
High and moderate security vulnerabilities in latest version 1.3.3

Open cavla opened this issue 4 years ago • 5 comments

I am running the latest version 1.3.3 and npm audit is showing some vulnerabilities:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-status-monitor > axios                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Insecure Default Configuration                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ socket.io                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-status-monitor                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-status-monitor > socket.io                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1609                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

cavla, Mar 09 '21 03:03

Yes, express-status-monitor needs an update.

RutsuKun, Mar 10 '21 18:03

There have been no updates in the past 10 months... Is this package even active? If so, this issue needs to be handled. @RafalWilinski

karan-gaur, Mar 31 '21 16:03

7 vulnerabilities (1 moderate, 5 high, 1 critical)

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  express-status-monitor  <=0.1.9 || >=1.2.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of socket.io
  node_modules/express-status-monitor

socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
Severity: high
Insecure Default Configuration - https://npmjs.com/advisories/1609
Depends on vulnerable versions of socket.io-client
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/socket.io
  express-status-monitor  <=0.1.9 || >=1.2.5
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of socket.io
  node_modules/express-status-monitor

ws  5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/engine.io-client/node_modules/ws
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client
      socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
      Depends on vulnerable versions of socket.io-client
      node_modules/socket.io
        express-status-monitor  <=0.1.9 || >=1.2.5
        Depends on vulnerable versions of axios
        Depends on vulnerable versions of socket.io
        node_modules/express-status-monitor

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Arbitrary Code Injection - https://npmjs.com/advisories/1665
Improper Verification of Cryptographic Signature - https://npmjs.com/advisories/1746
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xmlhttprequest-ssl
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client
      socket.io  <=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4
      Depends on vulnerable versions of socket.io-client
      node_modules/socket.io
        express-status-monitor  <=0.1.9 || >=1.2.5
        Depends on vulnerable versions of axios
        Depends on vulnerable versions of socket.io
        node_modules/express-status-monitor

7 vulnerabilities (1 moderate, 5 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

benmneb, Aug 08 '21 10:08
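The nested "Depends on vulnerable versions of ..." blocks in the report above are npm's rendering of the dependency chain from the top-level package down to the package that actually carries the advisory, and "fix available via `npm audit fix --force`" means the only available fix is a semver-major change. The script below is an added example, not code from this issue or from express-status-monitor, that reconstructs both from the machine-readable form of the report (`npm audit --json`, `auditReportVersion` 2 as emitted by npm 7 and later). `SAMPLE_REPORT` is constructed by hand to mirror the thread's finding: the package names, ranges and advisory URLs come from the posted output, while the `fixAvailable` target version `1.2.4` is a placeholder assumption that was not checked against the registry.

```javascript
// Added example, not from the issue thread or from express-status-monitor.
// Walks an `npm audit --json` report (auditReportVersion 2) to rebuild the
// "a > b > c" dependency chains behind each advisory and to list the fixes
// that npm will only apply under `npm audit fix --force` (semver-major).

// Constructed sample mirroring the thread's report. Field names follow the
// v2 format (vulnerabilities / via / effects / fixAvailable / isSemVerMajor);
// the fix version "1.2.4" is a placeholder assumption, not registry data.
const FIX = { name: "express-status-monitor", version: "1.2.4", isSemVerMajor: true };
const adv = (source, name, title, range) => ({
  source, name, dependency: name, title, range,
  url: `https://npmjs.com/advisories/${source}`,
});
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "express-status-monitor": { name: "express-status-monitor", severity: "high", isDirect: true,
      via: ["axios", "socket.io"], effects: [], range: "<=0.1.9 || >=1.2.5", fixAvailable: FIX },
    axios: { name: "axios", severity: "high", isDirect: false,
      via: [adv(1594, "axios", "Server-Side Request Forgery", "<0.21.1")],
      effects: ["express-status-monitor"], range: "<0.21.1", fixAvailable: FIX },
    "socket.io": { name: "socket.io", severity: "high", isDirect: false,
      via: [adv(1609, "socket.io", "Insecure Default Configuration", "<=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4"),
            "socket.io-client"],
      effects: ["express-status-monitor"], range: "<=2.3.0 || 3.0.0-rc1 - 3.0.0-rc4", fixAvailable: FIX },
    "socket.io-client": { name: "socket.io-client", severity: "high", isDirect: false,
      via: ["engine.io-client"], effects: ["socket.io"],
      range: "1.4.0 - 1.7.3 || 2.0.0 - 2.1.1 || 2.3.0 - 2.3.1 || 3.0.0-rc1 - 3.0.5", fixAvailable: FIX },
    "engine.io-client": { name: "engine.io-client", severity: "high", isDirect: false,
      via: ["ws", "xmlhttprequest-ssl"], effects: ["socket.io-client"],
      range: "0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3",
      fixAvailable: FIX },
    ws: { name: "ws", severity: "moderate", isDirect: false,
      via: [adv(1748, "ws", "Regular Expression Denial of Service", "5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5")],
      effects: ["engine.io-client"], range: "5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5", fixAvailable: FIX },
    "xmlhttprequest-ssl": { name: "xmlhttprequest-ssl", severity: "critical", isDirect: false,
      via: [adv(1665, "xmlhttprequest-ssl", "Arbitrary Code Injection", "<=1.6.1"),
            adv(1746, "xmlhttprequest-ssl", "Improper Verification of Cryptographic Signature", "<=1.6.1")],
      effects: ["engine.io-client"], range: "<=1.6.1", fixAvailable: FIX },
  },
};

// Every root-to-package path following `effects` links upward. A root is a
// package nothing else in the report depends on (normally a direct dep).
// `seen` guards against cyclic effects so a malformed report cannot loop.
function pathsToRoot(vulns, name, seen = new Set()) {
  const entry = vulns[name];
  if (!entry || seen.has(name)) return [];          // unknown node or cycle
  const parents = (entry.effects || []).filter((p) => p in vulns);
  if (parents.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  return parents.flatMap((p) => pathsToRoot(vulns, p, next).map((path) => [...path, name]));
}

// One record per (advisory, path). Object entries in `via` are advisories;
// string entries only say "vulnerable because of this other package".
function advisoryChains(report) {
  const vulns = report.vulnerabilities;
  const out = [];
  for (const entry of Object.values(vulns)) {
    for (const via of entry.via) {
      if (typeof via !== "object") continue;
      for (const path of pathsToRoot(vulns, entry.name)) {
        out.push({ url: via.url, title: via.title, vulnerable: via.range,
                   severity: entry.severity, path: path.join(" > ") });
      }
    }
  }
  return out;
}

// What `npm audit fix --force` would install: fixes flagged isSemVerMajor,
// which plain `npm audit fix` refuses to apply.
function breakingFixTargets(report) {
  const targets = new Set();
  for (const entry of Object.values(report.vulnerabilities)) {
    const fix = entry.fixAvailable;
    if (fix && typeof fix === "object" && fix.isSemVerMajor) targets.add(`${fix.name}@${fix.version}`);
  }
  return [...targets].sort();
}

// The one-line summary npm prints at the end of the text report.
function summarize(report) {
  const counts = {};
  for (const entry of Object.values(report.vulnerabilities)) {
    counts[entry.severity] = (counts[entry.severity] || 0) + 1;
  }
  const order = ["info", "low", "moderate", "high", "critical"];
  const parts = order.filter((s) => counts[s]).map((s) => `${counts[s]} ${s}`);
  return `${Object.keys(report.vulnerabilities).length} vulnerabilities (${parts.join(", ")})`;
}

for (const c of advisoryChains(SAMPLE_REPORT)) console.log(c.severity.padEnd(8), c.path, " ", c.url);
console.log(summarize(SAMPLE_REPORT), "| --force would install:", breakingFixTargets(SAMPLE_REPORT).join(", "));
```

On a real project, replace `SAMPLE_REPORT` with `JSON.parse` of `npm audit --json` output; the advisory objects carry the same `url` and `range` fields used here. Note that a transitive package appearing "critical" does not make the top-level package exploitable; the path tells you which code would have to be reachable.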

I guess he abandoned it, sad.

kevinclarkadstech, Sep 15 '21 05:09

Mostly closed in the 1.3.4 release (https://github.com/RafalWilinski/express-status-monitor/commit/be7b8fcfc6d24a45fee9c0c815ec2636ee621cfb).

Nevertheless, there is 1 outstanding security vulnerability, https://github.com/advisories/GHSA-j4f2-536g-r55m. [email protected] > [email protected] > [email protected]

This has been committed as https://github.com/RafalWilinski/express-status-monitor/commit/1a38ae56dfdb1808aa68ce196db008b28efce49f (PR #188), which upgraded [email protected] to [email protected], but it has yet to be released.

lamweili, May 02 '22 17:05