
npm security fixes

Open ardunster opened this issue 3 years ago • 1 comment

Hey, I was just getting ready to mess around in the docs some to get myself refamiliarized with IPFS before looking for things I might be able to tackle in the js-IPFS repo, and running npm install gives me 39 security vulnerabilities in this repository.

Are any of these under review for updating, etc? 19 of them npm considers high risk.

```text
ipfs-docs % npm audit
# npm audit report

css-what  <5.0.1
Severity: high
Denial of Service - https://npmjs.com/advisories/1754
fix available via `npm audit fix`
node_modules/css-what
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  node_modules/css-select
    svgo  >=1.0.0
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  >=4.0.0-nightly.2020.1.9
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  *
        Depends on vulnerable versions of postcss-normalize-url
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@vuepress/core/node_modules/glob-parent
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@vuepress/core/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 3.11.2
    Depends on vulnerable versions of chokidar
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
    @vuepress/core  <=1.8.2
    Depends on vulnerable versions of copy-webpack-plugin
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.8.2
      Depends on vulnerable versions of @vuepress/core
      node_modules/vuepress
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/markdown  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/markdown
          @vuepress/markdown-loader  *
          Depends on vulnerable versions of @vuepress/markdown
          node_modules/@vuepress/markdown-loader
        @vuepress/plugin-register-components  <=1.8.2
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container

normalize-url  <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix`
node_modules/normalize-url
node_modules/postcss-normalize-url/node_modules/normalize-url
  mini-css-extract-plugin  0.6.0 - 1.0.0
  Depends on vulnerable versions of normalize-url
  node_modules/mini-css-extract-plugin
  postcss-normalize-url  <=4.0.1
  Depends on vulnerable versions of normalize-url
  node_modules/postcss-normalize-url
    cssnano-preset-default  *
    Depends on vulnerable versions of postcss-normalize-url
    Depends on vulnerable versions of postcss-svgo
    node_modules/cssnano-preset-default
      cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
      Depends on vulnerable versions of cssnano-preset-default
      node_modules/cssnano
        optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.4 || 5.0.6
        Depends on vulnerable versions of cssnano
        node_modules/optimize-css-assets-webpack-plugin

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
No fix available
node_modules/trim-newlines
  meow  3.4.0 - 6.0.1
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    generate-robotstxt  5.0.1 - 8.0.0
    Depends on vulnerable versions of meow
    node_modules/generate-robotstxt
      vuepress-plugin-robots  *
      Depends on vulnerable versions of generate-robotstxt
      node_modules/vuepress-plugin-robots

url-regex  *
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1550
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/url-regex
  @jsdevtools/rehype-url-inspector  *
  Depends on vulnerable versions of url-regex
  node_modules/@jsdevtools/rehype-url-inspector
    rehype-url-inspector  >=2.0.0
    Depends on vulnerable versions of @jsdevtools/rehype-url-inspector
    node_modules/rehype-url-inspector
      all-relative  >=1.1.0
      Depends on vulnerable versions of rehype-url-inspector
      node_modules/all-relative
        vuepress-plugin-ipfs  >=1.0.2
        Depends on vulnerable versions of all-relative
        node_modules/vuepress-plugin-ipfs

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
No fix available
node_modules/yargs-parser
node_modules/yargs/node_modules/yargs-parser
  meow  3.4.0 - 6.0.1
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    generate-robotstxt  5.0.1 - 8.0.0
    Depends on vulnerable versions of meow
    node_modules/generate-robotstxt
      vuepress-plugin-robots  *
      Depends on vulnerable versions of generate-robotstxt
      node_modules/vuepress-plugin-robots
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    stylint  >=1.3.9
    Depends on vulnerable versions of yargs
    node_modules/stylint
      stylus-supremacy  *
      Depends on vulnerable versions of stylint
      node_modules/stylus-supremacy

39 vulnerabilities (4 low, 16 moderate, 19 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
```

ardunster, Jun 23 '21 03:06
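The report above mixes root-cause advisories (css-what, trim-newlines, ...) with packages that are only flagged because they depend on one, and the remediation differs per entry: plain `npm audit fix`, a breaking `--force` upgrade, or "No fix available". The following triage helper is an added example, not part of the issue or the ipfs-docs repository; it reads the `npm audit --json` (auditReportVersion 2) shape as I know it, and the embedded report is a constructed excerpt of a few entries from the text, with the `version` field of the breaking fix left as a placeholder.

```python
import json
from collections import defaultdict

# Constructed excerpt in the `npm audit --json` v2 shape (assumed format).
# Advisory ids, titles, URLs and ranges are taken from the report in the issue.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "css-what": {"name": "css-what", "severity": "high", "isDirect": False,
                     "via": [{"source": 1754, "title": "Denial of Service",
                              "url": "https://npmjs.com/advisories/1754",
                              "severity": "high", "range": "<5.0.1"}],
                     "fixAvailable": True},
        "glob-parent": {"name": "glob-parent", "severity": "moderate", "isDirect": False,
                        "via": [{"source": 1751, "title": "Regular expression denial of service",
                                 "url": "https://npmjs.com/advisories/1751",
                                 "severity": "moderate", "range": "<5.1.2"}],
                        # PLACEHOLDER version: the issue text does not show it
                        "fixAvailable": {"name": "vuepress", "version": "PLACEHOLDER",
                                         "isSemVerMajor": True}},
        "trim-newlines": {"name": "trim-newlines", "severity": "high", "isDirect": False,
                          "via": [{"source": 1753, "title": "Regular Expression Denial of Service",
                                   "url": "https://npmjs.com/advisories/1753",
                                   "severity": "high", "range": "<3.0.1 || =4.0.0"}],
                          "fixAvailable": False},
        # Entry vulnerable only through its dependencies: `via` holds package names.
        "meow": {"name": "meow", "severity": "high", "isDirect": False,
                 "via": ["trim-newlines", "yargs-parser"], "fixAvailable": False},
    },
})

def triage(report_json):
    """Group root-cause advisories by remediation path; entries that are only
    vulnerable through a dependency go to 'transitive-only'."""
    buckets = defaultdict(list)
    for name, v in json.loads(report_json)["vulnerabilities"].items():
        advisories = [a for a in v["via"] if isinstance(a, dict)]
        if not advisories:
            buckets["transitive-only"].append(name)
            continue
        fix = v["fixAvailable"]  # True, False, or a dict describing a major bump
        key = "auto-fix" if fix is True else "no-fix" if fix is False else "breaking-fix"
        buckets[key].append((name, v["severity"], advisories[0]["url"]))
    return dict(buckets)

def needs_review(report_json, min_severity=("high", "critical")):
    """Root causes npm cannot fix on its own and that sit at or above the given
    severity: the ones that need a maintainer decision (replace or accept)."""
    return [n for n, sev, _ in triage(report_json).get("no-fix", []) if sev in min_severity]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_REPORT).items():
        print(bucket, items)
    print("needs review:", needs_review(SAMPLE_REPORT))
```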

@cwaring , any chance you can take a look at this?

johnnymatthews, Jun 26 '21 15:06