npm Updates
Warning Date: 21 February, 2021
Severity Level: High
Warning Number: 2021-2501
Target Sector: All
Description:
npm has released security updates to address several vulnerabilities in the following products:
- TinyMCE
  - 5.6.0 or later
- buns
  - 1.0.0
  - 1.0.1
  - 1.0.2
  - 1.0.3
  - 1.0.4
  - 1.0.5
  - 1.0.6
  - 1.0.7
  - 1.0.8
  - 1.0.9
  - 1.0.10
  - 1.0.11
  - 1.0.12
  - 1.0.13
  - 1.0.14
  - 1.0.15
  - 1.0.16
  - 1.1.0
  - 1.1.1
  - 1.1.2
  - 1.1.3
  - 1.1.4
  - 1.1.5
  - 1.1.6
- immer
  - 0.0.1
  - 0.0.2
  - 0.0.3
  - 0.0.4
  - 0.1.0
  - 0.1.1
  - 0.1.2
  - 0.2.0
  - 0.2.1
  - 0.2.2
  - 0.3.0
  - 0.3.1
  - 0.4.0
  - 0.4.1
  - 0.4.2
  - 0.5.0
  - 0.6.0
  - 0.6.1
  - 0.7.0
  - 0.8.0
  - 0.8.1
  - 0.8.2
  - 0.8.3
  - 0.8.4
  - 0.8.5
  - 1.0.0
  - 1.0.1
  - 1.0.2
  - 1.0.3
  - 1.1.0
  - 1.1.1
  - 1.1.2
  - 1.1.3
  - 1.2.0
  - 1.2.1
  - 1.3.0
  - 1.3.1
  - 1.4.0
  - 1.5.0
  - 1.6.0
  - 1.7.0
  - 1.7.1
  - 1.7.2
  - 1.7.3
  - 1.7.4
  - 1.8.0
  - 1.8.1
  - 1.8.2
  - 1.9.0
  - 1.9.1
  - 1.9.2
  - 1.9.3
  - 1.10.0
  - 1.10.1
  - 1.10.2
  - 1.10.3
  - 1.10.4
  - 1.10.5
  - 1.11.0
  - 1.11.1
  - 1.12.0
  - 1.12.1
  - 2.0.0
  - 2.1.0
  - 2.1.1
  - 2.1.2
  - 2.1.3
  - 2.1.4
  - 2.1.5
  - 2.2.0
  - 3.0.0
  - 3.1.0
  - 3.1.1
  - 3.1.2
  - 3.1.3
  - 3.1.4
  - 3.2.0
  - 3.2.1
  - 3.3.0
  - 4.0.0
  - 4.0.1
  - 4.0.2
  - 5.0.0
  - 5.0.1
  - 5.0.2
  - 5.1.0
  - 5.2.0
  - 5.2.1
  - 5.3.0
  - 5.3.1
  - 5.3.2
  - 5.3.3
  - 5.3.4
  - 5.3.5
  - 5.3.6
  - 6.0.0
  - 6.0.1
  - 6.0.2
  - 6.0.3
  - 6.0.4
  - 6.0.5
  - 6.0.6
  - 6.0.7
  - 6.0.8
  - 6.0.9
  - 7.0.0
  - 7.0.1
  - 7.0.2
  - 7.0.3
  - 7.0.4
  - 7.0.5
  - 7.0.6
  - 7.0.7
  - 7.0.8
  - 7.0.9
  - 7.0.10
  - 7.0.11
  - 7.0.12
  - 7.0.13
  - 7.0.14
  - 7.0.15
  - 8.0.0
- ts-process-promises
  - 1.0.2
- jquery-validation
  - 1.13.1
  - 1.14.0
  - 1.15.0
  - 1.15.1
  - 1.16.0
  - 1.17.0
  - 1.18.0
  - 1.19.0
  - 1.19.1
  - 1.19.2
- hellojs
  - 0.1.5
  - 0.1.6
  - 0.2.0
  - 0.2.1
  - 0.2.2
  - 0.2.3
  - 0.2.4
  - 0.2.5
  - 1.0.0
  - 1.1.3
  - 1.3.2
  - 1.3.7
