Bump browserify-sign from 4.0.0 to 4.2.2 #6

dependabot · 2023-10-26T21:01:58Z

Bumps browserify-sign from 4.0.0 to 4.2.2.

Changelog

Sourced from browserify-sign's changelog.

v4.2.2 - 2023-10-25

Fixed

[Tests] log when openssl doesn't support cipher [#37](https://github.com/crypto-browserify/browserify-sign/issues/37)

Commits

Only apps should have lockfiles 09a8995

[eslint] switch to eslint 83fe463

[meta] add npmignore and auto-changelog 4418183

[meta] fix package.json indentation 9ac5a5e

[Tests] migrate from travis to github actions d845d85

[Fix] sign: throw on unsupported padding scheme 8767739

[Fix] properly check the upper bound for DSA signatures 85994cd

[Tests] handle openSSL not supporting a scheme f5f17c2

[Deps] update bn.js, browserify-rsa, elliptic, parse-asn1, readable-stream, safe-buffer a67d0eb

[Dev Deps] update nyc, standard, tape cc5350b

[Tests] always run coverage; downgrade nyc 75ce1d5

[meta] add safe-publish-latest dcf49ce

[Tests] add npm run posttest 75dd8fd

[Dev Deps] update tape 3aec038

[Tests] skip unsupported schemes 703c83e

[Tests] node < 6 lacks array includes 3aa43cf

[Dev Deps] fix eslint range 98d4e0d

v4.2.1 - 2020-08-04

Merged

bump elliptic [#58](https://github.com/crypto-browserify/browserify-sign/issues/58)

v4.2.0 - 2020-05-18

Merged

switch to safe buffer [#53](https://github.com/crypto-browserify/browserify-sign/issues/53)

v4.1.0 - 2020-05-05

Merged

update deps, modernise usage, use readable-stream [#49](https://github.com/crypto-browserify/browserify-sign/issues/49)

v4.0.4 - 2017-03-28

Merged

Fix algorithms require path, add the extension [#36](https://github.com/crypto-browserify/browserify-sign/issues/36)

... (truncated)

Commits

4af5a90 v4.2.2
3aec038 [Dev Deps] update tape
85994cd [Fix] properly check the upper bound for DSA signatures
9ac5a5e [meta] fix package.json indentation
dcf49ce [meta] add safe-publish-latest
4418183 [meta] add npmignore and auto-changelog
8767739 [Fix] sign: throw on unsupported padding scheme
5f6fb17 [Tests] log when openssl doesn't support cipher
f5f17c2 [Tests] handle openSSL not supporting a scheme
d845d85 [Tests] migrate from travis to github actions
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

ghost · 2025-11-06T17:18:54Z

@dependabot recreate

Bumps [browserify-sign](https://github.com/crypto-browserify/browserify-sign) from 4.0.0 to 4.2.2. - [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md) - [Commits](browserify/browserify-sign@v4.0.0...v4.2.2) --- updated-dependencies: - dependency-name: browserify-sign dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

ImagineBuildBot · 2025-11-06T17:26:18Z

Checkmarx SAST - Scan Summary & Details

Cx-SAST Summary

Total of 1 vulnerabilities
0 High
1 Medium
0 Low
0 Info

Violation Summary

1 MEDIUM

View more details on Checkmarx UI

Cx-SAST Details

Click to see details

Lines	Severity	Category	File	Link
51	MEDIUM	Missing_HSTS_Header	dev-playground/server.js	Checkmarx

