This repository was archived by the owner on Apr 18, 2024. It is now read-only.

npm audit found vulnerabilities #475

Open
@github-actions

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cliui/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/inquirer/node_modules/string-width/node_modules/ansi-regex
node_modules/log-update/node_modules/ansi-regex
node_modules/mocha-junit-reporter/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs-unparser/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/cliui/node_modules/strip-ansi
  node_modules/inquirer/node_modules/string-width/node_modules/strip-ansi
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/log-update/node_modules/strip-ansi
  node_modules/mocha-junit-reporter/node_modules/strip-ansi
  node_modules/wide-align/node_modules/strip-ansi
  node_modules/wrap-ansi/node_modules/strip-ansi
  node_modules/yargs-unparser/node_modules/strip-ansi
  node_modules/yargs/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/cliui
      yargs  10.1.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of string-width
      node_modules/yargs
      node_modules/yargs-unparser/node_modules/yargs
        mocha  6.0.0-0 - 8.2.1
        Depends on vulnerable versions of yargs
        Depends on vulnerable versions of yargs-unparser
        node_modules/mocha
          codeceptjs  >=2.0.1
          Depends on vulnerable versions of inquirer
          Depends on vulnerable versions of mocha
          Depends on vulnerable versions of mocha-junit-reporter
          node_modules/codeceptjs
        sass-graph  2.2.5 || 3.0.3 - 3.0.5
        Depends on vulnerable versions of yargs
        node_modules/sass-graph
          node-sass  4.14.1 - 7.0.0
          Depends on vulnerable versions of sass-graph
          node_modules/node-sass
        yargs-unparser  1.5.0 - 1.6.4
        Depends on vulnerable versions of yargs
        node_modules/yargs-unparser
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
    mocha-junit-reporter  1.17.0 - 2.0.0
    Depends on vulnerable versions of strip-ansi
    node_modules/mocha-junit-reporter
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui/node_modules/string-width
    node_modules/inquirer/node_modules/string-width
    node_modules/log-update/node_modules/string-width
    node_modules/wide-align/node_modules/string-width
    node_modules/wrap-ansi/node_modules/string-width
    node_modules/yargs-unparser/node_modules/string-width
    node_modules/yargs/node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/log-update/node_modules/wrap-ansi
      node_modules/wrap-ansi
        log-update  2.1.0 - 3.4.0
        Depends on vulnerable versions of wrap-ansi
        node_modules/log-update
          listr-update-renderer  >=0.5.0
          Depends on vulnerable versions of log-update
          node_modules/listr-update-renderer
            listr  >=0.14.3
            Depends on vulnerable versions of listr-update-renderer
            node_modules/listr
              lint-staged  9.0.0 - 10.1.7
              Depends on vulnerable versions of listr
              node_modules/lint-staged

follow-redirects  <1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix`
node_modules/follow-redirects

markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it
  jsdoc  3.2.0-dev - 3.6.7
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of marked
  node_modules/jsdoc

marked  <4.0.10
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsdoc/node_modules/marked
node_modules/marked
  dmd  0.3.7 - 0.3.17 || 2.0.2 - 6.0.0
  Depends on vulnerable versions of marked
  node_modules/dmd
    jsdoc-to-markdown  0.6.0 - 0.6.4 || 2.0.0-alpha.0 - 6.0.1
    Depends on vulnerable versions of dmd
    node_modules/jsdoc-to-markdown
  jsdoc  3.2.0-dev - 3.6.7
  Depends on vulnerable versions of markdown-it
  Depends on vulnerable versions of marked
  node_modules/jsdoc

nanoid  <3.1.31
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/nanoid
node_modules/postcss/node_modules/nanoid

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch

node-forge  <1.0.0
Severity: moderate
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.5.0 - 4.7.2
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/[email protected], which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

postcss  <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix`
node_modules/@types/cssnano/node_modules/postcss
  @types/cssnano  <=4.0.1
  Depends on vulnerable versions of postcss
  node_modules/@types/cssnano
    css-minimizer-webpack-plugin  3.2.0 - 3.3.0
    Depends on vulnerable versions of @types/cssnano
    node_modules/css-minimizer-webpack-plugin

36 vulnerabilities (30 moderate, 6 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
