ipyleaflet
Python sdist ships vulnerable NPM stuff
NPM audit report on jupyter_leaflet-0.9.2:
# npm audit report
ansi-regex 3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
node_modules/npm/node_modules/yargs/node_modules/ansi-regex
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/npm/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/npm/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/npm/node_modules/update-notifier
libnpx *
Depends on vulnerable versions of update-notifier
node_modules/npm/node_modules/libnpx
npm <=10.5.0
Depends on vulnerable versions of libcipm
Depends on vulnerable versions of libnpm
Depends on vulnerable versions of libnpmaccess
Depends on vulnerable versions of libnpmhook
Depends on vulnerable versions of libnpmorg
Depends on vulnerable versions of libnpmsearch
Depends on vulnerable versions of libnpmteam
Depends on vulnerable versions of libnpx
Depends on vulnerable versions of node-gyp
Depends on vulnerable versions of npm-lifecycle
Depends on vulnerable versions of npm-profile
Depends on vulnerable versions of npm-registry-fetch
Depends on vulnerable versions of pacote
Depends on vulnerable versions of request
Depends on vulnerable versions of semver
Depends on vulnerable versions of tar
Depends on vulnerable versions of update-notifier
node_modules/npm
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/http-cache-semantics
make-fetch-happen 2.0.0 - 8.0.1
Depends on vulnerable versions of http-cache-semantics
Depends on vulnerable versions of socks-proxy-agent
node_modules/npm/node_modules/make-fetch-happen
npm-registry-fetch 0.0.1 - 5.0.1
Depends on vulnerable versions of make-fetch-happen
node_modules/npm/node_modules/npm-registry-fetch
libnpm >=0.0.1
Depends on vulnerable versions of libnpmaccess
Depends on vulnerable versions of libnpmhook
Depends on vulnerable versions of libnpmorg
Depends on vulnerable versions of libnpmpublish
Depends on vulnerable versions of libnpmsearch
Depends on vulnerable versions of libnpmteam
Depends on vulnerable versions of npm-lifecycle
Depends on vulnerable versions of npm-profile
Depends on vulnerable versions of npm-registry-fetch
Depends on vulnerable versions of pacote
node_modules/npm/node_modules/libnpm
libnpmaccess <=3.0.2
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmaccess
libnpmhook <=5.0.3
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmhook
libnpmorg <=1.0.1
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmorg
libnpmpublish <=2.0.0
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmpublish
libnpmsearch <=2.0.2
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmsearch
libnpmteam <=1.0.2
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/libnpmteam
npm-profile 4.0.0 - 4.0.4
Depends on vulnerable versions of npm-registry-fetch
node_modules/npm/node_modules/npm-profile
pacote 2.0.0 - 10.3.0
Depends on vulnerable versions of make-fetch-happen
Depends on vulnerable versions of npm-registry-fetch
Depends on vulnerable versions of tar
node_modules/npm/node_modules/pacote
libcipm *
Depends on vulnerable versions of npm-lifecycle
Depends on vulnerable versions of pacote
node_modules/npm/node_modules/libcipm
ip *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/ip
socks 1.0.0 - 2.7.1
Depends on vulnerable versions of ip
node_modules/npm/node_modules/socks
socks-proxy-agent 1.0.1 - 4.0.2
Depends on vulnerable versions of socks
node_modules/npm/node_modules/socks-proxy-agent
mime <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime
postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
css-loader 0.15.0 - 4.3.0
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-modules-extract-imports
Depends on vulnerable versions of postcss-modules-local-by-default
Depends on vulnerable versions of postcss-modules-scope
Depends on vulnerable versions of postcss-modules-values
node_modules/css-loader
icss-utils <=4.1.1
Depends on vulnerable versions of postcss
node_modules/icss-utils
postcss-modules-local-by-default <=4.0.0-rc.4
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-local-by-default
postcss-modules-values <=4.0.0-rc.5
Depends on vulnerable versions of icss-utils
Depends on vulnerable versions of postcss
node_modules/postcss-modules-values
postcss-modules-extract-imports <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-extract-imports
postcss-modules-scope <=2.2.0
Depends on vulnerable versions of postcss
node_modules/postcss-modules-scope
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/request
node-gyp <=7.1.2
Depends on vulnerable versions of request
Depends on vulnerable versions of tar
node_modules/npm/node_modules/node-gyp
npm-lifecycle >=2.0.0
Depends on vulnerable versions of node-gyp
node_modules/npm/node_modules/npm-lifecycle
semver <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/semver
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/tar
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/npm/node_modules/tough-cookie
underscore 1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
css-img-datauri-stream *
Depends on vulnerable versions of mime
Depends on vulnerable versions of underscore
node_modules/css-img-datauri-stream
leaflet-splitmap *
Depends on vulnerable versions of css-img-datauri-stream
node_modules/leaflet-splitmap
leaflet-transform *
Depends on vulnerable versions of css-img-datauri-stream
node_modules/leaflet-transform
41 vulnerabilities (18 moderate, 19 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
> npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit fix [email protected] node_modules/npm/node_modules/semver
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/yargs/node_modules/ansi-regex
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/got
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/http-cache-semantics
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/ip
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/request
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/tar
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/tough-cookie
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/package-json
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/make-fetch-happen
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/socks
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/node-gyp
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/pacote
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/latest-version
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-registry-fetch
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/socks-proxy-agent
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-lifecycle
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpm
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libcipm
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/update-notifier
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmpublish
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmaccess
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/npm-profile
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmhook
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmorg
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmteam
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpmsearch
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit fix [email protected] node_modules/npm/node_modules/libnpx
npm warn audit fix [email protected] is a bundled dependency of
npm warn audit fix [email protected] [email protected] at node_modules/npm
npm warn audit fix [email protected] It cannot be fixed automatically.
npm warn audit fix [email protected] Check for updates to the npm package.
npm warn audit Updating css-loader to 7.1.2, which is a SemVer major change.
npm warn audit Updating npm to 10.8.3, which is a SemVer major change.
npm warn audit No fix available for leaflet-splitmap@*
npm warn audit No fix available for leaflet-transform@*
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Use your platform's native atob() and btoa() methods instead
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: This module has moved: please install @mapbox/point-geometry instead
npm warn deprecated [email protected]: This module has moved: please install @mapbox/vector-tile instead
added 621 packages, and audited 822 packages in 11s
167 packages are looking for funding
run `npm fund` for details
# npm audit report
mime <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime
underscore 1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
css-img-datauri-stream *
Depends on vulnerable versions of mime
Depends on vulnerable versions of underscore
node_modules/css-img-datauri-stream
leaflet-splitmap *
Depends on vulnerable versions of css-img-datauri-stream
node_modules/leaflet-splitmap
leaflet-transform *
Depends on vulnerable versions of css-img-datauri-stream
node_modules/leaflet-transform
5 vulnerabilities (1 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
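The reports above mix three kinds of finding: ones `npm audit fix` can patch in place, ones that need a breaking parent bump, and ones with no fix at all. They also show a fourth category the summary line hides: everything under `node_modules/npm/node_modules/` is a bundled dependency of the vendored `npm` package, which `npm audit fix --force` refuses to touch ("It cannot be fixed automatically. Check for updates to the npm package."). The script below is an added example for this issue, not ipyleaflet, jupyter_leaflet or npm code. It assumes the `npm audit --json` report shape (`auditReportVersion` 2, where `fixAvailable` is `true`, `false` or an object naming the package to bump), and it builds a constructed sdist tarball and a constructed report fragment that mirror the findings above; nothing in the sample data is taken from the real jupyter_leaflet-0.9.2 sdist. The "bundled" bucket is a heuristic inferred from install paths, not a field npm reports.

```python
"""Triage `npm audit` findings shipped inside a Python sdist.

Added example for this issue; not ipyleaflet, jupyter_leaflet or npm code.
Assumes the `npm audit --json` format (auditReportVersion 2). All sample
data below is constructed to resemble the report in the issue.
"""
import io
import tarfile

JS_MANIFESTS = ("package.json", "package-lock.json", "npm-shrinkwrap.json", "yarn.lock")

# Constructed sdist layout: manifests plus a vendored node_modules tree.
SAMPLE_FILES = {
    "jupyter_leaflet-0.9.2/setup.py": "# constructed placeholder\n",
    "jupyter_leaflet-0.9.2/package.json": '{"name": "constructed-sample"}\n',
    "jupyter_leaflet-0.9.2/package-lock.json": '{"lockfileVersion": 3}\n',
    "jupyter_leaflet-0.9.2/node_modules/npm/node_modules/ip/package.json": '{"name": "ip"}\n',
}


def build_sample_sdist(files=SAMPLE_FILES):
    """Pack the constructed files into an in-memory .tar.gz shaped like an sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def find_js_artifacts(sdist_bytes):
    """List sdist members that carry npm dependency state: manifests,
    lockfiles and any file under a vendored node_modules/ directory."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:gz") as tf:
        for member in tf.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")
            if parts[-1] in JS_MANIFESTS or "node_modules" in parts:
                hits.append(member.name)
    return sorted(hits)


def triage(report, bundled_parent="npm"):
    """Bucket `npm audit --json` findings by what `npm audit fix` can do.

    fixAvailable is True (plain fix), False (no fix) or an object naming the
    package to bump, with isSemVerMajor marking a breaking change. Findings
    whose every install path sits under node_modules/<bundled_parent>/ are
    listed again under "bundled": audit fix cannot alter a parent's bundled
    dependencies, so the remedy is a newer parent (heuristic assumption).
    """
    buckets = {"fix": [], "breaking": [], "no_fix": [], "bundled": []}
    prefix = f"node_modules/{bundled_parent}/node_modules/"
    for name, vuln in report["vulnerabilities"].items():
        fix = vuln.get("fixAvailable")
        # `via` mixes advisory objects (direct hits) and package-name strings
        # (transitive exposure); only the objects carry an advisory URL.
        advisories = [v["url"] for v in vuln["via"] if isinstance(v, dict)]
        entry = {"name": name, "severity": vuln["severity"], "advisories": advisories}
        if fix is False:
            buckets["no_fix"].append(entry)
        elif isinstance(fix, dict) and fix.get("isSemVerMajor"):
            entry["bump"] = f'{fix["name"]}@{fix["version"]}'
            buckets["breaking"].append(entry)
        else:
            buckets["fix"].append(entry)
        nodes = vuln.get("nodes", [])
        if nodes and all(n.startswith(prefix) for n in nodes):
            buckets["bundled"].append(name)
    return buckets


def _v(severity, via, nodes, fix):
    # Constructed vulnerability record in the npm audit JSON shape.
    return {"severity": severity, "via": via, "nodes": nodes, "fixAvailable": fix}


GHSA = "https://github.com/advisories/"
# Constructed report fragment; versions and fix targets are illustrative.
SAMPLE_REPORT = {"auditReportVersion": 2, "vulnerabilities": {
    "ansi-regex": _v("high", [{"url": GHSA + "GHSA-93q8-gq69-wqmw"}],
                     ["node_modules/npm/node_modules/string-width/node_modules/ansi-regex",
                      "node_modules/npm/node_modules/yargs/node_modules/ansi-regex"], True),
    "got": _v("moderate", [{"url": GHSA + "GHSA-pfrx-2q88-qq97"}],
              ["node_modules/npm/node_modules/got"],
              {"name": "npm", "version": "10.8.3", "isSemVerMajor": True}),
    "mime": _v("high", [{"url": GHSA + "GHSA-wrvr-8mpx-r7pp"}], ["node_modules/mime"], True),
    "underscore": _v("critical", [{"url": GHSA + "GHSA-cf4h-3jhx-xvhq"}],
                     ["node_modules/css-img-datauri-stream/node_modules/underscore"], False),
    "leaflet-splitmap": _v("critical", ["css-img-datauri-stream"],
                           ["node_modules/leaflet-splitmap"], False),
}}
```

Against a real sdist, replace `build_sample_sdist()` with the bytes of the downloaded `.tar.gz` and feed `triage()` the parsed output of `npm audit --json` run inside the extracted package directory. Anything that lands only in "bundled" will not move no matter how often `npm audit fix --force` runs; the only fix there is bumping (or dropping) the vendored `npm` dependency, and anything in "no_fix" needs a replacement dependency rather than an upgrade.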