
Dependency Updates Analysis

Open ChrisHuie opened this issue 3 years ago • 1 comment

Open issue for current npm and yarn warnings. Included both, since many feel npm audit is flawed, such as in (https://overreacted.io/npm-audit-broken-by-design/).

Going through each of these and fixing them or documenting why they are not relevant, such as a gulp issue coming up -> https://github.com/gulpjs/gulp/issues/2611

Yarn Dependency Warnings

warning [email protected]: Please use [email protected] or later for an important security patch
warning @wdio/browserstack-service > got > @types/cacheable-request > @types/[email protected]: This is a stub types definition. responselike provides its own type definitions, so you do not need this installed.
warning @wdio/spec-reporter > @types/[email protected]: This is a stub types definition. easy-table provides its own type definitions, so you do not need this installed.
warning babel-register > [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
warning babel-register > babel-runtime > [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
warning coveralls > [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
warning coveralls > request > [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
warning coveralls > request > [email protected]: this library is no longer supported
warning fs.extra > [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
warning fs.extra > fs-extra > [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
warning gulp > glob-watcher > [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
warning gulp > glob-watcher > chokidar > [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
warning gulp > glob-watcher > anymatch > micromatch > snapdragon > [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
warning gulp > glob-watcher > anymatch > micromatch > snapdragon > source-map-resolve > [email protected]: https://github.com/lydell/resolve-url#deprecated
warning gulp > glob-watcher > anymatch > micromatch > snapdragon > source-map-resolve > [email protected]: See https://github.com/lydell/source-map-url#deprecated
warning gulp > glob-watcher > anymatch > micromatch > snapdragon > source-map-resolve > [email protected]: Please see https://github.com/lydell/urix#deprecated
warning gulp-clean > [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
warning gulp-eslint > eslint > file-entry-cache > flat-cache > [email protected]: CircularJSON is in maintenance only, flatted is its successor.
warning gulp-sourcemaps > css > [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
warning [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
warning [email protected]: This module is no longer maintained, try this instead: npm i nyc Visit https://istanbul.js.org/integrations for other alternatives.
warning mocha > [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
warning sinon > @sinonjs/formatio > [email protected]: This package has been deprecated in favour of @sinonjs/samsam
warning url > [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
[3/5] 🚚 Fetching packages...
error @wdio/[email protected]: The engine "node" is incompatible with this module. Expected version ">=12.0.0 <16". Got "16.13.0"
error Found incompatible module.

NPM Dependency Warnings

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via npm audit fix
node_modules/gulp-eslint/node_modules/ajv
  ajv-keywords  2.1.1
  Depends on vulnerable versions of ajv
  node_modules/gulp-eslint/node_modules/ajv-keywords
  eslint  2.5.0 - 2.5.2 || 4.2.0 - 5.0.0-rc.0
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of table
  node_modules/gulp-eslint/node_modules/eslint
  table  3.7.10 - 4.0.2
  Depends on vulnerable versions of ajv
  node_modules/gulp-eslint/node_modules/table

dset  <3.1.2
Severity: moderate
Prototype Pollution in dset - https://github.com/advisories/GHSA-23wx-cgxq-vpwx
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/dset

eslint-plugin-prebid  *
Severity: critical
Malware in eslint-plugin-prebid - https://github.com/advisories/GHSA-4j42-j635-h679
No fix available
node_modules/eslint-plugin-prebid
plugins/eslint

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/glob-watcher/node_modules/chokidar
    glob-watcher  >=3.0.0
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  >=4.0.0
      Depends on vulnerable versions of glob-watcher
      node_modules/gulp
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/vinyl-fs

lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/gulp-clean/node_modules/lodash.template
node_modules/gulp-util/node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  Depends on vulnerable versions of minimist
  node_modules/gulp-clean/node_modules/gulp-util
  node_modules/gulp-util
    gulp-clean  <=0.3.2
    Depends on vulnerable versions of gulp-util
    node_modules/gulp-clean

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/gulp-clean/node_modules/minimist
node_modules/mocha/node_modules/minimist
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  Depends on vulnerable versions of minimist
  node_modules/gulp-clean/node_modules/gulp-util
  node_modules/gulp-util
    gulp-clean  <=0.3.2
    Depends on vulnerable versions of gulp-util
    node_modules/gulp-clean
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mocha/node_modules/mkdirp
    mocha  1.21.5 - 6.2.2 || 7.0.0-esm1 - 7.1.0
    Depends on vulnerable versions of mkdirp
    node_modules/mocha

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/gulp-clean/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/gulp-clean/node_modules/meow

ChrisHuie avatar Sep 08 '22 17:09 ChrisHuie
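The triage the issue above does by hand (is a fix available, does it need a breaking `--force` bump, or is there no fix at all, as with eslint-plugin-prebid) can be automated over `npm audit --json`. This is an added example, not code from the issue or from Prebid.js; it assumes the npm 7+ JSON report shape (`vulnerabilities`, `via`, `fixAvailable`), the report is constructed to mirror three entries from the issue, and the glob-parent fix target (`gulp` at `X.Y.Z`) is a placeholder.

```javascript
// Added example, not code from the Prebid.js issue: triage an `npm audit --json`
// report (npm 7+, auditReportVersion 2) the way the issue does by hand.
// sampleReport is CONSTRUCTED to mirror three entries in the issue; the glob-parent
// fix target ('gulp' at 'X.Y.Z') is a placeholder, not a real package version.
const sampleReport = {
  vulnerabilities: {
    ajv: {
      name: 'ajv', severity: 'moderate', isDirect: false, range: '<6.12.3',
      via: [{ url: 'https://github.com/advisories/GHSA-v88g-cgmw-v5xw' }],
      effects: ['ajv-keywords', 'eslint', 'table'], fixAvailable: true,
    },
    'glob-parent': {
      name: 'glob-parent', severity: 'high', isDirect: false, range: '<5.1.2',
      via: [{ url: 'https://github.com/advisories/GHSA-ww39-953v-wcq6' }],
      effects: ['chokidar', 'glob-stream'],
      fixAvailable: { name: 'gulp', version: 'X.Y.Z', isSemVerMajor: true },
    },
    'eslint-plugin-prebid': {
      name: 'eslint-plugin-prebid', severity: 'critical', isDirect: true, range: '*',
      via: [{ url: 'https://github.com/advisories/GHSA-4j42-j635-h679' }],
      effects: [], fixAvailable: false,
    },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// 'auto' = plain `npm audit fix`; 'breaking' = needs --force and a semver-major
// bump (npm's "which is a breaking change"); 'none' = no fix published.
function fixClass(v) {
  if (v.fixAvailable === true) return 'auto';
  if (v.fixAvailable && v.fixAvailable.isSemVerMajor) return 'breaking';
  return v.fixAvailable ? 'auto' : 'none';
}

// Object entries in `via` are advisories; strings just name another vulnerable package.
function advisoryUrls(v) {
  return v.via.filter(x => typeof x === 'object').map(x => x.url);
}

// All findings, plus the subset that should fail a CI audit gate: severity at or
// above minSeverity and not fixable by a non-breaking `npm audit fix`.
function triage(report, minSeverity = 'high') {
  const rows = Object.values(report.vulnerabilities).map(v => ({
    name: v.name, severity: v.severity, range: v.range, direct: !!v.isDirect,
    fix: fixClass(v), advisories: advisoryUrls(v), affects: v.effects,
  }));
  const blocking = rows.filter(r =>
    SEVERITY_RANK[r.severity] >= SEVERITY_RANK[minSeverity] && r.fix !== 'auto');
  return { rows, blocking };
}
```

With the constructed report, `triage(sampleReport).blocking` names glob-parent (high, breaking fix) and eslint-plugin-prebid (critical, no fix), while ajv drops out because a non-breaking fix exists.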

@ChrisHuie I moved dset into its own issue

patmmccann avatar Sep 08 '22 18:09 patmmccann