Vulnerabilities from the last week
Malicious Package
rollup-plugin-polyfill-connect is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship.
Infinite loop
python-liquid is a Python engine for the Liquid template language.
Affected versions of this package are vulnerable to an infinite loop in the {% case %} tag parsing logic, caused by an incorrect definition of the EOF token's kind and value in the TokenStream.eof attribute. A user who can author or supply templates can hang the parser and cause a denial of service by providing a {% case %} tag that has no {% when %} or {% else %} branch and no terminating {% endcase %}. Exploitation requires the application to parse template source supplied by untrusted authors, and the hang occurs at parse time.
Incomplete Filtering of Special Elements
org.webjars.npm:angular is a WebJar for angular.
Affected versions of this package are vulnerable to Incomplete Filtering of Special Elements in the $sceDelegate service's trustedResourceUrlList() validation, where a regular expression intended to match the entire resource URL is only partially applied when the pattern contains an alternation operator. An attacker can execute JavaScript in a victim's browser by supplying a resource URL such as https://evil.com/scripts.js#https://good.com/ that satisfies the partially applied pattern and bypasses the Strict Contextual Escaping allowlist. Exploitation is possible only where the application configures trustedResourceUrlList() with regex matchers that use alternation (|).
Recent vulnerabilities disclosed by Snyk
- C: Code Execution in expr-eval (npm)
- M: Uncaught Exception in ts-deepmerge (npm)
- H: Command Injection in degit (npm)
- C: Malicious Package in moustick (npm)
- C: Malicious Package in cookie-parser-legacy (npm)
Snyk security researchers have disclosed 3499 vulnerabilities.
About Snyk dependencies vulnerability database
Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer's toolkit.