thomas-hayden · 2025-11-06T17:47:24Z

Checkmarx One – Scan Summary & Details – 56e59aea-951c-4338-9ac0-36063ec06943

New Issues (146)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2017-16042	Npm-growl-1.9.2	details Recommended version: 1.10.0 Description: Growl adds growl notification support to nodejs. Growl versions prior to 1.10.0 does not properly sanitize input before passing it to exec, allowin... Attack Vector: NETWORK Attack Complexity: LOW `ID: VzZ%2F9duDLcPGB8J%2FdGz85VCZ0WWVhNg%2BQCpM3IH5rVA%3D` Vulnerable Package
CVE-2017-16226	Npm-static-eval-0.2.4	details Recommended version: 2.0.0 Description: The static-eval module is intended to evaluate statically-analyzable expressions. In affected versions prior to 2.0.0, untrusted user input is able... Attack Vector: NETWORK Attack Complexity: LOW `ID: L%2B0YVHsge2zWScubvXtP7XfkIYLzutZQTi4m2aBIF%2F0%3D` Vulnerable Package
CVE-2018-16492	Npm-extend-3.0.0	details Recommended version: 3.0.2 Description: A Prototype Pollution vulnerability was found in module extend that allows an attacker to inject arbitrary properties onto "Object.Prototype". This... Attack Vector: NETWORK Attack Complexity: LOW `ID: bQQHhcmfrm2B57da%2BpChiHdm9J8cdiLhYec2LDyy2io%3D` Vulnerable Package
CVE-2018-3745	Npm-atob-1.1.3	details Recommended version: 2.1.0 Description: The package atob through 2.0.3 allocates uninitialized buffers when a number is passed in input on Node.js 4.x and below. Attack Vector: NETWORK Attack Complexity: LOW `ID: alqTmeqXcNFxEZwWiOkqQEVPl6NRl7Z8w%2BWPf4%2FRUAk%3D` Vulnerable Package
CVE-2018-3750	Npm-deep-extend-0.4.1	details Recommended version: 0.5.1 Description: The `utilities` function of the deep-extend node module can be tricked into modifying the Prototype of Object when the attacker can control part of... Attack Vector: NETWORK Attack Complexity: LOW `ID: x2rFbHrMu2Y2jBa9BHYreAa492eXWFUgFD33flhd4K4%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: RHk1lLac9gXnbIOJqe3cg1PW0MTqdG8O2SfzyLqDIE8%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-4.17.2	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: u0JUIxp4LRj3%2Fpf3mfm0wjNuimg%2FOdpQFcdDq%2F0gXYA%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: ubRbO96uDXmWMi7udu%2B9S5y9BQRA6ZcU69k2vzMugG8%3D` Vulnerable Package
CVE-2019-10744	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: A Prototype Pollution vulnerability was discovered in lodash prior to 4.17.12, in lodash.defaultsdeep prior to 4.6.1, and in @sailshq/lodash prior ... Attack Vector: NETWORK Attack Complexity: LOW `ID: uvNuFY%2Ft3EBFcJT3SECYZXnRoS9lnDQkelmLbS6mO%2BI%3D` Vulnerable Package
CVE-2020-7774	Npm-y18n-3.2.1	details Recommended version: 3.2.2 Description: This affects the package y18n versions prior to 3.2.2, 4.x prior to 4.0.1, 5.0.x prior to 5.0.5 and 6.0.0-alpha.0, are vulnerable to Prototype Poll... Attack Vector: NETWORK Attack Complexity: LOW `ID: YjqfQlVAyugxRAhjYMtPws%2FDTHDBFvV38czYDqV3TqI%3D` Vulnerable Package
CVE-2020-7788	Npm-ini-1.3.4	details Recommended version: 1.3.6 Description: The package ini versions prior to 1.3.6 have a Prototype Pollution vulnerability. If an attacker submits a malicious INI file to an application tha... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2BPsr6sAc9x1%2F6QOy3umh9pC%2B0IzbZLHxch4u%2FVPDx8g%3D` Vulnerable Package
CVE-2021-23807	Npm-jsonpointer-4.0.0	details Recommended version: 5.0.0 Description: A Type Confusion vulnerability in jsonpointer can lead to a bypass of a previous Prototype Pollution fix when the pointer components are arrays. Th... Attack Vector: NETWORK Attack Complexity: LOW `ID: IizHevYdBEuz5N2G1p3VbyW8h4gKUkEPBIW5nJbJm7k%3D` Vulnerable Package
