
Output with errors on npm audit fix --force

Open catafest-work opened this issue 2 years ago • 0 comments

I tried to run this with `npm audit fix --force`, but I got errors about changes and updates. This is the output I got with these errors:

npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating gulp-jade to 0.1.0, which is a SemVer major change.
npm WARN audit Updating gulp-mocha to 7.0.2, which is a SemVer major change.
npm WARN audit Updating gulp to 3.9.1, which is a SemVer major change.
npm WARN audit Updating gulp-zip to 4.2.0, which is a SemVer major change.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: gulp-mocha@7.0.2
npm WARN Found: gulp@3.9.1
npm WARN node_modules/gulp
npm WARN   dev gulp@"3.9.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peerOptional gulp@">=4" from gulp-mocha@7.0.2
npm WARN node_modules/gulp-mocha
npm WARN   dev gulp-mocha@"7.0.2" from the root project
npm WARN
npm WARN Conflicting peer dependency: [email protected]
npm WARN node_modules/gulp
npm WARN   peerOptional gulp@">=4" from gulp-mocha@7.0.2
npm WARN   node_modules/gulp-mocha
npm WARN     dev gulp-mocha@"7.0.2" from the root project
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please update to at least constantinople 3.1.1
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (https://github.com/visionmedia/debug/issues/797)
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated [email protected]: Deprecated, use jstransformer

added 142 packages, removed 179 packages, changed 56 packages, and audited 1539 packages in 22s

141 packages are looking for funding
  run `npm fund` for details

# npm audit report

constantinople  <=3.1.0
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
Depends on vulnerable versions of uglify-js
No fix available
node_modules/constantinople
  jade  >=0.30.0
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  Depends on vulnerable versions of with
  node_modules/jade
    gulp-jade  *
    Depends on vulnerable versions of jade
    node_modules/gulp-jade

lodash  <=4.17.20
Severity: critical
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/globule/node_modules/lodash
  globule  <=1.1.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  0.4.0 - 1.0.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      glob-watcher  <=2.0.0
      Depends on vulnerable versions of gaze
      node_modules/glob-watcher

lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  node_modules/gulp/node_modules/gulp-util
    gulp  2.6.1 - 3.9.1
    Depends on vulnerable versions of gulp-util
    Depends on vulnerable versions of vinyl-fs
    node_modules/gulp

minimatch  <3.0.2
Severity: high
Regular Expression Denial of Service in minimatch - https://github.com/advisories/GHSA-hxm2-r34f-qmc5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-stream/node_modules/minimatch
node_modules/globule/node_modules/minimatch
  glob  3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob-stream/node_modules/glob
  node_modules/globule/node_modules/glob
    glob-stream  0.2.0 - 5.2.0
    Depends on vulnerable versions of glob
    Depends on vulnerable versions of minimatch
    node_modules/glob-stream
      vinyl-fs  <=1.0.0
      Depends on vulnerable versions of glob-stream
      node_modules/vinyl-fs
        gulp  2.6.1 - 3.9.1
        Depends on vulnerable versions of gulp-util
        Depends on vulnerable versions of vinyl-fs
        node_modules/gulp
  globule  <=1.1.0
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  0.4.0 - 1.0.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      glob-watcher  <=2.0.0
      Depends on vulnerable versions of gaze
      node_modules/glob-watcher

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
No fix available
node_modules/transformers/node_modules/uglify-js
node_modules/uglify-js
node_modules/with/node_modules/uglify-js
  constantinople  <=3.1.0
  Depends on vulnerable versions of uglify-js
  node_modules/constantinople
    jade  >=0.30.0
    Depends on vulnerable versions of constantinople
    Depends on vulnerable versions of transformers
    Depends on vulnerable versions of with
    node_modules/jade
      gulp-jade  *
      Depends on vulnerable versions of jade
      node_modules/gulp-jade
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers
  with  1.1.0 - 2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/with

17 vulnerabilities (7 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

catafest-work, Mar 31 '22 09:03
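The report above shows the three situations `npm audit` can put a package in: a fix that `npm audit fix` applies without breaking changes (lodash), a fix that needs `--force` because it installs a semver-major version (lodash.template, minimatch, which both resolve to a new gulp), and "No fix available" (constantinople, uglify-js), where the only remedy is to replace the direct dependency that pulls the vulnerable package in (here gulp-jade, via jade). The script below is an added example, not code from the issue or from the crossbuilder project: it triages the machine-readable `npm audit --json` output into those three buckets and walks each unfixable finding up to the direct dependency responsible, so the decision about `--force` can be made before running it. It assumes the `auditReportVersion: 2` JSON shape that npm 7 and later emit (vulnerabilities keyed by package name, each with `via`, `effects`, `isDirect`, `fixAvailable`); the sample report is constructed from the findings in the issue, and the gulp target version `4.0.0` in it is a placeholder, not a value taken from the page.

```javascript
// Added example (not from the issue or the crossbuilder project): triage an
// `npm audit --json` report before running `npm audit fix --force`, so you
// know in advance which fixes are safe, which are semver-major, and which
// vulnerable packages have no fix and can only go away by replacing the
// direct dependency that pulls them in.
//
// Assumed input shape: the `auditReportVersion: 2` document that npm 7+ prints
// for `npm audit --json` (vulnerabilities keyed by package name, each with
// via / effects / isDirect / fixAvailable). The sample below is constructed
// from the findings in the issue; the gulp target version is a placeholder.

const GHSA = 'https://github.com/advisories/';
const adv = (title, id, severity) => ({ title, url: GHSA + id, severity });
const vuln = (name, severity, fixAvailable, opts = {}) => ({
  name,
  severity,
  isDirect: opts.isDirect || false,
  via: opts.via || [],          // advisory objects, or names of vulnerable deps
  effects: opts.effects || [],  // packages that depend on this vulnerable one
  range: opts.range || '*',
  nodes: opts.nodes || [`node_modules/${name}`],
  fixAvailable,                 // false | true | { name, version, isSemVerMajor }
});

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    constantinople: vuln('constantinople', 'critical', false, {
      via: [adv('Sandbox Bypass Leading to Arbitrary Code Execution in constantinople',
                'GHSA-4vmm-mhcq-4x9j', 'critical'), 'uglify-js'],
      effects: ['jade'], range: '<=3.1.0' }),
    jade: vuln('jade', 'critical', false, {
      via: ['constantinople'], effects: ['gulp-jade'], range: '>=0.30.0' }),
    'gulp-jade': vuln('gulp-jade', 'critical', false, { via: ['jade'], isDirect: true }),
    lodash: vuln('lodash', 'critical', true, {
      via: [adv('Prototype Pollution in lodash', 'GHSA-jf85-cpcp-j695', 'critical')],
      effects: ['globule'], range: '<=4.17.20',
      nodes: ['node_modules/globule/node_modules/lodash'] }),
    // placeholder target version: the real one is whatever `npm audit` reports
    gulp: vuln('gulp', 'critical', { name: 'gulp', version: '4.0.0', isSemVerMajor: true }, {
      via: ['gulp-util', 'vinyl-fs'], isDirect: true, range: '2.6.1 - 3.9.1' }),
  },
};

// Split the report by what `npm audit fix` would do for each entry.
function triage(report) {
  const out = { safe: [], breaking: [], unfixable: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    // Only `via` objects carry an advisory; string entries mean "vulnerable
    // because it depends on that package".
    const advisories = v.via.filter((x) => typeof x === 'object').map((x) => x.url);
    const entry = { name: v.name, severity: v.severity, range: v.range,
                    direct: v.isDirect, advisories, paths: v.nodes };
    if (v.fixAvailable === false) out.unfixable.push(entry);
    else if (v.fixAvailable === true) out.safe.push(entry);
    else out.breaking.push({ ...entry,
      fix: `${v.fixAvailable.name}@${v.fixAvailable.version}`,
      semverMajor: !!v.fixAvailable.isSemVerMajor });
  }
  return out;
}

// Walk `effects` upward from a vulnerable package to the direct dependencies
// (package.json entries) that ultimately pull it in; those are what you have
// to replace when the report says "No fix available".
function directDependents(report, name) {
  const direct = [];
  const seen = new Set([name]);
  const queue = [name];
  while (queue.length) {
    const cur = queue.shift();
    const v = report.vulnerabilities[cur];
    if (!v) continue;                       // parent not in the report: stop here
    if (v.isDirect) { direct.push(cur); continue; }
    for (const parent of v.effects) {
      if (!seen.has(parent)) { seen.add(parent); queue.push(parent); }
    }
  }
  return direct;
}

// Human-readable summary, one line per finding.
function summarize(report) {
  const t = triage(report);
  const lines = [];
  for (const e of t.safe) lines.push(`fixable (npm audit fix): ${e.name} ${e.range} [${e.severity}]`);
  for (const e of t.breaking) lines.push(`breaking (--force -> ${e.fix}): ${e.name} ${e.range} [${e.severity}]`);
  for (const e of t.unfixable) {
    const roots = directDependents(report, e.name).filter((r) => r !== e.name);
    lines.push(`NO FIX: ${e.name} ${e.range} [${e.severity}]` +
      (e.direct ? ' (direct dependency)' : '') +
      (roots.length ? ` pulled in by direct dependency ${roots.join(', ')}` : ''));
  }
  return lines;
}

console.log(summarize(SAMPLE_REPORT).join('\n'));
```

To use it on a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json` (for example by reading it from stdin). The point of the `directDependents` walk is the same one the indented tree in the report makes by hand: constantinople has no fix, but it is only present because gulp-jade depends on jade, so the actionable item is swapping gulp-jade for a maintained pug-based plugin rather than anything `--force` can do.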