7 critical vulnerabilities in npm audit report #1239

Closed
sequba opened this issue Apr 13, 2023 · 2 comments · Fixed by #1258
sequba commented Apr 13, 2023

Description

# npm audit report
ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install serve@14.2.0, which is a breaking change
node_modules/serve/node_modules/ajv
  serve  7.0.0 - 14.0.1
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of serve-handler
  node_modules/serve
glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/@vuepress/core/node_modules/glob-parent
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@vuepress/core/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
    @vuepress/core  <=1.9.9
    Depends on vulnerable versions of @vuepress/markdown
    Depends on vulnerable versions of @vuepress/markdown-loader
    Depends on vulnerable versions of @vuepress/plugin-register-components
    Depends on vulnerable versions of @vuepress/shared-utils
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of vuepress-html-webpack-plugin
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.9.9
      Depends on vulnerable versions of @vuepress/core
      Depends on vulnerable versions of update-notifier
      node_modules/vuepress
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/plugin-register-components  <=1.9.9
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container
got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
fix available via `npm audit fix`
node_modules/highlight.js
  @types/markdown-it  10.0.3
  Depends on vulnerable versions of highlight.js
  node_modules/@types/markdown-it
json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/css-loader/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/string-replace-webpack-plugin/node_modules/json5
node_modules/style-loader/node_modules/json5
node_modules/vuepress-html-webpack-plugin/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/css-loader/node_modules/loader-utils
  node_modules/file-loader/node_modules/loader-utils
  node_modules/string-replace-webpack-plugin/node_modules/loader-utils
  node_modules/style-loader/node_modules/loader-utils
  node_modules/vuepress-html-webpack-plugin/node_modules/loader-utils
    css-loader  0.6.0 - 0.26.1
    Depends on vulnerable versions of loader-utils
    node_modules/css-loader
    file-loader  0.5.0 - 0.10.0
    Depends on vulnerable versions of loader-utils
    node_modules/file-loader
    string-replace-webpack-plugin  *
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of file-loader
    Depends on vulnerable versions of loader-utils
    Depends on vulnerable versions of style-loader
    node_modules/string-replace-webpack-plugin
    style-loader  0.8.2 - 0.13.1
    Depends on vulnerable versions of loader-utils
    node_modules/style-loader
    vuepress-html-webpack-plugin  *
    Depends on vulnerable versions of loader-utils
    node_modules/vuepress-html-webpack-plugin
karma  <=6.3.15
Severity: high
Open redirect in karma - https://github.com/advisories/GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - https://github.com/advisories/GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.1, which is a breaking change
node_modules/karma
markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it
  @vuepress/markdown  <=1.9.9
  Depends on vulnerable versions of @vuepress/shared-utils
  Depends on vulnerable versions of markdown-it
  node_modules/@vuepress/markdown
    @vuepress/markdown-loader  *
    Depends on vulnerable versions of @vuepress/markdown
    node_modules/@vuepress/markdown-loader
marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
fix available via `npm audit fix --force`
Will install typedoc@0.24.1, which is a breaking change
node_modules/marked
  typedoc  <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
  Depends on vulnerable versions of marked
  node_modules/typedoc
minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install serve@14.2.0, which is a breaking change
node_modules/serve-handler/node_modules/minimatch
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler
node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin
request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix`
node_modules/request
  docsearch.js  2.6.0 - 2.6.3
  Depends on vulnerable versions of request
  node_modules/docsearch.js
ua-parser-js  <=0.7.32
Severity: high
ReDoS Vulnerability in ua-parser-js version  - https://github.com/advisories/GHSA-fhg7-m89q-25r3
ua-parser-js Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - https://github.com/advisories/GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.1, which is a breaking change
node_modules/ua-parser-js
49 vulnerabilities (1 low, 11 moderate, 30 high, 7 critical)
To address issues that do not require attention, run:
  npm audit fix
To address all issues possible (including breaking changes), run:
  npm audit fix --force
Some issues need review, and may require choosing
a different dependency.

Steps to reproduce

run npm audit

@sequba sequba added Bug Something isn't working Impact: Low labels Apr 13, 2023
@sequba sequba self-assigned this Apr 13, 2023
sequba commented Apr 27, 2023

Also let's update all dependencies that can be updated seamlessly.

@sequba sequba linked a pull request May 10, 2023 that will close this issue
@sequba sequba removed the Bug Something isn't working label May 10, 2023
AMBudnik commented

Closed with HyperFormula v.2.5.0 released today.
