
[Snyk] Security upgrade electron-rebuild from 2.3.5 to 3.0.0 #26

Open: wants to merge 1 commit into base: master

Conversation

terrorizer1980 (Owner)

This PR was automatically created by Snyk using the credentials of a real user.


Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.


Changes included in this PR

  • Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
    • package.json
    • package-lock.json

Vulnerabilities that will be fixed

With an upgrade:
| Severity | Priority Score (*) | Issue | Breaking Change | Exploit Maturity |
| --- | --- | --- | --- | --- |
| high severity | 696/1000 (Why? Proof of Concept exploit, Has a fix available, CVSS 7.5) | Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908 | Yes | Proof of Concept |

(*) Note that the real score may have changed since the PR was raised.

Commit messages
Package name: electron-rebuild
The new version differs by 195 commits.
  • 72f21bf feat!: 3.0.0 (#799)
  • ceb6ad5 ci: use the Node 16 Docker image for the release job
  • e166132 chore: update deps, require Node 12 (#784)
  • 60d277e build(deps-dev): bump @types/node from 16.4.11 to 16.4.12
  • 695655a build(deps): bump yargs from 17.0.1 to 17.1.0
  • f2b982c build(deps): bump tar from 6.1.5 to 6.1.6
  • 5f198d9 build(deps-dev): bump @types/node from 16.4.10 to 16.4.11
  • 45174ad Merge pull request #792 from electron/dependabot/npm_and_yarn/tar-6.1.5
  • b10f9ef build(deps): bump tar from 6.1.4 to 6.1.5
  • 00a4da7 build(deps): bump tar from 6.1.3 to 6.1.4
  • 3468d48 build(deps-dev): bump @typescript-eslint/parser from 4.28.5 to 4.29.0
  • 9906fcb build(deps-dev): bump @typescript-eslint/eslint-plugin
  • a100d50 build(deps): bump tar from 6.1.2 to 6.1.3
  • 991f2a5 build(deps-dev): bump @types/node from 16.4.7 to 16.4.10
  • d883702 build(deps-dev): bump eslint from 7.31.0 to 7.32.0
  • 97f03ad build(deps-dev): bump @types/node from 16.4.6 to 16.4.7
  • 19147cc build(deps-dev): bump @types/node from 16.4.4 to 16.4.6
  • a028f8d build(deps-dev): bump @types/node from 16.4.3 to 16.4.4
  • 6e500a2 build(deps-dev): bump @typescript-eslint/parser from 4.28.4 to 4.28.5
  • dfc79cd build(deps-dev): bump @typescript-eslint/eslint-plugin
  • 5a4c46a build(deps): bump tar from 6.1.1 to 6.1.2
  • b430f90 build(deps-dev): bump @types/node from 16.4.1 to 16.4.3
  • f9498ec build(deps-dev): bump mocha from 9.0.2 to 9.0.3
  • 65b6c58 build(deps-dev): bump @types/debug from 4.1.6 to 4.1.7

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.


Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@@ -102,7 +102,7 @@
"clean-css": "5.1.2",

Critical OSS Vulnerability:

pkg:npm/clean-css@5.1.2

1 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 1 dependencies

Components
    pkg:npm/clean-css@5.1.2
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1523] Unknown

        nodejs-clean-css - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

(at-me in a reply with help or ignore)



@@ -102,7 +102,7 @@
"clean-css": "5.1.2",
"electron": "^12.0.11",

Critical OSS Vulnerability:

pkg:npm/electron@12.0.11

2 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 2 dependencies

Components
    pkg:npm/minimist@1.2.5
      CRITICAL Vulnerabilities (1)

        [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).


        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/electron@12.0.11
      CRITICAL Vulnerabilities (1)

        [CVE-2021-39184] CWE-668: Exposure of Resource to Wrong Sphere

        Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 11.5.0, 12.1.0, and 13.3.0 allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases. Versions 15.0.0-alpha.10, 14.0.0, 13.3.0, 12.1.0, and 11.5.0 all contain a fix for the vulnerability. Two workarounds aside from upgrading are available. One may make the vulnerability significantly more difficult for an attacker to exploit by enabling contextIsolation in one's app. One may also disable the functionality of the createThumbnailFromPath API if one does not need it.

        CVSS Score: 8.6

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

        CWE: CWE-668

      SEVERE Vulnerabilities (1)

        [CVE-2022-21718] CWE-668: Exposure of Resource to Wrong Sphere

        Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. A vulnerability in versions prior to 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 allows renderers to obtain access to a bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. This has been patched and Electron versions 17.0.0-alpha.6, 16.0.6, 15.3.5, 14.2.4, and 13.6.6 contain the fix. Code from the GitHub Security Advisory can be added to the app to work around the issue.

        CVSS Score: 5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

        CWE: CWE-668

(at-me in a reply with help or ignore)



@@ -102,7 +102,7 @@
"clean-css": "5.1.2",
"electron": "^12.0.11",
"electron-builder": "^22.11.7",

Critical OSS Vulnerability:

pkg:npm/electron-builder@22.11.7

11 Critical, 1 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 11 dependencies

Components
    pkg:npm/ansi-regex@3.0.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/minimist@1.2.5
      CRITICAL Vulnerabilities (1)

        [CVE-2021-44906] Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).


        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/ansi-regex@4.1.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/electron-builder@22.11.7
      CRITICAL Vulnerabilities (1)

        [sonatype-2018-0621] CWE-94: Improper Control of Generation of Code ('Code Injection')

        electron-builder - DLL Hijacking in Windows Installer

        The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

        CVSS Score: 8.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-94

    pkg:npm/ejs@3.1.6
      CRITICAL Vulnerabilities (2)

        [CVE-2022-29078] CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

        The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option, and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-74


        [sonatype-2021-0438] CWE-94: Improper Control of Generation of Code ('Code Injection')

        ejs - Remote Code Execution (RCE)

        The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-94

    pkg:npm/ansi-regex@5.0.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/plist@3.0.2
      CRITICAL Vulnerabilities (1)

        [CVE-2022-22912] Prototype pollution vulnerability via .parse() in Plist before v3.0.4 allows attackers to cause a Denial of Service (DoS) and may lead to remote code execution.


        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/filelist@1.0.2
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-0457] Unknown

        filelist, utilities - Prototype Pollution

        CVSS Score: 9.8

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

        CWE: CWE-1321

    pkg:npm/jake@10.8.2
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-0253] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

        jake - OS Command Injection

        The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

        CVSS Score: 7.3

        CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

        CWE: CWE-78

    pkg:npm/xmldom@0.5.0
      SEVERE Vulnerabilities (1)

        [CVE-2021-32796] CWE-116: Improper Encoding or Escaping of Output

        xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes during XML processing in some downstream applications. This issue has been resolved in version 0.7.0. As a workaround downstream applications can validate the input and reject the maliciously crafted documents.

        CVSS Score: 5.3

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

        CWE: CWE-116

    pkg:npm/minimatch@3.0.4
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-4879] Unknown

        minimatch - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

(at-me in a reply with help or ignore)



@@ -102,7 +102,7 @@
"clean-css": "5.1.2",
"electron": "^12.0.11",
"electron-builder": "^22.11.7",
"electron-rebuild": "^2.3.5",
"electron-rebuild": "^3.0.0",
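Review bot: the scan report attached to this very line still lists ansi-regex 3.0.0, 4.1.0 and 5.0.0 (the ReDoS this PR says it fixes, SNYK-JS-ANSIREGEX-1583908 / CVE-2021-3807) among the dependencies of electron-rebuild@3.0.0, so the package.json bump alone does not demonstrate that the finding is resolved; confirm in the package-lock.json diff (not shown here) which ansi-regex versions actually resolve after the upgrade before accepting the "Vulnerabilities that will be fixed" claim. Also, 2.3.5 to 3.0.0 is a major bump flagged "Breaking Change: Yes" in the table above, and commit e166132 in the listed changes requires Node 12, so check the project's Node engine and native-module rebuild flow before merging.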

Critical OSS Vulnerability:

pkg:npm/electron-rebuild@3.0.0

4 Critical, 0 Severe, 0 Moderate, 0 Unknown vulnerabilities have been found across 4 dependencies

Components
    pkg:npm/ansi-regex@3.0.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/ansi-regex@4.1.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/ansi-regex@5.0.0
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-1169] Unknown

        ansi-regex - Regular Expression Denial of Service (ReDoS) [CVE-2021-3807]

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

    pkg:npm/minimatch@3.0.4
      CRITICAL Vulnerabilities (1)

        [sonatype-2021-4879] Unknown

        minimatch - Regular Expression Denial of Service (ReDoS)

        CVSS Score: 7.5

        CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

        CWE: CWE-1333

(at-me in a reply with help or ignore)




2 participants