staticman icon indicating copy to clipboard operation
staticman copied to clipboard

Published 20 hours ago • verified publisher icon eduardoboucas

fix security issues

Open JaderDias opened this issue 2 years ago • 0 comments

$ npm audit fix npm WARN old lockfile npm WARN old lockfile The package-lock.json file was created with an old version of npm, npm WARN old lockfile so supplemental metadata must be fetched from the registry. npm WARN old lockfile npm WARN old lockfile This is a one-time fix-up, please be patient... npm WARN old lockfile npm WARN audit fix [email protected] node_modules/fsevents/node_modules/tar npm WARN audit fix [email protected] is a bundled dependency of npm WARN audit fix [email protected] [email protected] at node_modules/fsevents npm WARN audit fix [email protected] It cannot be fixed automatically. npm WARN audit fix [email protected] Check for updates to the fsevents package. npm WARN audit fix [email protected] node_modules/fsevents/node_modules/rc/node_modules/minimist npm WARN audit fix [email protected] is a bundled dependency of npm WARN audit fix [email protected] [email protected] at node_modules/fsevents npm WARN audit fix [email protected] It cannot be fixed automatically. npm WARN audit fix [email protected] Check for updates to the fsevents package. npm WARN audit fix [email protected] node_modules/fsevents/node_modules/minimist npm WARN audit fix [email protected] is a bundled dependency of npm WARN audit fix [email protected] [email protected] at node_modules/fsevents npm WARN audit fix [email protected] It cannot be fixed automatically. npm WARN audit fix [email protected] Check for updates to the fsevents package. npm WARN audit fix [email protected] node_modules/fsevents/node_modules/ini npm WARN audit fix [email protected] is a bundled dependency of npm WARN audit fix [email protected] [email protected] at node_modules/fsevents npm WARN audit fix [email protected] It cannot be fixed automatically. npm WARN audit fix [email protected] Check for updates to the fsevents package. npm WARN audit fix [email protected] node_modules/fsevents/node_modules/mkdirp npm WARN audit fix [email protected] is a bundled dependency of npm WARN audit fix [email protected] [email protected] at node_modules/fsevents npm WARN audit fix [email protected] It cannot be fixed automatically. npm WARN audit fix [email protected] Check for updates to the fsevents package. npm WARN deprecated [email protected]: Please upgrade to kleur@3 or migrate to 'ansi-colors' if you prefer the old syntax. Visit https://github.com/lukeed/kleur/releases/tag/v3.0.0\ for migration path(s). npm WARN deprecated [email protected]: this library is no longer supported npm WARN deprecated [email protected]: use String.prototype.padStart() npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor. npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797) npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead. npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142 npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated [email protected]: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142 npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details. npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. npm WARN deprecated [email protected]: The gitlab package has found a new home in the @gitbeaker organization. For the latest gitlab node library, check out @gitbeaker/node. A full list of the features can be found here: https://github.com/jdalrymple/gitbeaker#readme npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated npm WARN deprecated @octokit/[email protected]: '@octokit/app' will be repurposed in future. Use '@octokit/auth-app' instead npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1021 packages, and audited 1022 packages in 28s

39 packages are looking for funding run npm fund for details

ajv <6.12.3 Severity: moderate Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw fix available via npm audit fix node_modules/table/node_modules/ajv table 3.7.10 - 4.0.2 Depends on vulnerable versions of ajv node_modules/table