CVE-2021-3918	Npm-json-schema-0.2.3	details Recommended version: 0.4.0 Description: The package json-schema versions prior to 0.4.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Poll... Attack Vector: NETWORK Attack Complexity: LOW `ID: tOgt7AP2ycrnSAGsgUxdX11koEP2UqMXi%2B097uKJdjs%3D` Vulnerable Package
CVE-2021-44906	Npm-minimist-1.2.0	details Recommended version: 1.2.6 Description: Minimist is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). This issue affects minimist versions prior t... Attack Vector: NETWORK Attack Complexity: LOW `ID: mPbcYvbJUfMeC0%2Fw6vbRtziCFibb3AlYg9EbxnwQ618%3D` Vulnerable Package
CVE-2021-44906	Npm-minimist-0.0.8	details Recommended version: 0.2.4 Description: Minimist is vulnerable to Prototype Pollution via file "index.js", function "setKey()" (lines 69-95). This issue affects minimist versions prior t... Attack Vector: NETWORK Attack Complexity: LOW `ID: zW65AbRQR%2F4kPMzCd%2F4NIQQu95WsJnifNLMv3qb9yHo%3D` Vulnerable Package
CVE-2022-37601	Npm-loader-utils-0.2.16	details Recommended version: 1.4.2 Description: Prototype Pollution Vulnerability present in the loader-utils package in the function 'parseQuery()' of 'parseQuery.js' file via the 'name' variabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: tK9M6xI25dufi9VU%2B4IObUmyH77V2KvSG%2B6pqic10cM%3D` Vulnerable Package
CVE-2022-37601	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: Prototype Pollution Vulnerability present in the loader-utils package in the function 'parseQuery()' of 'parseQuery.js' file via the 'name' variabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: Vw9Q%2FJk3tJp5NnzD2iHSh2Z0lUH%2FTeJRb%2FSnozMCxUM%3D` Vulnerable Package
CVE-2023-26136	Npm-tough-cookie-2.3.2	details Recommended version: 4.1.3 Description: The package tough-cookie in versions prior to 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 7cTcbdYKi9BPovPsgkGJBHJUgFhHJZ6dzz%2Bs3czQIpg%3D` Vulnerable Package
CVE-2023-45311	Npm-fsevents-1.0.15	details Recommended version: 1.2.11 Description: The package fsevents in versions 1.0.0 through 1.2.10 depends on the "https://fsevents\-binaries\.s3\-us\-west\-2\.amazonaws\.com" URL, which might allow ... Attack Vector: NETWORK Attack Complexity: LOW `ID: v1lsernevl1fyXbDoZF6zW%2FnE5oIwKDyJ86%2F7dIXGpY%3D` Vulnerable Package
CVE-2024-40643	Npm-htmlparser2-3.8.3	details Recommended version: 5.0.0 Description: Joplin is a free, open-source note-taking and to-do application. Joplin fails to consider that "<" followed by a non-letter character will not be c... Attack Vector: NETWORK Attack Complexity: LOW `ID: 012X8sTyNS6bjCJJ8lZQEYAY6AODRXGKhvMmdTBaf4Q%3D` Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: In the elliptic package, "ECDSA" signature malleability occurs because "BER-encoded" signatures are allowed which leads to Improper Verification of... Attack Vector: NETWORK Attack Complexity: LOW `ID: 0IEtd%2BAq1M3Sz8y7Uu2ovet5%2B4DYXokRAXSLKXXQV4c%3D` Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The verify function in "lib/elliptic/eddsa/index.js" in the Elliptic versions 4.0.0 through 6.5.5 for Node.js omits "sig.S().gte(sig.eddsa.curve.n)... Attack Vector: NETWORK Attack Complexity: LOW `ID: vtskGT5tE2sVEWtvbiO1W6l%2F9nVo97kYpEMcRSNyIgw%3D` Vulnerable Package
CVE-2025-6547	Npm-pbkdf2-3.0.9	details Recommended version: 3.1.3 Description: Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This issue affects versions through 3.1.2. Attack Vector: NETWORK Attack Complexity: HIGH `ID: FN5wBdjgEZ5ToC6AFLyaSK5quw%2BZ9y1oQfjwyGnOx1o%3D` Vulnerable Package
CVE-2025-7783	Npm-form-data-2.1.2	details Recommended version: 2.5.4 Description: Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with the pro... Attack Vector: NETWORK Attack Complexity: HIGH `ID: R1Rjiwu%2FpEaR5bYwO5p%2Fho512TskQ%2BGxOm4ipnUgRaY%3D` Vulnerable Package
