When running npm install I'm getting a message about several package vulnerabilities:
jison$ npm audit fix
added 1 package, removed 5 packages, changed 21 packages, and audited 881 packages in 3s
53 packages are looking for funding
run `npm fund` for details
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mocha/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/mocha/node_modules/strip-ansi
node_modules/string-width/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/mocha/node_modules/cliui
yargs 8.0.0-candidate.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/mocha/node_modules/yargs
node_modules/yargs
@gerhobbelt/json5 *
Depends on vulnerable versions of minimist
Depends on vulnerable versions of yargs
node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
node_modules/@gerhobbelt/json5
node_modules/jison-gho/node_modules/@gerhobbelt/json5
@gerhobbelt/live-server *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/@gerhobbelt/live-server
jison-gho *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/jison-gho
mocha 6.0.0-0 - 9.1.4
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of yargs
node_modules/mocha
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/mocha/node_modules/string-width
node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/mocha/node_modules/wrap-ansi
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @babel/cli@7.17.6, which is outside the stated dependency range
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/@nicolo-ribaudo/chokidar-2/node_modules/chokidar
@nicolo-ribaudo/chokidar-2 *
Depends on vulnerable versions of chokidar
node_modules/@nicolo-ribaudo/chokidar-2
@babel/cli 7.12.1
Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
node_modules/@babel/cli
lodash <=4.17.20
Severity: critical
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/lodash
@gerhobbelt/benchmark *
Depends on vulnerable versions of lodash
node_modules/@gerhobbelt/benchmark
mem <4.0.0
Severity: moderate
Denial of Service in mem - https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/os-locale
yargs 8.0.0-candidate.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/mocha/node_modules/yargs
node_modules/yargs
@gerhobbelt/json5 *
Depends on vulnerable versions of minimist
Depends on vulnerable versions of yargs
node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
node_modules/@gerhobbelt/json5
node_modules/jison-gho/node_modules/@gerhobbelt/json5
@gerhobbelt/live-server *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/@gerhobbelt/live-server
jison-gho *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/jison-gho
mocha 6.0.0-0 - 9.1.4
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of yargs
node_modules/mocha
minimist <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/minimist
node_modules/@gerhobbelt/json5/node_modules/minimist
@gerhobbelt/json5 *
Depends on vulnerable versions of minimist
Depends on vulnerable versions of yargs
node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
node_modules/@gerhobbelt/json5
node_modules/jison-gho/node_modules/@gerhobbelt/json5
@gerhobbelt/live-server *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/@gerhobbelt/live-server
jison-gho *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/jison-gho
nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install mocha@9.2.2, which is a breaking change
node_modules/nanoid
mocha 6.0.0-0 - 9.1.4
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of yargs
node_modules/mocha
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/yargs-parser
yargs 8.0.0-candidate.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of string-width
Depends on vulnerable versions of yargs-parser
node_modules/mocha/node_modules/yargs
node_modules/yargs
@gerhobbelt/json5 *
Depends on vulnerable versions of minimist
Depends on vulnerable versions of yargs
node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
node_modules/@gerhobbelt/json5
node_modules/jison-gho/node_modules/@gerhobbelt/json5
@gerhobbelt/live-server *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/@gerhobbelt/live-server
jison-gho *
Depends on vulnerable versions of @gerhobbelt/json5
node_modules/jison-gho
mocha 6.0.0-0 - 9.1.4
Depends on vulnerable versions of nanoid
Depends on vulnerable versions of yargs
node_modules/mocha
21 vulnerabilities (14 moderate, 6 high, 1 critical)
To address all issues (including breaking changes), run:
npm audit fix --force