Vulnerabilities found when installing dependencies #70

Open · jmdelfa opened this issue Aug 7, 2023 · 0 comments

Labels: build (Changes that affect the build system or external dependencies), security (A change that addresses a security concern)

jmdelfa (Contributor) commented Aug 7, 2023

Checked for duplicates

Yes - I've already checked

Is this a regression?

No - This is a new bug

Version

1.11.09

Describe the bug

Installing aerie-docs dependencies as described in https://github.com/NASA-AMMOS/aerie-docs/blob/develop/CONTRIBUTING.md

When running nvm install, I get a number of vulnerabilities (initially 105):

```text
audited 1147 packages in 4.541s
200 packages are looking for funding
run npm fund for details
found 105 vulnerabilities (87 moderate, 18 high)
run npm audit fix to fix them, or npm audit for details
```

npm audit fix does not fix them. After updating multiple libraries, I get vulnerabilities down to 24:

```text
205 packages are looking for funding
run npm fund for details

24 vulnerabilities (10 moderate, 14 high)

To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
Run npm audit for details.
```

The output of npm audit fix is provided below:

Reproduction

No reproduction needed

Logs

```text
up to date, audited 1165 packages in 3s

202 packages are looking for funding
  run `npm fund` for details

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  <=2.4.1
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-google-tag-manager  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-tag-manager
            @docusaurus/preset-classic  <=2.4.1
            Depends on vulnerable versions of @docusaurus/core
            Depends on vulnerable versions of @docusaurus/plugin-content-blog
            Depends on vulnerable versions of @docusaurus/plugin-content-docs
            Depends on vulnerable versions of @docusaurus/plugin-content-pages
            Depends on vulnerable versions of @docusaurus/plugin-debug
            Depends on vulnerable versions of @docusaurus/plugin-google-analytics
            Depends on vulnerable versions of @docusaurus/plugin-google-gtag
            Depends on vulnerable versions of @docusaurus/plugin-google-tag-manager
            Depends on vulnerable versions of @docusaurus/plugin-sitemap
            Depends on vulnerable versions of @docusaurus/theme-classic
            Depends on vulnerable versions of @docusaurus/theme-common
            Depends on vulnerable versions of @docusaurus/theme-search-algolia
            node_modules/@docusaurus/preset-classic
          @docusaurus/plugin-sitemap  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/theme-mermaid  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-mermaid
          @docusaurus/theme-search-algolia  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-search-algolia

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @docusaurus/mdx-loader  <=2.4.1
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@docusaurus/mdx-loader
        @docusaurus/plugin-content-blog  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-docs
        @docusaurus/plugin-content-pages  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-pages
        @docusaurus/theme-classic  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        Depends on vulnerable versions of @docusaurus/theme-common
        node_modules/@docusaurus/theme-classic
        @docusaurus/theme-common  <=2.4.1
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        node_modules/@docusaurus/theme-common
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

23 vulnerabilities (9 moderate, 14 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
```

System Info

Reference machine: Ubuntu 22 amd64 running as a guest under VMware Workstation 17 for Windows 10

Severity

Moderate
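The report quoted above is easier to act on once it is turned into data: which advisories `npm audit fix` can clear on its own, which ones print "No fix available" and therefore need a dependency swap, and which package at the top of each chain (here `@docusaurus/preset-classic` or `@docusaurus/theme-classic`) is the one a maintainer would actually have to upgrade. The parser below is an added example, not code from the aerie-docs project or from the issue author. It assumes the npm 7+ text report layout shown in the log (blank-line separated blocks, a `<package>  <range>` header, a `Severity:` line, a description ending in the advisory URL, a fix line, then an indented dependent chain). The sample report is constructed from the issue's own output and shortened; the two GHSA identifiers are the ones the log quotes. Treating the deepest-indented dependents as "closest to the project's package.json" is my reading of the report layout, not something npm documents.

```python
"""Parse the text report printed by `npm audit` into structured records.

Added example; not aerie-docs project code. Assumes the npm 7+ report layout:
blank-line separated blocks opened by "<package>  <range>" and a "Severity:" line.
"""
import re
import sys
from dataclasses import dataclass, field

# Constructed sample, trimmed from the report quoted in the issue.
SAMPLE_REPORT = """\
# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse

2 vulnerabilities (1 moderate, 1 high)
"""

HEADER_RE = re.compile(r"^(\S+)\s{2,}(\S.*)$")  # "<package>  <vulnerable range>"
GHSA_RE = re.compile(r"GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}")


@dataclass
class Advisory:
    package: str
    vulnerable_range: str
    severity: str
    title: str
    advisory_id: str
    fixable: bool       # False when npm prints "No fix available"
    needs_force: bool   # True when the fix line mentions --force (semver-major bump)
    dependents: list = field(default_factory=list)  # (indent, name, range) down the chain

    def top_level_dependents(self):
        """Dependents at the deepest indent. Heuristic (an assumption about the
        report layout): these sit closest to the project's own package.json."""
        if not self.dependents:
            return [self.package]
        deepest = max(indent for indent, _, _ in self.dependents)
        return [name for indent, name, _ in self.dependents if indent == deepest]


def parse_audit_report(text):
    """Return one Advisory per vulnerable-package block in the report."""
    advisories = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        # Skip the "# npm audit report" title, the totals line and any footer.
        if len(lines) < 4 or not lines[1].startswith("Severity:"):
            continue
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        title, _, url = lines[2].rpartition(" - ")
        ghsa = GHSA_RE.search(url)
        fix_line = lines[3].lower()
        adv = Advisory(
            package=header.group(1),
            vulnerable_range=header.group(2).strip(),
            severity=lines[1].split(":", 1)[1].strip(),
            title=title.strip(),
            advisory_id=ghsa.group(0) if ghsa else url.strip(),
            fixable=not fix_line.startswith("no fix available"),
            needs_force="--force" in fix_line,
        )
        for line in lines[4:]:
            indent = len(line) - len(line.lstrip(" "))
            body = line.strip()
            # Only indented "<name>  <range>" lines name a dependent; the
            # "Depends on ..." and "node_modules/..." lines are annotations.
            if indent == 0 or body.startswith(("Depends on", "node_modules/")):
                continue
            dep = HEADER_RE.match(body)
            if dep:
                adv.dependents.append((indent, dep.group(1), dep.group(2).strip()))
        advisories.append(adv)
    return advisories


def summarize(advisories):
    """Counts by severity plus the advisories `npm audit fix` cannot clear,
    each with the dependent(s) a maintainer would have to upgrade or replace."""
    by_severity = {}
    for adv in advisories:
        by_severity[adv.severity] = by_severity.get(adv.severity, 0) + 1
    return {
        "by_severity": by_severity,
        "fixable": sum(1 for adv in advisories if adv.fixable),
        "needs_review": [(adv.advisory_id, adv.package, adv.top_level_dependents())
                         for adv in advisories if not adv.fixable],
    }


if __name__ == "__main__":
    # Pipe a real report in (`npm audit | python3 audit_triage.py`, file name assumed)
    # or run with no input to see the constructed sample parsed.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    for key, value in summarize(parse_audit_report(report)).items():
        print(f"{key}: {value}")
```

On the sample, `got` comes back as not fixable with `update-notifier` at the top of its chain, and `trim` as fixable; on the full report from the issue the same logic points at the Docusaurus packages as the ones to bump. Parsing `npm audit --json` would be more robust than scraping the text layout, but the text form is what ends up pasted into issues like this one.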

jmdelfa added the `bug` label (Something isn't working) Aug 7, 2023
camargo transferred this issue from NASA-AMMOS/aerie Aug 7, 2023
camargo changed the title from "Vulnerabilities found when install aeerie-docs dependencies" to "Vulnerabilities found when installing dependencies" Aug 7, 2023
camargo removed this from Aerie Aug 7, 2023
camargo added the `build` (Changes that affect the build system or external dependencies) and `security` (A change that addresses a security concern) labels and removed the `bug` (Something isn't working) label Aug 7, 2023