
Vulnerabilities

Open tonai opened this issue 2 months ago • 0 comments

After installing the codesandbox package I have some vulnerabilities in my project. Here is the npm audit report:

# npm audit report

axios  <=0.27.2
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  codesandbox  >=1.0.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of pacote
  Depends on vulnerable versions of update-notifier
  node_modules/codesandbox

follow-redirects  <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/codesandbox/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/codesandbox/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/codesandbox/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/codesandbox/node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/make-fetch-happen/node_modules/http-cache-semantics
  make-fetch-happen  2.1.0 - 6.1.0
  Depends on vulnerable versions of http-cache-semantics
  node_modules/make-fetch-happen
    pacote  2.0.0 - 9.5.12
    Depends on vulnerable versions of cacache
    Depends on vulnerable versions of make-fetch-happen
    Depends on vulnerable versions of ssri
    node_modules/pacote

ssri  <=6.0.1
Severity: high
Regular Expression Denial of Service in ssri - https://github.com/advisories/GHSA-325j-24f4-qv5x
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/make-fetch-happen/node_modules/ssri
node_modules/ssri
  cacache  10.0.4 - 11.0.0 || 7.0.0 - 9.3.0
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of ssri
  node_modules/cacache
  node_modules/make-fetch-happen/node_modules/cacache

12 vulnerabilities (5 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Is it possible to update vulnerable packages?

tonai · Apr 24 '24 12:04
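The text report above is hard to act on because most of the 12 findings are the same few advisories counted once per package that transitively depends on them. As an added example (not code from codesandbox-importers or the codesandbox package), the script below reads the JSON form of the same report, as produced by `npm audit --json` on npm 7 and later (`auditReportVersion: 2`), and separates the packages that actually carry advisories from the ones that are only affected through their dependencies, follows each finding's `effects` chain up to the project's direct dependency, and sorts the findings into fixes that `npm audit fix` can apply without a major bump versus fixes that need `--force`. The input is a constructed sample that mirrors the issue's report (advisory URLs are the ones listed above; the `fixAvailable` name and version are placeholders, since the report's version string is obscured).

```javascript
// Added example: triage an `npm audit --json` (auditReportVersion 2) report.
// Not part of the codesandbox project; the sample data below is constructed.

// Small builders so the sample stays readable.
const adv = (title, url, severity, range) => ({ title, url, severity, range });
const entry = (severity, isDirect, via, effects, range, fixAvailable) =>
  ({ severity, isDirect, via, effects, range, fixAvailable });

// Placeholder for npm's "fix available via --force" object. In a real report
// `name`/`version` say which top-level package npm would install; assumed here.
const breakingFixSample = { name: "codesandbox", version: "0.0.0-placeholder", isSemVerMajor: true };

// Constructed sample modelled on the issue's report. `via` holds advisory
// objects for packages that are vulnerable themselves and package names for
// packages that only depend on a vulnerable one; `effects` points upward.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "follow-redirects": entry("high", false,
      [adv("follow-redirects' Proxy-Authorization header kept across hosts",
           "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp", "high", "<=1.15.5")],
      ["axios"], "<=1.15.5", breakingFixSample),
    axios: entry("high", false,
      [adv("Axios vulnerable to Server-Side Request Forgery",
           "https://github.com/advisories/GHSA-4w2v-q235-vp99", "high", "<=0.27.2"),
       "follow-redirects"],
      ["codesandbox"], "<=0.27.2", breakingFixSample),
    got: entry("moderate", false,
      [adv("Got allows a redirect to a UNIX socket",
           "https://github.com/advisories/GHSA-pfrx-2q88-qq97", "moderate", "<11.8.5")],
      ["package-json"], "<11.8.5", true),
    "package-json": entry("moderate", false, ["got"], ["latest-version"], "<=6.5.0", true),
    "latest-version": entry("moderate", false, ["package-json"], ["update-notifier"], "0.2.0 - 5.1.0", true),
    "update-notifier": entry("moderate", false, ["latest-version"], ["codesandbox"], "0.2.0 - 5.1.0", true),
    ssri: entry("high", false,
      [adv("Regular Expression Denial of Service in ssri",
           "https://github.com/advisories/GHSA-325j-24f4-qv5x", "high", "<=6.0.1")],
      ["cacache"], "<=6.0.1", true),
    cacache: entry("high", false, ["ssri"], ["pacote"], "10.0.4 - 11.0.0 || 7.0.0 - 9.3.0", true),
    pacote: entry("high", false, ["cacache", "ssri"], ["codesandbox"], "2.0.0 - 9.5.12", true),
    codesandbox: entry("high", true, ["axios", "pacote", "update-notifier"], [], ">=1.0.0", breakingFixSample),
  },
};

// Advisory objects in `via` are the package's own findings; strings are not.
function ownAdvisories(vuln) {
  return vuln.via.filter((v) => typeof v === "object");
}

// Walk `effects` upward until a direct dependency of the project is reached.
// `seen` guards against cycles; the result is the set of direct deps affected.
function affectedDirectDeps(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const v = vulns[name];
  if (v.isDirect || v.effects.length === 0) return [name];
  const roots = new Set();
  for (const parent of v.effects) {
    for (const r of affectedDirectDeps(vulns, parent, seen)) roots.add(r);
  }
  return [...roots];
}

// One row per package that carries an advisory, most severe first.
function triage(report) {
  const vulns = report.vulnerabilities;
  const order = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };
  const rows = [];
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = ownAdvisories(v);
    if (advisories.length === 0) continue; // only transitively affected
    rows.push({
      name,
      severity: v.severity,
      range: v.range,
      reachedVia: affectedDirectDeps(vulns, name),
      advisories: advisories.map((a) => a.url),
      fixAvailable: v.fixAvailable !== false,
      breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
    });
  }
  return rows.sort((a, b) => order[a.severity] - order[b.severity] || a.name.localeCompare(b.name));
}

// Split rows into what `npm audit fix` handles, what needs `--force`, and what has no fix.
function summarize(rows) {
  return {
    nonBreaking: rows.filter((r) => r.fixAvailable && !r.breakingFix).map((r) => r.name),
    breaking: rows.filter((r) => r.breakingFix).map((r) => r.name),
    noFix: rows.filter((r) => !r.fixAvailable).map((r) => r.name),
  };
}

for (const r of triage(sampleAudit)) {
  const fix = r.breakingFix ? "needs --force" : r.fixAvailable ? "npm audit fix" : "no fix";
  console.log(`${r.severity.padEnd(8)} ${r.name} ${r.range}  via ${r.reachedVia.join(", ")}  [${fix}]`);
}
console.log(summarize(triage(sampleAudit)));
```

Run against a real report with `npm audit --json > audit.json` and load that object in place of `sampleAudit`. The `breaking` bucket is the part of the issue's question that only the package maintainer can settle, since it requires the package itself to move to a newer axios; the `nonBreaking` bucket is resolvable in the consuming project with a plain `npm audit fix`. Where a maintainer fix is not yet available, npm's `overrides` field in package.json can pin a transitive dependency such as follow-redirects to a patched range, at the cost of running the dependant against a version it was not tested with.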