node-sonos-http-api
Fix npm dependency issues
There are currently 8 npm dependency issues that can't be resolved without breaking your project. Please could you explore and remedy these, as one is a DoS.
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '[email protected]',
npm WARN EBADENGINE required: { node: '>=4.0.0', npm: '^2.0.0' },
npm WARN EBADENGINE current: { node: 'v12.22.12', npm: '7.5.2' }
npm WARN EBADENGINE }
up to date, audited 311 packages in 13s
38 packages are looking for funding
run `npm fund` for details
# npm audit report
ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ajv
eslint 2.5.0 - 2.5.2 || 4.2.0 - 5.0.0-rc.0
Depends on vulnerable versions of ajv
Depends on vulnerable versions of table
node_modules/eslint
table 3.7.10 - 4.0.2
Depends on vulnerable versions of ajv
node_modules/table
lodash <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request-promise/node_modules/lodash
request-promise 0.2.4 - 2.0.0
Depends on vulnerable versions of lodash
node_modules/request-promise
minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
node-static *
Severity: moderate
Denial of Service in node-static - https://github.com/advisories/GHSA-8r4g-cg4m-x23c
No fix available
node_modules/node-static
8 vulnerabilities (6 moderate, 2 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
I've found that you can update the dependencies as below, and the plugin still works. It doesn't resolve everything, but it resolves a lot. I've written a script to update everything to the highest working versions. Here are my working dependencies:
"dependencies": {
  "anesidora": "^1.2.0",
  "aws-sdk": "^2.1295.0",
  "basic-auth": "^2.0.1",
  "fuse.js": "^6.6.2",
  "html-entities": "^1.4.0",
  "json5": "^2.2.3",
  "mime": "^3.0.0",
  "music-metadata": "^7.13.3",
  "node-static": "^0.7.11",
  "request-promise": "^4.2.6",
  "sonos-discovery": "https://github.com/jishi/node-sonos-discovery/archive/v1.7.3.tar.gz",
  "wav-file-info": "0.0.10"
},
"engines": {
  "node": "^18.12.1",
  "npm": "^9.2.0"
},