
Fix Vulnerabilities

Open carterlasalle opened this issue 1 year ago • 3 comments

43 vulnerabilities (11 moderate, 22 high, 10 critical)

```text
# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via npm audit fix
node_modules/eslint/node_modules/ansi-regex
node_modules/friendly-errors-webpack-plugin/node_modules/string-width/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/cliui/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/string-width/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/wrap-ansi/node_modules/ansi-regex

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via npm audit fix
node_modules/async

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via npm audit fix --force
Will install @vue/[email protected], which is a breaking change
node_modules/ejs
  webpack-bundle-analyzer  1.3.0 - 3.9.0
  Depends on vulnerable versions of ejs
  node_modules/webpack-bundle-analyzer
    @vue/cli-service  <=5.0.0-rc.3
    Depends on vulnerable versions of @vue/cli-plugin-vuex
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of cssnano
    Depends on vulnerable versions of webpack-bundle-analyzer
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vue/cli-service
      @vue/cli-plugin-babel  4.0.0-alpha.0 - 4.5.19
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-babel
      @vue/cli-plugin-eslint  3.1.2 - 5.0.0-rc.3
      Depends on vulnerable versions of @vue/cli-service
      Depends on vulnerable versions of globby
      node_modules/@vue/cli-plugin-eslint
      @vue/cli-plugin-router  <=4.5.19
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-router
      @vue/cli-plugin-vuex  <=4.5.19
      Depends on vulnerable versions of @vue/cli-service
      node_modules/@vue/cli-plugin-vuex

electron  <=21.0.1
Severity: moderate
Depends on vulnerable versions of @electron/get
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/electron

eventsource  <1.1.1
Severity: critical
Exposure of Sensitive Information in eventsource - https://github.com/advisories/GHSA-6h5x-7c5m-7cr7
fix available via npm audit fix
node_modules/eventsource

follow-redirects  <1.14.8
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
fix available via npm audit fix
node_modules/follow-redirects

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install @vue/[email protected], which is a breaking change
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      @vue/cli-service  <=5.0.0-rc.3
      Depends on vulnerable versions of @vue/cli-plugin-vuex
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of webpack-bundle-analyzer
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service
        @vue/cli-plugin-babel  4.0.0-alpha.0 - 4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-babel
        @vue/cli-plugin-eslint  3.1.2 - 5.0.0-rc.3
        Depends on vulnerable versions of @vue/cli-service
        Depends on vulnerable versions of globby
        node_modules/@vue/cli-plugin-eslint
        @vue/cli-plugin-router  <=4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-router
        @vue/cli-plugin-vuex  <=4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-vuex
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/@electron/get
    electron  <=21.0.1
    Depends on vulnerable versions of @electron/get
    node_modules/electron
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        electron-builder  5.6.1 - 23.4.0
        Depends on vulnerable versions of update-notifier
        node_modules/electron-builder
        node_modules/vue-cli-plugin-electron-builder/node_modules/electron-builder
          vue-cli-plugin-electron-builder  >=1.0.0-alpha.1
          Depends on vulnerable versions of electron-builder
          node_modules/vue-cli-plugin-electron-builder

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via npm audit fix
node_modules/minimist

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via npm audit fix
node_modules/moment

node-forge  <=1.2.1
Severity: moderate
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-2r2c-g63r-vccr
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via npm audit fix --force
Will install @vue/[email protected], which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      @vue/cli-service  <=5.0.0-rc.3
      Depends on vulnerable versions of @vue/cli-plugin-vuex
      Depends on vulnerable versions of copy-webpack-plugin
      Depends on vulnerable versions of cssnano
      Depends on vulnerable versions of webpack-bundle-analyzer
      Depends on vulnerable versions of webpack-dev-server
      node_modules/@vue/cli-service
        @vue/cli-plugin-babel  4.0.0-alpha.0 - 4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-babel
        @vue/cli-plugin-eslint  3.1.2 - 5.0.0-rc.3
        Depends on vulnerable versions of @vue/cli-service
        Depends on vulnerable versions of globby
        node_modules/@vue/cli-plugin-eslint
        @vue/cli-plugin-router  <=4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-router
        @vue/cli-plugin-vuex  <=4.5.19
        Depends on vulnerable versions of @vue/cli-service
        node_modules/@vue/cli-plugin-vuex

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/@iconscout/unicons/node_modules/nth-check
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/@iconscout/unicons/node_modules/css-select
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/@iconscout/unicons/node_modules/svgo
    node_modules/svgo
      @iconscout/unicons  *
      Depends on vulnerable versions of svgo
      node_modules/@iconscout/unicons
        vue-unicons  1.3.1 - 1.4.1 || >=2.2.0
        Depends on vulnerable versions of @iconscout/unicons
        node_modules/vue-unicons
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          @intervolga/optimize-cssnano-plugin  >=1.0.2
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/@intervolga/optimize-cssnano-plugin
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            @vue/cli-service  <=5.0.0-rc.3
            Depends on vulnerable versions of @vue/cli-plugin-vuex
            Depends on vulnerable versions of copy-webpack-plugin
            Depends on vulnerable versions of cssnano
            Depends on vulnerable versions of webpack-bundle-analyzer
            Depends on vulnerable versions of webpack-dev-server
            node_modules/@vue/cli-service
              @vue/cli-plugin-babel  4.0.0-alpha.0 - 4.5.19
              Depends on vulnerable versions of @vue/cli-service
              node_modules/@vue/cli-plugin-babel
              @vue/cli-plugin-eslint  3.1.2 - 5.0.0-rc.3
              Depends on vulnerable versions of @vue/cli-service
              Depends on vulnerable versions of globby
              node_modules/@vue/cli-plugin-eslint
              @vue/cli-plugin-router  <=4.5.19
              Depends on vulnerable versions of @vue/cli-service
              node_modules/@vue/cli-plugin-router
              @vue/cli-plugin-vuex  <=4.5.19
              Depends on vulnerable versions of @vue/cli-service
              node_modules/@vue/cli-plugin-vuex

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via npm audit fix
node_modules/terser

url-parse  <=1.5.8
Severity: critical
Incorrect hostname / protocol due to unstripped leading control characters. - https://github.com/advisories/GHSA-jf5r-8hm2-f872
Authorization Bypass Through User-Controlled Key in url-parse - https://github.com/advisories/GHSA-hgjh-723h-mx2j
Authorization bypass in url-parse - https://github.com/advisories/GHSA-rqff-837h-mm52
Incorrect returned href via an '@' sign but no user info and hostname - https://github.com/advisories/GHSA-8v38-pw62-9cw2
fix available via npm audit fix
node_modules/url-parse

43 vulnerabilities (11 moderate, 22 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

carterlasalle avatar Oct 01 '22 22:10 carterlasalle

@RocketNinja15: Could you write a plain-text sentence or two explaining what this means? Could my computer be compromised by running DiffusionBee?

Itangalo avatar Oct 05 '22 20:10 Itangalo

> @RocketNinja15: Could you write a plain-text sentence or two explaining what this means? Could my computer be compromised by running DiffusionBee?

Not directly, but there are potential concerns related to the build. I'm not sure how it is packaged, so I can't confirm anything. You should be okay at the moment.

carterlasalle avatar Oct 07 '22 16:10 carterlasalle

To be even more clear, the far-reaching majority of NPM "vulnerabilities" are generally non-important things. That's because vulnerabilities are often related to build processes, tooling, etc.

I personally spy nothing concerning in this list.

Leland avatar Oct 08 '22 20:10 Leland
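Leland's point that most of these findings sit in build tooling can be checked mechanically rather than by eye. As an added example (not code from this issue or from the DiffusionBee project), the script below walks the `effects` chains in `npm audit --json` output (the `auditReportVersion` 2 format npm 7+ emits) back to direct dependencies and splits each finding by whether any chain ends in `dependencies` or only in `devDependencies`; the package.json and audit entries are a constructed sample shaped like the report above, not the project's real manifest or lockfile.

```javascript
// Added example: classify `npm audit --json` findings as runtime vs build-only.
// Constructed sample manifest, shaped like an Electron + Vue CLI app; not the project's own.
const pkg = {
  dependencies:    { "url-parse": "^1.5.0", "async": "^2.6.0" },
  devDependencies: { "electron": "^21.0.0", "@vue/cli-service": "~4.5.0", "minimist": "^1.2.0" },
};

// Constructed, trimmed `vulnerabilities` map as `npm audit --json` reports it (npm 7+):
// `isDirect` marks a package named in package.json; `effects` lists the dependents that are
// flagged only because they pull this package in.
const audit = {
  vulnerabilities: {
    "url-parse":     { severity: "critical", isDirect: true,  effects: [] },
    "async":         { severity: "high",     isDirect: true,  effects: [] },
    "minimist":      { severity: "critical", isDirect: true,  effects: [] },
    "got":           { severity: "moderate", isDirect: false, effects: ["@electron/get"] },
    "@electron/get": { severity: "moderate", isDirect: false, effects: ["electron"] },
    "electron":      { severity: "moderate", isDirect: true,  effects: [] },
    "ejs":           { severity: "critical", isDirect: false, effects: ["webpack-bundle-analyzer"] },
    "webpack-bundle-analyzer": { severity: "critical", isDirect: false, effects: ["@vue/cli-service"] },
    "@vue/cli-service":        { severity: "critical", isDirect: true,  effects: [] },
  },
};

// Follow `effects` upward until direct dependencies are reached. A shared `seen` set stops
// cycles and repeated walks; a root reached twice is still collected on its first visit.
function directRoots(name, vulns, seen = new Set()) {
  if (seen.has(name)) return new Set();
  seen.add(name);
  const entry = vulns[name];
  const roots = new Set(entry && entry.isDirect ? [name] : []);
  for (const dependent of (entry && entry.effects) || []) {
    for (const root of directRoots(dependent, vulns, seen)) roots.add(root);
  }
  return roots;
}

// Returns { runtime, buildOnly, unresolved }, each a sorted list of package names. A finding
// is "runtime" if any chain ends in `dependencies`, "buildOnly" if every chain ends in
// `devDependencies`, and "unresolved" if no direct dependency was found (audit data incomplete).
function classify(auditJson, manifest) {
  const vulns = auditJson.vulnerabilities;
  const prod = manifest.dependencies || {};
  const out = { runtime: [], buildOnly: [], unresolved: [] };
  for (const name of Object.keys(vulns)) {
    const roots = [...directRoots(name, vulns)];
    if (roots.length === 0) out.unresolved.push(name);
    else if (roots.some((r) => r in prod)) out.runtime.push(name);
    else out.buildOnly.push(name);
  }
  for (const bucket of Object.keys(out)) out[bucket].sort();
  return out;
}
```

On npm 8 and later, `npm audit --omit=dev` produces the production-only view directly; the walk above is for when you want to keep the full report and annotate each finding instead.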