search

Automattic / simplenote-electron

Simplenote for Web, Windows, and Linux
https://app.simplenote.com
GNU General Public License v2.0
4.83k stars 559 forks source link

Update vulnerable dependencies #3136

Closed vitorsr closed 6 months ago

vitorsr commented 1 year ago 
$ npm audit --package-lock-only
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

@sideway/formula  3.0.0
Severity: moderate
@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability - https://github.com/advisories/GHSA-c2jc-4fpr-4vhg
fix available via `npm audit fix`
node_modules/@sideway/formula

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.11.3, which is outside the stated dependency range
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

ansi-regex  3.0.0 || 4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/@adlk/misty/node_modules/ansi-regex
node_modules/@jest/core/node_modules/ansi-regex
node_modules/@wdio/logger/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/boxen/node_modules/ansi-regex
node_modules/cli-truncate/node_modules/ansi-regex
node_modules/electron-builder/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/jest-config/node_modules/ansi-regex
node_modules/jest-each/node_modules/ansi-regex
node_modules/jest-jasmine2/node_modules/ansi-regex
node_modules/jest-leak-detector/node_modules/ansi-regex
node_modules/jest-matcher-utils/node_modules/ansi-regex
node_modules/jest-message-util/node_modules/ansi-regex
node_modules/jest-runtime/node_modules/ansi-regex
node_modules/jest-snapshot/node_modules/ansi-regex
node_modules/jest-validate/node_modules/ansi-regex
node_modules/jest/node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/stylelint/node_modules/ansi-regex
node_modules/wide-align/node_modules/ansi-regex
node_modules/widest-line/node_modules/ansi-regex

async  2.0.0 - 2.6.3 || 3.0.0 - 3.2.1
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async
node_modules/portfinder/node_modules/async

axios  <=1.5.1
Severity: high
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

browserify-sign  2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/browserify-sign

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string

css-what  4.0.0 - 5.0.0
Severity: high
Denial of service in css-what - https://github.com/advisories/GHSA-q8pj-2vqx-8ggc
fix available via `npm audit fix`
node_modules/css-what
  cheerio-select-tmp  *
  Depends on vulnerable versions of css-select
  Depends on vulnerable versions of css-what
  node_modules/cheerio-select-tmp
    cheerio  1.0.0-rc.1 - 1.0.0-rc.5
    Depends on vulnerable versions of cheerio-select-tmp
    node_modules/cheerio
  css-select  <=3.1.2
  Depends on vulnerable versions of css-what
  Depends on vulnerable versions of nth-check
  node_modules/css-select
  node_modules/renderkid/node_modules/css-select
    renderkid  1.0.0 - 2.0.5
    Depends on vulnerable versions of css-select
    node_modules/renderkid

debug  4.0.0 - 4.3.0
Severity: moderate
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install debug@4.3.4, which is outside the stated dependency range
node_modules/debug

decode-uri-component  <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

dns-packet  <1.3.2
Severity: high
Potential memory exposure in dns-packet - https://github.com/advisories/GHSA-3wcq-x3mq-6r9p
fix available via `npm audit fix`
node_modules/dns-packet

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix`
node_modules/ejs

electron  <=22.3.24
Severity: high
Depends on vulnerable versions of @electron/get
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
Exfiltration of hashed SMB credentials on Windows via file:// redirect - https://github.com/advisories/GHSA-p2jh-44qj-pf2v
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API - https://github.com/advisories/GHSA-mpjm-v997-c4h4
Renderers can obtain access to random bluetooth device without permission in Electron - https://github.com/advisories/GHSA-3p22-ghq8-v749
Electron vulnerable to out-of-package code execution when launched with arbitrary cwd - https://github.com/advisories/GHSA-7x97-j373-85x5
Electron context isolation bypass via nested unserializable return value - https://github.com/advisories/GHSA-p7v2-p9m8-qqg7
Electron affected by libvpx's heap buffer overflow in vp8 encoding - https://github.com/advisories/GHSA-qqvq-6xgj-jw8g
fix available via `npm audit fix --force`
Will install electron@27.1.0, which is a breaking change
node_modules/electron

elliptic  <6.5.4
Severity: moderate
Elliptic Uses a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
fix available via `npm audit fix`
node_modules/elliptic

eventsource  <1.1.1
Severity: critical
Exposure of Sensitive Information in eventsource - https://github.com/advisories/GHSA-6h5x-7c5m-7cr7
fix available via `npm audit fix`
node_modules/eventsource

follow-redirects  <=1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
fix available via `npm audit fix`
node_modules/follow-redirects