CVE-2025-9287	Npm-cipher-base-1.0.3	details Recommended version: 1.0.5 Description: Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects versions through 1.0.4. Attack Vector: NETWORK Attack Complexity: HIGH `ID: MJw%2F8ci45GyWndGspEcEHWu7AHE3BvqdPhYFw%2B%2BJwX4%3D` Vulnerable Package
CVE-2025-9288	Npm-sha.js-2.2.6	details Recommended version: 2.4.12 Description: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js through 2.4.11. Attack Vector: NETWORK Attack Complexity: HIGH `ID: cLSg%2FxMtZFow0kL6rWry2ILapFuOTR9Q6qqkjD19MZI%3D` Vulnerable Package
CVE-2025-9288	Npm-sha.js-2.4.8	details Recommended version: 2.4.12 Description: Improper Input Validation vulnerability in sha.js allows Input Data Manipulation.This issue affects sha.js through 2.4.11. Attack Vector: NETWORK Attack Complexity: HIGH `ID: YUn4V41I%2BKddTwHsWVEDcEwENaUVRjvDSeJAR01xGko%3D` Vulnerable Package
Cx88b46a98-47a5	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The elliptic package is a plain JavaScript implementation of elliptic-curve cryptography. Versions of elliptic package prior to 6.6.1 are vulnerabl... Attack Vector: NETWORK Attack Complexity: LOW `ID: jEz%2BWY%2FsBhTe1KqQDCNcLviUcLBNAjJz%2BdB82kkM4ak%3D` Vulnerable Package
Cxbf5cb5f8-f150	Npm-lodash.merge-4.6.0	details Recommended version: 4.6.2 Description: The package `lodash.merge` versions prior to 4.6.2 are vulnerable to Prototype Pollution. The function `merge` may allow a malicious user to modify... Attack Vector: NETWORK Attack Complexity: LOW `ID: hJudgcH2w30vkjuIaj6VCe8Bcf9cXXszHPqF7mh2%2BVg%3D` Vulnerable Package
CVE-2016-10540	Npm-minimatch-0.2.14	details Recommended version: 3.0.5 Description: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatc... Attack Vector: NETWORK Attack Complexity: LOW `ID: BUK%2BC66ogTR%2F9kH8xddS56cBv3E5u8sa%2BV1hI%2B7Hjao%3D` Vulnerable Package
CVE-2016-10540	Npm-minimatch-2.0.10	details Recommended version: 3.0.5 Description: Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatc... Attack Vector: NETWORK Attack Complexity: LOW `ID: WL%2FxZ0KY8AKvDnHmD%2BlfNoo3mQ9IbxALYqGMre8wPMI%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.3.0	details Recommended version: 6.3.3 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: plgSKsS5nND8lF12rEICNWdFdLRZ4Vin9DMMnhwj%2BPQ%3D` Vulnerable Package
CVE-2017-1000048	Npm-qs-6.2.0	details Recommended version: 6.2.4 Description: the web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send a evil r... Attack Vector: NETWORK Attack Complexity: LOW `ID: T7DVD6R%2BFgdQCv4kwmdpxp1vjSF12i3hwuhsYswdJWc%3D` Vulnerable Package
CVE-2017-15010	Npm-tough-cookie-2.3.2	details Recommended version: 4.1.3 Description: A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make... Attack Vector: NETWORK Attack Complexity: LOW `ID: oORgxmPkl9cIIBjeS6XSSls5isAouTWnjBqbPVdgFrQ%3D` Vulnerable Package
CVE-2017-16032	Npm-brace-expansion-1.1.6	details Recommended version: 1.1.12 Description: Brace-expansion is vulnerable to a Regular Expression Denial of Service (ReDoS) condition in versions prior to 1.1.7. Attack Vector: NETWORK Attack Complexity: LOW `ID: i0Qw71Loy71CqveWsQbEjK1cIEBinel9B0kGcKX45Ms%3D` Vulnerable Package
CVE-2017-16118	Npm-forwarded-0.1.0	details Recommended version: 0.1.2 Description: The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of s... Attack Vector: NETWORK Attack Complexity: LOW `ID: XEqEVRjR%2FCks2pFJbCYP5iiOQLTxKoF9ZIRDbNmiBcE%3D` Vulnerable Package
CVE-2017-16119	Npm-fresh-0.3.0	details Recommended version: 0.5.2 Description: Fresh is a module used by the Express.js framework for HTTP response freshness testing. Prior to v0.5.2 it is vulnerable to a regular expression de... Attack Vector: NETWORK Attack Complexity: LOW `ID: 5OR746IQ8fLL%2BuVQk8GjPaMb7P6qP%2BI7GEL3zj%2BAtVQ%3D` Vulnerable Package
