 5 issue activity out of 30 found in the last 90 days -- score normalized to 10 | | Packaging | :warning: -1 | no published package detected | | Pinned-Dependencies | :green_circle: 3 | dependency not pinned by hash detected -- score normalized to 3 | | SAST | :green_circle: 7 | SAST tool detected but not run on all commits | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | Vulnerabilities | :green_circle: 10 | no vulnerabilities detected |
|
| npm/call-bind-apply-helpers | 1.0.2 |
Unknown | Unknown |
| npm/call-bound | 1.0.4 |
Unknown | Unknown |
| npm/dunder-proto | 1.0.1 |
Unknown | Unknown |
| npm/encodeurl | 2.0.0 |
:green_circle: 4.6 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | CI-Tests | :warning: 0 | 0 out of 3 merged PRs checked by a CI test -- score normalized to 0 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :warning: 0 | found 28 unreviewed changesets out of 30 -- score normalized to 0 | | Contributors | :green_circle: 10 | 6 different organizations found -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :warning: 0 | no update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :warning: 0 | 0 commit(s) out of 30 and 0 issue activity out of 1 found in the last 90 days -- score normalized to 0 | | Packaging | :warning: -1 | no published package detected | | Pinned-Dependencies | :green_circle: 10 | all dependencies are pinned | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 | | Security-Policy | :warning: 0 | security policy file not detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | Vulnerabilities | :green_circle: 10 | no vulnerabilities detected |
|
| npm/es-define-property | 1.0.1 |
Unknown | Unknown |
| npm/es-errors | 1.3.0 |
Unknown | Unknown |
| npm/es-object-atoms | 1.1.1 |
Unknown | Unknown |
| npm/express | 4.20.0 |
:green_circle: 8.5 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | CI-Tests | :green_circle: 10 | 29 out of 29 merged PRs checked by a CI test -- score normalized to 10 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :green_circle: 9 | Found 29/30 approved changesets -- score normalized to 9 | | Contributors | :green_circle: 10 | project has 119 contributing companies or organizations | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :green_circle: 10 | update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :green_circle: 10 | 30 commit(s) and 13 issue activity found in the last 90 days -- score normalized to 10 | | Packaging | :warning: -1 | packaging workflow not detected | | Pinned-Dependencies | :warning: 2 | dependency not pinned by hash detected -- score normalized to 2 | | SAST | :green_circle: 9 | SAST tool detected but not run on all commits | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected |
|
| npm/function-bind | 1.1.2 |
:green_circle: 5 | Details| Check | Score | Reason |
|---|
| Packaging | :warning: -1 | packaging workflow not detected | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Security-Policy | :green_circle: 9 | security policy file detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Code-Review | :warning: 1 | Found 3/29 approved changesets -- score normalized to 1 | | Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | License | :green_circle: 10 | license file detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 |
|
| npm/get-intrinsic | 1.3.0 |
:green_circle: 5.1 | Details| Check | Score | Reason |
|---|
| Maintained | :green_circle: 7 | 8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7 | | Packaging | :warning: -1 | packaging workflow not detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | SAST | :warning: 0 | no SAST tool detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected |
|
| npm/get-proto | 1.0.1 |
Unknown | Unknown |
| npm/gopd | 1.2.0 |
:green_circle: 4.4 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Packaging | :warning: -1 | packaging workflow not detected | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Maintained | :warning: 0 | 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Code-Review | :warning: 0 | Found 0/23 approved changesets -- score normalized to 0 | | SAST | :warning: 0 | no SAST tool detected | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected |
|
| npm/has-symbols | 1.1.0 |
:green_circle: 4.4 | Details| Check | Score | Reason |
|---|
| Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Packaging | :warning: -1 | packaging workflow not detected | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | SAST | :warning: 0 | no SAST tool detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions |
|
| npm/hasown | 2.0.2 |
Unknown | Unknown |
| npm/math-intrinsics | 1.1.0 |
Unknown | Unknown |
| npm/merge-descriptors | 1.0.3 |
:green_circle: 4.1 | Details| Check | Score | Reason |
|---|
| Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Security-Policy | :green_circle: 10 | security policy file detected | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 | | Packaging | :warning: -1 | packaging workflow not detected | | Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 | | SAST | :warning: 0 | no SAST tool detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches |
|
| npm/object-inspect | 1.13.4 |
:green_circle: 4.8 | Details| Check | Score | Reason |
|---|
| Code-Review | :warning: 0 | Found 1/30 approved changesets -- score normalized to 0 | | Packaging | :warning: -1 | packaging workflow not detected | | Maintained | :green_circle: 4 | 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 |
|
| npm/qs | 6.13.0 |
:green_circle: 5.7 | Details| Check | Score | Reason |
|---|
| Code-Review | :warning: 1 | Found 3/30 approved changesets -- score normalized to 1 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Packaging | :warning: -1 | packaging workflow not detected | | Maintained | :green_circle: 10 | 10 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | CII-Best-Practices | :green_circle: 5 | badge detected: Passing | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 |
