
Vulnerable Libraries - surge@0.23.1 upgrade to: >=0.9.0 #472

Open
Valexr opened this issue Mar 23, 2022 · 3 comments
Comments

@Valexr

Valexr commented Mar 23, 2022

GHSA-xvch-5gv4-984h
GHSA-93q8-gq69-wqmw

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/cli-table3/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/inquirer/node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cli-table3/node_modules/strip-ansi
  node_modules/inquirer/node_modules/string-width/node_modules/strip-ansi
  node_modules/inquirer/node_modules/strip-ansi
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
      surge  >=0.10.0
      Depends on vulnerable versions of cli-table3
      Depends on vulnerable versions of inquirer
      Depends on vulnerable versions of minimist
      node_modules/surge
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cli-table3/node_modules/string-width
    node_modules/inquirer/node_modules/string-width
      cli-table3  0.5.0 - 0.5.1
      Depends on vulnerable versions of string-width
      node_modules/cli-table3

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/minimist
node_modules/surge/node_modules/minimist
  surge  >=0.10.0
  Depends on vulnerable versions of cli-table3
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of minimist
  node_modules/surge

7 vulnerabilities (5 moderate, 2 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

@RyanZim

RyanZim commented Jun 2, 2022

Fix in #473

@balupton

I use surge to deploy the documentation for the @bevry packages; this has caused all the bevry packages to be marked as insecure.

@sintaxi
Owner

sintaxi commented Nov 13, 2023

Thanks for reporting. Looking into it.
