
Update NPM packages to fix Prototype Pollution vulnerability

Open Cheezer1656 opened this issue 10 months ago • 1 comments

# npm audit report

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/quote-stream

static-eval  <=2.0.1
Severity: high
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-x9hc-rw35-f44h
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
fix available via `npm audit fix --force`
Will install @magenta/[email protected], which is a breaking change
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of quote-stream
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    cwise  >=1.0.0
    Depends on vulnerable versions of static-module
    node_modules/cwise
      ndarray-fft  >=1.0.0
      Depends on vulnerable versions of cwise
      node_modules/ndarray-fft
      ndarray-resample  *
      Depends on vulnerable versions of cwise
      Depends on vulnerable versions of ndarray-fft
      node_modules/ndarray-resample
        @magenta/music  >=1.1.14
        Depends on vulnerable versions of ndarray-resample
        node_modules/@magenta/music

8 vulnerabilities (6 moderate, 1 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Cheezer1656 avatar Apr 22 '24 01:04 Cheezer1656

Thanks for reporting this! However, I don't think this can be solved just by updating packages. The latest version of cwise still depends on the vulnerable version of static-eval through static-module. Updating static-eval would create a dependency conflict. (Indeed, npm audit fix doesn't fix anything, and npm audit fix --force gives me an error.)

So I think this would have to be fixed in cwise by making it depend on a more recent version of static-module that doesn't have the vulnerability.

cifkao avatar May 23 '24 16:05 cifkao
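The chain that the maintainer traces by hand above can be reconstructed from the audit output. The following is an added example, not code from the issue or from the html-midi-player project: it walks a hand-constructed graph of the packages named in the report and returns every path from the root to a vulnerable package, the packages npm audit lists as "depends on vulnerable versions", and the edges where a dependency range would have to change.

```javascript
"use strict";

// Constructed by hand from the npm audit report above (not a real lockfile):
// package -> packages it depends on.
const DEPS = {
  "html-midi-player": ["@magenta/music"],
  "@magenta/music": ["ndarray-resample"],
  "ndarray-resample": ["cwise", "ndarray-fft"],
  "ndarray-fft": ["cwise"],
  "cwise": ["static-module"],
  "static-module": ["quote-stream", "static-eval"],
  "quote-stream": ["minimist"],
  "static-eval": [],
  "minimist": [],
};

// Packages flagged by the advisories in the report, with their severity.
const VULNERABLE = { minimist: "critical", "static-eval": "high" };

// Depth-first search returning every simple path from `root` to a package in
// `vulnerable`. `seen` guards against cycles, which real dependency graphs can have.
function findVulnerablePaths(deps, root, vulnerable, path = [root], seen = new Set([root])) {
  const out = [];
  if (root in vulnerable && path.length > 1) out.push(path);
  for (const dep of deps[root] || []) {
    if (seen.has(dep)) continue;
    seen.add(dep);
    out.push(...findVulnerablePaths(deps, dep, vulnerable, [...path, dep], seen));
    seen.delete(dep);
  }
  return out;
}

// Every package strictly between the root and the vulnerable leaf is what
// npm audit reports as "Depends on vulnerable versions of ...".
function transitivelyAffected(paths) {
  const affected = new Set();
  for (const p of paths) p.slice(1, -1).forEach((pkg) => affected.add(pkg));
  return [...affected].sort();
}

// The last edge of each path is the dependency range that pulls the vulnerable
// version in; that range (and every range above it that pins the old parent)
// has to move before `npm audit fix` can do anything.
function fixPoints(paths, vulnerable) {
  const edges = new Set();
  for (const p of paths) {
    const [parent, vuln] = p.slice(-2);
    edges.add(`${parent} -> ${vuln} (${vulnerable[vuln]})`);
  }
  return [...edges].sort();
}

const paths = findVulnerablePaths(DEPS, "html-midi-player", VULNERABLE);
for (const p of paths) console.log(p.join(" > "));
console.log("affected:", transitivelyAffected(paths));
console.log("fix points:", fixPoints(paths, VULNERABLE));
```

On a real project the same walk can be run over the `dependencies` tree that `npm ls --all --json` prints, which is where the constructed graph above would come from.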