OSS Index
An open index of open source

Welcome to the npm Start Page

Posted by OSS-Index on May 18, 2016

Quick access to npm auditing tools, search, and recent npm activity on OSS Index.

Recent news...

npm package vulnerability: uuid

Insufficiently Random Values
Fri Nov 17 17:13:35 EST 2017

This package uses Math.random, which is insufficient for security purposes.

npm package vulnerability: libxmljs

[Dependency] Embedded dependency has multiple vulnerabilities
Wed Aug 02 20:15:47 EDT 2017

A vulnerable version of libxml2 is embedded within this package.

npm package vulnerability: jstree

Cross Site Scripting (XSS)
Wed Aug 02 18:53:48 EDT 2017

> When using inline HTML to populate the tree, if the nodes contain HTML entities, the node text will contain those entities even though they aren't rendered.
>
> – github.com

npm package vulnerability: dompurify

Cross Site Scripting (XSS)
Mon Jul 31 20:34:06 EDT 2017

It is possible to bypass the attribute name whitelist, allowing the setting of arbitrary JavaScript attributes.

npm package vulnerability: m2m-supervisor

[Unconfirmed] Possible code execution
Sun Jul 30 21:19:47 EDT 2017

Arbitrary code execution is possible if unvalidated input is executed by the eval function.

npm package vulnerability: mobile-icon-resizer

Code execution
Sun Jul 30 21:16:57 EDT 2017

Arbitrary code injection is possible when input is passed directly to an invocation of eval.

npm package vulnerability: mongoosemask

[Unconfirmed] Possible code execution
Sun Jul 30 21:11:56 EDT 2017

It is possible that attacker control of input parameters can result in code execution through unprotected calls to eval.

npm package vulnerability: mongoose

Denial of Service (DoS)
Sun Jul 30 20:48:11 EDT 2017

Specially constructed input can cause the package to enter an infinite loop.

npm package vulnerability: ag-grid

Cross Site Scripting (XSS)
Sun Jul 30 20:42:44 EDT 2017

With a column definition like: {headerName: "Name", field: "name"} a user can enter a name such as <span onclick="alert('hacked!')">John Smith</span> and effectively initiate a cross-site scripting attack.

npm package vulnerability: ng-dialog

Denial of Service (DoS)
Sun Jul 30 15:42:53 EDT 2017

> [Open] a dialog that has a custom listener for the ngdialog.closing event: inside the listener we do a ui-router state reload ($state.reload).
>
> This causes an infinite loop and makes your browser hang: Chrome, Safari

Package auditing tools

npm: AuditJS