braces <=2.3.0 Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/jest-cli/node_modules/braces node_modules/jest-config/node_modules/braces node_modules/jest-haste-map/node_modules/braces node_modules/jest-message-util/node_modules/braces node_modules/jest-runtime/node_modules/braces node_modules/test-exclude/node_modules/braces micromatch 0.2.0 - 2.3.11 Depends on vulnerable versions of braces Depends on vulnerable versions of parse-glob node_modules/jest-cli/node_modules/micromatch node_modules/jest-config/node_modules/micromatch node_modules/jest-haste-map/node_modules/micromatch node_modules/jest-message-util/node_modules/micromatch node_modules/jest-runtime/node_modules/micromatch node_modules/test-exclude/node_modules/micromatch jest-cli 0.10.2 - 24.8.0 Depends on vulnerable versions of jest-config Depends on vulnerable versions of jest-environment-jsdom Depends on vulnerable versions of jest-haste-map Depends on vulnerable versions of jest-message-util Depends on vulnerable versions of jest-resolve-dependencies Depends on vulnerable versions of jest-runner Depends on vulnerable versions of jest-runtime Depends on vulnerable versions of jest-snapshot Depends on vulnerable versions of jest-util Depends on vulnerable versions of micromatch Depends on vulnerable versions of node-notifier Depends on vulnerable versions of yargs node_modules/jest-cli jest 13.3.0-alpha.4eb0c908 - 23.6.0 Depends on vulnerable versions of jest-cli node_modules/jest jest-config 12.1.1-alpha.2935e14d - 25.5.4 Depends on vulnerable versions of babel-jest Depends on vulnerable versions of jest-environment-jsdom Depends on vulnerable versions of jest-environment-node Depends on vulnerable versions of jest-jasmine2 Depends on vulnerable versions of jest-util Depends on vulnerable versions of micromatch node_modules/jest-config jest-runner 21.0.0-alpha.1 - 22.4.4 || 23.4.0 - 23.6.0 Depends on vulnerable versions of jest-config Depends on vulnerable versions of jest-haste-map Depends on vulnerable versions of jest-jasmine2 Depends on vulnerable versions of jest-message-util Depends on vulnerable versions of jest-runtime Depends on vulnerable versions of jest-util node_modules/jest-runner jest-runtime 14.1.0 - 24.8.0 Depends on vulnerable versions of babel-plugin-istanbul Depends on vulnerable versions of jest-config Depends on vulnerable versions of jest-haste-map Depends on vulnerable versions of jest-message-util Depends on vulnerable versions of jest-snapshot Depends on vulnerable versions of jest-util Depends on vulnerable versions of micromatch Depends on vulnerable versions of yargs node_modules/jest-runtime jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0 Depends on vulnerable versions of micromatch Depends on vulnerable versions of sane node_modules/jest-haste-map jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16 Depends on vulnerable versions of micromatch node_modules/jest-message-util expect 21.0.0-beta.1 - 22.4.3 || 23.4.0 - 23.6.0 Depends on vulnerable versions of jest-message-util node_modules/expect jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0 Depends on vulnerable versions of expect Depends on vulnerable versions of jest-message-util Depends on vulnerable versions of jest-snapshot Depends on vulnerable versions of jest-util node_modules/jest-jasmine2 jest-snapshot 23.4.0 - 23.6.0 Depends on vulnerable versions of jest-message-util node_modules/jest-snapshot jest-resolve-dependencies 23.4.0 - 23.6.0 Depends on vulnerable versions of jest-snapshot node_modules/jest-resolve-dependencies jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0 Depends on vulnerable versions of jest-message-util node_modules/jest-util jest-environment-jsdom 10.0.2 - 25.5.0 Depends on vulnerable versions of jest-util Depends on vulnerable versions of jsdom node_modules/jest-environment-jsdom jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0 Depends on vulnerable versions of jest-util node_modules/jest-environment-node test-exclude <=4.2.3 Depends on vulnerable versions of micromatch node_modules/test-exclude babel-plugin-istanbul <=5.0.0 Depends on vulnerable versions of test-exclude node_modules/babel-plugin-istanbul babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16 Depends on vulnerable versions of babel-plugin-istanbul node_modules/babel-jest

convict <=6.2.2 Severity: critical Prototype Pollution in convict - https://github.com/advisories/GHSA-jjf5-wx3j-3fv7 Prototype Pollution in convict - https://github.com/advisories/GHSA-x2w5-725j-gf2g Depends on vulnerable versions of moment Depends on vulnerable versions of validator Depends on vulnerable versions of yargs-parser fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/convict

express-brute * Severity: high Rate Limiting Bypass in express-brute - https://github.com/advisories/GHSA-984p-xq9m-4rjw Depends on vulnerable versions of underscore No fix available node_modules/express-brute