|
| npm/send | 0.19.0 |
:green_circle: 4.9 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | CI-Tests | :green_circle: 7 | 11 out of 14 merged PRs checked by a CI test -- score normalized to 7 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :green_circle: 6 | found 6 unreviewed changesets out of 17 -- score normalized to 6 | | Contributors | :green_circle: 10 | 29 different organizations found -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :warning: 0 | no update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :green_circle: 3 | 3 commit(s) out of 30 and 1 issue activity out of 30 found in the last 90 days -- score normalized to 3 | | Packaging | :warning: -1 | no published package detected | | Pinned-Dependencies | :green_circle: 3 | dependency not pinned by hash detected -- score normalized to 3 | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Vulnerabilities | :green_circle: 10 | no vulnerabilities detected |
|
| npm/serve-static | 1.16.0 |
:green_circle: 5.4 | Details| Check | Score | Reason |
|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | CI-Tests | :green_circle: 8 | 11 out of 13 merged PRs checked by a CI test -- score normalized to 8 | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Code-Review | :green_circle: 4 | found 10 unreviewed changesets out of 19 -- score normalized to 4 | | Contributors | :green_circle: 10 | 16 different organizations found -- score normalized to 10 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Dependency-Update-Tool | :warning: 0 | no update tool detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Maintained | :green_circle: 6 | 5 commit(s) out of 30 and 3 issue activity out of 30 found in the last 90 days -- score normalized to 6 | | Packaging | :warning: -1 | no published package detected | | Pinned-Dependencies | :green_circle: 4 | dependency not pinned by hash detected -- score normalized to 4 | | SAST | :green_circle: 7 | SAST tool detected but not run on all commits | | Security-Policy | :green_circle: 10 | security policy file detected | | Signed-Releases | :warning: -1 | no releases found | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Vulnerabilities | :green_circle: 10 | no vulnerabilities detected |
|
| npm/side-channel | 1.1.0 |
:green_circle: 4.4 | Details| Check | Score | Reason |
|---|
| Packaging | :warning: -1 | packaging workflow not detected | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | SAST | :warning: 0 | no SAST tool detected | | Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Fuzzing | :warning: 0 | project is not fuzzed | | License | :green_circle: 10 | license file detected | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected |
|
| npm/side-channel-list | 1.0.0 |
Unknown | Unknown |
| npm/side-channel-map | 1.0.1 |
Unknown | Unknown |
| npm/side-channel-weakmap | 1.0.2 |
Unknown | Unknown |
| npm/@coveo/platform-client | 57.6.0 |
:green_circle: 7 | Details| Check | Score | Reason |
|---|
| Maintained | :green_circle: 10 | 26 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 | | Code-Review | :green_circle: 10 | all changesets reviewed | | Packaging | :warning: -1 | packaging workflow not detected | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Pinned-Dependencies | :green_circle: 8 | dependency not pinned by hash detected -- score normalized to 8 | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Signed-Releases | :warning: -1 | no releases found | | Security-Policy | :warning: 0 | security policy file not detected | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Vulnerabilities | :green_circle: 9 | 1 existing vulnerabilities detected | | SAST | :green_circle: 10 | SAST tool is run on all commits |
|
| npm/core-js | 3.41.0 |
:green_circle: 5.3 | Details| Check | Score | Reason |
|---|
| Code-Review | :warning: 0 | Found 1/29 approved changesets -- score normalized to 0 | | Maintained | :green_circle: 10 | 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 | | Token-Permissions | :green_circle: 10 | GitHub workflow tokens follow principle of least privilege | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Security-Policy | :green_circle: 10 | security policy file detected | | Packaging | :warning: -1 | packaging workflow not detected | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | License | :green_circle: 10 | license file detected | | Pinned-Dependencies | :green_circle: 5 | dependency not pinned by hash detected -- score normalized to 5 | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | Branch-Protection | :warning: 0 | branch protection not enabled on development/release branches | | Signed-Releases | :warning: -1 | no releases found | | Fuzzing | :warning: 0 | project is not fuzzed | | SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 | | Vulnerabilities | :warning: 0 | 19 existing vulnerabilities detected |
|
| npm/get-intrinsic | 1.2.0 |
:green_circle: 5.1 | Details| Check | Score | Reason |
|---|
| Maintained | :green_circle: 7 | 8 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 7 | | Packaging | :warning: -1 | packaging workflow not detected | | Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 | | Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 | | Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected | | Binary-Artifacts | :green_circle: 10 | no binaries found in the repo | | SAST | :warning: 0 | no SAST tool detected | | Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions | | CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected | | License | :green_circle: 10 | license file detected | | Fuzzing | :warning: 0 | project is not fuzzed | | Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected | | Signed-Releases | :warning: -1 | no releases found | | Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration | | Security-Policy | :green_circle: 9 | security policy file detected |
|
**npm/gopd 1.0.1** (Scorecard :green_circle: 4.4)

