search

Ananto30 / golpo-express

Backend of the Social Network - Golpo
https://golpo.vercel.app
4 stars 15 forks source link

Fix node modules/dependencies #10

Closed Ananto30 closed 3 years ago

Ananto30 commented 3 years ago

Context

Currently, there are some vulnerabilities in packages. If we do npm install we get the message 9 vulnerabilities (2 low, 6 moderate, 1 high). If we do npm audit we get this - 

# npm audit report

braces  <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
No fix available
node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      chokidar  1.0.0-rc1 - 2.1.8
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of glob-parent
      node_modules/chokidar
        babel-cli  *
        Depends on vulnerable versions of chokidar
        node_modules/babel-cli

glob-parent  <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    babel-cli  *
    Depends on vulnerable versions of chokidar
    node_modules/babel-cli
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch

ini  <1.3.6
Prototype Pollution - https://npmjs.com/advisories/1589
fix available via `npm audit fix`
node_modules/fsevents/node_modules/ini

tar  <=4.4.17 || 5.0.0 - 5.0.9 || 6.0.0 - 6.1.8
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1779
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1780
fix available via `npm audit fix`
node_modules/fsevents/node_modules/tar

10 vulnerabilities (3 low, 6 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Task

sagarchoudhary96 commented 3 years ago

can pick this up @Ananto30 ?

Ananto30 commented 3 years ago

Sure! Go on 🚀