npm audit issues #52

Open
hirenchauhan2 opened this issue Mar 13, 2024 · 0 comments

hirenchauhan2 commented Mar 13, 2024

Hi Team,

When I generated a new add-in app with the following options, I'm getting these items in the npm audit response.

? What is the name of your add-in? (geotab add in) Run-async wrapped function (sync) returned a promise but async() callback must be executed to resolve.
? What is the name of your add-in? my-add-in
? What type of add-in do you want to create? Geotab Drive Add-In Page
? What is the support contact email address for the add-in? [email protected]
? What is the deployment host URL? https://static.example.com/geotab
? What is the add-in menu item name? rickRoll
   create package.json
   create webpack.common.js
   create webpack.development.js
   create webpack.production.js
   create webpack.local.js
   create .gitignore
   create .gitattributes
   create src/app/rickRoll.html
   create src/app/index.js
   create src/app/config.json
   create src/app/scripts/main.js
   create src/app/styles/main.css
   create src/app/images/icon.svg
   create test/functional/mocks/mocks.js
   create test/functional/test.js
   create zip.util.js
   create src/.dev/api.js
   create src/.dev/rison.js
   create src/.dev/index.js
   create src/.dev/state.js
   create src/.dev/login/loginTemplate.js
   create src/.dev/login/loginLogic.js
   create src/.dev/login/takePictureDialog/Dialog.js
   create src/.dev/login/takePictureDialog/UploadImageDialog.js
   create src/.dev/login/takePictureDialog/CaptureImageDialog.js
   create src/.dev/navbar/navbar.js
   create src/.dev/navbar/NavBuilder.js
   create src/.dev/navbar/NavFactory.js
   create src/.dev/navbar/NavHandler.js
   create src/.dev/navbar/props.js
   create src/.dev/loaders/css-sandbox/css-sandbox.js
   create src/.dev/images/Font_Awesome_5_solid_chevron-left.svg
   create src/.dev/images/close-round.svg
   create src/.dev/styles/styleGuide.css
   create src/.dev/styles/styleGuideMyGeotab.html
   create src/.dev/ToggleHandler.js

Changes to package.json were detected.

Running npm install for you to install the required dependencies.
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: < 21.5.0 is no longer supported

> [email protected] preinstall
> npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions

npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  wait-on  5.0.0-rc.0 - 7.1.0
  Depends on vulnerable versions of axios
  node_modules/wait-on
    start-server-and-test  1.11.1 - 2.0.2
    Depends on vulnerable versions of wait-on
    node_modules/start-server-and-test

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/bin-wrapper/node_modules/download
  node_modules/download
    bin-build  >=2.1.2
    Depends on vulnerable versions of download
    node_modules/bin-build
      gifsicle  >=3.0.0
      Depends on vulnerable versions of bin-build
      Depends on vulnerable versions of bin-wrapper
      node_modules/gifsicle
        imagemin-gifsicle  >=4.2.0
        Depends on vulnerable versions of gifsicle
        node_modules/imagemin-gifsicle
      mozjpeg  >=4.0.0
      Depends on vulnerable versions of bin-build
      Depends on vulnerable versions of bin-wrapper
      node_modules/mozjpeg
        imagemin-mozjpeg  >=5.1.0
        Depends on vulnerable versions of mozjpeg
        node_modules/imagemin-mozjpeg
      pngquant-bin  >=3.0.0
      Depends on vulnerable versions of bin-build
      Depends on vulnerable versions of bin-wrapper
      node_modules/pngquant-bin
        imagemin-pngquant  >=4.1.0
        Depends on vulnerable versions of pngquant-bin
        node_modules/imagemin-pngquant
    bin-wrapper  >=0.4.0
    Depends on vulnerable versions of bin-version-check
    Depends on vulnerable versions of download
    node_modules/bin-wrapper

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

node-fetch  <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-fetch
  puppeteer  10.0.0 - 13.1.1
  Depends on vulnerable versions of node-fetch
  node_modules/puppeteer

semver-regex  <=3.1.3 || 4.0.0 - 4.0.2
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/find-versions/node_modules/semver-regex
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

21 vulnerabilities (11 moderate, 10 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

When can we see a new update on the dependencies? Also, any plans on migrating to newer versions of Yeoman?

Thanks,
Hiren
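The report above is the human-readable form of `npm audit`; the same data is available as JSON (`npm audit --json`, `auditReportVersion` 2 on npm 7 and later), which is easier to triage than the indented tree. The following is an added example, not code from this issue or from the Geotab add-in generator: it walks a hand-constructed report that mirrors two of the chains pasted above (axios → wait-on → start-server-and-test, and http-cache-semantics → cacheable-request, shortened to two hops), separates root-cause advisories from packages that are only vulnerable transitively, and splits the findings into what `npm audit fix` handles and what needs `--force`. Package names and GHSA ids come from the pasted report; the `fixAvailable` target for the breaking fix is a labelled placeholder because the pasted output obfuscates that package name.

```javascript
// Added example (not the project's code): triage an `npm audit --json` report.
// Assumes the npm >= 7 report shape: `vulnerabilities[name]` with `via`
// (advisory objects for root causes, plain strings for transitive hits),
// `effects` (which dependents this package makes vulnerable), `isDirect`,
// and `fixAvailable` (true, or an object describing a top-level bump).

// Constructed sample; the `fixAvailable` package below is a placeholder.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      name: "axios", severity: "moderate", isDirect: false,
      via: [{
        source: 1, name: "axios", dependency: "axios",
        title: "Axios Cross-Site Request Forgery Vulnerability",
        url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx",
        severity: "moderate", range: "0.8.1 - 0.27.2",
      }],
      effects: ["wait-on"], range: "0.8.1 - 0.27.2",
      nodes: ["node_modules/axios"], fixAvailable: true,
    },
    "wait-on": {
      name: "wait-on", severity: "moderate", isDirect: false,
      via: ["axios"], effects: ["start-server-and-test"],
      range: "5.0.0-rc.0 - 7.1.0", nodes: ["node_modules/wait-on"],
      fixAvailable: true,
    },
    "start-server-and-test": {
      name: "start-server-and-test", severity: "moderate", isDirect: true,
      via: ["wait-on"], effects: [], range: "1.11.1 - 2.0.2",
      nodes: ["node_modules/start-server-and-test"], fixAvailable: true,
    },
    "http-cache-semantics": {
      name: "http-cache-semantics", severity: "high", isDirect: false,
      via: [{
        source: 2, name: "http-cache-semantics", dependency: "http-cache-semantics",
        title: "http-cache-semantics vulnerable to Regular Expression Denial of Service",
        url: "https://github.com/advisories/GHSA-rc47-6667-2j5j",
        severity: "high", range: "<4.1.1",
      }],
      effects: ["cacheable-request"], range: "<4.1.1",
      nodes: ["node_modules/http-cache-semantics"],
      // Placeholder: the pasted output hides which top-level package npm would bump.
      fixAvailable: { name: "PLACEHOLDER-top-level-package", version: "0.0.0", isSemVerMajor: true },
    },
    "cacheable-request": {
      name: "cacheable-request", severity: "high", isDirect: true, // shortened chain
      via: ["http-cache-semantics"], effects: [], range: "0.1.0 - 2.1.4",
      nodes: ["node_modules/cacheable-request"],
      fixAvailable: { name: "PLACEHOLDER-top-level-package", version: "0.0.0", isSemVerMajor: true },
    },
  },
};

// A package is a root cause when at least one `via` entry is an advisory
// object; string entries only say "vulnerable because <dependency> is".
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => v.name);
}

// Distinct advisories, keyed by the GHSA id at the end of the advisory URL.
function advisories(report) {
  const seen = new Map();
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== "object") continue;
      const id = via.url.split("/").pop();
      if (!seen.has(id)) seen.set(id, { id, package: v.name, severity: via.severity, title: via.title });
    }
  }
  return [...seen.values()];
}

// Follow `effects` edges from a root cause up to the direct dependencies that
// pull it in; each chain comes back as "a -> b -> c". A revisited name stops
// the walk so a cyclic report cannot recurse forever.
function chainsToDirect(report, name, trail = []) {
  const v = report.vulnerabilities[name];
  const path = [...trail, name];
  if (!v || v.isDirect || v.effects.length === 0 || trail.includes(name)) return [path.join(" -> ")];
  return v.effects.flatMap((next) => chainsToDirect(report, next, path));
}

// Split entries into what `npm audit fix` resolves and what needs `--force`
// (a semver-major bump of a top-level package), plus per-severity counts.
function triage(report) {
  const result = { nonBreaking: [], breaking: [], unfixable: [], counts: {} };
  for (const v of Object.values(report.vulnerabilities)) {
    result.counts[v.severity] = (result.counts[v.severity] || 0) + 1;
    if (v.fixAvailable === true) result.nonBreaking.push(v.name);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) result.breaking.push(v.name);
    else if (v.fixAvailable) result.nonBreaking.push(v.name); // top-level bump, not major
    else result.unfixable.push(v.name);
  }
  return result;
}

// Render one line per advisory with the chains that reach it, then the fix split.
function summarize(report) {
  const t = triage(report);
  const lines = [];
  for (const a of advisories(report)) {
    lines.push(`${a.severity.toUpperCase()} ${a.id} ${a.package}: ${a.title}`);
    for (const c of chainsToDirect(report, a.package)) lines.push(`  reached via ${c}`);
  }
  lines.push(`npm audit fix: ${t.nonBreaking.join(", ") || "(none)"}`);
  lines.push(`needs --force (semver-major): ${t.breaking.join(", ") || "(none)"}`);
  return lines;
}

console.log(summarize(SAMPLE_AUDIT).join("\n"));
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the `npm audit --json` output. Note that the "21 vulnerabilities" figure in the pasted report counts affected packages, not advisories: a single axios advisory appears three times (axios, wait-on, start-server-and-test), so `rootCauses` is the number to track when deciding which upstream bumps actually close findings.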
