5app/base5-ui 2

5app's reusable UI component library

5app/json-assert 1

check json object matches template

5app/require-private 1

require local modules without relative paths (for node.js)

5app/.github 0

Shared Workflows

5app/base5-icons 0

5app's React SVG icons

5app/dare 0

Database and REST

5app/digital-hub-api 0

A NodeJS API for interoperating with a Digital Hub

5app/eslint-config-5app 0

🔧 5app Javascript Style Guide

delete branch 5app/digital-hub-api

delete branch : snyk-fix-d0bcb376b78e59c57ae72c3d9549a854

delete time in a day

push event 5app/digital-hub-api

snyk-bot

commit sha ddf23c17bbe48f7e9cafe4c1a6a6353cf4b2d6be

fix: package.json & package-lock.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-NODEFETCH-2342118


push time in a day

push event 5app/digital-hub-api

Renovate Bot

commit sha 9f8c026c020fb8b38d693ced21af725477d39792

chore(deps): update dependency semantic-release to v19


dependabot[bot]

commit sha 3402487a2b3925ce2ff6a57f62dc3e5648eae15c

chore(deps-dev): bump validator from 13.6.0 to 13.7.0

Bumps [validator](https://github.com/validatorjs/validator.js) from 13.6.0 to 13.7.0.
- [Release notes](https://github.com/validatorjs/validator.js/releases)
- [Changelog](https://github.com/validatorjs/validator.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/validatorjs/validator.js/compare/13.6.0...13.7.0)

---
updated-dependencies:
- dependency-name: validator
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>


push time in a day

push event 5app/digital-hub-api

Renovate Bot

commit sha 9f8c026c020fb8b38d693ced21af725477d39792

chore(deps): update dependency semantic-release to v19


Renovate Bot

commit sha 1e13a3f5f89fbc6ed15a4f832504f97bf9792e68

chore(deps): update dependency eslint to v8


push time in a day

push event 5app/digital-hub-api

Renovate Bot

commit sha 9f8c026c020fb8b38d693ced21af725477d39792

chore(deps): update dependency semantic-release to v19


push time in a day

delete branch 5app/digital-hub-api

delete branch : renovate/major-semantic-release-monorepo

delete time in a day

PR merged 5app/digital-hub-api

chore(deps): update dependency semantic-release to v19

WhiteSource Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| semantic-release | ^18.0.0 -> ^19.0.0 | age | adoption | passing | confidence |

Release Notes

<details> <summary>semantic-release/semantic-release</summary>

v19.0.2

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the stable version (0eca144)

v19.0.1

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the latest beta version (8097afb)

v19.0.0

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the beta, which upgrades npm to v8 (f634b8c)
  • upgrade marked to resolve ReDoS vulnerability (#2330) (d9e5bc0)

BREAKING CHANGES
  • npm-plugin: @semantic-release/npm has also dropped support for node v15
  • node v15 has been removed from our defined supported versions of node. this was done to upgrade to compatible versions of marked and marked-terminal that resolved the ReDoS vulnerability. removal of support of this node version should be low since it was not an LTS version and has been EOL for several months already.

v18.0.1

Compare Source

Bug Fixes

</details>


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

+501 -1168

0 comment

2 changed files

renovate[bot]

pr closed time in a day

push event 5app/dare

Renovate Bot

commit sha 0e5e6d334b62f427798229680adc4bfdf03c44cf

chore(deps): update dependency semantic-release to v19


push time in a day

delete branch 5app/dare

delete branch : renovate/major-semantic-release-monorepo

delete time in a day

PR merged 5app/dare

chore(deps): update dependency semantic-release to v19

+558 -1211

0 comment

2 changed files

renovate[bot]

pr closed time in a day

push event 5app/buslane

Renovate Bot

commit sha 7f16e379399820c071a42e4946b871466d801dc4

chore(deps): update dependency semantic-release to v19


Renovate Bot

commit sha bf4fceec29c24dfd12edeb1b2d0fa175aa98615f

chore(deps): update dependency eslint to v8


push time in a day

push event 5app/buslane

Renovate Bot

commit sha 7f16e379399820c071a42e4946b871466d801dc4

chore(deps): update dependency semantic-release to v19


Renovate Bot

commit sha 54381a934088caed16a88877926e3b3fc75d98a9

chore(deps): update dependency eslint-config-5app to ^0.16.0


push time in a day

push event 5app/buslane

Renovate Bot

commit sha 7f16e379399820c071a42e4946b871466d801dc4

chore(deps): update dependency semantic-release to v19


push time in a day

delete branch 5app/buslane

delete branch : renovate/major-semantic-release-monorepo

delete time in a day

PR merged 5app/buslane

chore(deps): update dependency semantic-release to v19

WhiteSource Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| semantic-release | ^18.0.0 -> ^19.0.0 | age | adoption | passing | confidence |

