"{\n  \"actions\": [\n    {\n      \"isMajor\": true,\n      \"action\": \"install\",\n      \"resolves\": [\n        {\n          \"id\": 1005415,\n          \"path\": \"merge\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        },\n        {\n          \"id\": 1006579,\n          \"path\": \"merge\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        }\n      ],\n      \"module\": \"merge\",\n      \"target\": \"2.1.1\"\n    },\n    {\n      \"isMajor\": true,\n      \"action\": \"install\",\n      \"resolves\": [\n        {\n          \"id\": 1006708,\n          \"path\": \"uglify-js\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        },\n        {\n          \"id\": 1006709,\n          \"path\": \"uglify-js\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        }\n      ],\n      \"module\": \"uglify-js\",\n      \"target\": \"3.14.3\"\n    }\n  ],\n  \"advisories\": {\n    \"1005415\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.0\",\n          \"paths\": [\n            \"merge\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<2.1.1\",\n      \"module_name\": \"merge\",\n      \"severity\": \"high\",\n      \"github_advisory_id\": \"GHSA-7wpw-2hjm-89gp\",\n      \"cves\": [\n        \"CVE-2020-28499\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=2.1.1\",\n      \"updated\": \"2021-03-18T22:54:26.000Z\",\n      \"recommendation\": \"Upgrade to version 2.1.1 or later\",\n      \"cwe\": \"CWE-915\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1005415,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2020-28499\\n- https://github.com/yeikos/js.merge/commit/7b0ddc2701d813f2ba289b32d6a4b9d4cc235fb4\\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1071049\\n- https://snyk.io/vuln/SNYK-JS-MERGE-1042987\\n- https://vuldb.com/?id.170146\\n- https://github.com/yeikos/js.merge/blob/56ca75b2dd0f2820f1e08a49f62f04bbfb8c5f8f/src/index.ts#L64\\n- https://github.com/yeikos/js.merge/blob/master/src/index.ts%23L64\\n- https://github.com/advisories/GHSA-7wpw-2hjm-89gp\",\n      \"created\": \"2021-11-18T16:00:48.538Z\",\n      \"reported_by\": null,\n      \"title\": \"Prototype Pollution in merge\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"All versions of package merge <2.1.1 are vulnerable to Prototype Pollution via _recursiveMerge .\",\n      \"url\": \"https://github.com/advisories/GHSA-7wpw-2hjm-89gp\"\n    },\n    \"1006579\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.0\",\n          \"paths\": [\n            \"merge\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<1.2.1\",\n      \"module_name\": \"merge\",\n      \"severity\": \"low\",\n      \"github_advisory_id\": \"GHSA-f9cm-qmx5-m98h\",\n      \"cves\": [\n        \"CVE-2018-16469\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=1.2.1\",\n      \"updated\": \"2018-11-01T14:44:39.000Z\",\n      \"recommendation\": \"Upgrade to version 1.2.1 or later\",\n      \"cwe\": \"CWE-400\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1006579,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2018-16469\\n- https://hackerone.com/reports/381194\\n- https://github.com/advisories/GHSA-f9cm-qmx5-m98h\\n- https://www.npmjs.com/advisories/722\",\n      \"created\": \"2021-11-18T16:00:48.637Z\",\n      \"reported_by\": null,\n      \"title\": \"Prototype Pollution in merge\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"Versions of `merge` before 1.2.1 are vulnerable to prototype pollution. The `merge.recursive` function can be tricked into adding or modifying properties of the Object prototype.\\n\\n\\n## Recommendation\\n\\nUpdate to version 1.2.1 or later.\",\n      \"url\": \"https://github.com/advisories/GHSA-f9cm-qmx5-m98h\"\n    },\n    \"1006708\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.3\",\n          \"paths\": [\n            \"uglify-js\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<2.4.24\",\n      \"module_name\": \"uglify-js\",\n      \"severity\": \"critical\",\n      \"github_advisory_id\": \"GHSA-34r7-q49f-h37c\",\n      \"cves\": [\n        \"CVE-2015-8857\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=2.4.24\",\n      \"updated\": \"2017-10-24T18:33:36.000Z\",\n      \"recommendation\": \"Upgrade to version 2.4.24 or later\",\n      \"cwe\": \"CWE-1254\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1006708,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2015-8857\\n- https://github.com/mishoo/UglifyJS2/issues/751\\n- https://github.com/advisories/GHSA-34r7-q49f-h37c\\n- https://www.npmjs.com/advisories/39\\n- https://zyan.scripts.mit.edu/blog/backdooring-js/\\n- https://nodesecurity.io/advisories/39\\n- http://www.openwall.com/lists/oss-security/2016/04/20/11\\n- http://www.securityfocus.com/bid/96410\",\n      \"created\": \"2021-11-18T16:00:48.645Z\",\n      \"reported_by\": null,\n      \"title\": \"Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\\n\\n## Recommendation\\n\\nUpgrade UglifyJS to version >= 2.4.24.\",\n      \"url\": \"https://github.com/advisories/GHSA-34r7-q49f-h37c\"\n    },\n    \"1006709\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.3\",\n          \"paths\": [\n            \"uglify-js\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<2.6.0\",\n      \"module_name\": \"uglify-js\",\n      \"severity\": \"high\",\n      \"github_advisory_id\": \"GHSA-c9f4-xj24-8jqx\",\n      \"cves\": [\n        \"CVE-2015-8858\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=2.6.0\",\n      \"updated\": \"2017-10-24T18:33:36.000Z\",\n      \"recommendation\": \"Upgrade to version 2.6.0 or later\",\n      \"cwe\": \"\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1006709,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2015-8858\\n- https://github.com/advisories/GHSA-c9f4-xj24-8jqx\\n- https://www.npmjs.com/advisories/48\\n- https://nodesecurity.io/advisories/48\\n- http://www.openwall.com/lists/oss-security/2016/04/20/11\\n- http://www.securityfocus.com/bid/96409\",\n      \"created\": \"2021-11-18T16:00:48.645Z\",\n      \"reported_by\": null,\n      \"title\": \"Regular Expression Denial of Service in uglify-js\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\\n\\n\\n### Proof of Concept\\n\\n```\\nvar u = require('uglify-js');\\nvar genstr = function (len, chr) {\\n    var result = \\\"\\\";\\n    for (i=0; i<=len; i++) {\\n        result = result + chr;\\n    }\\n\\n    return result;\\n}\\n\\nu.parse(\\\"var a = \\\" + genstr(process.argv[2], \\\"1\\\") + \\\".1ee7;\\\");\\n```\\n\\n### Results\\n```\\n$ time node test.js 10000\\nreal\\t0m1.091s\\nuser\\t0m1.047s\\nsys\\t0m0.039s\\n\\n$ time node test.js 80000\\nreal\\t0m6.486s\\nuser\\t0m6.229s\\nsys\\t0m0.094s\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.6.0 or later.\",\n      \"url\": \"https://github.com/advisories/GHSA-c9f4-xj24-8jqx\"\n    }\n  },\n  \"muted\": [],\n  \"metadata\": {\n    \"vulnerabilities\": {\n      \"info\": 0,\n      \"low\": 1,\n      \"moderate\": 0,\n      \"high\": 2,\n      \"critical\": 1\n    },\n    \"dependencies\": 4,\n    \"devDependencies\": 0,\n    \"optionalDependencies\": 0,\n    \"totalDependencies\": 4\n  },\n  \"runId\": \"90edc9ec-a29c-46fd-9dc5-caa3c3d4586a\"\n}\n"
