
npm dependencies should be updated and checked by CI automatically #685

Open
@tswfi

Description

$ npm audit
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/@storybook/core-common/node_modules/braces
node_modules/watchpack-chokidar2/node_modules/braces
  chokidar  1.3.0 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@storybook/core-common/node_modules/watchpack
        webpack  4.0.0-alpha.0 - 5.0.0-rc.6
        Depends on vulnerable versions of micromatch
        Depends on vulnerable versions of terser-webpack-plugin
        Depends on vulnerable versions of watchpack
        node_modules/@storybook/core-common/node_modules/webpack
          @storybook/core-common  <=6.5.17-alpha.0
          Depends on vulnerable versions of webpack
          node_modules/@storybook/core-common
          terser-webpack-plugin  <=2.2.1
          Depends on vulnerable versions of webpack
          node_modules/@storybook/core-common/node_modules/terser-webpack-plugin
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/@storybook/core-common/node_modules/micromatch
  node_modules/watchpack-chokidar2/node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/watchpack-chokidar2/node_modules/anymatch
    readdirp  2.2.0 - 2.2.1
    Depends on vulnerable versions of micromatch
    node_modules/watchpack-chokidar2/node_modules/readdirp

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix`
node_modules/cookie
  express  3.0.0-alpha1 - 4.21.1 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  node_modules/express

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn

elliptic  <=6.6.0
Severity: critical
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) - https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
fix available via `npm audit fix`
node_modules/elliptic

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/esbuild
node_modules/esbuild-loader/node_modules/esbuild
  @storybook/core  <=0.0.0-pr-30567-sha-f5452a43 || 6.5.17-alpha.0 - 8.5.7 || 8.6.0-alpha.0 - 8.6.0-beta.10
  Depends on vulnerable versions of esbuild
  node_modules/@storybook/core
    storybook  8.2.0-alpha.0 - 8.5.7 || 8.6.0-alpha.0 - 8.6.0-beta.10
    Depends on vulnerable versions of @storybook/core
    node_modules/storybook
  esbuild-loader  <=4.2.2
  Depends on vulnerable versions of esbuild
  node_modules/esbuild-loader

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix`
node_modules/http-proxy-middleware


nanoid  <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid

path-to-regexp  <0.1.12
Severity: high
Unpatched `path-to-regexp` ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via `npm audit fix`
node_modules/path-to-regexp

store2  <2.14.4
Severity: moderate
Cross Site Scripting vulnerability in store2 - https://github.com/advisories/GHSA-w5hq-hm5m-4548
fix available via `npm audit fix`
node_modules/store2

webpack-dev-middleware  <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
No fix available
node_modules/@storybook/manager-webpack5/node_modules/webpack-dev-middleware
  @storybook/manager-webpack5  <=6.5.17-alpha.0
  Depends on vulnerable versions of @storybook/core-common
  Depends on vulnerable versions of webpack-dev-middleware
  node_modules/@storybook/manager-webpack5

24 vulnerabilities (1 low, 10 moderate, 12 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

1 critical...