Release Notes

<details> <summary>semantic-release/semantic-release</summary>

v19.0.2

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the stable version (0eca144)

v19.0.1

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the latest beta version (8097afb)

v19.0.0

Compare Source

Bug Fixes
  • npm-plugin: upgraded to the beta, which upgrades npm to v8 (f634b8c)
  • upgrade marked to resolve ReDoS vulnerability (#2330) (d9e5bc0)

BREAKING CHANGES
  • npm-plugin: @semantic-release/npm has also dropped support for node v15
  • node v15 has been removed from our defined supported versions of node. this was done to upgrade to compatible versions of marked and marked-terminal that resolved the ReDoS vulnerability. removal of support of this node version should be low since it was not an LTS version and has been EOL for several months already.

</details>


Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

+1 -1

1 comment

1 changed file

renovate[bot]

pr closed time in a day

PR opened 5app/digital-hub-api

chore(deps): update dependency semantic-release to v19

+501 -1168

0 comment

2 changed files

pr created time in a day

PR opened 5app/dare

chore(deps): update dependency semantic-release to v19

+558 -1211

0 comment

2 changed files

pr created time in a day

create branch 5app/dare

branch : renovate/major-semantic-release-monorepo

created branch time in a day

pull request comment 5app/buslane

chore(deps): update dependency semantic-release to v19

Coverage Status

Coverage remained the same at 81.416% when pulling d64152abddfaa63018fae4d16389cd6bbc453666 on renovate/major-semantic-release-monorepo into 6372380f3e0d84bc361cffcc214ef050c54d25eb on master.

renovate[bot]

comment created time in a day

PR opened 5app/buslane

chore(deps): update dependency semantic-release to v19

+1 -1

0 comment

1 changed file

pr created time in a day

create branch 5app/buslane

branch : renovate/major-semantic-release-monorepo

created branch time in a day

push event 5app/base5-ui

Renovate Bot

commit sha 061dbed61e70eff9428d664610d62ac5425f2cf9

chore(deps): update semantic-release monorepo


push time in a day

push event 5app/logger

Renovate Bot

commit sha ca54b7201c09d002942d0ab4ae0cfae21ce5404b

chore(deps): update dependency marked to 4.0.10 [security]


Renovate Bot

commit sha 66c12ca0aec6e676dc695ed17cf9a7c338caf89e

fix(deps): update dependency chalk to v5


push time in 2 days

push event 5app/logger

Renovate Bot

commit sha ca54b7201c09d002942d0ab4ae0cfae21ce5404b

chore(deps): update dependency marked to 4.0.10 [security]


Renovate Bot

commit sha 820c6f999f0ca704508ee0a9e23d538ce63d512b

chore(deps): update dependency eslint-config-5app to ^0.16.0


push time in 2 days

push event 5app/logger

Renovate Bot

commit sha ca54b7201c09d002942d0ab4ae0cfae21ce5404b

chore(deps): update dependency marked to 4.0.10 [security]


push time in 2 days

delete branch 5app/logger

delete branch : renovate/npm-marked-vulnerability

delete time in 2 days

PR merged 5app/logger

chore(deps): update dependency marked to 4.0.10 [security]

WhiteSource Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| marked | 2.1.3 -> 4.0.10 |

GitHub Vulnerability Alerts

CVE-2022-21681

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression inline.reflinkSearch may cause catastrophic backtracking against some strings. PoC is the following.

import * as marked from 'marked';

console.log(marked.parse(`[x]: x

\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](\\[\\](`));

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

  • https://marked.js.org/using_advanced#workers
  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:

CVE-2022-21680

Impact

What kind of vulnerability is it?

Denial of service.

The regular expression block.def may cause catastrophic backtracking against some strings. PoC is the following.

```js
import * as marked from "marked";

marked.parse(`[x]:${' '.repeat(1500)}x ${' '.repeat(1500)} x`);
```

Who is impacted?

Anyone who runs untrusted markdown through marked and does not use a worker with a time limit.

Patches

Has the problem been patched?

Yes

What versions should users upgrade to?

4.0.10

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Do not run untrusted markdown through marked or run marked on a worker thread and set a reasonable time limit to prevent draining resources.

References

Are there any links users can visit to find out more?

  • https://marked.js.org/using_advanced#workers
  • https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

For more information

If you have any questions or comments about this advisory:


Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

+2497 -2734

0 comment

2 changed files

renovate[bot]

pr closed time in 2 days

push event 5app/health-check-helpers

Renovate Bot

commit sha 121ff8819e4c5bedbf423e9ea164ee98b01380b4

chore(deps): update dependency marked to 4.0.10 [security]


push time in 2 days
