GerHobbelt / jison

bison / YACC / LEX in JavaScript (LALR(1), SLR(1), etc. lexer/parser generator)
https://gerhobbelt.github.io/jison/
MIT License
118 stars 20 forks

NPM warnings about vulnerabilities #67

Open mingodad opened 2 years ago

mingodad commented 2 years ago

When running `npm install` I'm getting a message about several package vulnerabilities:

jison$ npm audit fix

added 1 package, removed 5 packages, changed 21 packages, and audited 881 packages in 3s

53 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mocha/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/mocha/node_modules/strip-ansi
  node_modules/string-width/node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of wrap-ansi
    node_modules/mocha/node_modules/cliui
      yargs  8.0.0-candidate.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of os-locale
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of yargs-parser
      node_modules/mocha/node_modules/yargs
      node_modules/yargs
        @gerhobbelt/json5  *
        Depends on vulnerable versions of minimist
        Depends on vulnerable versions of yargs
        node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
        node_modules/@gerhobbelt/json5
        node_modules/jison-gho/node_modules/@gerhobbelt/json5
          @gerhobbelt/live-server  *
          Depends on vulnerable versions of @gerhobbelt/json5
          node_modules/@gerhobbelt/live-server
          jison-gho  *
          Depends on vulnerable versions of @gerhobbelt/json5
          node_modules/jison-gho
        mocha  6.0.0-0 - 9.1.4
        Depends on vulnerable versions of nanoid
        Depends on vulnerable versions of yargs
        node_modules/mocha
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/mocha/node_modules/string-width
    node_modules/string-width
      wrap-ansi  3.0.0 - 6.1.0
      Depends on vulnerable versions of string-width
      Depends on vulnerable versions of strip-ansi
      node_modules/mocha/node_modules/wrap-ansi

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @babel/cli@7.17.6, which is outside the stated dependency range
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@nicolo-ribaudo/chokidar-2/node_modules/chokidar
    @nicolo-ribaudo/chokidar-2  *
    Depends on vulnerable versions of chokidar
    node_modules/@nicolo-ribaudo/chokidar-2
      @babel/cli  7.12.1
      Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
      node_modules/@babel/cli

lodash  <=4.17.20
Severity: critical
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/lodash
  @gerhobbelt/benchmark  *
  Depends on vulnerable versions of lodash
  node_modules/@gerhobbelt/benchmark

mem  <4.0.0
Severity: moderate
Denial of Service in mem - https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  8.0.0-candidate.0 - 15.0.0
    Depends on vulnerable versions of cliui
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of yargs-parser
    node_modules/mocha/node_modules/yargs
    node_modules/yargs
      @gerhobbelt/json5  *
      Depends on vulnerable versions of minimist
      Depends on vulnerable versions of yargs
      node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
      node_modules/@gerhobbelt/json5
      node_modules/jison-gho/node_modules/@gerhobbelt/json5
        @gerhobbelt/live-server  *
        Depends on vulnerable versions of @gerhobbelt/json5
        node_modules/@gerhobbelt/live-server
        jison-gho  *
        Depends on vulnerable versions of @gerhobbelt/json5
        node_modules/jison-gho
      mocha  6.0.0-0 - 9.1.4
      Depends on vulnerable versions of nanoid
      Depends on vulnerable versions of yargs
      node_modules/mocha

minimist  <=1.2.5
Severity: high
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/@gerhobbelt/benchmark/node_modules/minimist
node_modules/@gerhobbelt/json5/node_modules/minimist
  @gerhobbelt/json5  *
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of yargs
  node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
  node_modules/@gerhobbelt/json5
  node_modules/jison-gho/node_modules/@gerhobbelt/json5
    @gerhobbelt/live-server  *
    Depends on vulnerable versions of @gerhobbelt/json5
    node_modules/@gerhobbelt/live-server
    jison-gho  *
    Depends on vulnerable versions of @gerhobbelt/json5
    node_modules/jison-gho

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix --force`
Will install mocha@9.2.2, which is a breaking change
node_modules/nanoid
  mocha  6.0.0-0 - 9.1.4
  Depends on vulnerable versions of nanoid
  Depends on vulnerable versions of yargs
  node_modules/mocha

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of yargs-parser
  node_modules/mocha/node_modules/yargs
  node_modules/yargs
    @gerhobbelt/json5  *
    Depends on vulnerable versions of minimist
    Depends on vulnerable versions of yargs
    node_modules/@gerhobbelt/benchmark/node_modules/@gerhobbelt/json5
    node_modules/@gerhobbelt/json5
    node_modules/jison-gho/node_modules/@gerhobbelt/json5
      @gerhobbelt/live-server  *
      Depends on vulnerable versions of @gerhobbelt/json5
      node_modules/@gerhobbelt/live-server
      jison-gho  *
      Depends on vulnerable versions of @gerhobbelt/json5
      node_modules/jison-gho
    mocha  6.0.0-0 - 9.1.4
    Depends on vulnerable versions of nanoid
    Depends on vulnerable versions of yargs
    node_modules/mocha

21 vulnerabilities (14 moderate, 6 high, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force