| Warn |
 |
Critical CVE: Prototype Pollution in npm deep-extend
CVE: GHSA-hr2v-3952-633q Prototype Pollution in deep-extend (CRITICAL)
Affected versions: < 0.5.1
Patched version: 0.5.1
From: ? → npm/react-scripts@0.9.5 → npm/deep-extend@0.4.1
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/deep-extend@0.4.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Exposure of Sensitive Information in npm eventsource
CVE: GHSA-6h5x-7c5m-7cr7 Exposure of Sensitive Information in eventsource (CRITICAL)
Affected versions: < 1.1.1; >= 2.0.0 < 2.0.2
Patched version: 1.1.1
From: ? → npm/react-scripts@0.9.5 → npm/eventsource@0.1.6
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/eventsource@0.1.6. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Code injection in npm fsevents
CVE: GHSA-8r6j-v8pm-fqw3 Code injection in fsevents (CRITICAL)
Affected versions: < 1.2.11
Patched version: 1.2.11
From: ? → npm/react-scripts@0.9.5 → npm/fsevents@1.0.17
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/fsevents@1.0.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Prototype Pollution in npm handlebars
CVE: GHSA-765h-qjxv-5f44 Prototype Pollution in handlebars (CRITICAL)
Affected versions: < 4.7.7
Patched version: 4.7.7
From: ? → npm/react-scripts@0.9.5 → npm/handlebars@4.5.3
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/handlebars@4.5.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Remote code execution in npm handlebars when compiling templates
CVE: GHSA-f2jv-r9rf-7988 Remote code execution in handlebars when compiling templates (CRITICAL)
Affected versions: < 4.7.7
Patched version: 4.7.7
From: ? → npm/react-scripts@0.9.5 → npm/handlebars@4.5.3
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/handlebars@4.5.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: npm json-schema is vulnerable to Prototype Pollution
CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL)
Affected versions: < 0.4.0
Patched version: 0.4.0
From: ? → npm/react-scripts@0.9.5 → npm/json-schema@0.2.3
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/json-schema@0.2.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Prototype pollution in webpack npm loader-utils
CVE: GHSA-76p3-8jx3-jpfq Prototype pollution in webpack loader-utils (CRITICAL)
Affected versions: >= 2.0.0 < 2.0.3; < 1.4.1
Patched version: 1.4.1
From: ? → npm/react-scripts@0.9.5 → npm/loader-utils@0.2.16
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/loader-utils@0.2.16. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Prototype Pollution in npm lodash
CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL)
Affected versions: < 4.17.12
Patched version: 4.17.12
From: ? → npm/dagre@0.7.4 → npm/lodash@3.10.1
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/lodash@3.10.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Prototype Pollution in npm lodash
CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL)
Affected versions: < 4.17.12
Patched version: 4.17.12
From: ? → npm/react-scripts@0.9.5 → npm/lodash@4.17.4
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/lodash@4.17.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Command Injection in npm macaddress
CVE: GHSA-pp57-mqmh-44h7 Command Injection in macaddress (CRITICAL)
Affected versions: < 0.2.9
Patched version: 0.2.9
From: ? → npm/react-scripts@0.9.5 → npm/macaddress@0.2.8
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/macaddress@0.2.8. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Command Injection in npm open
CVE: GHSA-28xh-wpgr-7fm8 Command Injection in open (CRITICAL)
Affected versions: < 6.0.0
Patched version: 6.0.0
From: ? → npm/react-scripts@0.9.5 → npm/open@0.0.5
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/open@0.0.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: npm sha.js is missing type checks leading to hash rewind and passing on crafted data
CVE: GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data (CRITICAL)
Affected versions: < 2.4.12
Patched version: 2.4.12
From: ? → npm/react-scripts@0.9.5 → npm/sha.js@2.2.6
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/sha.js@2.2.6. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Authorization Bypass Through User-Controlled Key in npm url-parse
CVE: GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse (CRITICAL)
Affected versions: < 1.5.8
Patched version: 1.5.8
From: ? → npm/react-scripts@0.9.5 → npm/url-parse@1.0.5
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/url-parse@1.0.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Open Redirect in npm url-parse
CVE: GHSA-pv4c-p2j5-38j4 Open Redirect in url-parse (CRITICAL)
Affected versions: >= 1.0.0 < 1.4.3
Patched version: 1.4.3
From: ? → npm/react-scripts@0.9.5 → npm/url-parse@1.0.5
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/url-parse@1.0.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Open Redirect in npm url-parse
CVE: GHSA-pv4c-p2j5-38j4 Open Redirect in url-parse (CRITICAL)
Affected versions: >= 1.0.0 < 1.4.3
Patched version: 1.4.3
From: ? → npm/react-scripts@0.9.5 → npm/url-parse@1.1.7
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/url-parse@1.1.7. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Critical CVE: Authorization Bypass Through User-Controlled Key in npm url-parse
CVE: GHSA-hgjh-723h-mx2j Authorization Bypass Through User-Controlled Key in url-parse (CRITICAL)
Affected versions: < 1.5.8
Patched version: 1.5.8
From: ? → npm/react-scripts@0.9.5 → npm/url-parse@1.1.7
ℹ Read more on: This package | This alert | What is a critical CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/url-parse@1.1.7. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Warn |
 |
Obfuscated code: npm buffer is 96.0% likely obfuscated
Confidence: 0.96
Location: Package overview
From: ? → npm/react-scripts@0.9.5 → npm/buffer@4.9.1
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/buffer@4.9.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|