"{\n  \"actions\": [\n    {\n      \"isMajor\": true,\n      \"action\": \"install\",\n      \"resolves\": [\n        {\n          \"id\": 1006708,\n          \"path\": \"uglify-js\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        },\n        {\n          \"id\": 1006709,\n          \"path\": \"uglify-js\",\n          \"dev\": false,\n          \"optional\": false,\n          \"bundled\": false\n        }\n      ],\n      \"module\": \"uglify-js\",\n      \"target\": \"3.14.3\"\n    }\n  ],\n  \"advisories\": {\n    \"1006708\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.3\",\n          \"paths\": [\n            \"uglify-js\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<2.4.24\",\n      \"module_name\": \"uglify-js\",\n      \"severity\": \"critical\",\n      \"github_advisory_id\": \"GHSA-34r7-q49f-h37c\",\n      \"cves\": [\n        \"CVE-2015-8857\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=2.4.24\",\n      \"updated\": \"2017-10-24T18:33:36.000Z\",\n      \"recommendation\": \"Upgrade to version 2.4.24 or later\",\n      \"cwe\": \"CWE-1254\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1006708,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2015-8857\\n- https://github.com/mishoo/UglifyJS2/issues/751\\n- https://github.com/advisories/GHSA-34r7-q49f-h37c\\n- https://www.npmjs.com/advisories/39\\n- https://zyan.scripts.mit.edu/blog/backdooring-js/\\n- https://nodesecurity.io/advisories/39\\n- http://www.openwall.com/lists/oss-security/2016/04/20/11\\n- http://www.securityfocus.com/bid/96410\",\n      \"created\": \"2021-11-18T16:00:48.645Z\",\n      \"reported_by\": null,\n      \"title\": \"Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\\n\\n## Recommendation\\n\\nUpgrade UglifyJS to version >= 2.4.24.\",\n      \"url\": \"https://github.com/advisories/GHSA-34r7-q49f-h37c\"\n    },\n    \"1006709\": {\n      \"findings\": [\n        {\n          \"version\": \"1.2.3\",\n          \"paths\": [\n            \"uglify-js\"\n          ]\n        }\n      ],\n      \"metadata\": null,\n      \"vulnerable_versions\": \"<2.6.0\",\n      \"module_name\": \"uglify-js\",\n      \"severity\": \"high\",\n      \"github_advisory_id\": \"GHSA-c9f4-xj24-8jqx\",\n      \"cves\": [\n        \"CVE-2015-8858\"\n      ],\n      \"access\": \"public\",\n      \"patched_versions\": \">=2.6.0\",\n      \"updated\": \"2017-10-24T18:33:36.000Z\",\n      \"recommendation\": \"Upgrade to version 2.6.0 or later\",\n      \"cwe\": \"\",\n      \"found_by\": null,\n      \"deleted\": null,\n      \"id\": 1006709,\n      \"references\": \"- https://nvd.nist.gov/vuln/detail/CVE-2015-8858\\n- https://github.com/advisories/GHSA-c9f4-xj24-8jqx\\n- https://www.npmjs.com/advisories/48\\n- https://nodesecurity.io/advisories/48\\n- http://www.openwall.com/lists/oss-security/2016/04/20/11\\n- http://www.securityfocus.com/bid/96409\",\n      \"created\": \"2021-11-18T16:00:48.645Z\",\n      \"reported_by\": null,\n      \"title\": \"Regular Expression Denial of Service in uglify-js\",\n      \"npm_advisory_id\": null,\n      \"overview\": \"Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\\n\\n\\n### Proof of Concept\\n\\n```\\nvar u = require('uglify-js');\\nvar genstr = function (len, chr) {\\n    var result = \\\"\\\";\\n    for (i=0; i<=len; i++) {\\n        result = result + chr;\\n    }\\n\\n    return result;\\n}\\n\\nu.parse(\\\"var a = \\\" + genstr(process.argv[2], \\\"1\\\") + \\\".1ee7;\\\");\\n```\\n\\n### Results\\n```\\n$ time node test.js 10000\\nreal\\t0m1.091s\\nuser\\t0m1.047s\\nsys\\t0m0.039s\\n\\n$ time node test.js 80000\\nreal\\t0m6.486s\\nuser\\t0m6.229s\\nsys\\t0m0.094s\\n```\\n\\n\\n## Recommendation\\n\\nUpdate to version 2.6.0 or later.\",\n      \"url\": \"https://github.com/advisories/GHSA-c9f4-xj24-8jqx\"\n    }\n  },\n  \"muted\": [],\n  \"metadata\": {\n    \"vulnerabilities\": {\n      \"info\": 0,\n      \"low\": 0,\n      \"moderate\": 0,\n      \"high\": 1,\n      \"critical\": 1\n    },\n    \"dependencies\": 3,\n    \"devDependencies\": 0,\n    \"optionalDependencies\": 0,\n    \"totalDependencies\": 3\n  },\n  \"runId\": \"fded8d09-e5fa-4ba5-8b19-6427e6a19929\"\n}\n"