CVE-2017-16138	Npm-mime-1.3.4	details Recommended version: 1.4.1 Description: The mime module < 1.4.1 and 2.0.0 through 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted ... Attack Vector: NETWORK Attack Complexity: LOW `ID: eKIgNkGAbRviIs%2F4iU1Pweoz5kmY7vh0E0s%2B3Xx%2BAM8%3D` Vulnerable Package
CVE-2017-18077	Npm-brace-expansion-1.1.6	details Recommended version: 1.1.12 Description: index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argume... Attack Vector: NETWORK Attack Complexity: LOW `ID: JjzZXl8YwfWMspw38CaAfvDlg7UpmP98qNfY6M2TCLI%3D` Vulnerable Package
CVE-2018-20834	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a ta... Attack Vector: NETWORK Attack Complexity: LOW `ID: uogaM4s0xHe8afA8Hp4JCnRJhiDNa2dEJv33HcerB0I%3D` Vulnerable Package
CVE-2018-3728	Npm-hoek-2.16.3	details Recommended version: 4.2.1 Description: hoek node module before 4.2.1 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'ap... Attack Vector: NETWORK Attack Complexity: LOW `ID: EeXaS1XZG5Oi5UAyD%2F25ZFLUWc418btQmb6FRZK8zzw%3D` Vulnerable Package
CVE-2018-3737	Npm-sshpk-1.10.1	details Recommended version: 1.13.2 Description: sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. Attack Vector: NETWORK Attack Complexity: LOW `ID: ghMnec3rahdc2ZpCBrxwS4a2dtuwRkjM8NTDeoX3ySE%3D` Vulnerable Package
CVE-2019-13173	Npm-fstream-1.0.10	details Recommended version: 1.0.12 Description: fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the sys... Attack Vector: NETWORK Attack Complexity: LOW `ID: Om9JEVUAws0bL44QBrhsR7Qwuurp6GDcV2Vnxjvg3pY%3D` Vulnerable Package
CVE-2020-13822	Npm-elliptic-6.4.0	details Recommended version: 6.6.1 Description: The Elliptic package up to 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflo... Attack Vector: NETWORK Attack Complexity: HIGH `ID: e33qQramjt%2B29vjiiZ9V33thuOc3Wa1QcwXW%2F633b0o%3D` Vulnerable Package
CVE-2020-28469	Npm-glob-parent-2.0.0	details Recommended version: 5.1.2 Description: In glob-parent prior to 5.1.2 the way that the `enclosure` regex in `index.js` is defined could allow an attacker to exploit it, and cause a Denial... Attack Vector: NETWORK Attack Complexity: LOW `ID: FGyoY9z3Qvn8AAhLo6sXRmp3jgSeZvJ6eWWCOHgrY0o%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-4.17.2	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: 77J4lcRsXulddeIEpAnzL5TPEU0S2MIj%2ByC8CNIRHKs%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: JiZTeQNG7tBOtlqmHbpX%2BkSRfw2iZJ3f8A%2BR%2BzFsQYQ%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: KrPR7UPTbGKFG29s4d6lD36vMed2LT3vPe89D%2FTmtTU%3D` Vulnerable Package
CVE-2020-8203	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20. Attack Vector: NETWORK Attack Complexity: HIGH `ID: TIAhYuJUAyeWddff97VjbfwHXIvhnr%2B1NyJ%2B0wOwljc%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: EgEPLyjYXkml5b3W6r7J%2F%2Bognr8Z3DcuGfZt6J6Mvks%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash.template-3.6.2	details Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: LlYvFCgwsfYwHL97KzQ3e%2FLyKOETubSck76Ih4wnrPQ%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-4.17.2	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: Q%2B4yDIVeGba5E37yhb%2FJRoZEtOo%2FWSDIUGJWVUHUCQA%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: Xm8nztXc1gTfEGOor2Q9TsluLXnCkLPAwxNU462OOrE%3D` Vulnerable Package
CVE-2021-23337	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: lodash and lodash-es prior to 4.17.21, are vulnerable to Command Injection via the "template" function. lodash.template versions are vulnerable, too. Attack Vector: NETWORK Attack Complexity: LOW `ID: ZaGMQ2lJYIuxFpTYeCvKCWWivY06eNOf56n5dc6DRMY%3D` Vulnerable Package