glob-parent <=5.1.1 Severity: high Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/glob-base/node_modules/glob-parent node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/chokidar nodemon 1.3.5 - 2.0.16 || 2.0.18 Depends on vulnerable versions of chokidar Depends on vulnerable versions of update-notifier node_modules/nodemon glob-base * Depends on vulnerable versions of glob-parent node_modules/glob-base parse-glob >=2.1.0 Depends on vulnerable versions of glob-base node_modules/parse-glob

got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/got package-json <=6.5.0 Depends on vulnerable versions of got node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier

ini <1.3.6 Severity: high Prototype Pollution - https://github.com/advisories/GHSA-qqgx-2p2h-9c37 fix available via npm audit fix node_modules/ini

jsdom <=16.4.0 Severity: moderate Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/jsdom

merge <2.1.1 Severity: high Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/merge exec-sh <=0.3.1 Depends on vulnerable versions of merge node_modules/exec-sh sane 1.0.4 - 4.0.2 Depends on vulnerable versions of exec-sh Depends on vulnerable versions of watch node_modules/sane watch >=0.14.0 Depends on vulnerable versions of exec-sh node_modules/watch

minimist <=1.2.5 Severity: critical Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m fix available via npm audit fix node_modules/minimist node_modules/rc/node_modules/minimist mkdirp 0.4.1 - 0.5.1 Depends on vulnerable versions of minimist node_modules/mkdirp

moment <=2.29.3 Severity: high Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4 Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/convict/node_modules/moment

netmask <=2.0.0 Severity: critical Improper parsing of octal bytes in netmask - https://github.com/advisories/GHSA-4c7m-wxvm-r7gc netmask npm package vulnerable to octal input data - https://github.com/advisories/GHSA-pch5-whg9-qr2r fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/netmask pac-resolver <=4.2.0 Depends on vulnerable versions of netmask node_modules/pac-resolver pac-proxy-agent <=4.1.0 Depends on vulnerable versions of pac-resolver node_modules/pac-proxy-agent proxy-agent 1.1.0 - 4.0.1 Depends on vulnerable versions of pac-proxy-agent node_modules/proxy-agent mailgun-js >=0.6.8 Depends on vulnerable versions of proxy-agent node_modules/mailgun-js

node-notifier <8.0.1 Severity: moderate OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/node-notifier

parse-link-header <2.0.0 Severity: high Uncontrolled Resource Consumption in parse-link-header - https://github.com/advisories/GHSA-q674-xm3x-2926 fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/parse-link-header gitlab 3.0.0 - 4.5.1 Depends on vulnerable versions of parse-link-header node_modules/gitlab

shelljs <=0.8.4 Severity: high Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-4rq4-32rv-6wp6 Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-64g7-mvw6-v9qj fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/shelljs eslint 1.4.0 - 4.0.0-rc.0 Depends on vulnerable versions of shelljs node_modules/eslint eslint-plugin-import 1.0.0-beta.0 - 2.5.0 Depends on vulnerable versions of eslint node_modules/eslint-plugin-import standard 3.3.0 || 4.1.0 - 4.3.3 || 6.0.0 - 10.0.3 Depends on vulnerable versions of eslint Depends on vulnerable versions of eslint-plugin-import Depends on vulnerable versions of eslint-plugin-react node_modules/standard eslint-plugin-react 6.0.0-alpha.1 - 7.0.1 Depends on vulnerable versions of eslint node_modules/eslint-plugin-react

tar <=4.4.17 Severity: high Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9 Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw fix available via npm audit fix node_modules/tar

underscore 1.3.2 - 1.12.0 Severity: high Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq No fix available node_modules/underscore

validator <13.7.0 Severity: moderate Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5 fix available via npm audit fix node_modules/validator

yargs-parser 6.0.0 - 13.1.1 Severity: moderate Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp fix available via npm audit fix --force Will install [email protected], which is a breaking change node_modules/yargs-parser node_modules/yargs/node_modules/yargs-parser yargs 8.0.0-candidate.0 - 12.0.5 Depends on vulnerable versions of yargs-parser node_modules/yargs

59 vulnerabilities (12 low, 22 moderate, 21 high, 4 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues possible (including breaking changes), run: npm audit fix --force

Some issues need review, and may require choosing a different dependency.

JaderDias avatar Jul 21 '22 17:07 JaderDias