
1 Critical and 10 high vulnerabilities reported during npm install

Open bentterp opened this issue 3 years ago • 3 comments

% npm install                              

added 1904 packages, and audited 1971 packages in 3m

17 vulnerabilities (6 low, 10 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
%

bentterp avatar Mar 03 '21 09:03 bentterp

After running npm audit fix, the critical remains together with 6 high:

safe-eval  *
Severity: critical
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/1322
No fix available
node_modules/safe-eval

bentterp avatar Mar 03 '21 09:03 bentterp

My node installation was too old.

bentterp avatar Mar 03 '21 09:03 bentterp

Re-ran everything using node v15.10.0: 1 critical and 7 high

% npm audit fix 

up to date, audited 1810 packages in 3s

71 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios

diff  <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tap-mocha-reporter/node_modules/diff
  tap-mocha-reporter  0.0.4 - 5.0.0
  Depends on vulnerable versions of diff
  node_modules/tap-mocha-reporter
    tap  7.0.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
    Depends on vulnerable versions of tap-mocha-reporter
    node_modules/tap
      nodeunit  >=0.9.3
      Depends on vulnerable versions of tap
      node_modules/nodeunit

pug  <3.0.1
Severity: high
Remote Code Execution - https://npmjs.com/advisories/1643
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/pug
  pug-loader  >=2.0.0
  Depends on vulnerable versions of pug
  node_modules/pug-loader

safe-eval  *
Severity: critical
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/1322
No fix available
node_modules/safe-eval

8 vulnerabilities (7 high, 1 critical)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
%

bentterp avatar Mar 03 '21 10:03 bentterp
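The report above presents eight findings as a dependency tree that has to be read by eye to see which entries share one root advisory (the whole nodeunit / tap / tap-mocha-reporter branch comes down to the single `diff` advisory) and which ones plain `npm audit fix` can never touch. The script below is an added example, not code from the qnabot-on-aws project or from anyone in this thread. It reads the same data in machine-readable form from `npm audit --json` (the `auditReportVersion: 2` format that npm 7+, as shipped with node v15, emits), follows each transitive entry's `via` names back to the advisory objects at the root, and sorts every entry into three buckets: fixable by `npm audit fix`, fixable only with `--force`, or no fix available. The embedded sample is constructed from the advisories listed in the report; the nodeunit version that npm would install is not visible in the issue text, so it is left as a marked placeholder rather than guessed.

```javascript
'use strict';

// Added example; not code from the qnabot-on-aws project or the issue author.
// Triage `npm audit --json` output (auditReportVersion 2, npm 7+) into three
// buckets: fixable by `npm audit fix`, fixable only with `--force`
// (semver-major bump), or no fix available.
// Usage: npm audit --json > audit.json && node triage.js audit.json
//        node triage.js          (no argument: runs on the constructed sample)

// --- Constructed sample modelled on the findings quoted in the issue ------
// Real reports carry more fields (range, nodes, ...); triage() ignores them.
const adv = (source, title, severity, range) =>
  ({ source, title, severity, range, url: `https://npmjs.com/advisories/${source}` });
const major = (name, version) => ({ name, version, isSemVerMajor: true });
const vuln = (name, severity, via, effects, fixAvailable, isDirect = false) =>
  ({ name, severity, via, effects, fixAvailable, isDirect });

// 'PLACEHOLDER': the nodeunit version npm would install is not shown in the
// issue text, so it is deliberately not filled in here.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: vuln('axios', 'high',
      [adv(1594, 'Server-Side Request Forgery', 'high', '<0.21.1')], [],
      major('axios', '0.21.1'), true),
    diff: vuln('diff', 'high',
      [adv(1631, 'Regular Expression Denial of Service', 'high', '<3.5.0')],
      ['tap-mocha-reporter'], major('nodeunit', 'PLACEHOLDER')),
    'tap-mocha-reporter': vuln('tap-mocha-reporter', 'high', ['diff'], ['tap'],
      major('nodeunit', 'PLACEHOLDER')),
    tap: vuln('tap', 'high', ['tap-mocha-reporter'], ['nodeunit'],
      major('nodeunit', 'PLACEHOLDER')),
    nodeunit: vuln('nodeunit', 'high', ['tap'], [],
      major('nodeunit', 'PLACEHOLDER'), true),
    pug: vuln('pug', 'high',
      [adv(1643, 'Remote Code Execution', 'high', '<3.0.1')], ['pug-loader'],
      major('pug', '3.0.1'), true),
    'pug-loader': vuln('pug-loader', 'high', ['pug'], [], major('pug', '3.0.1'), true),
    'safe-eval': vuln('safe-eval', 'critical',
      [adv(1322, 'Sandbox Breakout / Arbitrary Code Execution', 'critical', '*')],
      [], false, true),
  },
};

// Transitive entries list the vulnerable dependency's *name* in `via`; only
// the root entry carries advisory objects. Follow the names down to those.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];   // `seen` guards cycles
  seen.add(name);
  const roots = [];
  for (const v of vulns[name].via) {
    if (typeof v === 'string') roots.push(...rootAdvisories(vulns, v, seen));
    else roots.push(v);
  }
  return roots;
}

// Sort every entry by what `npm audit fix` can do about it.
function triage(report) {
  const vulns = report.vulnerabilities || {};
  const buckets = { autoFix: [], forceFix: [], noFix: [] };
  for (const [name, v] of Object.entries(vulns)) {
    const entry = {
      name,
      severity: v.severity,
      isDirect: Boolean(v.isDirect),
      advisories: rootAdvisories(vulns, name).map(a => `${a.title} (${a.url})`),
      fix: v.fixAvailable,
    };
    if (v.fixAvailable === false) buckets.noFix.push(entry);
    else if (v.fixAvailable === true || !v.fixAvailable.isSemVerMajor) buckets.autoFix.push(entry);
    else buckets.forceFix.push(entry);
  }
  return buckets;
}

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Names of findings at or above `minSeverity` that plain `npm audit fix`
// leaves in place: the set a CI gate would fail on. Sorted for stable output.
function unresolved(buckets, minSeverity = 'high') {
  const min = RANK[minSeverity];
  return [...buckets.forceFix, ...buckets.noFix]
    .filter(e => (RANK[e.severity] || 0) >= min)
    .map(e => e.name)
    .sort();
}

function main() {
  const fs = require('fs');
  const path = process.argv[2];
  const report = path ? JSON.parse(fs.readFileSync(path, 'utf8')) : SAMPLE_REPORT;
  const buckets = triage(report);
  for (const [bucket, entries] of Object.entries(buckets)) {
    console.log(`${bucket}: ${entries.length}`);
    for (const e of entries) {
      const fix = e.fix && e.fix.name ? `-> ${e.fix.name}@${e.fix.version}` : '';
      console.log(`  ${e.severity.padEnd(8)} ${e.name} ${fix}`);
      for (const a of e.advisories) console.log(`           ${a}`);
    }
  }
  const blocking = unresolved(buckets, 'high');
  console.log(`unresolved high/critical: ${blocking.join(', ') || 'none'}`);
  if (path) process.exitCode = blocking.length ? 1 : 0;   // CI gate on a real report
}

if (typeof require === 'function' && require.main === module) main();
```

Run against the issue's sample this prints an empty `autoFix` bucket, seven `forceFix` entries (every one of the tap-branch entries resolving to the single `diff` ReDoS advisory) and `safe-eval` alone under `noFix`, which is the practical reading of the report: `--force` clears everything except the critical, and for that one the only options are removing the dependency or replacing whatever pulls it in.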

All dependencies resolved as of the latest version.

ihmaws avatar Apr 18 '23 15:04 ihmaws