npm audit - several high severity issues - Please Update #132

Open
smithb1994 opened this issue Nov 23, 2020 · 0 comments

Comments


smithb1994 commented Nov 23, 2020

Doing an npm audit produces:
38 vulnerabilities (21 low, 1 moderate, 13 high, 3 critical)

acorn  5.5.0 - 5.7.3 || 6.0.0 - 6.4.0 || 7.0.0 - 7.1.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1488
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/acorn

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/braces
node_modules/vue-native-websocket/node_modules/expand-braces/node_modules/braces
  expand-braces  *
  Depends on vulnerable versions of braces
  node_modules/vue-native-websocket/node_modules/expand-braces
    karma  <=4.4.1
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  node_modules/vue-native-websocket/node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/vue-native-websocket/node_modules/anymatch
      chokidar  1.3.0 - 1.7.0
      Depends on vulnerable versions of anymatch
      node_modules/vue-native-websocket/node_modules/chokidar
        babel-cli  >=6.22.0
        Depends on vulnerable versions of chokidar
        node_modules/vue-native-websocket/node_modules/babel-cli

debug  <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/engine.io-client/node_modules/debug
node_modules/vue-native-websocket/node_modules/engine.io/node_modules/debug
node_modules/vue-native-websocket/node_modules/mocha/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-adapter/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-client/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io-parser/node_modules/debug
node_modules/vue-native-websocket/node_modules/socket.io/node_modules/debug
  engine.io  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/vue-native-websocket/node_modules/mocha
  socket.io  1.0.0-pre - 2.0.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-client
  node_modules/vue-native-websocket/node_modules/socket.io
    karma  <=4.4.1
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma
  socket.io-adapter  <=1.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/vue-native-websocket/node_modules/socket.io-adapter
  socket.io-client  1.0.0-pre - 2.0.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of socket.io-parser
  node_modules/vue-native-websocket/node_modules/socket.io-client
  socket.io-parser  1.1.0 - 3.0.0
  Depends on vulnerable versions of debug
  node_modules/vue-native-websocket/node_modules/socket.io-parser

elliptic  <6.5.3
Severity: high
Signature Malleability - https://npmjs.com/advisories/1547
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/elliptic

growl  <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/growl
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/vue-native-websocket/node_modules/mocha

handlebars  <=4.7.3
Severity: critical
Prototype Pollution - https://npmjs.com/advisories/1164
Denial of Service - https://npmjs.com/advisories/1300
Arbitrary Code Execution - https://npmjs.com/advisories/1316
Arbitrary Code Execution - https://npmjs.com/advisories/1324
Prototype Pollution - https://npmjs.com/advisories/755
Depends on vulnerable versions of optimist
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/handlebars

http-proxy  <1.18.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1486
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/http-proxy

js-yaml  <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/js-yaml

kind-of  6.0.0 - 6.0.2
Validation Bypass - https://npmjs.com/advisories/1490
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/base/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/define-property/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/nanomatch/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/randomatic/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/snapdragon-node/node_modules/kind-of
node_modules/vue-native-websocket/node_modules/watchpack/node_modules/kind-of

lodash  <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/karma/node_modules/lodash
node_modules/vue-native-websocket/node_modules/lodash
  karma  <=4.4.1
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of expand-braces
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of optimist
  Depends on vulnerable versions of socket.io
  node_modules/vue-native-websocket/node_modules/karma

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/vue-native-websocket/node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/vue-native-websocket/node_modules/yargs
      webpack  2.1.0-beta.8 - 4.0.0-alpha.0
      Depends on vulnerable versions of yargs
      node_modules/vue-native-websocket/node_modules/webpack

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/karma-mocha/node_modules/minimist
node_modules/vue-native-websocket/node_modules/meow/node_modules/minimist
node_modules/vue-native-websocket/node_modules/minimist
  karma-mocha  1.3.0
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/karma-mocha
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/mkdirp
    mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of growl
    Depends on vulnerable versions of mkdirp
    node_modules/vue-native-websocket/node_modules/mocha
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/vue-native-websocket/node_modules/optimist
    handlebars  <=4.7.3
    Depends on vulnerable versions of optimist
    node_modules/vue-native-websocket/node_modules/handlebars
    karma  <=4.4.1
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of expand-braces
    Depends on vulnerable versions of lodash
    Depends on vulnerable versions of optimist
    Depends on vulnerable versions of socket.io
    node_modules/vue-native-websocket/node_modules/karma

mixin-deep  <=1.3.1 || 2.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1013
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/mixin-deep

parsejson  *
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/528
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/parsejson
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client

set-value  <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/set-value
node_modules/vue-native-websocket/node_modules/union-value/node_modules/set-value
  union-value  <=1.0.0 || 2.0.0
  Depends on vulnerable versions of set-value
  node_modules/vue-native-websocket/node_modules/union-value

ws  <1.1.5 || >=2.0.0 <3.3.1
Severity: high
Denial of Service - https://npmjs.com/advisories/550
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/ws
  engine.io  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io
  engine.io-client  <=3.1.3
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  Depends on vulnerable versions of ws
  node_modules/vue-native-websocket/node_modules/engine.io-client

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/vue-native-websocket/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/vue-native-websocket/node_modules/yargs
    webpack  2.1.0-beta.8 - 4.0.0-alpha.0
    Depends on vulnerable versions of yargs
    node_modules/vue-native-websocket/node_modules/webpack

37 vulnerabilities (21 low, 1 moderate, 12 high, 3 critical)

To address all issues, run:
  npm audit fix
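A triage helper for this kind of report, added here as an example and not part of the issue or of the vue-native-websocket project: it works on the JSON form of the same audit (`npm audit --json`, npm 7+), counts findings per severity, gates on high/critical only, and extracts which direct dependency owns every flagged path (in the report above, all of them sit under `node_modules/vue-native-websocket/`). The sample report inside is constructed from three of the entries above.

```javascript
// Triage helper for `npm audit --json` (npm 7+ report format, auditReportVersion 2).
// Added example, not code from the issue or from vue-native-websocket. The report
// below is a constructed cut-down sample of three entries from the pasted audit.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    growl: {
      name: "growl", severity: "critical", range: "<1.10.2", fixAvailable: true,
      via: [{ title: "Command Injection", url: "https://npmjs.com/advisories/146" }],
      nodes: ["node_modules/vue-native-websocket/node_modules/growl"],
    },
    mocha: {
      name: "mocha", severity: "critical", range: "0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0",
      via: ["debug", "growl", "mkdirp"], fixAvailable: true, // "Depends on vulnerable versions of"
      nodes: ["node_modules/vue-native-websocket/node_modules/mocha"],
    },
    acorn: {
      name: "acorn", severity: "moderate", range: "5.5.0 - 5.7.3 || 6.0.0 - 6.4.0 || 7.0.0 - 7.1.0",
      via: [{ title: "Regular Expression Denial of Service", url: "https://npmjs.com/advisories/1488" }],
      fixAvailable: true, nodes: ["node_modules/vue-native-websocket/node_modules/acorn"],
    },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Count findings per severity and list the packages at or above the gate level,
// with whether npm reports an automatic fix, so CI can fail on high/critical only.
function summarize(report, failAt = "high") {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const failing = [];
  for (const v of Object.values(report.vulnerabilities)) {
    counts[v.severity] += 1;
    if (SEVERITY_RANK[v.severity] >= SEVERITY_RANK[failAt]) {
      // fixAvailable is either a boolean or an object describing the fix version
      failing.push({ name: v.name, fixAvailable: Boolean(v.fixAvailable) });
    }
  }
  failing.sort((a, b) => a.name.localeCompare(b.name));
  return { counts, failing, shouldFail: failing.length > 0 };
}

// Which direct dependencies own the vulnerable trees: first segment after node_modules/.
function directDependenciesInvolved(report) {
  const roots = new Set();
  for (const v of Object.values(report.vulnerabilities)) {
    for (const node of v.nodes) {
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)/.exec(node);
      if (m) roots.add(m[1]);
    }
  }
  return [...roots].sort();
}
```

To run it against a real project, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync("audit.json", "utf8"))` to the two functions instead of `sampleReport`.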