This repository has been archived by the owner on Aug 23, 2023. It is now read-only.

highly vulnerable packages #21

Open
j2l opened this issue May 1, 2021 · 0 comments

Comments


j2l commented May 1, 2021

Hello,

At `npm i`:

added 1 package, removed 89 packages
20 vulnerabilities (9 low, 5 moderate, 6 high)

And `npm audit fix --force` can't fix 5 of the high-severity ones.

`npm audit` details after `--force`:

```text
# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix`
node_modules/axios
  gatsby  2.10.1-resource-loading.10 - 2.10.1-structured-logs-test.128 || 2.13.37-cors-options.396 || 2.13.58 - 3.0.0-next.4
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of terser-webpack-plugin
  node_modules/gatsby

immer  <8.0.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1603
fix available via `npm audit fix`
node_modules/immer
  @builder.io/react  >=0.1.20
  Depends on vulnerable versions of create-react-context
  Depends on vulnerable versions of immer
  node_modules/@builder.io/react
  node_modules/@builder.io/widgets/node_modules/@builder.io/react
    @builder.io/widgets  *
    Depends on vulnerable versions of @builder.io/react
    Depends on vulnerable versions of immer
    node_modules/@builder.io/widgets

node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
No fix available
node_modules/node-fetch
  @builder.io/gatsby  *
  Depends on vulnerable versions of node-fetch
  node_modules/@builder.io/gatsby
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      create-react-context  0.2.0 - 0.2.3
      Depends on vulnerable versions of fbjs
      node_modules/create-react-context
        @builder.io/react  >=0.1.20
        Depends on vulnerable versions of create-react-context
        Depends on vulnerable versions of immer
        node_modules/@builder.io/react
        node_modules/@builder.io/widgets/node_modules/@builder.io/react
          @builder.io/widgets  *
          Depends on vulnerable versions of @builder.io/react
          Depends on vulnerable versions of immer
          node_modules/@builder.io/widgets

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix`
node_modules/ssri
  cacache  10.0.4 - 11.0.0 || 13.0.0 - 14.0.0
  Depends on vulnerable versions of ssri
  node_modules/cacache
    terser-webpack-plugin  2.1.1 - 2.3.8
    Depends on vulnerable versions of cacache
    node_modules/terser-webpack-plugin
      gatsby  2.10.1-resource-loading.10 - 2.10.1-structured-logs-test.128 || 2.13.37-cors-options.396 || 2.13.58 - 3.0.0-next.4
      Depends on vulnerable versions of axios
      Depends on vulnerable versions of terser-webpack-plugin
      node_modules/gatsby

13 vulnerabilities (5 low, 3 moderate, 5 high)
```

I know, maintaining a nodejs project is such a pain.
Good luck!
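
The report above is the human-readable form of `npm audit`; the useful question for a maintainer is which of the findings are root causes (a package with an actual advisory) versus packages that are only flagged because they depend on one, and which `package.json` entries ultimately pull each root cause in. The script below is an added example, not code from the issue or from this repository: it walks the `npm audit --json` shape (npm 7, `auditReportVersion: 2`, where each entry's `via` holds advisory objects for root causes and bare package names otherwise, `effects` points at dependents, and `fixAvailable` is `true`, `false` or an object describing a semver-major change) and drafts an `overrides` block for the root causes `npm audit fix` reports as unfixable. The sample report is constructed here, trimmed to the axios and node-fetch chains; advisory ids, titles and version ranges are copied from the issue, the node-fetch severity is assumed since the issue does not print one, and the `2.6.1` patched version is simply the first version outside the advisory range shown above, which you should verify against the advisory before using it.

```javascript
// Added example (not from the issue or the repository): triage an
// `npm audit --json` report (npm 7, auditReportVersion 2) and draft
// package.json `overrides` for root causes `npm audit fix` cannot resolve.

// One entry of the `vulnerabilities` map, with the fields npm 7 emits.
const entry = (name, { severity, isDirect = false, via, effects = [], range = '*', fixAvailable }) =>
  ({ name, severity, isDirect, via, effects, range, nodes: [`node_modules/${name}`], fixAvailable });

// An advisory object as it appears inside `via` for a root-cause package.
const advisory = (source, name, title, severity, range) =>
  ({ source, name, dependency: name, title, url: `https://npmjs.com/advisories/${source}`, severity, range });

// Constructed sample, trimmed to two of the chains in the issue. Advisory ids,
// titles and ranges come from the issue text; node-fetch's severity is assumed.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: entry('axios', { severity: 'high', range: '<0.21.1', effects: ['gatsby'], fixAvailable: true,
      via: [advisory(1594, 'axios', 'Server-Side Request Forgery', 'high', '<0.21.1')] }),
    gatsby: entry('gatsby', { severity: 'high', isDirect: true, via: ['axios'],
      range: '2.13.58 - 3.0.0-next.4', fixAvailable: true }),
    'node-fetch': entry('node-fetch', { severity: 'low', fixAvailable: false,
      range: '<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8', effects: ['@builder.io/gatsby', 'isomorphic-fetch'],
      via: [advisory(1556, 'node-fetch', 'Denial of Service', 'low', '<=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8')] }),
    '@builder.io/gatsby': entry('@builder.io/gatsby', { severity: 'low', isDirect: true,
      via: ['node-fetch'], fixAvailable: false }),
    'isomorphic-fetch': entry('isomorphic-fetch', { severity: 'low', via: ['node-fetch'],
      range: '2.0.0 - 2.2.1', effects: ['fbjs'], fixAvailable: false }),
    fbjs: entry('fbjs', { severity: 'low', via: ['isomorphic-fetch'],
      range: '0.7.0 - 1.0.0', effects: ['create-react-context'], fixAvailable: false }),
    'create-react-context': entry('create-react-context', { severity: 'low', via: ['fbjs'],
      range: '0.2.0 - 0.2.3', effects: ['@builder.io/react'], fixAvailable: false }),
    '@builder.io/react': entry('@builder.io/react', { severity: 'low', isDirect: true,
      via: ['create-react-context'], range: '>=0.1.20', fixAvailable: false }),
  },
};

// Root causes carry advisory objects in `via`; everything else is flagged only
// because it depends on a root cause.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(x => typeof x === 'object' && x !== null));
}

// Follows `effects` upward until it reaches a direct dependency (or a package
// nothing else in the report depends on): the entries you control in package.json.
function directDependents(report, name, seen = new Set()) {
  const out = new Set();
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return out;
  seen.add(name);
  if (v.isDirect || v.effects.length === 0) out.add(name);
  for (const dep of v.effects) {
    for (const d of directDependents(report, dep, seen)) out.add(d);
  }
  return out;
}

// One row per root cause: advisories, whether `npm audit fix` can handle it
// (and whether only through a semver-major bump), and who pulls it in.
function triage(report) {
  return rootCauses(report).map(v => ({
    name: v.name,
    severity: v.severity,
    advisories: v.via.filter(x => typeof x === 'object' && x !== null).map(a => `${a.title} (${a.url})`),
    vulnerableRange: v.range,
    autoFixable: v.fixAvailable !== false,
    semverMajorFix: typeof v.fixAvailable === 'object' && v.fixAvailable !== null && v.fixAvailable.isSemVerMajor === true,
    pulledInBy: [...directDependents(report, v.name)].sort(),
  }));
}

// Drafts an npm >= 8.3 `overrides` block for the unfixable root causes.
// `patched` maps package -> version you have checked against the advisory;
// anything without a mapping goes to `needsDecision` instead of being guessed.
function draftOverrides(report, patched) {
  const overrides = {};
  const needsDecision = [];
  for (const row of triage(report)) {
    if (row.autoFixable) continue;
    if (patched[row.name]) overrides[row.name] = patched[row.name];
    else needsDecision.push(row.name);
  }
  return { overrides, needsDecision };
}

// Demo on the constructed sample; 2.6.1 is assumed from the advisory range above.
console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
console.log(JSON.stringify(draftOverrides(SAMPLE_REPORT, { 'node-fetch': '2.6.1' }), null, 2));
```

Two caveats when acting on the output. `overrides` only exists in npm 8.3 and later, so on the npm 7 in use here the equivalent is yarn's `resolutions` (or a fork of the offending dependency); and an override installs a version the upstream package never tested against, so after applying it run `npm ls node-fetch` to confirm only the overridden version is present and then run your build and tests. `npm audit fix --force` has its own cost: it will take semver-major upgrades of direct dependencies to clear advisories, which is why a follow-up `npm audit` plus a build is worth doing before committing the lockfile.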