  - 1.4.0
  - 1.4.1
  - 1.4.2
  - 1.4.3
  - 1.5.0
  - 1.5.1
  - 1.6.0
  - 1.7.0
  - 1.7.3
  - 1.7.4
  - 1.7.5
  - 1.8.2
  - 1.8.3
  - 1.8.4
  - 1.9.3
  - 1.9.4
  - 1.9.5
  - 1.9.6
  - 1.9.7
  - 1.9.8
  - 1.9.9
  - 1.10.0
  - 1.10.1
  - 1.11.0
  - 1.11.1
  - 1.11.2
  - 1.12.0
  - 1.13.1
  - 1.13.2
  - 1.13.3
  - 1.13.4
  - 1.13.5
  - 1.13.6
  - 1.14.0
  - 1.14.1
  - 1.15.0
  - 1.15.1
  - 1.16.0
  - 1.16.1
  - 1.17.1
  - 1.18.0
  - 1.18.1
  - 1.18.3
  - 1.18.4
- jointjs
  - 0.7.0
  - 0.8.0
  - 0.9.4
  - 0.9.5
  - 0.9.6
  - 0.9.7
  - 0.9.8
  - 0.9.9
  - 0.9.10
  - 1.0.0
  - 1.0.1
  - 1.0.2
  - 1.0.3
  - 1.1.0
  - 2.0.0
  - 2.0.1
  - 2.1.0
  - 2.1.1
  - 2.1.2
  - 2.1.3
  - 2.1.4
  - 2.2.0
  - 2.2.1
  - 3.0.0
  - 3.0.1
  - 3.0.2
  - 3.0.3
  - 3.0.4
  - 3.1.0
  - 3.1.1
  - 3.2.0
- gsap
  - 1.13.2
  - 1.14.1
  - 1.14.2
  - 1.15.0
  - 1.15.1
  - 1.16.0
  - 1.16.1
  - 1.17.0
  - 1.18.0
  - 1.18.1
  - 1.18.2
  - 1.18.3
  - 1.18.4
  - 1.18.5
  - 1.19.0
  - 1.19.1
  - 1.20.0
  - 1.20.1
  - 1.20.2
  - 1.20.3
  - 1.20.4
  - 1.20.5
  - 1.20.6
  - 2.0.0
  - 2.0.1
  - 2.0.2
  - 2.1.0
  - 2.1.1
  - 2.1.2
  - 2.1.3
  - 3.0.0
  - 3.0.1
  - 3.0.2
  - 3.0.3
  - 3.0.4
  - 3.0.5
  - 3.1.0
  - 3.1.1
  - 3.2.0
  - 3.2.1
  - 3.2.2
  - 3.2.3
  - 3.2.4
  - 3.2.5
  - 3.2.6
  - 3.3.0
  - 3.3.1
  - 3.3.2
  - 3.3.3
  - 3.3.4
  - 3.4.0
  - 3.4.1
  - 3.4.2
  - 3.5.0
  - 3.5.1
- socket.io
  - 2.4.0 or later
Threats:
An attacker could exploit these vulnerabilities to execute arbitrary code.
Best Practices and Recommendations:
The CERT team encourages users to review the npm security advisories and apply the necessary updates:
- https://www.npmjs.com/advisories/1601
- https://www.npmjs.com/advisories/1602/versions
- https://www.npmjs.com/advisories/1603
- https://www.npmjs.com/advisories/1604/versions
- https://www.npmjs.com/advisories/1605/versions
- https://www.npmjs.com/advisories/1606/versions
- https://www.npmjs.com/advisories/1607/versions
- https://www.npmjs.com/advisories/1608/versions
- https://www.npmjs.com/advisories/1609