7.0.1 (NES)
Dependency updates to address potential security concerns and continued compatibility. Some of the dependencies that were updated are: chalk, glob, yargs, webdriver-manager, mocha, marked, lodash, jshint, and express. Below is a list of CVEs and vulnerabilities that were resolved by the updates:
- adm-zip - Directory Traversal attack
- ajv - Prototype Pollution
- body-parser - Denial of service when url encoding is enabled
- braces - Uncontrolled resource consumption
- chalk/ansi-regex - Inefficient Regular Expression Complexity
- cookie - Accepts cookie name, path, and domain with out of bounds characters
- copy-props - Prototype Pollution
- decode-uri-component - Denial of Service
- express - XSS via response.redirect()
- express - Redirect in malformed URLs
- flat - Prototype Pollution
- glob-parent - Regular Expression Denial of Service
- hosted-git-info - Regular Expression Denial of Service
- ini - Prototype Pollution
- json-schema - Prototype Pollution
- json-schema - Path Traversal via loadAsync
- jszip - Prototype Pollution
- lodash - Regular Expression Denial of Service
- lodash - Prototype Pollution
- marked - Inefficient Regular Expression Complexity
- marked - Inefficient Regular Expression Complexity
- micromatch - Regular Expression Denial of Service
- minimatch - Regular Expression Denial of Service
- minimist - Prototype Pollution
- path-parse - Regular Expression Denial of Service
- path-to-regexp - Backtracking regular expressions
- qs - Prototype Pollution
- semver - Regular Expression Denial of Service
- send - Template injection
- serve-static - Template injection
- shelljs - Improper Privilege Management
- shelljs - Improper Privilege Management
- y18n - Prototype Pollution
- yargs-parser - Prototype Pollution
7.0.0 (NES)
First release under HeroDevs Never Ending Support (NES)