npm-audit-action
npm audit run by test job
# npm audit report
@actions/core <=1.9.0
Severity: moderate
@actions/core has Delimiter Injection Vulnerability in exportVariable - https://github.com/advisories/GHSA-7r3h-m5j6-3q42
Environment Variable Injection in GitHub Actions - https://github.com/advisories/GHSA-mfwh-5m23-j46w
fix available via `npm audit fix`
node_modules/@actions/core
@babel/helpers <7.26.10
Severity: moderate
Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/helpers
@babel/runtime <7.26.10
Severity: moderate
Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/runtime
@babel/runtime-corejs3 <7.26.10
Severity: moderate
Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/runtime-corejs3
@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
@octokit/request <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install @octokit/[email protected], which is a breaking change
node_modules/@octokit/request
@octokit/graphql <=2.1.3 || 3.0.0 - 6.0.1
Depends on vulnerable versions of @octokit/request
node_modules/@octokit/graphql
@octokit/rest 16.0.0 - 16.43.2
Depends on vulnerable versions of @octokit/request
Depends on vulnerable versions of @octokit/request-error
Depends on vulnerable versions of lodash.set
node_modules/@octokit/rest
@actions/github <=2.2.0
Depends on vulnerable versions of @octokit/rest
node_modules/@actions/github
@octokit/request-error <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install @octokit/[email protected], which is a breaking change
node_modules/@octokit/request-error
acorn 5.5.0 - 5.7.3 || 6.0.0 - 6.4.0
Severity: high
Regular Expression Denial of Service in Acorn - https://github.com/advisories/GHSA-6chw-6frg-f759
Regular Expression Denial of Service in Acorn - https://github.com/advisories/GHSA-6chw-6frg-f759
fix available via `npm audit fix`
node_modules/acorn
node_modules/jsdom/node_modules/acorn
ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix`
node_modules/ajv
ansi-regex 3.0.0 || 4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
axios <=1.8.1
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/braces
micromatch <=4.0.7
Depends on vulnerable versions of braces
node_modules/micromatch
@jest/core <=25.5.4
Depends on vulnerable versions of @jest/reporters
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-resolve-dependencies
Depends on vulnerable versions of jest-runner
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of jest-watcher
Depends on vulnerable versions of micromatch
node_modules/@jest/core
jest-cli 23.5.0 - 24.9.0
Depends on vulnerable versions of @jest/core
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-util
node_modules/jest/node_modules/jest-cli
jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-cli
node_modules/jest
@jest/transform <=24.9.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
node_modules/@jest/transform
@jest/environment <=24.9.0
Depends on vulnerable versions of @jest/fake-timers
Depends on vulnerable versions of @jest/transform
node_modules/@jest/environment
jest-circus 20.1.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-each
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
node_modules/jest-circus
jest-runner 21.0.0-alpha.1 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-util
node_modules/jest-runner
babel-jest 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/transform
node_modules/babel-jest
jest-config 12.1.1-alpha.2935e14d - 25.5.4
Depends on vulnerable versions of @jest/test-sequencer
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-environment-jsdom
Depends on vulnerable versions of jest-environment-node
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
node_modules/jest-config
jest-runtime 18.1.0 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
node_modules/jest-runtime
jest-jasmine2 18.5.0-alpha.7da3df39 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-each
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
node_modules/jest-jasmine2
anymatch 1.2.0 - 2.0.0
Depends on vulnerable versions of micromatch
node_modules/anymatch
jest-haste-map 18.1.0 - 26.6.2
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
@jest/reporters <=26.4.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of @jest/transform
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of node-notifier
node_modules/@jest/reporters
@jest/test-sequencer <=24.9.0
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-runner
Depends on vulnerable versions of jest-runtime
node_modules/@jest/test-sequencer
sane 1.5.0 - 4.1.0
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of micromatch
node_modules/sane
jest-message-util 18.5.0-alpha.7da3df39 - 24.9.0
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
@jest/fake-timers <=24.9.0
Depends on vulnerable versions of jest-message-util
node_modules/@jest/fake-timers
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of @jest/fake-timers
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of jsdom
node_modules/jest-environment-jsdom
jest-environment-node 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/environment
Depends on vulnerable versions of @jest/fake-timers
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
jest-util 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of @jest/fake-timers
node_modules/jest-util
jest-each 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-util
node_modules/jest-each
jest-watcher 24.2.0-alpha.0 - 24.9.0
Depends on vulnerable versions of jest-util
node_modules/jest-watcher
expect 21.0.0-beta.1 - 24.9.0
Depends on vulnerable versions of jest-message-util
node_modules/expect
jest-snapshot 23.3.0 - 24.9.0
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-message-util
node_modules/jest-snapshot
jest-resolve-dependencies 23.3.0 - 24.9.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
