Python sdist ships vulnerable NPM stuff #1229

Open
bnavigator opened this issue Aug 30, 2024 · 1 comment

@bnavigator

NPM audit report on jupyter_leaflet-0.9.2:

# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
node_modules/npm/node_modules/yargs/node_modules/ansi-regex

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/npm/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/npm/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/npm/node_modules/update-notifier
        libnpx  *
        Depends on vulnerable versions of update-notifier
        node_modules/npm/node_modules/libnpx
          npm  <=10.5.0
          Depends on vulnerable versions of libcipm
          Depends on vulnerable versions of libnpm
          Depends on vulnerable versions of libnpmaccess
          Depends on vulnerable versions of libnpmhook
          Depends on vulnerable versions of libnpmorg
          Depends on vulnerable versions of libnpmsearch
          Depends on vulnerable versions of libnpmteam
          Depends on vulnerable versions of libnpx
          Depends on vulnerable versions of node-gyp
          Depends on vulnerable versions of npm-lifecycle
          Depends on vulnerable versions of npm-profile
          Depends on vulnerable versions of npm-registry-fetch
          Depends on vulnerable versions of pacote
          Depends on vulnerable versions of request
          Depends on vulnerable versions of semver
          Depends on vulnerable versions of tar
          Depends on vulnerable versions of update-notifier
          node_modules/npm

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/http-cache-semantics
  make-fetch-happen  2.0.0 - 8.0.1
  Depends on vulnerable versions of http-cache-semantics
  Depends on vulnerable versions of socks-proxy-agent
  node_modules/npm/node_modules/make-fetch-happen
    npm-registry-fetch  0.0.1 - 5.0.1
    Depends on vulnerable versions of make-fetch-happen
    node_modules/npm/node_modules/npm-registry-fetch
      libnpm  >=0.0.1
      Depends on vulnerable versions of libnpmaccess
      Depends on vulnerable versions of libnpmhook
      Depends on vulnerable versions of libnpmorg
      Depends on vulnerable versions of libnpmpublish
      Depends on vulnerable versions of libnpmsearch
      Depends on vulnerable versions of libnpmteam
      Depends on vulnerable versions of npm-lifecycle
      Depends on vulnerable versions of npm-profile
      Depends on vulnerable versions of npm-registry-fetch
      Depends on vulnerable versions of pacote
      node_modules/npm/node_modules/libnpm
      libnpmaccess  <=3.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmaccess
      libnpmhook  <=5.0.3
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmhook
      libnpmorg  <=1.0.1
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmorg
      libnpmpublish  <=2.0.0
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmpublish
      libnpmsearch  <=2.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmsearch
      libnpmteam  <=1.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmteam
      npm-profile  4.0.0 - 4.0.4
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/npm-profile
      pacote  2.0.0 - 10.3.0
      Depends on vulnerable versions of make-fetch-happen
      Depends on vulnerable versions of npm-registry-fetch
      Depends on vulnerable versions of tar
      node_modules/npm/node_modules/pacote
        libcipm  *
        Depends on vulnerable versions of npm-lifecycle
        Depends on vulnerable versions of pacote
        node_modules/npm/node_modules/libcipm

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/ip
  socks  1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/npm/node_modules/socks
    socks-proxy-agent  1.0.1 - 4.0.2
    Depends on vulnerable versions of socks
    node_modules/npm/node_modules/socks-proxy-agent

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  css-loader  0.15.0 - 4.3.0
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-extract-imports
  Depends on vulnerable versions of postcss-modules-local-by-default
  Depends on vulnerable versions of postcss-modules-scope
  Depends on vulnerable versions of postcss-modules-values
  node_modules/css-loader
  icss-utils  <=4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  <=4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  <=4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-modules-extract-imports  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  <=2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/request
  node-gyp  <=7.1.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of tar
  node_modules/npm/node_modules/node-gyp
    npm-lifecycle  >=2.0.0
    Depends on vulnerable versions of node-gyp
    node_modules/npm/node_modules/npm-lifecycle

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/semver

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/tough-cookie

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
  css-img-datauri-stream  *
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of underscore
  node_modules/css-img-datauri-stream
    leaflet-splitmap  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-splitmap
    leaflet-transform  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-transform

41 vulnerabilities (18 moderate, 19 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@bnavigator

> npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit fix [email protected] node_modules/npm/node_modules/semver
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/yargs/node_modules/ansi-regex
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/got
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/http-cache-semantics
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/ip
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/request
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/tar
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/tough-cookie
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/package-json
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/make-fetch-happen
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/socks
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/node-gyp
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/pacote
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/latest-version
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-registry-fetch
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/socks-proxy-agent
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-lifecycle
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpm
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libcipm
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/update-notifier
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmpublish
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmaccess
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-profile
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmhook
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmorg
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmteam
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmsearch
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpx
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit Updating css-loader to 7.1.2, which is a SemVer major change.
npm warn audit Updating npm to 10.8.3, which is a SemVer major change.
npm warn audit No fix available for leaflet-splitmap@*
npm warn audit No fix available for leaflet-transform@*
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This module has moved: please install @mapbox/point-geometry instead
npm warn deprecated [email protected]: This module has moved: please install @mapbox/vector-tile instead

added 621 packages, and audited 822 packages in 11s

167 packages are looking for funding
  run `npm fund` for details

# npm audit report

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
  css-img-datauri-stream  *
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of underscore
  node_modules/css-img-datauri-stream
    leaflet-splitmap  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-splitmap
    leaflet-transform  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-transform

5 vulnerabilities (1 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
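
The two runs above are the triage a packager ends up doing by hand: some findings `npm audit fix` can patch, some only with a breaking `--force`, some sit inside npm's own bundled `node_modules` (which the second run skips with "It cannot be fixed automatically"), and some have no fix at all. The script below is an added example, not code from this issue or from the jupyter-leaflet project: it parses the human-readable `npm audit` report pasted above into those four buckets. The bucket names and the rule "every path under `node_modules/npm/node_modules/` means bundled in npm" are the script's own; the embedded report is a constructed subset of the one in the issue.

```python
import re
from dataclasses import dataclass, field

# Paths under this prefix belong to npm's own bundle; `npm audit fix` skips them
# with "is a bundled dependency of npm ... It cannot be fixed automatically".
BUNDLED_NPM_PREFIX = "node_modules/npm/node_modules/"
HEADER_RE = re.compile(r"^(?P<name>\S+)\s{2,}(?P<range>.+)$")
ADVISORY_RE = re.compile(r"^(?P<title>.+?) - (?P<url>https://github\.com/advisories/\S+)$")
FIX_LINES = {"fix available via `npm audit fix`": "auto",
             "fix available via `npm audit fix --force`": "force",
             "No fix available": "none"}


@dataclass
class Finding:
    package: str
    vuln_range: str
    severity: str = ""
    fix: str = "unknown"                              # "auto", "force" or "none"
    advisories: list = field(default_factory=list)    # (title, GHSA url) pairs
    paths: list = field(default_factory=list)         # node_modules/... paths, any depth


def parse_audit_report(text: str) -> list:
    """One Finding per root advisory block of the human-readable `npm audit` report."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:        # banner, totals and advice paragraphs lack the "name  range" header
            continue
        f = Finding(m["name"], m["range"])
        for raw in lines[1:]:
            line = raw.strip()
            if line.startswith("Severity: "):
                f.severity = line[len("Severity: "):]
            elif line in FIX_LINES:
                f.fix = FIX_LINES[line]
            elif line.startswith("node_modules/"):
                f.paths.append(line)                  # root and dependent paths alike
            elif not raw[:1].isspace() and (a := ADVISORY_RE.match(line)):
                f.advisories.append((a["title"], a["url"]))
            # "Depends on ..." lines and indented dependent headers carry nothing we need
        findings.append(f)
    return findings


def triage(f: Finding) -> str:
    """What a packager can do: no_fix, bundled_in_npm, breaking_change or auto_fixable."""
    if f.fix == "none":
        return "no_fix"
    if f.paths and all(p.startswith(BUNDLED_NPM_PREFIX) for p in f.paths):
        return "bundled_in_npm"      # needs a newer npm release, not an audit fix
    return "breaking_change" if f.fix == "force" else "auto_fixable"


def summarize(text: str) -> dict:
    buckets = {"auto_fixable": [], "breaking_change": [], "bundled_in_npm": [], "no_fix": []}
    for f in parse_audit_report(text):
        buckets[triage(f)].append(f.package)
    return {k: sorted(v) for k, v in buckets.items()}


# Constructed sample: a subset of the report pasted in this issue.
SAMPLE_REPORT = """\
# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/string-width/node_modules/ansi-regex

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
node_modules/npm/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/npm/node_modules/package-json

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
node_modules/postcss

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore

5 vulnerabilities (2 moderate, 2 high, 1 critical)
"""
```

Run it on a saved report (`npm audit > report.txt`, then `summarize(open("report.txt").read())`). For a `node_modules` tree vendored into an sdist, the `bundled_in_npm` bucket is the part no lockfile rewrite will clear, which is what the `--force` run above shows: the only remedy there is a newer npm in the bundle, and the `no_fix` bucket (here `underscore`, reached only through `css-img-datauri-stream`) means swapping or dropping the dependency that pulls it in.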
