resolve redos in normalize-url - GHSA-px4h-xg32-q955
bad
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "normalize-url"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 💡 Calculating file sizes...
=> Found "normalize-url@4.5.0"
info Reasons this module exists
- "flow-typed#got#cacheable-request" depends on it
- Hoisted from "flow-typed#got#cacheable-request#normalize-url"
info Disk size without dependencies: "32KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 0
✨ Done in 0.49s.
good
yarn why v1.22.5
[1/4] 🤔 Why do we have the module "normalize-url"...?
[2/4] 🚚 Initialising dependency graph...
[3/4] 🔍 Finding dependency...
[4/4] 💡 Calculating file sizes...
=> Found "normalize-url@4.5.1"
info Reasons this module exists
- "flow-typed#got#cacheable-request" depends on it
- Hoisted from "flow-typed#got#cacheable-request#normalize-url"
info Disk size without dependencies: "32KB"
info Disk size with unique dependencies: "32KB"
info Disk size with transitive dependencies: "32KB"
info Number of shared dependencies: 0
✨ Done in 0.92s.
resolves other vulnerabilities that aren't showing (yet?)
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via `npm audit fix`
node_modules/chokidar/node_modules/glob-parent
node_modules/flow-copy-source/node_modules/glob-parent
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
normalize-url <=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1755
fix available via `npm audit fix`
node_modules/normalize-url
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/flow-copy-source/node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of yargs-parser
node_modules/flow-copy-source/node_modules/yargs
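As an added example (not part of this PR or of the affected packages), the script below does what the "bad"/"good" `yarn why` runs above do by hand: it reads the `=> Found "name@version"` line out of `yarn why` output and checks the resolved version against the vulnerable ranges printed by `npm audit`. It implements only the range syntax that appears in the audit output (`<=X`, `<X`, inclusive `A - B` hyphen ranges, exact versions, joined with `||`) rather than pulling in the `semver` package, and treats pre-release tags such as `1.0.0-rc1` as sorting before the release they precede, as semver does. The `BEFORE`/`AFTER` strings are constructed samples mirroring the two runs above; `auditFound` and `ADVISORY_RANGES` are names chosen for this example.

```javascript
// Added example: verify that a resolved dependency version falls outside the
// vulnerable ranges reported by `npm audit`. Supports only the npm advisory
// range syntax seen on this page: "<=X", "<X", "A - B" (inclusive), exact
// versions, and "||" alternation.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release (1.0.0-rc1) sorts before its release (1.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// One "||"-separated clause -> predicate over a version string.
function parseClause(clause) {
  const c = clause.trim();
  let m;
  if ((m = /^(<=|<|>=|>)\s*(\S+)$/.exec(c))) {
    const op = m[1], bound = m[2];
    return (v) => {
      const cmp = compareVersions(v, bound);
      if (op === '<') return cmp < 0;
      if (op === '<=') return cmp <= 0;
      if (op === '>') return cmp > 0;
      return cmp >= 0;
    };
  }
  if ((m = /^(\S+)\s+-\s+(\S+)$/.exec(c))) {
    const lo = m[1], hi = m[2]; // inclusive hyphen range
    return (v) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
  }
  return (v) => compareVersions(v, c) === 0; // exact version
}

function isVulnerable(version, range) {
  const preds = range.split('||').map(parseClause);
  return preds.some((p) => p(version));
}

// Vulnerable ranges exactly as printed by `npm audit` on this page.
const ADVISORY_RANGES = {
  'normalize-url': '<=4.5.0 || 5.0.0 - 5.3.0 || 6.0.0',
  'glob-parent': '<5.1.2',
  'chokidar': '1.0.0-rc1 - 2.1.8',
  'yargs-parser': '<=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1',
  'yargs': '4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0',
};

// Extract the package resolved by `yarn why` from its "=> Found" line.
function foundVersion(yarnWhyOutput) {
  const m = /=> Found "([^@"]+)@([^"]+)"/.exec(yarnWhyOutput);
  return m ? { name: m[1], version: m[2] } : null;
}

// Combine both: which package did yarn resolve, and is it in a vulnerable range?
function auditFound(yarnWhyOutput, ranges = ADVISORY_RANGES) {
  const f = foundVersion(yarnWhyOutput);
  if (!f || !(f.name in ranges)) return null;
  return { ...f, vulnerable: isVulnerable(f.version, ranges[f.name]) };
}

// Constructed samples mirroring the "bad" and "good" runs in this PR.
const BEFORE = 'yarn why v1.22.5\n=> Found "normalize-url@4.5.0"\n';
const AFTER = 'yarn why v1.22.5\n=> Found "normalize-url@4.5.1"\n';

console.log(auditFound(BEFORE)); // vulnerable: true
console.log(auditFound(AFTER));  // vulnerable: false
```

The same check applied to the other advisories listed above shows why `1.0.0-rc1 - 2.1.8` matters for pre-release handling: `chokidar@1.0.0` is inside that range while `1.0.0-rc0` is not, which a naive string comparison would get wrong.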