Address vulnerabilities #28

@vitorsr

Just running npm audit reveals a large amount of spam.

Most do not make sense for a client-side CLI application, but it would be good practice to address them, which should be as easy as updating dependencies.

The tool is fine and functional otherwise.

$ npm audit
# npm audit report

@babel/helpers  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/helpers

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

@tootallnate/once  <2.0.1
@tootallnate/once vulnerable to Incorrect Control Flow Scoping - https://github.com/advisories/GHSA-vpq2-c234-7xj6
fix available via `npm audit fix --force`
Will install jsdom@29.1.1, which is a breaking change
node_modules/@tootallnate/once
  http-proxy-agent  4.0.1
  Depends on vulnerable versions of @tootallnate/once
  node_modules/http-proxy-agent
    jsdom  0.1.20 || 0.2.0 - 17.0.0
    Depends on vulnerable versions of http-proxy-agent
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-native
    Depends on vulnerable versions of tough-cookie
    node_modules/jsdom
    node_modules/window/node_modules/jsdom
      window  >=2.0.0
      Depends on vulnerable versions of jsdom
      node_modules/window

ajv  <6.14.0 || >=7.0.0-alpha.0 <8.18.0
Severity: moderate
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
ajv has ReDoS when using `$data` option - https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
fix available via `npm audit fix`
node_modules/ajv
node_modules/table/node_modules/ajv

ansi-regex  3.0.0 || 4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
node_modules/mocha/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
node_modules/yargs-unparser/node_modules/ansi-regex

axios  <=0.31.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - https://github.com/advisories/GHSA-3p68-rc4w-qgx5
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy - https://github.com/advisories/GHSA-w9j2-pvgh-6h63
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 - https://github.com/advisories/GHSA-pmwg-cvhr-8vh7
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - https://github.com/advisories/GHSA-xhjh-pmcv-23jw
Axios: no_proxy bypass via IP alias allows SSRF - https://github.com/advisories/GHSA-m7pr-hjqh-92cm
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - https://github.com/advisories/GHSA-62hf-57xw-28j9
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - https://github.com/advisories/GHSA-5c9x-8gcm-mpgx
Axios: HTTP adapter streamed responses bypass maxContentLength - https://github.com/advisories/GHSA-vf2m-468p-8v99
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - https://github.com/advisories/GHSA-pf86-5x62-jrwf
Axios: Header Injection via Prototype Pollution - https://github.com/advisories/GHSA-6chq-wfr3-2hj9
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion - https://github.com/advisories/GHSA-xx6v-rp6x-q39c
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - https://github.com/advisories/GHSA-fvcv-3m26-pcqx
fix available via `npm audit fix`
node_modules/axios
  localtunnel  1.9.0 - 2.0.1
  Depends on vulnerable versions of axios
  node_modules/localtunnel

body-parser  <=1.20.2
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

brace-expansion  <=1.1.12
Severity: moderate
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/brace-expansion

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install jest@30.4.2, which is a breaking change
node_modules/braces
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/micromatch
  node_modules/sane/node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/sane/node_modules/anymatch
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
        jest-haste-map  24.0.0-alpha.0 - 26.6.2
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          @jest/core  *
          Depends on vulnerable versions of @jest/reporters
          Depends on vulnerable versions of @jest/transform
          Depends on vulnerable versions of jest-config
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-resolve-dependencies
          Depends on vulnerable versions of jest-runner
          Depends on vulnerable versions of jest-runtime
          Depends on vulnerable versions of jest-snapshot
          node_modules/@jest/core
            jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-cli
            node_modules/jest
            jest-cli  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-config
            node_modules/jest-cli
          @jest/reporters  *
          Depends on vulnerable versions of @jest/transform
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of node-notifier
          node_modules/@jest/reporters
          @jest/test-sequencer  <=26.6.3
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-runner
          Depends on vulnerable versions of jest-runtime
          node_modules/@jest/test-sequencer
            jest-config  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/test-sequencer
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of jest-jasmine2
            node_modules/jest-config
              jest-runner  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-runtime
              node_modules/jest-runner
              jest-runtime  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of @jest/transform
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-runtime
                jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of jest-runtime
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-jasmine2
          @jest/transform  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/transform
            babel-jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            node_modules/babel-jest
          jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/jest-snapshot
            jest-resolve-dependencies  26.1.0 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie
node_modules/engine.io/node_modules/cookie
  engine.io  <=6.6.1
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/engine.io
    socket.io  <=3.0.4
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io
    Depends on vulnerable versions of socket.io-client
    node_modules/socket.io
      browser-sync  <=3.0.2
      Depends on vulnerable versions of eazy-logger
      Depends on vulnerable versions of qs
      Depends on vulnerable versions of send
      Depends on vulnerable versions of serve-static
      Depends on vulnerable versions of socket.io
      node_modules/browser-sync

cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/sane/node_modules/cross-spawn

debug  3.2.0 - 3.2.6 || 4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix`
node_modules/engine.io/node_modules/debug
node_modules/mocha/node_modules/debug
node_modules/socket.io-parser/node_modules/debug
node_modules/socket.io/node_modules/debug
  mocha  0.14.0 - 9.2.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimatch
  node_modules/mocha
    mathpix-markdown-it  *
    Depends on vulnerable versions of highlight.js
    Depends on vulnerable versions of markdown-it
    Depends on vulnerable versions of markdown-it-multimd-table
    Depends on vulnerable versions of mocha
    Depends on vulnerable versions of sanitize-html
    node_modules/mathpix-markdown-it
  socket.io-parser  <=3.3.4 || 3.4.0 - 4.0.2
  Depends on vulnerable versions of debug
  node_modules/socket.io-client/node_modules/socket.io-parser
  node_modules/socket.io-parser

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

diff  <3.5.1
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix`
node_modules/diff

eazy-logger  <=4.0.1
Severity: high
eazy-logger prototype pollution - https://github.com/advisories/GHSA-r7jx-5m6m-cpg9
fix available via `npm audit fix`
node_modules/eazy-logger

ejs  <=3.1.9
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
fix available via `npm audit fix`
node_modules/ejs



flatted  <=3.4.1
Severity: high
flatted vulnerable to unbounded recursion DoS in parse() revive phase - https://github.com/advisories/GHSA-25h7-pfq9-p65f
Prototype Pollution via parse() in NodeJS flatted - https://github.com/advisories/GHSA-rf6f-7fwh-wjgh
fix available via `npm audit fix`
node_modules/flatted

follow-redirects  <=1.15.11
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - https://github.com/advisories/GHSA-r4q5-vmmm-2653
fix available via `npm audit fix`
node_modules/follow-redirects

form-data  >=3.0.0 <3.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix --force`
Will install jsdom@29.1.1, which is a breaking change
node_modules/form-data
node_modules/request/node_modules/form-data
  request  *
  Depends on vulnerable versions of form-data
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of uuid
  node_modules/request
    request-promise-core  *
    Depends on vulnerable versions of request
    node_modules/request-promise-core
      request-promise-native  >=1.0.0
      Depends on vulnerable versions of request
      Depends on vulnerable versions of request-promise-core
      Depends on vulnerable versions of tough-cookie
      node_modules/request-promise-native

get-func-name  <2.0.1
Severity: high
Chaijs/get-func-name vulnerable to ReDoS - https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
fix available via `npm audit fix`
node_modules/get-func-name

handlebars  4.0.0 - 4.7.8
Severity: critical
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block - https://github.com/advisories/GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion - https://github.com/advisories/GHSA-2w6w-674q-4c4q
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection - https://github.com/advisories/GHSA-2qvq-rjwj-gvw9
Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry - https://github.com/advisories/GHSA-7rx3-28cr-v5wh
Handlebars.js has a Property Access Validation Bypass in container.lookup - https://github.com/advisories/GHSA-442j-39wm-28r2
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial - https://github.com/advisories/GHSA-xhpv-hc6g-r9c6
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation - https://github.com/advisories/GHSA-9cx6-37pm-9jff
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options - https://github.com/advisories/GHSA-xjpj-3mr7-gcpf
fix available via `npm audit fix`
node_modules/handlebars

highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
fix available via `npm audit fix`
node_modules/highlight.js

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
No fix available
node_modules/html-minifier
  @sherby/eleventy-plugin-files-minifier  *
  Depends on vulnerable versions of html-minifier
  node_modules/@sherby/eleventy-plugin-files-minifier

immutable  <3.8.3
Severity: high
Immutable is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-wf6x-7x77-mvgw
fix available via `npm audit fix`
node_modules/immutable

js-yaml  <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/js-yaml
node_modules/mathpix-markdown-it/node_modules/js-yaml
node_modules/mocha/node_modules/js-yaml

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

liquidjs  <=10.25.6
Severity: high
liquidjs may leak properties of a prototype - https://github.com/advisories/GHSA-45rm-2893-5f49
liquidjs has a path traversal fallback vulnerability - https://github.com/advisories/GHSA-wmfp-5q7x-987x
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern - https://github.com/advisories/GHSA-6q5m-63h6-5x4v
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash - https://github.com/advisories/GHSA-9r5m-9576-7f6x
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read - https://github.com/advisories/GHSA-v273-448j-v4qj
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel - https://github.com/advisories/GHSA-rv5g-f82m-qrvv
LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter - https://github.com/advisories/GHSA-mmg9-6m6j-jqqx
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates - https://github.com/advisories/GHSA-56p5-8mhr-2fph
liquidjs has a Denial of Service via circular block reference in layout - https://github.com/advisories/GHSA-4rc3-7j7w-m548
No fix available
node_modules/liquidjs
  @11ty/eleventy  <=2.0.0-canary.18 || 2.0.2-alpha.1 - 3.0.0-alpha.16
  Depends on vulnerable versions of liquidjs
  node_modules/@11ty/eleventy

lodash  <=4.17.23
Severity: high
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/lodash

luxon  1.0.0 - 1.28.0
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix`
node_modules/luxon

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it
node_modules/markdown-it-multimd-table/node_modules/markdown-it
node_modules/mathpix-markdown-it/node_modules/markdown-it
  markdown-it-multimd-table  1.0.2 - 4.1.1
  Depends on vulnerable versions of markdown-it
  node_modules/markdown-it-multimd-table


minimatch  <=3.1.3
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix`
node_modules/minimatch

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

node-fetch  <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch

nunjucks  <3.2.4
Severity: moderate
Nunjucks autoescape bypass leads to cross site scripting - https://github.com/advisories/GHSA-x77j-w7wf-fjmw
fix available via `npm audit fix`
node_modules/nunjucks

parseuri  <2.0.0
Severity: moderate
parse-uri Regular expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-6fx8-h7jm-663j
fix available via `npm audit fix`
node_modules/parseuri
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.0.2 - 6.1.1
  Depends on vulnerable versions of parseuri
  Depends on vulnerable versions of ws
  node_modules/engine.io-client
  socket.io-client  1.0.0-pre - 4.4.1
  Depends on vulnerable versions of parseuri
  node_modules/socket.io-client
    browser-sync-ui  1.0.1 - 2.27.7
    Depends on vulnerable versions of socket.io-client
    node_modules/browser-sync-ui

path-to-regexp  <=0.1.12
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
path-to-regexp contains a ReDoS - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - https://github.com/advisories/GHSA-37ch-88jc-xwx2
fix available via `npm audit fix`
node_modules/path-to-regexp

picomatch  <=2.3.1
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/picomatch

postcss  <=8.5.9
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - https://github.com/advisories/GHSA-qx2v-qp2m-jg93
fix available via `npm audit fix`
node_modules/postcss
  sanitize-html  <=2.12.0
  Depends on vulnerable versions of postcss
  node_modules/sanitize-html

pug  <=3.0.2
Severity: moderate
Pug allows JavaScript code execution if an application accepts untrusted input - https://github.com/advisories/GHSA-3965-hpx2-q597
fix available via `npm audit fix`
node_modules/pug

pug-code-gen  <=3.0.2
Severity: moderate
Pug allows JavaScript code execution if an application accepts untrusted input - https://github.com/advisories/GHSA-3965-hpx2-q597
fix available via `npm audit fix`
node_modules/pug-code-gen

qs  <=6.14.1
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs's arrayLimit bypass in comma parsing allows denial of service - https://github.com/advisories/GHSA-w7fw-mjwx-w883
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix`
node_modules/body-parser/node_modules/qs
node_modules/express/node_modules/qs
node_modules/qs
node_modules/request/node_modules/qs



semver  2.0.0-alpha - 5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/editorconfig/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/node-environment-flags/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/sane/node_modules/semver
node_modules/semver

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/express/node_modules/send
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/express/node_modules/serve-static
  node_modules/serve-static




tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/inquirer

tmpl  <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install jsdom@29.1.1, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
node_modules/window/node_modules/tough-cookie

uuid  <11.1.1
Severity: moderate
uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided - https://github.com/advisories/GHSA-w5hq-g745-h8pq
fix available via `npm audit fix --force`
Will install jsdom@29.1.1, which is a breaking change
node_modules/request/node_modules/uuid
node_modules/uuid
  node-notifier  >=7.0.0
  Depends on vulnerable versions of uuid
  node_modules/node-notifier

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  6.0.0 - 6.2.2 || 7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/engine.io-client/node_modules/ws
node_modules/engine.io/node_modules/ws
node_modules/window/node_modules/ws
node_modules/ws

93 vulnerabilities (10 low, 39 moderate, 35 high, 9 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
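The report above already sorts its findings into three outcomes (fixable with `npm audit fix`, fixable only with `--force` and a breaking change, or no fix at all), which is exactly the split a maintainer needs before deciding whether "updating dependencies" is enough. The following triage script is an added example, not code from this issue or from the project: it consumes the JSON form of the same report (`npm audit --json`, npm 7+ `auditReportVersion` 2, whose `fixAvailable`, `via` and `isDirect` fields are assumed from that format) and buckets every finding accordingly; the `--stdin` flag, the file name `triage.js` and the embedded sample are the example's own constructions, with the sample mirroring four entries from the report.

```javascript
// Added triage helper, not part of the original issue or the project it targets.
// It reads the JSON from `npm audit --json` (npm 7+, auditReportVersion 2) and
// sorts every finding into the bucket the report's own advice implies:
//   autofix  - resolved by `npm audit fix` (no semver-major change)
//   breaking - only resolved by `npm audit fix --force` (semver-major bump)
//   nofix    - npm offers no fix: swap the dependency or accept the risk
// Run on real output:  npm audit --json | node triage.js --stdin

const SEVERITY_ORDER = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Constructed sample mirroring four entries from the report above (field layout
// follows the npm audit v2 JSON format; advisory URLs are the ones the report lists).
const SAMPLE = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "high", isDirect: false, range: "<=0.31.0",
      via: [{ name: "axios", severity: "high", title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }],
      effects: ["localtunnel"], nodes: ["node_modules/axios"], fixAvailable: true,
    },
    localtunnel: {
      name: "localtunnel", severity: "high", isDirect: true, range: "1.9.0 - 2.0.1",
      via: ["axios"], effects: [], nodes: ["node_modules/localtunnel"], fixAvailable: true,
    },
    braces: {
      name: "braces", severity: "high", isDirect: false, range: "<3.0.3",
      via: [{ name: "braces", severity: "high", title: "Uncontrolled resource consumption in braces",
              url: "https://github.com/advisories/GHSA-grv7-fg5c-xmjg" }],
      effects: ["micromatch"], nodes: ["node_modules/braces"],
      fixAvailable: { name: "jest", version: "30.4.2", isSemVerMajor: true },
    },
    "html-minifier": {
      name: "html-minifier", severity: "high", isDirect: false, range: "*",
      via: [{ name: "html-minifier", severity: "high", title: "kangax html-minifier REDoS vulnerability",
              url: "https://github.com/advisories/GHSA-pfq8-rq6v-vf5m" }],
      effects: ["@sherby/eleventy-plugin-files-minifier"], nodes: ["node_modules/html-minifier"],
      fixAvailable: false,
    },
  },
};

function triage(report, minSeverity = "low") {
  const floor = SEVERITY_ORDER[minSeverity] ?? 0;
  const buckets = { autofix: [], breaking: [], nofix: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    if ((SEVERITY_ORDER[v.severity] ?? 0) < floor) continue;
    // `via` mixes advisory objects (root causes) with plain package names
    // (transitive exposure); only the objects carry an advisory URL.
    const advisories = (v.via || []).filter((x) => typeof x === "object").map((x) => x.url);
    const entry = { name, severity: v.severity, direct: Boolean(v.isDirect), range: v.range, advisories };
    const fix = v.fixAvailable;
    if (fix && fix.isSemVerMajor) {
      buckets.breaking.push({ ...entry, forceInstalls: `${fix.name}@${fix.version}` });
    } else if (fix) {
      buckets.autofix.push(entry); // `true`, or a non-major bump of another package
    } else {
      buckets.nofix.push(entry);
    }
  }
  const bySeverity = (a, b) => SEVERITY_ORDER[b.severity] - SEVERITY_ORDER[a.severity];
  for (const list of Object.values(buckets)) list.sort(bySeverity);
  return buckets;
}

// Findings that only inherit exposure from another package carry no advisory of
// their own; this keeps just the packages that name at least one advisory.
function rootCauses(buckets) {
  return Object.fromEntries(Object.entries(buckets).map(([k, list]) =>
    [k, list.filter((e) => e.advisories.length > 0).map((e) => e.name)]));
}

function main() {
  const useStdin = process.argv.includes("--stdin");
  const report = useStdin ? JSON.parse(require("fs").readFileSync(0, "utf8")) : SAMPLE;
  const buckets = triage(report);
  for (const [bucket, list] of Object.entries(buckets)) {
    console.log(`${bucket}: ${list.length}`);
    for (const e of list) {
      const force = e.forceInstalls ? ` (force installs ${e.forceInstalls})` : "";
      console.log(`  ${e.severity.padEnd(8)} ${e.name} ${e.range}${force}`);
    }
  }
}

if (typeof require !== "undefined" && require.main === module) main();
```

The `nofix` bucket is the one that needs a human decision (here html-minifier, which the report marks "No fix available"), since neither `npm audit fix` nor `--force` will clear it.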