cross-fetch <=2.2.5 || 3.0.0 - 3.0.5
Severity: moderate
Incorrect Authorization in cross-fetch - https://github.com/advisories/GHSA-7gc6-qh9x-w6h8
Depends on vulnerable versions of node-fetch
fix available via `npm audit fix`
node_modules/cross-fetch
graphql-request 1.4.0 - 1.8.2
Depends on vulnerable versions of cross-fetch
node_modules/graphql-request
graphql-config 0.0.0-experimental.0 || 1.0.8 - 3.0.0-rc.3
Depends on vulnerable versions of graphql-request
node_modules/graphql-config
eslint-plugin-graphql 1.5.0 - 3.1.1
Depends on vulnerable versions of graphql-config
node_modules/eslint-plugin-graphql
cross-spawn <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
debug 4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix`
node_modules/debug
node_modules/fsevents/node_modules/debug
decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
follow-redirects <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/follow-redirects
fsevents <=1.2.10
Severity: critical
Malware in fsevents - https://github.com/advisories/GHSA-xv2f-5jw4-v95m
Code injection in fsevents - https://github.com/advisories/GHSA-8r6j-v8pm-fqw3
fix available via `npm audit fix`
node_modules/fsevents
handlebars <=4.7.6
Severity: critical
Remote code execution in handlebars when compiling templates - https://github.com/advisories/GHSA-f2jv-r9rf-7988
Prototype Pollution in handlebars - https://github.com/advisories/GHSA-765h-qjxv-5f44
Depends on vulnerable versions of optimist
fix available via `npm audit fix`
node_modules/handlebars
hosted-git-info <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info
ini <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/fsevents/node_modules/ini
json-schema <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim
json5 2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5
kind-of 6.0.0 - 6.0.2
Severity: high
Validation Bypass in kind-of - https://github.com/advisories/GHSA-6c8f-qphg-qjgp
fix available via `npm audit fix`
node_modules/kind-of
lodash <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/lodash
lodash.set *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash.set
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/fsevents/node_modules/minimatch
node_modules/minimatch
minimist <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/@cnakazawa/watch/node_modules/minimist
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
node_modules/json5/node_modules/minimist
node_modules/minimist
node_modules/sane/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/fsevents/node_modules/mkdirp
node_modules/mkdirp
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
node-fetch <=2.6.6
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
fix available via `npm audit fix`
node_modules/@octokit/request/node_modules/node-fetch
node_modules/node-fetch
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-notifier
path-parse <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse
qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
jsdom 0.1.20 || 0.2.0 - 16.5.3
Depends on vulnerable versions of request
Depends on vulnerable versions of tough-cookie
node_modules/jsdom
semver <5.7.2 || >=6.0.0 <6.3.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/cross-spawn/node_modules/semver
node_modules/eslint-plugin-github/node_modules/semver
node_modules/eslint-plugin-jest/node_modules/semver
node_modules/eslint/node_modules/semver
node_modules/fsevents/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/semver
node_modules/ts-jest/node_modules/semver
@typescript-eslint/typescript-estree <=2.0.0-alpha.6
Depends on vulnerable versions of semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/typescript-estree
node_modules/eslint-plugin-github/node_modules/@typescript-eslint/typescript-estree
node_modules/eslint-plugin-jest/node_modules/@typescript-eslint/typescript-estree
@typescript-eslint/experimental-utils <=2.0.0-alpha.6
Depends on vulnerable versions of @typescript-eslint/typescript-estree
node_modules/@typescript-eslint/eslint-plugin/node_modules/@typescript-eslint/experimental-utils
node_modules/eslint-plugin-github/node_modules/@typescript-eslint/experimental-utils
node_modules/eslint-plugin-jest/node_modules/@typescript-eslint/experimental-utils
@typescript-eslint/eslint-plugin 1.7.1-alpha.0 - 2.0.0-alpha.6
Depends on vulnerable versions of @typescript-eslint/experimental-utils
node_modules/@typescript-eslint/eslint-plugin
@typescript-eslint/parser 0.2.1-alpha.1 - 2.0.0-alpha.6
Depends on vulnerable versions of @typescript-eslint/experimental-utils
Depends on vulnerable versions of @typescript-eslint/typescript-estree
node_modules/eslint-plugin-github/node_modules/@typescript-eslint/parser
eslint-plugin-github 1.9.0 - 3.2.0
Depends on vulnerable versions of @typescript-eslint/parser
node_modules/eslint-plugin-github
eslint-plugin-jest 22.6.2 || 22.13.1 - 22.21.0
Depends on vulnerable versions of @typescript-eslint/experimental-utils
node_modules/eslint-plugin-jest
tar <=6.2.0
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/fsevents/node_modules/tar
tmpl <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
request-promise-native >=1.0.6
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
ws 2.1.0 - 5.2.3
Severity: high
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
y18n 4.0.0
Severity: high
Prototype Pollution in y18n - https://github.com/advisories/GHSA-c4w7-xm78-47vh
fix available via `npm audit fix`
node_modules/y18n
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ts-jest/node_modules/yargs-parser
node_modules/yargs-parser
ts-jest 23.10.0-beta.1 - 25.2.0
Depends on vulnerable versions of yargs-parser
node_modules/ts-jest
86 vulnerabilities (1 low, 49 moderate, 28 high, 8 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force