
npm audit shows 21 vulnerabilities, including 17 high and 2 critical #865

Closed
10 tasks
nawordar opened this issue Aug 31, 2022 · 1 comment
@nawordar
Contributor

Iris version

3.64.1

Operating system(s) affected

  • Windows
  • MacOS
  • iOS
  • Android
  • Linux
  • Other

Browser(s) affected

  • Firefox
  • Chrome
  • Edge
  • Other

What happened?

When creating a PR (#864) and running npm install, NPM warned about 21 vulnerabilities. 13 of them are easily fixable with npm audit fix.

Logs

# npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix`
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

ansi-regex  4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/@jest/core/node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-cli/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex

css-what  4.0.0 - 5.0.0
Severity: high
Denial of service in css-what - https://github.com/advisories/GHSA-q8pj-2vqx-8ggc
fix available via `npm audit fix`
node_modules/cheerio-select/node_modules/css-what

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @babel/[email protected], which is a breaking change
node_modules/@nicolo-ribaudo/chokidar-2/node_modules/glob-parent
node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  @nicolo-ribaudo/chokidar-2  <=2.1.8-no-fsevents.3
  Depends on vulnerable versions of glob-parent
  node_modules/@nicolo-ribaudo/chokidar-2
    @babel/cli  >=7.12.7
    Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
    node_modules/@babel/cli
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

jsdom  <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via `npm audit fix`
node_modules/jsdom

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

lodash  <=4.17.20
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/eslint/node_modules/lodash
node_modules/inquirer/node_modules/lodash
node_modules/table/node_modules/lodash

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via `npm audit fix`
node_modules/selfsigned/node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/cheerio-select/node_modules/nth-check
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/cheerio

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser

21 vulnerabilities (2 moderate, 17 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
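The report above is the human-readable form of `npm audit`. As an added example (not code from the issue or from the Iris project), the following Node script parses that format and splits findings into the ones `npm audit fix` resolves in place and the ones that need the breaking `--force` path or have no fix, which are the ones a maintainer has to review by hand. The embedded report is a constructed subset of the log above; the `@babel/cli@x.y.z` version in it is a placeholder, and the function names are this example's own.

```javascript
// Added example, not part of the issue or the Iris project: triage helper for
// the human-readable `npm audit` report format. Plain Node, no dependencies.

// Constructed sample: a subset of the report pasted in the issue. The version
// in the "Will install" line is a placeholder, not a real advisory value.
const SAMPLE_REPORT = `# npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via \`npm audit fix\`
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  node_modules/webpack-dev-server

ansi-regex  4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via \`npm audit fix\`
node_modules/cliui/node_modules/ansi-regex

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via \`npm audit fix --force\`
Will install @babel/cli@x.y.z, which is a breaking change
node_modules/glob-parent

jsdom  <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via \`npm audit fix\`
node_modules/jsdom

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via \`npm audit fix\`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

5 vulnerabilities (1 moderate, 3 high, 1 critical)
`;

// "<title> - https://github.com/advisories/GHSA-xxxx" advisory lines.
const ADVISORY_RE = / - (https:\/\/github\.com\/advisories\/GHSA-[0-9a-z-]+)\s*$/;
const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

// Each finding block starts with "<package>  <vulnerable range>" and then
// "Severity: ...". Blocks are separated by blank lines.
function parseAuditReport(text) {
  const findings = [];
  for (const chunk of text.split(/\n\s*\n/)) {
    const lines = chunk.split('\n').filter((l) => l.trim() !== '');
    if (lines.length < 2 || !lines[1].startsWith('Severity:')) continue;
    const [pkg, range] = lines[0].split(/\s{2,}/);
    const finding = {
      package: pkg,
      range,
      severity: lines[1].slice('Severity:'.length).trim(),
      advisories: [],
      fix: 'none', // 'auto' (npm audit fix), 'force' (--force, breaking) or 'none'
      dependents: [], // packages that only pull in the vulnerable version
    };
    const seen = new Set(); // npm sometimes prints the same advisory twice
    for (const line of lines.slice(2)) {
      const m = ADVISORY_RE.exec(line);
      if (m) {
        if (!seen.has(m[1])) {
          seen.add(m[1]);
          finding.advisories.push({ title: line.slice(0, m.index).trim(), url: m[1] });
        }
      } else if (line.startsWith('fix available via')) {
        finding.fix = line.includes('--force') ? 'force' : 'auto';
      } else if (/^\s+\S+\s{2,}\S/.test(line)) {
        // Indented "<dependent>  <range>" header of a transitive dependent.
        finding.dependents.push(line.trim().split(/\s{2,}/)[0]);
      }
    }
    findings.push(finding);
  }
  return findings;
}

// Counts per severity plus package lists per fix type.
function summarize(findings) {
  const bySeverity = {};
  const byFix = { auto: [], force: [], none: [] };
  for (const f of findings) {
    bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
    byFix[f.fix].push(f.package);
  }
  return { bySeverity, byFix };
}

// Findings that `npm audit fix` alone will not resolve, most severe first.
function needsManualReview(findings) {
  return findings
    .filter((f) => f.fix !== 'auto')
    .sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity))
    .map((f) => `${f.package} (${f.severity}, fix: ${f.fix}, affects: ${f.dependents.join(', ') || 'direct'})`);
}

const parsedSample = parseAuditReport(SAMPLE_REPORT);
console.log(JSON.stringify(summarize(parsedSample), null, 2));
for (const entry of needsManualReview(parsedSample)) console.log('review:', entry);
```

For a real project, replace `SAMPLE_REPORT` with the captured output of `npm audit` (or, if the machine-readable form is preferred, feed `npm audit --json` to `JSON.parse` instead of this text parser). The useful output is the `force`/`none` list: those are the findings where blindly running `npm audit fix --force` would change major versions of packages such as `@babel/cli`, so they deserve a deliberate upgrade and a test run rather than an automatic fix.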
@nawordar nawordar added the bug label Aug 31, 2022
jaedb added a commit that referenced this issue Sep 4, 2022
@jaedb
Owner

jaedb commented Sep 4, 2022

Upgrades will be included in next release

@jaedb jaedb closed this as completed Sep 4, 2022