Brightspace / d2l-license-checker

Simple tool to continuously check for D2L accepted licenses of all npm dependencies in a project.

security issues from dependencies - Critical Arbitrary Code Execution and Moderate Regular Expression Denial of Service #79

Closed DonBrinn closed 4 years ago

DonBrinn commented 4 years ago
```text
>npm audit

                       === npm audit security report ===

# Run  npm update eslint-utils --depth 2  to resolve 1 vulnerability

  Critical        Arbitrary Code Execution
  Package         eslint-utils
  Dependency of   eslint [dev]
  Path            eslint > eslint-utils
  More info       https://npmjs.com/advisories/1118

# Run  npm update acorn --depth 3  to resolve 1 vulnerability

  Moderate        Regular Expression Denial of Service
  Package         acorn
  Dependency of   eslint [dev]
  Path            eslint > espree > acorn
  More info       https://npmjs.com/advisories/1488

found 2 vulnerabilities (1 moderate, 1 critical) in 574 scanned packages
  run `npm audit fix` to fix 2 of them.
```
DonBrinn commented 4 years ago

This seems to be caused by just an out-of-date package-lock.json, and not actually requiring any updated dependency versions in package.json.
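The distinction drawn in the comment above (stale lockfile versus a range in package.json that genuinely has to change) can be checked mechanically: if the dependent's declared semver range already admits a patched version, regenerating package-lock.json is enough; if it does not, package.json has to change. The script below is an added illustration, not code from the d2l-license-checker project. The package.json fragment, the lockfileVersion 1 fragment, and the "patched" version numbers are constructed for the example and are not taken from advisories 1118 or 1488; only the caret (`^x.y.z`) range form is implemented, and any other form is deliberately treated as "needs a package.json change".

```python
"""Classify npm audit findings: lockfile refresh vs. package.json change.

Added example, not part of the d2l-license-checker project. All data below is
constructed for illustration; the version numbers are assumptions and do not
describe the real advisories cited in the issue.
"""
import json
import re

# Constructed package.json fragment: only the direct dependency ranges matter.
PACKAGE_JSON = {"devDependencies": {"eslint": "^6.0.0"}}

# Constructed package-lock.json fragment in the lockfileVersion 1 layout
# (top-level "dependencies" map, each entry with "version" and "requires").
LOCK = json.loads("""
{
  "lockfileVersion": 1,
  "dependencies": {
    "eslint":      {"version": "6.0.0", "dev": true,
                    "requires": {"eslint-utils": "^1.3.1", "espree": "^6.0.0"}},
    "eslint-utils": {"version": "1.3.1", "dev": true},
    "espree":      {"version": "6.0.0", "dev": true,
                    "requires": {"acorn": "^6.0.7"}},
    "acorn":       {"version": "6.0.7", "dev": true}
  }
}
""")

# Constructed advisory records: the audit path and an assumed lowest patched
# version on the affected major line (hypothetical values for the example).
ADVISORIES = [
    {"module": "eslint-utils", "path": "eslint > eslint-utils", "patched": "1.4.2"},
    {"module": "acorn", "path": "eslint > espree > acorn", "patched": "6.4.1"},
]


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); prerelease/build suffixes are out of scope here."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def caret_allows(range_spec, version):
    """True if a caret range such as '^1.3.1' admits `version`.

    Caret semantics: no change to the leftmost non-zero component, so
    ^1.3.1 allows 1.x.y >= 1.3.1, ^0.2.1 allows 0.2.y >= 0.2.1, and
    ^0.0.3 allows only 0.0.3. Any non-caret range returns False so the
    verdict errs toward 'package.json must change'.
    """
    if not range_spec.startswith("^"):
        return False
    lo = parse_version(range_spec[1:])
    v = parse_version(version)
    if v < lo:
        return False
    if lo[0] > 0:
        return v[0] == lo[0]
    if lo[1] > 0:
        return v[0] == 0 and v[1] == lo[1]
    return v == lo


def declared_range(lock, package_json, path_segments):
    """The semver range the immediate dependent declares for the last segment."""
    target = path_segments[-1]
    if len(path_segments) == 1:
        # Direct dependency: the range lives in package.json itself.
        deps = {**package_json.get("dependencies", {}),
                **package_json.get("devDependencies", {})}
        return deps[target]
    parent = path_segments[-2]
    return lock["dependencies"][parent]["requires"][target]


def classify(lock, package_json, advisory):
    """Return 'not-vulnerable', 'lockfile-only' or 'package.json'."""
    segments = [s.strip() for s in advisory["path"].split(">")]
    locked = parse_version(lock["dependencies"][segments[-1]]["version"])
    if locked >= parse_version(advisory["patched"]):
        return "not-vulnerable"
    spec = declared_range(lock, package_json, segments)
    return "lockfile-only" if caret_allows(spec, advisory["patched"]) else "package.json"


def report(lock, package_json, advisories):
    return {a["module"]: classify(lock, package_json, a) for a in advisories}


if __name__ == "__main__":
    for module, verdict in report(LOCK, PACKAGE_JSON, ADVISORIES).items():
        print(f"{module}: {verdict}")
```

With the constructed data both findings come out as `lockfile-only`, which is the situation the comment describes: the locked transitive versions are older than the declared caret ranges already permit, so an `npm update <pkg> --depth N` (the command npm audit prints) or a lockfile regeneration resolves them without touching package.json. A `package.json` verdict is the signal that the dependent itself needs bumping.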