CVE-2021-32803	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via ins... Attack Vector: NETWORK Attack Complexity: LOW `ID: uCyoo8FUcThOI8%2FKQwdSNki37b6oaCagjZccdMhFmEE%3D` Vulnerable Package
CVE-2021-32804	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) versions prior to 3.2.2 and 4.x prior to 4.4.14, 5.x prior to 5.0.6 and 6.x prior to 6.1.1 has a arbitrary Fil... Attack Vector: NETWORK Attack Complexity: LOW `ID: SAsKubhMXcCODQn9VFdlgKsQlFMLSlT8SpD0i0CZPI8%3D` Vulnerable Package
CVE-2021-37701	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution... Attack Vector: LOCAL Attack Complexity: LOW `ID: zKEiqJojPFb%2FmYlporo1cPTcddb382ss%2BSVGPFf3E10%3D` Vulnerable Package
CVE-2021-37712	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio... Attack Vector: LOCAL Attack Complexity: LOW `ID: O4BAvcEGuzTyalY%2B%2F%2B6PnEtwvR%2FCqQH69gR61zx4rZU%3D` Vulnerable Package
CVE-2021-37713	Npm-tar-2.2.1	details Recommended version: 6.2.1 Description: The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code executio... Attack Vector: LOCAL Attack Complexity: LOW `ID: %2FPluTNRAHl71tBlDTl3aP6t9hCm1Pm99aqaeYB%2FCtlY%3D` Vulnerable Package
CVE-2021-3807	Npm-ansi-regex-2.0.0	details Recommended version: 3.0.1 Description: The package ansi-regex versions 3.x prior to 3.0.1, 4.x prior to 4.1.1, 5.x prior to 5.0.1 and 6.0.x prior to 6.0.1 is vulnerable to Inefficient Re... Attack Vector: NETWORK Attack Complexity: LOW `ID: FhwpPQF3NDq27DyvNvNoRcMFmEekAbQAl7ry%2BQLSz7g%3D` Vulnerable Package
CVE-2021-43138	Npm-async-2.1.5	details Recommended version: 2.6.4 Description: In Async versions 2.0.0-rc.6 prior to 2.6.4, and 3.x prior to 3.2.2, a malicious user can obtain privileges via the "mapValues()" method, aka "lib/... Attack Vector: LOCAL Attack Complexity: LOW `ID: bX2AfXuLdnT%2Ft5fSIeYuwNCptxHohKfOA7UWzpMaTes%3D` Vulnerable Package
CVE-2022-0144	Npm-shelljs-0.3.0	details Recommended version: 0.8.5 Description: shelljs prior to 0.8.5 is vulnerable to Improper Privilege Management. Attack Vector: LOCAL Attack Complexity: LOW `ID: PmqYNBtGLVXIp4w6uqeXuiOs173G3UG9mJP55pHj2Tw%3D` Vulnerable Package
CVE-2022-21803	Npm-nconf-0.6.9	details Recommended version: 0.11.4 Description: This affects the package nconf before 0.11.4. When using the memory engine, it is possible to store a nested JSON representation of the configurati... Attack Vector: NETWORK Attack Complexity: LOW `ID: 2Jsol6nbQShjEOz%2FEaAeSWiAIr%2BotVwIAfEpNsJ8Y6E%3D` Vulnerable Package
CVE-2022-24999	Npm-qs-6.2.0	details Recommended version: 6.2.4 Description: The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application becau... Attack Vector: NETWORK Attack Complexity: LOW `ID: e%2Burf0APT0vqetwCHRO4Kxwh%2BVCeTHPF7sNyNSXSRjA%3D` Vulnerable Package
CVE-2022-24999	Npm-qs-6.3.0	details Recommended version: 6.3.3 Description: The qs package as used in Express through 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application becau... Attack Vector: NETWORK Attack Complexity: LOW `ID: Y9WT3RHr3avSRCkjkV8Dd99TlUI4DWDgnciUILwkfpU%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-5.3.0	details Recommended version: 5.7.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: 1A9xp11m9C3OaT7HIs6gx6i%2BuhJJyDzBxNySpqwzXMs%3D` Vulnerable Package
CVE-2022-25883	Npm-semver-4.3.6	details Recommended version: 5.7.2 Description: The package semver versions prior to 5.7.2, 6.x through 6.3.0 and 7.x through 7.5.1 are vulnerable to Regular Expression Denial of Service (ReDoS) ... Attack Vector: NETWORK Attack Complexity: LOW `ID: eb4%2Fe2JN6Id6M%2FIaMFoYSnXgY4T9Y5QObfQ5ZERqFOM%3D` Vulnerable Package
