Issue Description
I encountered this issue while working on my child branch of the typescript-migration branch for issue #493. After uninstalling the danger package using the command npm uninstall --save-dev danger, I encountered 9 vulnerabilities related to other packages in the project. These vulnerabilities include inefficient regular expression complexity, a redirect vulnerability, and prototype pollution. Additionally, one of the vulnerabilities requires a breaking change to fix.
My Steps/Steps to Reproduce
Checkout a new branch off of the typescript-migration branch
Uninstall the danger package by running the command npm uninstall --save-dev danger
Run the command npm audit to check for any vulnerabilities
The audit should report 9 vulnerabilities, including one breaking change.
Expected Behavior
I expected the danger package to be uninstalled without any issues.
Actual Behavior
Upon attempting to uninstall the package, npm reported 9 vulnerabilities related to other packages in the project.
Vulnerabilities Reported
ansi-regex
got
hosted-git-info
ini
minimatch
minimist
Severity
5 moderate
3 high
1 critical
Breaking Change
The vulnerability related to the got package requires a breaking change to fix. Specifically, the fix would install update-notifier@6.0.2, which npm declares as a breaking change.
Additional Context
My forked repo is up-to-date with the original repo and my local typescript-migration branch is up-to-date with the remote forked repo.
NPM Audit Message
# npm audit report
ansi-regex 3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install update-notifier@6.0.2, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
hosted-git-info <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info
ini <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
9 vulnerabilities (5 moderate, 3 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
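The report above mixes findings that a plain `npm audit fix` resolves with four (the got chain) that npm can only fix with `--force`, i.e. a semver-major bump of update-notifier. The script below is an added example, not code from this issue or the repository: it reads the machine-readable form of the same report (`npm audit --json`, auditReportVersion 2 as emitted by npm 7 and later, where `fixAvailable` is `true`, `false`, or an object `{name, version, isSemVerMajor}`), buckets findings by what kind of fix they need, and exposes a CI-style gate that fails only on findings a non-breaking fix would have removed. The embedded sample report is constructed to mirror the counts and packages in this issue.

```python
"""Triage an `npm audit --json` report.

Separates findings that a plain `npm audit fix` resolves from those that
need `npm audit fix --force` (a semver-major bump of a top-level dependency),
and exposes a CI-style gate. Added example, not code from the issue or the
repository. Field semantics (auditReportVersion 2, npm 7+): `fixAvailable`
is True, False, or an object {name, version, isSemVerMajor}; `isSemVerMajor`
True is what makes npm print "which is a breaking change".
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Shared fix object for the got -> package-json -> latest-version -> update-notifier chain.
_BREAKING_FIX = {"name": "update-notifier", "version": "6.0.2", "isSemVerMajor": True}

# Constructed sample, trimmed to the fields the triage reads. It mirrors the
# report above: 9 findings, 5 moderate / 3 high / 1 critical, four of which
# (the got chain) are only fixable by a breaking change.
SAMPLE_REPORT = {
    "auditReportVersion": 2,
    "vulnerabilities": {
        "ansi-regex": {"severity": "high", "range": "3.0.0 || 4.0.0 - 4.1.0", "fixAvailable": True},
        "got": {"severity": "moderate", "range": "<11.8.5", "fixAvailable": _BREAKING_FIX},
        "package-json": {"severity": "moderate", "range": "<=6.5.0", "fixAvailable": _BREAKING_FIX},
        "latest-version": {"severity": "moderate", "range": "0.2.0 - 5.1.0", "fixAvailable": _BREAKING_FIX},
        "update-notifier": {"severity": "moderate", "range": "0.2.0 - 5.1.0", "fixAvailable": _BREAKING_FIX},
        "hosted-git-info": {"severity": "moderate", "range": "<2.8.9", "fixAvailable": True},
        "ini": {"severity": "high", "range": "<1.3.6", "fixAvailable": True},
        "minimatch": {"severity": "high", "range": "<3.0.5", "fixAvailable": True},
        "minimist": {"severity": "critical", "range": "<=1.2.5", "fixAvailable": True},
    },
    "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 5,
                                     "high": 3, "critical": 1, "total": 9}},
}


def needs_force(vuln):
    """True when npm can only fix this finding with a semver-major bump."""
    fix = vuln.get("fixAvailable", False)
    return isinstance(fix, dict) and bool(fix.get("isSemVerMajor"))


def triage(report):
    """Bucket every finding: 'safe' (npm audit fix), 'breaking' (--force), 'unfixable'."""
    buckets = {"safe": [], "breaking": [], "unfixable": []}
    for name, vuln in sorted(report["vulnerabilities"].items()):
        fix = vuln.get("fixAvailable", False)
        if not fix:
            buckets["unfixable"].append(name)
        elif needs_force(vuln):
            buckets["breaking"].append(name)
        else:
            buckets["safe"].append(name)
    return buckets


def breaking_fixes(report):
    """The top-level bumps a --force run would perform, e.g. 'update-notifier@6.0.2'."""
    fixes = {f"{v['fixAvailable']['name']}@{v['fixAvailable']['version']}"
             for v in report["vulnerabilities"].values() if needs_force(v)}
    return sorted(fixes)


def severity_counts(report):
    """Recount by severity from the findings themselves (cross-check against metadata)."""
    counts = {}
    for vuln in report["vulnerabilities"].values():
        counts[vuln["severity"]] = counts.get(vuln["severity"], 0) + 1
    return counts


def gate(report, threshold="high"):
    """CI gate: names of findings at or above `threshold` that a non-breaking
    `npm audit fix` would resolve. Breaking-only findings are excluded because
    they need a human decision (accept the major bump, or pin/replace the dep)."""
    min_rank = SEVERITY_RANK[threshold]
    return sorted(name for name, vuln in report["vulnerabilities"].items()
                  if SEVERITY_RANK[vuln["severity"]] >= min_rank
                  and vuln.get("fixAvailable", False) and not needs_force(vuln))


def load_report(path=None):
    """Read a saved report, or run `npm audit --json` in the current project.
    npm exits non-zero whenever it finds anything, so check=True must not be used."""
    if path:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    proc = subprocess.run(["npm", "audit", "--json"], capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    rep = load_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    print(json.dumps({"triage": triage(rep), "breaking_fixes": breaking_fixes(rep),
                      "counts": severity_counts(rep), "blocking": gate(rep)}, indent=2))
    sys.exit(1 if gate(rep) else 0)
```

Run it with no arguments to see the triage of the constructed sample, or pass a file produced by `npm audit --json > audit.json` from the project root. The gate deliberately ignores the breaking-only chain: failing a build on a finding that can only be cleared by a major bump just trains people to run `--force` blindly, which is the opposite of reviewing what update-notifier@6.0.2 changes.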
Ended up bumping to 16, we're down to just some old deps around commitizen from child deps, I think we're gonna be okay for now, thanks @Jimmy-Vu, see #534