
Vulnerabilities found when installing dependencies #70

Open
@jmdelfa

Description

Checked for duplicates

Yes - I've already checked

Is this a regression?

No - This is a new bug

Version

1.11.09

Describe the bug

Installing aerie-docs dependencies as described in https://github.com/NASA-AMMOS/aerie-docs/blob/develop/CONTRIBUTING.md

When running nvm install, I get a number of vulnerabilities (initially 105)
audited 1147 packages in 4.541s
200 packages are looking for funding
run npm fund for details
found 105 vulnerabilities (87 moderate, 18 high)
run npm audit fix to fix them, or npm audit for details

npm audit fix does not fix them. After updating multiple libraries, I get vulnerabilities down to 24
205 packages are looking for funding
run npm fund for details

24 vulnerabilities (10 moderate, 14 high)

To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
Run npm audit for details.

The output of npm audit fix is provided below:

Reproduction

No reproduction needed

Logs

up to date, audited 1165 packages in 3s

202 packages are looking for funding
  run `npm fund` for details

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  <=2.4.1
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/plugin-debug  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-debug
          @docusaurus/plugin-google-analytics  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-analytics
          @docusaurus/plugin-google-gtag  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-gtag
          @docusaurus/plugin-google-tag-manager  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-google-tag-manager
            @docusaurus/preset-classic  <=2.4.1
            Depends on vulnerable versions of @docusaurus/core
            Depends on vulnerable versions of @docusaurus/plugin-content-blog
            Depends on vulnerable versions of @docusaurus/plugin-content-docs
            Depends on vulnerable versions of @docusaurus/plugin-content-pages
            Depends on vulnerable versions of @docusaurus/plugin-debug
            Depends on vulnerable versions of @docusaurus/plugin-google-analytics
            Depends on vulnerable versions of @docusaurus/plugin-google-gtag
            Depends on vulnerable versions of @docusaurus/plugin-google-tag-manager
            Depends on vulnerable versions of @docusaurus/plugin-sitemap
            Depends on vulnerable versions of @docusaurus/theme-classic
            Depends on vulnerable versions of @docusaurus/theme-common
            Depends on vulnerable versions of @docusaurus/theme-search-algolia
            node_modules/@docusaurus/preset-classic
          @docusaurus/plugin-sitemap  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/plugin-sitemap
          @docusaurus/theme-mermaid  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-mermaid
          @docusaurus/theme-search-algolia  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/theme-common
          node_modules/@docusaurus/theme-search-algolia

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @docusaurus/mdx-loader  <=2.4.1
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@docusaurus/mdx-loader
        @docusaurus/plugin-content-blog  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-docs
        @docusaurus/plugin-content-pages  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        node_modules/@docusaurus/plugin-content-pages
        @docusaurus/theme-classic  <=2.4.1
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        Depends on vulnerable versions of @docusaurus/theme-common
        node_modules/@docusaurus/theme-classic
        @docusaurus/theme-common  <=2.4.1
        Depends on vulnerable versions of @docusaurus/mdx-loader
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        node_modules/@docusaurus/theme-common
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

23 vulnerabilities (9 moderate, 14 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing

System Info

Reference machine: Ubuntu 22 amd64 running as a guest on VMware Workstation 17 for Windows 10

Severity

Moderate
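The audit report quoted in the issue is a tree: each indented block is a package that depends on the vulnerable version one level up, and the deepest entries (here `@docusaurus/preset-classic`, `@docusaurus/theme-mermaid` and the other Docusaurus packages pinned `<=2.4.1`) are the dependencies the project itself declares. `npm audit fix` only rewrites the lock file, so where npm prints "No fix available" the remaining route is to upgrade those leaf packages to a release that no longer pulls in the vulnerable transitive dependency. The Node script below is an added example, not code from aerie-docs or Docusaurus: it parses the text layout shown above from a constructed, abridged excerpt of the same report and, for each advisory, lists the leaf packages and whether `npm audit fix` can resolve it. It assumes the npm 7+ text format exactly as quoted (two spaces between a package name and its vulnerable range, two-space indentation per level, and the keyword lines seen in the report); `npm audit --json` is the stable machine-readable form for automation.

```javascript
// Added example, not code from aerie-docs or Docusaurus. Parses the text form of
// an `npm audit` report (the npm 7+ layout quoted in the issue) and, for each
// advisory, finds the packages at the end of every "Depends on vulnerable
// versions of" chain: the dependencies the project declares itself.

// Constructed input: an abridged excerpt of the report quoted in the issue.
const SAMPLE_REPORT = `# npm audit report
got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        @docusaurus/core  <=2.4.1
        Depends on vulnerable versions of update-notifier
        node_modules/@docusaurus/core
          @docusaurus/preset-classic  <=2.4.1
          Depends on vulnerable versions of @docusaurus/core
          node_modules/@docusaurus/preset-classic

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via \`npm audit fix\`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse

23 vulnerabilities (9 moderate, 14 high)
`;

function parseAuditReport(text) {
  const advisories = [];
  let summary = null, current = null, stack = []; // advisory being read; entries on the indentation path
  for (const rawLine of text.split('\n')) {
    const line = rawLine.trimEnd();
    if (line === '' || line.startsWith('#')) continue;
    const indent = line.length - line.trimStart().length;
    const body = line.trim();
    const header = /^(\S+)  (\S.*)$/.exec(body); // "<package>  <range>": two spaces mark a chain node
    if (header) {
      const entry = { name: header[1], range: header[2], indent, dependsOn: [], path: null, children: [] };
      if (indent === 0) { // a new advisory block; the vulnerable package is the root
        current = { package: entry.name, severity: null, title: null, url: null, fix: null, root: entry };
        advisories.push(current);
        stack = [entry];
      } else { // deeper indentation = a dependant of the nearest shallower entry
        while (stack.length > 1 && stack[stack.length - 1].indent >= indent) stack.pop();
        stack[stack.length - 1].children.push(entry);
        stack.push(entry);
      }
      continue;
    }
    const total = /^(\d+) vulnerabilities/.exec(body);
    if (total) { summary = Number(total[1]); continue; }
    if (current === null) continue; // prose before the first advisory
    const top = stack[stack.length - 1];
    let m;
    if ((m = /^Severity: (\w+)$/.exec(body))) current.severity = m[1];
    else if (body === 'No fix available') current.fix = 'none';
    else if ((m = /^fix available via `(.+)`$/.exec(body))) current.fix = m[1];
    else if ((m = /^Depends on vulnerable versions of (\S+)$/.exec(body))) top.dependsOn.push(m[1]);
    else if (body.startsWith('node_modules/')) top.path = body;
    else if ((m = /^(.+) - (https:\/\/github\.com\/advisories\/\S+)$/.exec(body))) [current.title, current.url] = [m[1], m[2]];
  }
  return { advisories, summary };
}

// Every chain from the vulnerable package down to a leaf (a directly installed package), root first.
function dependencyChains(advisory) {
  const chains = [];
  (function walk(entry, trail) {
    const here = [...trail, entry.name];
    if (entry.children.length === 0) chains.push(here);
    entry.children.forEach((child) => walk(child, here));
  })(advisory.root, []);
  return chains;
}

// Split advisories into those `npm audit fix` resolves and those needing a direct dependency upgraded.
function triage(report) {
  const result = { fixable: [], needsUpgrade: [] };
  for (const adv of report.advisories) {
    const direct = [...new Set(dependencyChains(adv).map((c) => c[c.length - 1]))];
    const item = { package: adv.package, severity: adv.severity, direct };
    (adv.fix === 'none' ? result.needsUpgrade : result.fixable).push(item);
  }
  return result;
}

for (const item of triage(parseAuditReport(SAMPLE_REPORT)).needsUpgrade)
  console.log(`${item.package} (${item.severity}): no automatic fix; upgrade ${item.direct.join(', ')}`);
```

Run against the full report pasted in the issue, the `needsUpgrade` list for `got` resolves to the Docusaurus packages declared in `package.json`, which is what the "No fix available" line means in practice: the fix has to come from a Docusaurus release that no longer depends on `update-notifier`, not from `npm audit fix`. The `fixable` list (`trim` via `remark-parse`) is the part `npm audit fix` can handle on its own.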

Labels

build: Changes that affect the build system or external dependencies
security: A change that addresses a security concern