Bottelet / DaybydayCRM

DaybydayCRM an open-source CRM, to help you keep track of your daily workflow.
https://daybydaycrm.com

potential security vulnerability #298

Open ranjit-git opened 2 years ago

ranjit-git commented 2 years ago

@Bottelet A potential security vulnerability has been disclosed for this repo. Please visit the report URL https://huntr.dev/bounties/5-other-Bottelet/DaybydayCRM/ to validate the bug. This bug has been open for a long time.

ptaylor2 commented 1 year ago

Have these bugs been fixed? Running Ubuntu 20.x

npm audit fix --force

Run npm audit for details.

apps:/var/www/apps.professionalsoftwaredevelopment.com/projectmanager# npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit fix minimatch@3.0.4 node_modules/fsevents/node_modules/minimatch
npm WARN audit fix minimatch@3.0.4   is a bundled dependency of
npm WARN audit fix minimatch@3.0.4   fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix minimatch@3.0.4   It cannot be fixed automatically.
npm WARN audit fix minimatch@3.0.4   Check for updates to the fsevents package.
npm WARN audit fix minimist@1.2.0 node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix minimist@1.2.0   is a bundled dependency of
npm WARN audit fix minimist@1.2.0   fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix minimist@1.2.0   It cannot be fixed automatically.
npm WARN audit fix minimist@1.2.0   Check for updates to the fsevents package.
npm WARN audit fix minimist@0.0.8 node_modules/fsevents/node_modules/minimist
npm WARN audit fix minimist@0.0.8   is a bundled dependency of
npm WARN audit fix minimist@0.0.8   fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix minimist@0.0.8   It cannot be fixed automatically.
npm WARN audit fix minimist@0.0.8   Check for updates to the fsevents package.
npm WARN audit fix tar@4.4.8 node_modules/fsevents/node_modules/tar
npm WARN audit fix tar@4.4.8   is a bundled dependency of
npm WARN audit fix tar@4.4.8   fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix tar@4.4.8   It cannot be fixed automatically.
npm WARN audit fix tar@4.4.8   Check for updates to the fsevents package.
npm WARN audit fix mkdirp@0.5.1 node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix mkdirp@0.5.1   is a bundled dependency of
npm WARN audit fix mkdirp@0.5.1   fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix mkdirp@0.5.1   It cannot be fixed automatically.
npm WARN audit fix mkdirp@0.5.1   Check for updates to the fsevents package.
npm WARN audit Updating axios to 1.1.3, which is a SemVer major change.
npm WARN audit Updating laravel-mix to 6.0.49, which is a SemVer major change.

added 346 packages, removed 285 packages, changed 359 packages, and audited 1131 packages in 18s

86 packages are looking for funding
  run npm fund for details

npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    watchpack  0.2.2 - 1.6.1
    Depends on vulnerable versions of chokidar
    node_modules/watchpack

loader-utils  <=1.4.1
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via npm audit fix --force
Will install resolve-url-loader@5.0.0, which is a breaking change
node_modules/loader-utils
  resolve-url-loader  1.0.3 - 2.0.0 || 3.0.1 - 4.0.0-beta.2
  Depends on vulnerable versions of loader-utils
  node_modules/resolve-url-loader

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/minimatch

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via npm audit fix
node_modules/minimist
node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via npm audit fix
node_modules/tar

9 vulnerabilities (1 moderate, 5 high, 3 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack

4 high severity vulnerabilities

To address all issues, run: npm audit fix
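The transcript above shows the three outcomes an npm audit can have, and they call for different handling: entries marked "fix available via npm audit fix" are a non-breaking bump, entries marked "fix available via npm audit fix --force" can only be closed by a semver-major change (here resolve-url-loader@5.0.0, plus the axios and laravel-mix majors the run pulled in), and the minimatch/minimist/tar/mkdirp copies bundled inside fsevents@1.2.9 "cannot be fixed automatically" at all and wait on a new fsevents release. The script below is an added example, not code from the DaybydayCRM project or from either commenter: it reads `npm audit --json` output (auditReportVersion 2, npm 7 and later) and sorts packages into those three buckets so the decision is made per finding instead of by a blanket `--force`. The embedded report is constructed to mirror entries from the issue and is not real output from that host; representing the bundled minimist copy with `fixAvailable: false` is an assumption about how such a case is reported.

```javascript
// Added example, not code from the DaybydayCRM project or from the commenters above.
// Triages `npm audit --json` output (auditReportVersion 2, npm >= 7) into the three
// outcomes seen in the transcript: fixable by plain `npm audit fix`, fixable only by
// `--force` (semver-major bump), and not fixable automatically (e.g. a copy bundled
// inside another package, like the fsevents@1.2.9 case).

const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

const adv = (name, title, ghsa) => ({ name, title, url: `https://github.com/advisories/${ghsa}` });

// CONSTRUCTED sample mirroring entries from the issue; not real output from that host.
// Assumption: the minimist copy bundled under fsevents is reported with fixAvailable: false.
const BREAKING = { name: "resolve-url-loader", version: "5.0.0", isSemVerMajor: true };
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": { name: "glob-parent", severity: "high", range: "<5.1.2", nodes: ["node_modules/glob-parent"],
      via: [adv("glob-parent", "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex", "GHSA-ww39-953v-wcq6")],
      effects: ["chokidar"], fixAvailable: true },
    chokidar: { name: "chokidar", severity: "high", range: "1.0.0-rc1 - 2.1.8", nodes: ["node_modules/chokidar"],
      via: ["glob-parent"], effects: ["watchpack"], fixAvailable: true },
    "loader-utils": { name: "loader-utils", severity: "critical", range: "<=1.4.1", nodes: ["node_modules/loader-utils"],
      via: [adv("loader-utils", "Prototype pollution in webpack loader-utils", "GHSA-76p3-8jx3-jpfq"),
            adv("loader-utils", "loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable", "GHSA-3rfm-jhwj-7488")],
      effects: ["resolve-url-loader"], fixAvailable: BREAKING },
    "resolve-url-loader": { name: "resolve-url-loader", severity: "critical", range: "1.0.3 - 2.0.0 || 3.0.1 - 4.0.0-beta.2",
      nodes: ["node_modules/resolve-url-loader"], via: ["loader-utils"], effects: [], fixAvailable: BREAKING },
    minimist: { name: "minimist", severity: "critical", range: "<=1.2.5", nodes: ["node_modules/fsevents/node_modules/minimist"],
      via: [adv("minimist", "Prototype Pollution in minimist", "GHSA-xvch-5gv4-984h")], effects: ["mkdirp"], fixAvailable: false },
    tar: { name: "tar", severity: "high", range: "<=4.4.17", nodes: ["node_modules/tar"],
      via: [adv("tar", "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "GHSA-3jfq-g458-7qm9")],
      effects: [], fixAvailable: true },
  },
};

// `via` mixes advisory objects (this package itself is vulnerable) with strings naming
// another vulnerable package this one merely depends on ("Depends on vulnerable versions of").
const rootAdvisories = (vuln) => vuln.via.filter((x) => typeof x === "object" && x !== null);

function classifyVulnerabilities(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected npm audit JSON v2 (npm >= 7)");
  const buckets = { safeFix: [], breakingFix: [], noAutoFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const entry = {
      name: v.name, severity: v.severity, range: v.range, nodes: v.nodes,
      advisories: rootAdvisories(v).map((a) => a.url),
      dependsOn: v.via.filter((x) => typeof x === "string"),
    };
    const fix = v.fixAvailable;
    if (fix === true) {
      buckets.safeFix.push(entry);
    } else if (fix && typeof fix === "object") {
      entry.fix = `${fix.name}@${fix.version}`;
      (fix.isSemVerMajor ? buckets.breakingFix : buckets.safeFix).push(entry);
    } else {
      buckets.noAutoFix.push(entry); // false: nothing npm can do, update the bundling parent by hand
    }
  }
  const bySeverity = (a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity);
  for (const list of Object.values(buckets)) list.sort(bySeverity);
  return buckets;
}

// Distinct advisory URLs; the per-package count npm prints is inflated by dependents.
function uniqueAdvisoryUrls(report) {
  const urls = new Set();
  for (const v of Object.values(report.vulnerabilities)) for (const a of rootAdvisories(v)) urls.add(a.url);
  return [...urls];
}

function severityTotals(report) {
  const totals = {};
  for (const v of Object.values(report.vulnerabilities)) totals[v.severity] = (totals[v.severity] || 0) + 1;
  return totals;
}

function formatTriage(report) {
  const b = classifyVulnerabilities(report);
  const line = (e) =>
    `  ${e.severity.padEnd(8)} ${e.name} ${e.range}` +
    (e.fix ? `  -> ${e.fix}` : "") +
    (e.dependsOn.length ? `  (depends on ${e.dependsOn.join(", ")})` : "") +
    e.advisories.map((u) => `\n           ${u}`).join("");
  return [
    `${uniqueAdvisoryUrls(report).length} distinct advisories; packages by severity: ${JSON.stringify(severityTotals(report))}`,
    `Fixable by 'npm audit fix' (no breaking change): ${b.safeFix.length}`, ...b.safeFix.map(line),
    `Fixable only by 'npm audit fix --force' (semver-major): ${b.breakingFix.length}`, ...b.breakingFix.map(line),
    `No automatic fix (e.g. bundled copy; update the parent package): ${b.noAutoFix.length}`, ...b.noAutoFix.map(line),
  ].join("\n");
}

// Usage: npm audit --json > audit.json && node triage.js audit.json   (no argument: the sample above)
if (typeof require !== "undefined" && require.main === module) {
  const report = process.argv[2] ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  console.log(formatTriage(report));
}
```

Two checks worth running before acting on the buckets: `npm audit --omit=dev` re-runs the audit against production dependencies only, and in a Laravel Mix setup packages such as laravel-mix, webpack, chokidar, watchpack and loader-utils are normally devDependencies that never ship to the server, so a ReDoS in a file watcher is a build-machine concern rather than an exposure of the running CRM. The fsevents bundle is the opposite case: no `npm audit fix` invocation will touch it, and the only remedy is a dependency that pulls in a newer fsevents.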