surge
Vulnerable Libraries - [email protected] upgrade to: >=0.9.0
https://github.com/advisories/GHSA-xvch-5gv4-984h https://github.com/advisories/GHSA-93q8-gq69-wqmw
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cli-table3/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/inquirer/node_modules/string-width/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/cli-table3/node_modules/strip-ansi
node_modules/inquirer/node_modules/string-width/node_modules/strip-ansi
node_modules/inquirer/node_modules/strip-ansi
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/inquirer
surge >=0.10.0
Depends on vulnerable versions of cli-table3
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of minimist
node_modules/surge
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/cli-table3/node_modules/string-width
node_modules/inquirer/node_modules/string-width
cli-table3 0.5.0 - 0.5.1
Depends on vulnerable versions of string-width
node_modules/cli-table3
minimist <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/minimist
node_modules/surge/node_modules/minimist
surge >=0.10.0
Depends on vulnerable versions of cli-table3
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of minimist
node_modules/surge
7 vulnerabilities (5 moderate, 2 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Fix in https://github.com/sintaxi/surge/pull/473
I use surge to deploy the documentation for the @bevry packages; this has caused all the bevry packages to be marked as insecure.
Thanks for reporting. Looking into it.