Update dependencies and security vulnerabilities #92

Open
mattpaz opened this issue Feb 17, 2024 · 0 comments
mattpaz commented Feb 17, 2024

In addition to #91, flat dependencies are growing long in the tooth.

As of 2024-02-17, there are 32 vulnerabilities (15 moderate, 12 high, 5 critical).

Outdated Modules
Package                              Current    Wanted    Latest  Location                                    Depended by
@actions/core                          1.2.6    1.10.1    1.10.1  node_modules/@actions/core                  flat
@actions/exec                          1.0.4     1.1.1     1.1.1  node_modules/@actions/exec                  flat
@actions/github                        4.0.0     4.0.0     6.0.0  node_modules/@actions/github                flat
@tinyhttp/content-disposition          1.2.0     1.3.0     2.2.0  node_modules/@tinyhttp/content-disposition  flat
@types/jest                          26.0.20   26.0.24   29.5.12  node_modules/@types/jest                    flat
@types/node                         14.14.37  14.18.63  20.11.19  node_modules/@types/node                    flat
@vercel/ncc                           0.27.0    0.27.0    0.38.1  node_modules/@vercel/ncc                    flat
axios                                 0.21.1    0.21.4     1.6.7  node_modules/axios                          flat
connection-string                      4.3.2     4.4.0     4.4.0  node_modules/connection-string              flat
csv-stringify                          5.6.2     5.6.5     6.4.5  node_modules/csv-stringify                  flat
es-mime-types                         0.0.16    0.0.16     0.1.4  node_modules/es-mime-types                  flat
husky                                  6.0.0     6.0.0    9.0.11  node_modules/husky                          flat
jest                                  26.6.3    26.6.3    29.7.0  node_modules/jest                           flat
jest-circus                           26.6.3    26.6.3    29.7.0  node_modules/jest-circus                    flat
mssql                                  6.3.1     6.4.1    10.0.2  node_modules/mssql                          flat
pg                                     8.5.1    8.11.3    8.11.3  node_modules/pg                             flat
prettier                               2.2.1     2.8.8     3.2.5  node_modules/prettier                       flat
reflect-metadata                      0.1.13    0.1.14     0.2.1  node_modules/reflect-metadata               flat
sqlite3                                5.1.6     5.1.7     5.1.7  node_modules/sqlite3                        flat
ts-jest                               26.5.3    26.5.6    29.1.2  node_modules/ts-jest                        flat
typeorm                               0.2.31    0.2.45    0.3.20  node_modules/typeorm                        flat
typescript                             4.2.3     4.9.5     5.3.3  node_modules/typescript                     flat
zod                            3.0.0-alpha.4    3.22.4    3.22.4  node_modules/zod                            flat
Audit Summary
@actions/core  <=1.9.0
Severity: moderate
@actions/core has Delimiter Injection Vulnerability in exportVariable - https://github.com/advisories/GHSA-7r3h-m5j6-3q42
fix available via `npm audit fix`
node_modules/@actions/core

@azure/ms-rest-nodeauth  <=3.0.9
Severity: high
Depends on vulnerable versions of @azure/ms-rest-js
Improper Privilege Management in Azure ms-rest-nodeauth - https://github.com/advisories/GHSA-qpfw-4m9x-rxx8
Depends on vulnerable versions of adal-node
fix available via `npm audit fix`
node_modules/@azure/ms-rest-nodeauth
  tedious  6.3.0 - 6.7.0 || 7.0.0 - 9.2.1
  Depends on vulnerable versions of @azure/ms-rest-nodeauth
  node_modules/tedious

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

async  3.0.0 - 3.2.1
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

axios  <=1.5.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
fix available via `npm audit fix`
node_modules/axios

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

follow-redirects  <=1.15.3
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

ip  *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
  socks  1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/socks

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request
  adal-node  <=0.2.2 || >=2.0.0-pre
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xmldom
  node_modules/adal-node
  jsdom  0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/jsdom
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    Depends on vulnerable versions of tough-cookie
    node_modules/request-promise-native

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@mapbox/node-pre-gyp/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/sane/node_modules/semver
node_modules/semver
node_modules/ts-jest/node_modules/semver

tmpl  <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/@azure/ms-rest-js/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
  @azure/ms-rest-js  <=2.6.6
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of xml2js
  node_modules/@azure/ms-rest-js

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  7.0.0 - 7.4.5
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ws

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
  typeorm  0.1.0-alpha.1 - 0.3.14-dev.daf1b47 || >=0.3.21-dev.28a8383
  Depends on vulnerable versions of xml2js
  node_modules/typeorm

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix`
node_modules/xmldom
