Deprecated and vulnerable dependencies #18

Open
iainelder opened this issue Apr 6, 2023 · 0 comments

When I install `cfn-tail` I get some warnings about critical vulnerabilities in some dependencies.

The recommended `npm audit fix --force` action seems to fix it.

```
$ npm install cfn-tail
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.

added 115 packages, and audited 191 packages in 12s

14 packages are looking for funding
  run `npm fund` for details

6 vulnerabilities (4 high, 2 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
$ npm audit fix

up to date, audited 191 packages in 974ms

14 packages are looking for funding
  run `npm fund` for details

# npm audit report

degenerator  <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install cfn-tail@1.5.1, which is a breaking change
node_modules/degenerator
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        cfn-tail  >=1.6.0
        Depends on vulnerable versions of proxy-agent
        node_modules/cfn-tail

netmask  <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - https://github.com/advisories/GHSA-4c7m-wxvm-r7gc
netmask npm package vulnerable to octal input data - https://github.com/advisories/GHSA-pch5-whg9-qr2r
fix available via `npm audit fix --force`
Will install cfn-tail@1.5.1, which is a breaking change
node_modules/netmask
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        cfn-tail  >=1.6.0
        Depends on vulnerable versions of proxy-agent
        node_modules/cfn-tail

pac-resolver  <=4.2.0
Severity: critical
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
Depends on vulnerable versions of degenerator
Depends on vulnerable versions of netmask
fix available via `npm audit fix --force`
Will install cfn-tail@1.5.1, which is a breaking change
node_modules/pac-resolver
  pac-proxy-agent  <=4.1.0
  Depends on vulnerable versions of pac-resolver
  node_modules/pac-proxy-agent
    proxy-agent  1.1.0 - 4.0.1
    Depends on vulnerable versions of pac-proxy-agent
    node_modules/proxy-agent
      cfn-tail  >=1.6.0
      Depends on vulnerable versions of proxy-agent
      node_modules/cfn-tail

6 vulnerabilities (4 high, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force
$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating cfn-tail to 1.5.1,which is a SemVer major change.

added 1 package, removed 67 packages, changed 2 packages, and audited 125 packages in 2s

14 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

The tabular output is interrupted by a deprecation warning for the AWS SDK for JavaScript v2.

```
$ aws cloudformation wait stack-exists --stack-name teststack && AWS_DEFAULT_REGION=eu-central-1 npm exec cfn-tail teststack
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
| Stack: teststack                                                                                                                                                                                                                   |
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
(node:138490) NOTE: We are formalizing our plans to enter AWS SDK for JavaScript (v2) into maintenance mode in 2023.

Please migrate your code to use AWS SDK for JavaScript (v3).
For more information, check the migration guide at https://a.co/7PzMCcy
(Use `node --trace-warnings ...` to show where the warning was created)
| 2023-04-06T15:24:14.468Z | teststack           | REVIEW_IN_PROGRESS                  | User Initiated                                                                                                                              |
| 2023-04-06T15:24:25.224Z | teststack           | CREATE_IN_PROGRESS                  | User Initiated                                                                                                                              |
```