run npm audit fix --force #43
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
package.json
Outdated
| @@ -105,7 +105,7 @@ | |||
| "custom-element-vs-code-integration": "^1.2.1", | |||
| "custom-element-vuejs-integration": "^1.0.0", | |||
| "del": "^7.1.0", | |||
| "download": "^8.0.0", | |||
| "download": "^3.3.0", | |||
There was a problem hiding this comment.
in playing around locally, it seems downgrading this from 8 to 3 still leaves some unresolved issues from npm audit:
when on [email protected]:
# npm audit report
bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/tar-stream/node_modules/bl
tar-stream <=1.2.0
Depends on vulnerable versions of bl
node_modules/tar-stream
decompress-tar 2.0.1 - 2.0.2
Depends on vulnerable versions of tar-stream
node_modules/decompress-tar
decompress-tarbz2 2.0.1 - 2.0.2
Depends on vulnerable versions of tar-stream
node_modules/decompress-tarbz2
deep-extend <0.5.1
Severity: critical
Prototype Pollution in deep-extend - https://github.com/advisories/GHSA-hr2v-3952-633q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/download/node_modules/deep-extend
rc 0.1.0 - 1.2.6
Depends on vulnerable versions of deep-extend
Depends on vulnerable versions of minimist
node_modules/download/node_modules/rc
download <=4.2.1
Depends on vulnerable versions of decompress-tar
Depends on vulnerable versions of decompress-tarbz2
Depends on vulnerable versions of rc
Depends on vulnerable versions of request
Depends on vulnerable versions of url-regex
Depends on vulnerable versions of vinyl-fs
node_modules/download
lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/globule/node_modules/lodash
globule <=1.1.0
Depends on vulnerable versions of glob
Depends on vulnerable versions of lodash
Depends on vulnerable versions of minimatch
node_modules/globule
gaze 0.4.0 - 1.0.0
Depends on vulnerable versions of globule
node_modules/gaze
glob-watcher <=2.0.0
Depends on vulnerable versions of gaze
node_modules/glob-watcher
minimatch <=3.0.4
Severity: high
Regular Expression Denial of Service in minimatch - https://github.com/advisories/GHSA-hxm2-r34f-qmc5
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/minimatch
node_modules/globule/node_modules/minimatch
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/glob-stream/node_modules/glob
node_modules/globule/node_modules/glob
glob-stream 0.2.0 - 5.2.0
Depends on vulnerable versions of glob
Depends on vulnerable versions of minimatch
node_modules/glob-stream
vinyl-fs <=1.0.0
Depends on vulnerable versions of glob-stream
Depends on vulnerable versions of glob-watcher
node_modules/vinyl-fs
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/download/node_modules/minimist
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/tough-cookie
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/lpad-align/node_modules/meow
url-regex *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/url-regex
21 vulnerabilities (6 moderate, 10 high, 5 critical)when on [email protected]:
# npm audit report
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/download
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request
4 vulnerabilities (1 moderate, 3 high)There was a problem hiding this comment.
trying to figure out how to update got to 8.3.2 which is what upstream is on: https://github.com/shoelace-style/shoelace/blame/8cbd07b401b733ff40d27f2fbd325e033766f5b1/package-lock.json#L9284 without having to include got explicitly in our package.json
There was a problem hiding this comment.
actually scratch my theory, running npm audit on shoelace upstream next also surfaces the same issues we have on our fork:
adrianbautista
approved these changes
Nov 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.