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.11.3, which is outside the stated dependency range
node_modules/eslint/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/glob-parent
node_modules/watchpack/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    @adlk/misty  *
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of concurrently
    Depends on vulnerable versions of wait-on
    node_modules/@adlk/misty
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@27.1.0, which is a breaking change
node_modules/got
node_modules/webdriver/node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/@electron/get
    electron-chromedriver  9.0.0 - 20.0.0
    Depends on vulnerable versions of @electron/get
    node_modules/electron-chromedriver
      spectron  >=0.33.4
      Depends on vulnerable versions of electron-chromedriver
      Depends on vulnerable versions of request
      node_modules/spectron
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
        electron-builder  5.6.1 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        Depends on vulnerable versions of dmg-builder
        Depends on vulnerable versions of update-notifier
        node_modules/electron-builder

highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
Prototype Pollution in highlight.js - https://github.com/advisories/GHSA-vfrc-7r7c-w9mx
fix available via `npm audit fix --force`
Will install highlight.js@10.7.3, which is outside the stated dependency range
node_modules/highlight.js

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/http-cache-semantics

jsdom  <=16.5.3
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install jsdom@16.7.0, which is outside the stated dependency range
node_modules/jest-environment-jsdom/node_modules/jsdom
node_modules/jsdom

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5  <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/json5
node_modules/monaco-editor-webpack-plugin/node_modules/json5
node_modules/read-config-file/node_modules/json5
node_modules/sass-loader/node_modules/json5
node_modules/style-loader/node_modules/json5
node_modules/url-loader/node_modules/json5

jszip  <=3.7.1
Severity: high
JSZip contains Path Traversal via loadAsync - https://github.com/advisories/GHSA-36fh-84j7-cv5h
jszip Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-jg8v-48h5-wgxg
fix available via `npm audit fix --force`
Will install jszip@3.10.1, which is outside the stated dependency range
node_modules/jszip

loader-utils  <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via `npm audit fix`
node_modules/file-loader/node_modules/loader-utils
node_modules/loader-utils
node_modules/monaco-editor-webpack-plugin/node_modules/loader-utils
node_modules/sass-loader/node_modules/loader-utils
node_modules/style-loader/node_modules/loader-utils
node_modules/url-loader/node_modules/loader-utils

lodash  <=4.17.20
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix --force`
Will install lodash@4.17.21, which is outside the stated dependency range
node_modules/@restart/hooks/node_modules/lodash
node_modules/lodash
node_modules/pretty-error/node_modules/lodash
node_modules/renderkid/node_modules/lodash
node_modules/stylelint/node_modules/lodash
node_modules/wait-on/node_modules/lodash

lodash-es  <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/lodash-es

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install electron-builder@24.6.4, which is a breaking change
node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

node-fetch  <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
fix available via `npm audit fix --force`
Will install webpack-dev-server@3.11.3, which is outside the stated dependency range
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

node-sass  1.2.3 - 7.0.3
Severity: high
Improper Certificate Validation in node-sass - https://github.com/advisories/GHSA-r8f7-9pfq-mjmv
Depends on vulnerable versions of meow
Depends on vulnerable versions of node-gyp
Depends on vulnerable versions of request
Depends on vulnerable versions of sass-graph
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/node-sass

normalize-url  4.3.0 - 4.5.0
Severity: high
ReDoS in normalize-url - https://github.com/advisories/GHSA-px4h-xg32-q955
fix available via `npm audit fix`
node_modules/normalize-url

