@datagrok/biostructure-viewer@1.4.9 — npm dependency audit

2 critical · 19 high · 12 medium · 2 low · 35 total (deduped by advisory)

NPM package @datagrok/biostructure-viewer@1.4.9 — production dependency tree audited with npm audit.

AdvisorySeverityDependency InstalledVulnerable rangeFixed byCVSSDescription
GHSA-67hx-6x53-jw92CRITICAL@babel/traverse7.12.13<7.23.2@rcsb/rcsb-saguaro-api@1.0.19.3Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
GHSA-fjxv-7rqg-78g4CRITICALform-data4.0.0>=4.0.0 <4.0.4@rcsb/rcsb-saguaro-api@1.0.1form-data uses unsafe random function in form-data for choosing boundary
GHSA-23c5-xmqv-rm74HIGHminimatch3.0.4<3.1.4@rcsb/rcsb-saguaro-api@1.0.17.5minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
GHSA-34x7-hfp2-rc4vHIGHtar6.2.1<7.5.7molstar@5.10.18.2node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
GHSA-36jr-mh4h-2g58HIGHd3-color1.4.1<3.1.0d3@7.9.0d3-color vulnerable to ReDoS
GHSA-3h5v-q93c-6h6qHIGHws8.13.0>=8.0.0 <8.17.1@rcsb/rcsb-saguaro-api@1.0.17.5ws affected by a DoS when handling a request with many HTTP headers
GHSA-3ppc-4f35-3m26HIGHminimatch3.0.4<3.1.3@rcsb/rcsb-saguaro-api@1.0.1minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern
GHSA-7r86-cg39-jmmjHIGHminimatch3.0.4<3.1.3@rcsb/rcsb-saguaro-api@1.0.17.5minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
GHSA-83g3-92jg-28cxHIGHtar6.2.1<7.5.8molstar@5.10.17.1Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
GHSA-8cf7-32gw-wr33HIGHjsonwebtoken8.5.1<=8.5.1@rcsb/rcsb-saguaro-api@1.0.18.1jsonwebtoken unrestricted key type could lead to legacy keys usage
GHSA-8qq5-rm4j-mr97HIGHtar6.2.1<=7.5.2molstar@5.10.1node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
GHSA-96hv-2xvq-fx4pHIGHws8.13.0>=8.0.0 <8.21.0@rcsb/rcsb-saguaro-api@1.0.17.5ws: Memory exhaustion DoS from tiny fragments and data chunks
GHSA-9ppj-qmqm-q256HIGHtar6.2.1<=7.5.10molstar@5.10.1node-tar Symlink Path Traversal via Drive-Relative Linkpath
GHSA-f8q6-p94x-37v3HIGHminimatch3.0.4<3.0.5@rcsb/rcsb-saguaro-api@1.0.17.5minimatch ReDoS vulnerability
GHSA-hmw2-7cc7-3qxxHIGHform-data4.0.0>=4.0.0 <4.0.6@rcsb/rcsb-saguaro-api@1.0.17.5form-data: CRLF injection in form-data via unescaped multipart field names and filenames
GHSA-ph9p-34f9-6g65HIGHtmp0.0.33<0.2.6@rcsb/rcsb-saguaro-api@1.0.1tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
GHSA-qffp-2rhf-9h96HIGHtar6.2.1<=7.5.9molstar@5.10.1tar has Hardlink Path Traversal via Drive-Relative Linkpath
GHSA-r5fr-rjxr-66jcHIGHlodash4.17.21>=4.0.0 <=4.17.23@rcsb/rcsb-saguaro-api@1.0.18.1lodash vulnerable to Code Injection via `_.template` imports key names
GHSA-r683-j2x4-v87gHIGHnode-fetch2.6.1<2.6.7@rcsb/rcsb-saguaro-api@1.0.18.8node-fetch forwards secure headers to untrusted sites
GHSA-r6q2-hw4h-h46wHIGHtar6.2.1<=7.5.3molstar@5.10.18.8Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
GHSA-x7q7-fchv-8h2jHIGH@ranfdev/deepobj1.0.2<=1.0.2@rcsb/rcsb-saguaro-app@5.1.58.2@ranfdev/deepobj has a Prototype Pollution vulnerability
GHSA-58qx-3vcg-4xpxMEDIUMws8.13.0>=8.0.0 <8.20.1@rcsb/rcsb-saguaro-api@1.0.14.4ws: Uninitialized memory disclosure
GHSA-6fc8-4gx4-v693MEDIUMws8.13.0>=7.0.0 <7.4.6@rcsb/rcsb-saguaro-api@1.0.15.3ReDoS in Sec-Websocket-Protocol header
GHSA-6rw7-vpxm-498pMEDIUMqs6.5.5<6.14.1molstar@5.10.13.7qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
GHSA-72xf-g2v4-qvf3MEDIUMtough-cookie2.5.0<4.1.3molstar@5.10.16.5tough-cookie Prototype Pollution vulnerability
GHSA-f23m-r3pf-42rhMEDIUMlodash4.17.21<=4.17.23@rcsb/rcsb-saguaro-api@1.0.16.5lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
GHSA-hjrf-2m68-5959MEDIUMjsonwebtoken8.5.1<=8.5.1@rcsb/rcsb-saguaro-api@1.0.15jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
GHSA-p8p7-x288-28g6MEDIUMrequest2.88.2<=2.88.2molstar@5.10.16.1Server-Side Request Forgery in Request
GHSA-pfrx-2q88-qq97MEDIUMgot9.6.0<11.8.5@rcsb/rcsb-saguaro-api@1.0.15.3Got allows a redirect to a UNIX socket
GHSA-qwph-4952-7xr6MEDIUMjsonwebtoken8.5.1<9.0.0@rcsb/rcsb-saguaro-api@1.0.16.4jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
GHSA-vmf3-w455-68vhMEDIUMtar6.2.1<=7.5.15molstar@5.10.1node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)
GHSA-w5hq-g745-h8pqMEDIUMuuid10.0.0<11.1.1uuid@14.0.17.5uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
GHSA-xxjr-mmjv-4gpgMEDIUMlodash4.17.21>=4.0.0 <=4.17.22@rcsb/rcsb-saguaro-api@1.0.16.5Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions
GHSA-52f5-9888-hmc6LOWtmp0.0.33<=0.2.3@rcsb/rcsb-saguaro-api@1.0.12.5tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
GHSA-vpq2-c234-7xj6LOW@tootallnate/once1.1.2<2.0.1@rcsb/rcsb-saguaro-api@1.0.13.3@tootallnate/once vulnerable to Incorrect Control Flow Scoping