express-gateway
vulnerabilities in `eg gateway create`
19 vulnerabilities (5 moderate, 9 high, 5 critical) - Fri June 9th 2023
As of Fri June 9th 2023, npm is reporting 5 critical and 9 high vulnerabilities.
$ eg --version
Configuring yargs through package.json is deprecated and will be removed in a future major release, please use the JS API instead.
1.16.11
$ npm audit
# npm audit report
degenerator <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/degenerator
pac-resolver <=4.2.0
Depends on vulnerable versions of degenerator
node_modules/pac-resolver
pac-proxy-agent <=4.1.0
Depends on vulnerable versions of pac-resolver
node_modules/pac-proxy-agent
proxy-agent 1.1.0 - 4.0.1
Depends on vulnerable versions of pac-proxy-agent
node_modules/proxy-agent
express-gateway >=0.0.3
Depends on vulnerable versions of ejs
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of passport
Depends on vulnerable versions of proxy-agent
Depends on vulnerable versions of yeoman-generator
node_modules/express-gateway
ejs <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ejs
mem-fs-editor 2.0.0 - 6.0.0 || 7.0.1 - 7.1.0
Depends on vulnerable versions of ejs
Depends on vulnerable versions of globby
node_modules/mem-fs-editor
node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/mem-fs-editor
node_modules/yeoman-generator/node_modules/mem-fs-editor
yeoman-environment 2.1.0 - 2.10.3
Depends on vulnerable versions of globby
Depends on vulnerable versions of mem-fs-editor
node_modules/yeoman-environment
yeoman-generator 0.20.0 - 4.13.0
Depends on vulnerable versions of github-username
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of yeoman-environment
node_modules/yeoman-environment/node_modules/yeoman-generator
node_modules/yeoman-generator
glob-parent <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/fast-glob/node_modules/glob-parent
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/globby
node_modules/mem-fs-editor/node_modules/globby
node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/globby
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
node_modules/yeoman-environment/node_modules/got
gh-got <=9.0.0
Depends on vulnerable versions of got
node_modules/gh-got
node_modules/yeoman-environment/node_modules/gh-got
github-username 2.0.0 - 5.0.1
Depends on vulnerable versions of gh-got
node_modules/github-username
node_modules/yeoman-environment/node_modules/github-username
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken
passport <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/passport
redis 2.6.0 - 3.1.0
Severity: high
Node-Redis potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix`
node_modules/redis
rate-limit-redis 1.7.0
Depends on vulnerable versions of redis
node_modules/rate-limit-redis
19 vulnerabilities (5 moderate, 9 high, 5 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
`npm audit fix` fixes nothing, and with `npm audit fix --force` I am afraid my getting started might break.
I thought this was caused by the dependency produced by `eg gateway create`:
"express-gateway": "^0.0.1"
but after updating to 1.16.11 I still have:
19 vulnerabilities (5 moderate, 9 high, 5 critical)
@yogeshgadge did you find an answer to your question? I'm also having the same problem.