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
node_modules/renderkid/node_modules/nth-check

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

plist  <=3.0.4
Severity: critical
Prototype pollution in Plist before 3.0.5 can cause denial of service - https://github.com/advisories/GHSA-4cpg-3vgw-4877
Depends on vulnerable versions of xmldom
fix available via `npm audit fix`
node_modules/plist

postcss  <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

qs  6.5.0 - 6.5.2 || 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/body-parser/node_modules/qs
node_modules/express/node_modules/qs
node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/body-parser
  express  4.17.0 - 4.17.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of qs
  node_modules/express

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/request
  node-gyp  <=7.1.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/node-gyp
  wait-on  <=4.0.2
  Depends on vulnerable versions of request
  node_modules/@adlk/misty/node_modules/wait-on

scss-tokenizer  <=0.4.2
Severity: high
Regular expression denial of service in scss-tokenizer - https://github.com/advisories/GHSA-7mwh-4pqv-wmr8
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/scss-tokenizer
  sass-graph  2.2.0 - 4.0.0
  Depends on vulnerable versions of scss-tokenizer
  node_modules/sass-graph

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/plugin-transform-runtime/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/@electron/get/node_modules/semver
node_modules/app-builder-lib/node_modules/semver
node_modules/configstore/node_modules/semver
node_modules/core-js-compat/node_modules/semver
node_modules/cross-spawn/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/enzyme-adapter-react-16/node_modules/semver
node_modules/enzyme-adapter-utils/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/istanbul-lib-report/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/package-json/node_modules/semver
node_modules/semver
node_modules/semver-diff/node_modules/semver
node_modules/update-notifier/node_modules/semver
node_modules/webpack-dev-server/node_modules/semver
  core-js-compat  3.6.0 - 3.25.0
  Depends on vulnerable versions of semver
  node_modules/core-js-compat

semver-regex  <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install husky@4.3.8, which is outside the stated dependency range
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    husky  4.2.0 - 4.3.6
    Depends on vulnerable versions of find-versions
    node_modules/husky

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/ssri

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/tar

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser

tmpl  <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
  request-promise-native  >=1.0.6
  Depends on vulnerable versions of tough-cookie
  node_modules/request-promise-native

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install node-sass@9.0.0, which is a breaking change
node_modules/stylelint/node_modules/trim-newlines
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

ua-parser-js  <=0.7.32
Severity: high
Regular Expression Denial of Service (ReDoS) in ua-parser-js - https://github.com/advisories/GHSA-78cj-fxph-m83p
ReDoS Vulnerability in ua-parser-js version - https://github.com/advisories/GHSA-fhg7-m89q-25r3
fix available via `npm audit fix`
node_modules/ua-parser-js

url-parse  <=1.5.8
Severity: critical
Authorization bypass in url-parse - https://github.com/advisories/GHSA-rqff-837h-mm52
Open redirect in url-parse - https://github.com/advisories/GHSA-hh27-ffr2-f2jc
Path traversal in url-parse - https://github.com/advisories/GHSA-9m6j-fcg5-2442
Authorization Bypass Through User-Controlled Key in url-parse - https://github.com/advisories/GHSA-hgjh-723h-mx2j
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters. - https://github.com/advisories/GHSA-jf5r-8hm2-f872
url-parse Incorrectly parses URLs that include an '@' - https://github.com/advisories/GHSA-8v38-pw62-9cw2
fix available via `npm audit fix`
node_modules/url-parse

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/webpack-dev-server/node_modules/ws
node_modules/ws

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix`
node_modules/xmldom

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix`
node_modules/@adlk/misty/node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/@adlk/misty/node_modules/yargs
    concurrently  4.0.0 - 5.0.0
    Depends on vulnerable versions of yargs
    node_modules/@adlk/misty/node_modules/concurrently

91 vulnerabilities (1 low, 28 moderate, 52 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
codebykat commented 6 months ago

3183

vitorsr commented 5 months ago

Thanks for this and for all the great work on Simplenote, @codebykat.