| Check | Score | Reason |
|---|---|---|
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo |
| Packaging | :warning: -1 | packaging workflow not detected |
| Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected |
| Maintained | :warning: 0 | 0 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 0 |
| Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Code-Review | :warning: 0 | Found 0/23 approved changesets -- score normalized to 0 |
| SAST | :warning: 0 | no SAST tool detected |
| CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected |
| Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions |
| Fuzzing | :warning: 0 | project is not fuzzed |
| License | :green_circle: 10 | license file detected |
| Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected |
| Signed-Releases | :warning: -1 | no releases found |
| Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Security-Policy | :green_circle: 9 | security policy file detected |

**npm/has-symbols 1.0.3** (Scorecard :green_circle: 4.4)

| Check | Score | Reason |
|---|---|---|
| Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo |
| Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 |
| CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected |
| Packaging | :warning: -1 | packaging workflow not detected |
| License | :green_circle: 10 | license file detected |
| Fuzzing | :warning: 0 | project is not fuzzed |
| Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected |
| Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected |
| SAST | :warning: 0 | no SAST tool detected |
| Signed-Releases | :warning: -1 | no releases found |
| Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Security-Policy | :green_circle: 9 | security policy file detected |
| Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions |

**npm/object-inspect 1.12.3** (Scorecard :green_circle: 4.8)

| Check | Score | Reason |
|---|---|---|
| Code-Review | :warning: 0 | Found 1/30 approved changesets -- score normalized to 0 |
| Packaging | :warning: -1 | packaging workflow not detected |
| Maintained | :green_circle: 4 | 4 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 4 |
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo |
| Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected |
| CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected |
| Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions |
| Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected |
| License | :green_circle: 10 | license file detected |
| Fuzzing | :warning: 0 | project is not fuzzed |
| Signed-Releases | :warning: -1 | no releases found |
| Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Security-Policy | :green_circle: 9 | security policy file detected |
| SAST | :warning: 0 | SAST tool is not run on all commits -- score normalized to 0 |

**npm/side-channel 1.0.4** (Scorecard :green_circle: 4.4)

| Check | Score | Reason |
|---|---|---|
| Packaging | :warning: -1 | packaging workflow not detected |
| Dangerous-Workflow | :green_circle: 10 | no dangerous workflow patterns detected |
| Pinned-Dependencies | :warning: 0 | dependency not pinned by hash detected -- score normalized to 0 |
| Code-Review | :warning: 0 | Found 0/30 approved changesets -- score normalized to 0 |
| Binary-Artifacts | :green_circle: 10 | no binaries found in the repo |
| SAST | :warning: 0 | no SAST tool detected |
| Maintained | :warning: 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Token-Permissions | :warning: 0 | detected GitHub workflow tokens with excessive permissions |
| CII-Best-Practices | :warning: 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | :warning: 0 | project is not fuzzed |
| License | :green_circle: 10 | license file detected |
| Vulnerabilities | :green_circle: 10 | 0 existing vulnerabilities detected |
| Signed-Releases | :warning: -1 | no releases found |
| Branch-Protection | :warning: -1 | internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration |
| Security-Policy | :green_circle: 9 | security policy file detected |

Scanned Manifest Files
package-lock.json