CVE-2022-29167	Npm-hawk-3.1.3	details Recommended version: 9.0.1 Description: Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the re... Attack Vector: NETWORK Attack Complexity: LOW `ID: j4f%2BWxz%2BXA%2FVYJuAPSEYcSjJMEgYvcfQRKSSxQkGO14%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-2.0.10	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: D9YFW8KDbLBdSA5GuurtPfETyqE2ecukqNdsPpfniEg%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-0.2.14	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2Bfy2kJm%2B4%2FK2KSMAkNhiZpagL7c7xvY9pvuiiSvhrns%3D` Vulnerable Package
CVE-2022-3517	Npm-minimatch-3.0.3	details Recommended version: 3.0.5 Description: A vulnerability was found in the minimatch package versions prior to 3.0.5. This flaw allows a Regular Expression Denial of Service (ReDoS) when ca... Attack Vector: NETWORK Attack Complexity: LOW `ID: %2BiAQnlaILmA1rOD6453UBG54ah%2BFpSg%2BpnH4ORwq4gM%3D` Vulnerable Package
CVE-2022-37599	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0 through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through ... Attack Vector: NETWORK Attack Complexity: LOW `ID: VYcXRlr%2FL4WEONOxzjVWyU1nns8qtEOApNBbDyMyxjQ%3D` Vulnerable Package
CVE-2022-37603	Npm-loader-utils-1.0.2	details Recommended version: 1.4.2 Description: A Regular expression Denial of Service (ReDoS) flaw was found in loader-utils versions 1.0.0 through 1.4.1, 2.0.0 through 2.0.3, and 3.0.0 through ... Attack Vector: NETWORK Attack Complexity: LOW `ID: uhfYVuNgWteqRhrNOPk%2F%2FP1cWt7RaygqT%2FCTc0NQvdA%3D` Vulnerable Package
CVE-2022-46175	Npm-json5-0.5.1	details Recommended version: 1.0.2 Description: JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The `parse` met... Attack Vector: NETWORK Attack Complexity: LOW `ID: on7x2paufWe9Lb8ZrciH4oeFMsiAvduChfFe7dbT%2Fkc%3D` Vulnerable Package
CVE-2024-4068	Npm-braces-1.8.5	details Recommended version: 3.0.3 Description: The NPM package "braces", versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In... Attack Vector: NETWORK Attack Complexity: LOW `ID: 8Q9Ehz0frbwfm0x0PuRmN11fKq6CuuteqE5N9m3NR%2B8%3D` Vulnerable Package
CVE-2024-45296	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW `ID: 10PO5DUuPZZPGjabsWBGL0sNWdQhJmsUv19RWFmn3Sk%3D` Vulnerable Package
CVE-2024-45296	Npm-path-to-regexp-1.7.0	details Recommended version: 1.9.0 Description: The path-to-regexp turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be explo... Attack Vector: NETWORK Attack Complexity: LOW `ID: cZFUphCV1BqldIv%2FTxCdXhW3LEL4mtVrE9pP6O3tECw%3D` Vulnerable Package
CVE-2024-45590	Npm-body-parser-1.15.2	details Recommended version: 1.20.3 Description: The body-parser is Node.js body parsing middleware. The body-parser package versions prior to 1.20.3 and 2.0.x prior to 2.0.0 are vulnerable to Den... Attack Vector: NETWORK Attack Complexity: LOW `ID: Vb49liC9kH%2FEl7OPxyW%2FXmjPNHn7lit%2BniJwL3%2B05ec%3D` Vulnerable Package
CVE-2024-52798	Npm-path-to-regexp-0.1.7	details Recommended version: 0.1.12 Description: path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploit... Attack Vector: NETWORK Attack Complexity: LOW `ID: HdxuOAYkwcb5TjUY0pH9yTcwNHSAzXhrlPjf%2ByrXaT8%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-3.7.0	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: dCcoKSVT2QiZWQAJ9U%2FDAuII12Tw9MCzboy4l1YFafU%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-4.17.2	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: kKBBxFqp0Up20Lj5GMZTgEHdJXDMLzaOGTUNldIqPgw%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-1.0.2	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: %2BnoilSW3H4lKbA2QIXRy3Bn5s%2FJgfmtM6fljEn1CqME%3D` Vulnerable Package
Cx0b414307-5d4b	Npm-lodash-4.17.4	details Recommended version: 4.17.21 Description: Prototype Pollution vulnerability in lodash before 4.17.19. Attack Vector: NETWORK Attack Complexity: LOW `ID: VXC8wEThsSi9oUDGHeJm1RP9wRySpUTjEGUCVOGf7Lc%3D` Vulnerable Package

