Multiple vulnerabilities #86

Closed
marcin-sowa opened this issue Mar 24, 2022 · 1 comment

Comments

@marcin-sowa

Hi,

The latest development branch version and the latest release, v2.2.0, contain multiple vulnerabilities.
npm audit output:

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/cliui/node_modules/ansi-regex
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
node_modules/npm/node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/npm/node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/npm/node_modules/cliui/node_modules/strip-ansi
  node_modules/npm/node_modules/string-width/node_modules/strip-ansi
  node_modules/npm/node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/npm/node_modules/yargs/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/npm/node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/npm/node_modules/yargs
        libnpx  >=10.0.0
        Depends on vulnerable versions of yargs
        node_modules/npm/node_modules/libnpx
          npm  <=7.1.0 || 7.21.0 - 8.5.4
          Depends on vulnerable versions of cli-table3
          Depends on vulnerable versions of hosted-git-info
          Depends on vulnerable versions of ini
          Depends on vulnerable versions of libnpx
          Depends on vulnerable versions of npm-audit-report
          Depends on vulnerable versions of ssri
          Depends on vulnerable versions of tar
          node_modules/npm
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/npm/node_modules/cliui/node_modules/string-width
    node_modules/npm/node_modules/string-width
    node_modules/npm/node_modules/wrap-ansi/node_modules/string-width
    node_modules/npm/node_modules/yargs/node_modules/string-width
      cli-table3  0.5.0 - 0.5.1
      Depends on vulnerable versions of string-width
      node_modules/npm/node_modules/cli-table3
        npm-audit-report  1.3.1 - 1.3.3
        Depends on vulnerable versions of cli-table3
        node_modules/npm/node_modules/npm-audit-report
      widest-line  2.0.0 - 2.0.1
      Depends on vulnerable versions of string-width
      node_modules/npm/node_modules/widest-line
        boxen  1.3.0 - 3.2.0
        Depends on vulnerable versions of widest-line
        node_modules/npm/node_modules/boxen
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/npm/node_modules/wrap-ansi

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/npm/node_modules/hosted-git-info
  npm  <=7.1.0 || 7.21.0 - 8.5.4
  Depends on vulnerable versions of cli-table3
  Depends on vulnerable versions of hosted-git-info
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of libnpx
  Depends on vulnerable versions of npm-audit-report
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of tar
  node_modules/npm

ini  <1.3.6
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/npm/node_modules/ini
  npm  <=7.1.0 || 7.21.0 - 8.5.4
  Depends on vulnerable versions of cli-table3
  Depends on vulnerable versions of hosted-git-info
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of libnpx
  Depends on vulnerable versions of npm-audit-report
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of tar
  node_modules/npm

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://github.com/advisories/GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install googleapis@98.0.0, which is a breaking change
node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/npm/node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/npm/node_modules/jsprim

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/npm/node_modules/minimist
node_modules/npm/node_modules/mkdirp/node_modules/minimist

node-forge  <=1.2.1
Severity: moderate
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge util.setPath API - https://github.com/advisories/GHSA-wxgw-qj99-44c2
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
fix available via `npm audit fix --force`
Will install googleapis@98.0.0, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
      google-auth-library  0.9.4 - 5.10.1
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gtoken
      node_modules/google-auth-library
        googleapis  37.0.0-webpack - 48.0.0
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis
        googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis-common

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/npm/node_modules/path-parse

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/npm/node_modules/ssri
  npm  <=7.1.0 || 7.21.0 - 8.5.4
  Depends on vulnerable versions of cli-table3
  Depends on vulnerable versions of hosted-git-info
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of libnpx
  Depends on vulnerable versions of npm-audit-report
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of tar
  node_modules/npm

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/npm/node_modules/tar
  npm  <=7.1.0 || 7.21.0 - 8.5.4
  Depends on vulnerable versions of cli-table3
  Depends on vulnerable versions of hosted-git-info
  Depends on vulnerable versions of ini
  Depends on vulnerable versions of libnpx
  Depends on vulnerable versions of npm-audit-report
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of tar
  node_modules/npm

y18n  4.0.0
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/npm/node_modules/y18n

29 vulnerabilities (18 moderate, 11 high)
@maierj (Owner)

maierj commented Dec 7, 2022

New version 3.0.0 includes updates for all dependencies.

maierj closed this as completed Dec 7, 2022