transitive dependency has the vulnerability

Open Smanst3r opened this issue 3 months ago • 2 comments

I’ve updated juice to the latest version (11.0.1), but npm audit still reports a vulnerability in undici:

```
npm audit
---
undici  6.0.0 - 6.21.1
Severity: moderate
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
fix available via `npm audit fix`
node_modules/undici

npm ls undici
<project>
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected]
```

It seems that cheerio is still using a version of undici with known vulnerabilities. Idk if I should open an issue for it here.

Smanst3r avatar Sep 09 '25 15:09 Smanst3r
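An added example (not code from this issue or the juice project) that does what the two commands above do by hand: walk `npm ls --json --all` output and list every dependency path ending in a package whose installed version falls inside the advisory's affected range. The sample tree is constructed to mirror the juice > cheerio > undici chain; the cheerio and undici versions in it are placeholders, not values from the issue.

```javascript
// Constructed sample of `npm ls --json --all` output (placeholder versions for
// cheerio and undici; a second, non-affected undici copy is included on purpose).
const SAMPLE_TREE = {
  name: "project",
  dependencies: {
    juice: {
      version: "11.0.1",
      dependencies: {
        cheerio: {
          version: "1.0.0", // placeholder
          dependencies: { undici: { version: "6.19.8" } }, // placeholder inside 6.0.0 - 6.21.1
        },
      },
    },
    "other-lib": {
      version: "2.0.0", // placeholder
      dependencies: { undici: { version: "6.22.0" } }, // placeholder outside the range
    },
  },
};

// Numeric x.y.z comparison; a plain string compare would rank "6.3.0" above "6.21.1".
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Inclusive range check, matching how npm audit prints "6.0.0 - 6.21.1".
function inRange(version, low, high) {
  return cmpVersion(version, low) >= 0 && cmpVersion(version, high) <= 0;
}

// Depth-first walk; returns one "a@x > b@y > pkg@z" string per affected copy,
// so you can see which direct dependency pulls in the vulnerable transitive one.
function findVulnerablePaths(tree, pkg, low, high) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && inRange(child.version, low, high)) hits.push(here.join(" > "));
      walk(child, here);
    }
  };
  walk(tree, []);
  return hits;
}
```

Feed it `JSON.parse` of the real `npm ls --json --all` output and the affected range from the `npm audit` line to get the same chain the issue shows, plus any other copies of the package the tree contains.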

We will fix this and update cheerio, which now uses [email protected], but it will mean we release a major version, because undici now uses APIs that are not available in Node 18, which Juice currently still supports.

cossssmin avatar Sep 29 '25 09:09 cossssmin

Thank you for the feedback.

Smanst3r avatar Oct 09 '25 13:10 Smanst3r