More results are available on the CxOne platform

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

dependabot bot added the dependencies This pull request has dependencies. label Oct 26, 2023

dependabot bot force-pushed the dependabot/npm_and_yarn/browserify-sign-4.2.2 branch from 1d98b71 to 241aedc Compare November 6, 2025 17:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump browserify-sign from 4.0.0 to 4.2.2 #6

Bump browserify-sign from 4.0.0 to 4.2.2 #6

Uh oh!

dependabot bot commented on behalf of github Oct 26, 2023 •

edited

Loading

Uh oh!

ghost commented Nov 6, 2025

Uh oh!

ImagineBuildBot commented Nov 6, 2025

Uh oh!

thomas-hayden commented Nov 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Bump browserify-sign from 4.0.0 to 4.2.2 #6

Are you sure you want to change the base?

Bump browserify-sign from 4.0.0 to 4.2.2 #6

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 26, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.2.2 - 2023-10-25

Fixed

Commits

v4.2.1 - 2020-08-04

Merged

v4.2.0 - 2020-05-18

Merged

v4.1.0 - 2020-05-05

Merged

v4.0.4 - 2017-03-28

Merged

Uh oh!

ghost commented Nov 6, 2025

Uh oh!

ImagineBuildBot commented Nov 6, 2025

Cx-SAST Summary

Violation Summary

Cx-SAST Details

Uh oh!

thomas-hayden commented Nov 6, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot bot commented on behalf of github Oct 26, 2023 •

edited

Loading