NPM warnings about vulnerabilities #67
Status: Open
mingodad opened this issue Mar 22, 2022 · 0 comments
When running npm install I'm getting a message about several package vulnerabilities:

jison$ npm audit fix

added 1 package, removed 5 packages, changed 21 packages, and audited 881 packages in 3s

53 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mocha/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/mocha/node_modules/strip-ansi
  node_modules/string-width/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/mocha/node_modules/cliui
      yargs  8.0.0-candidate.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of os-locale
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of yargs-parser
      node_modules/mocha/node_modules/yargs
      node_modules/yargs
        @gerhobbelt/json5  *
        Depends on vulnerable versions of minimist
        Depends on vulnerable versions of yargs
        node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
        node_modules/@gerhobbelt/json5
        node_modules/jison-gho/node_modules/@gerhobbelt/json5
          @gerhobbelt/live-server  *
          Depends on vulnerable versions of @gerhobbelt/json5
          node_modules/@gerhobbelt/live-server
          jison-gho  *
          Depends on vulnerable versions of @gerhobbelt/json5
          node_modules/jison-gho
        mocha  6.0.0-0 - 9.1.4
        Depends on vulnerable versions of nanoid
        Depends on vulnerable versions of yargs
        node_modules/mocha
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/mocha/node_modules/string-width
    node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/mocha/node_modules/wrap-ansi

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @babel/cli@7.17.6, which is outside the stated dependency range
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@nicolo-ribaudo/chokidar-2/node_modules/chokidar
    @nicolo-ribaudo/chokidar-2  *
    Depends on vulnerable versions of chokidar
    node_modules/@nicolo-ribaudo/chokidar-2
      @babel/cli  7.12.1
      Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
      node_modules/@babel/cli

lodash  <=4.17.20
Severity: critical
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/lodash
  @gerhobbelt/benchmark  *
  Depends on vulnerable versions of lodash
  node_modules/@gerhobbelt/benchmark

mem  <4.0.0
Severity: moderate
Denial of Service in mem - https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  8.0.0-candidate.0 - 15.0.0
    Depends on vulnerable versions of cliui
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of yargs-parser
    node_modules/mocha/node_modules/yargs
    node_modules/yargs
      @gerhobbelt/json5  *
      Depends on vulnerable versions of minimist
      Depends on vulnerable versions of yargs
      node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
      node_modules/@gerhobbelt/json5
      node_modules/jison-gho/node_modules/@gerhobbelt/json5
        @gerhobbelt/live-server  *
        Depends on vulnerable versions of @gerhobbelt/json5
        node_modules/@gerhobbelt/live-server
        jison-gho  *
        Depends on vulnerable versions of @gerhobbelt/json5
        node_modules/jison-gho
      mocha  6.0.0-0 - 9.1.4
      Depends on vulnerable versions of nanoid
      Depends on vulnerable versions of yargs
      node_modules/mocha

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/minimist
node_modules/@gerhobbelt/json5/node_modules/minimist
  @gerhobbelt/json5  *
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of yargs
  node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
  node_modules/@gerhobbelt/json5
  node_modules/jison-gho/node_modules/@gerhobbelt/json5
    @gerhobbelt/live-server  *
    Depends on vulnerable versions of @gerhobbelt/json5
    node_modules/@gerhobbelt/live-server
    jison-gho  *
    Depends on vulnerable versions of @gerhobbelt/json5
    node_modules/jison-gho

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install mocha@9.2.2, which is a breaking change
node_modules/nanoid
  mocha  6.0.0-0 - 9.1.4
  Depends on vulnerable versions of nanoid
  Depends on vulnerable versions of yargs
  node_modules/mocha

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of yargs-parser
  node_modules/mocha/node_modules/yargs
  node_modules/yargs
    @gerhobbelt/json5  *
    Depends on vulnerable versions of minimist
    Depends on vulnerable versions of yargs
    node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
    node_modules/@gerhobbelt/json5
    node_modules/jison-gho/node_modules/@gerhobbelt/json5
      @gerhobbelt/live-server  *
      Depends on vulnerable versions of @gerhobbelt/json5
      node_modules/@gerhobbelt/live-server
      jison-gho  *
      Depends on vulnerable versions of @gerhobbelt/json5
      node_modules/jison-gho
    mocha  6.0.0-0 - 9.1.4
    Depends on vulnerable versions of nanoid
    Depends on vulnerable versions of yargs
    node_modules/mocha

21 vulnerabilities (14 moderate, 6 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force