
NPM reported high severity vulnerability

Open paulober opened this issue 3 years ago • 1 comment

  • [x] I have searched for similar issues in this repository, but couldn't find one.
  • [x] I have read the README and have a basic understanding how angular works.

I'm submitting a...

  • [ ] Regression (a behavior that used to work and stopped working in a new release)
  • [x] Bug report  
  • [ ] Feature request

Current behavior

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    help-me  1.0.0 - 1.1.0
    Depends on vulnerable versions of glob-stream
    node_modules/help-me
      mqtt  1.14.1 - 4.2.6
      Depends on vulnerable versions of help-me
      node_modules/mqtt
        mqtt-browser  *
        Depends on vulnerable versions of mqtt
        node_modules/mqtt-browser
          ngx-mqtt  >=9.0.0
          Depends on vulnerable versions of mqtt-browser
          node_modules/ngx-mqtt

6 high severity vulnerabilities

Expected behavior

No DoS warning on installation.

ng new my-app (default angular template without anything else)

What is the motivation / use case for changing the behavior?

I think that's obvious...

Environment

Newest angular template with css and without router
- npm install ngx-mqtt --save

paulober avatar Dec 29 '21 16:12 paulober

Same here!

Error:

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
    help-me  1.0.0 - 1.1.0
    Depends on vulnerable versions of glob-stream
    node_modules/help-me
      mqtt  1.14.1 - 4.2.6
      Depends on vulnerable versions of help-me
      node_modules/mqtt
        mqtt-browser  *
        Depends on vulnerable versions of mqtt
        node_modules/mqtt-browser
          ngx-mqtt  >=9.0.0
          Depends on vulnerable versions of mqtt-browser
          node_modules/ngx-mqtt

6 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

System Info:

Ionic:

   Ionic CLI                     : 6.20.1 (/usr/local/lib/node_modules/@ionic/cli)
   Ionic Framework               : @ionic/angular 6.3.3
   @angular-devkit/build-angular : 13.3.9
   @angular-devkit/schematics    : 13.3.9
   @angular/cli                  : 13.3.9
   @ionic/angular-toolkit        : 6.1.0

Capacitor:

   Capacitor CLI      : 4.4.0
   @capacitor/android : not installed
   @capacitor/core    : 4.4.0
   @capacitor/ios     : not installed

Utility:

   cordova-res : not installed globally
   native-run  : 1.7.1

System:

   NodeJS : v14.20.1 (.nvm/versions/node/v14.20.1/bin/node)
   npm    : 8.19.2
   OS     : Linux 5.15

armand-carreras avatar Oct 31 '22 16:10 armand-carreras
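As an added example (not code from the ngx-mqtt project or from either commenter), the JavaScript below walks the machine-readable form of the report above, `npm audit --json`, from the glob-parent advisory to the direct dependency that pulls it in, so a maintainer can see which top-level package needs updating before reaching for `npm audit fix --force`. The sample report is constructed to mirror the chain in this issue and assumes the auditReportVersion 2 layout with `via`, `effects` and `isDirect` fields.

```javascript
// Constructed sample mirroring the chain reported in this issue.
// Real reports carry more fields (nodes, fixAvailable, ...); only the
// ones the walker uses are included here.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      via: [{ name: "glob-parent", title: "Regular expression denial of service",
              url: "https://github.com/advisories/GHSA-ww39-953v-wcq6",
              severity: "high", range: "<5.1.2" }],
      effects: ["glob-stream"],
    },
    "glob-stream":  { name: "glob-stream",  severity: "high", isDirect: false, range: "5.3.0 - 6.1.0", via: ["glob-parent"], effects: ["help-me"] },
    "help-me":      { name: "help-me",      severity: "high", isDirect: false, range: "1.0.0 - 1.1.0", via: ["glob-stream"], effects: ["mqtt"] },
    "mqtt":         { name: "mqtt",         severity: "high", isDirect: false, range: "1.14.1 - 4.2.6", via: ["help-me"], effects: ["mqtt-browser"] },
    "mqtt-browser": { name: "mqtt-browser", severity: "high", isDirect: false, range: "*", via: ["mqtt"], effects: ["ngx-mqtt"] },
    "ngx-mqtt":     { name: "ngx-mqtt",     severity: "high", isDirect: true,  range: ">=9.0.0", via: ["mqtt-browser"], effects: [] },
  },
};

// Packages whose `via` contains an advisory object (not just a package name)
// hold the vulnerable code; every other entry is affected only transitively.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).filter(v =>
    v.via.some(entry => typeof entry === "object"));
}

// Depth-first walk along `effects` until a direct dependency is reached.
// Returns one "a > b > c" path per direct dependency; re-visiting a package
// already on the current path is treated as a cycle and stops the walk.
function pathsToDirectDeps(report, name, path = []) {
  if (path.includes(name)) return [];
  const entry = report.vulnerabilities[name];
  if (!entry) return [];
  const here = [...path, name];
  if (entry.isDirect || entry.effects.length === 0) return [here.join(" > ")];
  return entry.effects.flatMap(next => pathsToDirectDeps(report, next, here));
}

// One summary record per real advisory: where it lives, how bad it is,
// and which direct dependencies drag it into the project.
function summarize(report) {
  return rootAdvisories(report).map(v => ({
    advisory: v.via.find(e => typeof e === "object").url,
    severity: v.severity,
    vulnerableRange: v.range,
    chains: pathsToDirectDeps(report, v.name),
  }));
}

console.log(JSON.stringify(summarize(sampleAudit), null, 2));
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleAudit`.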