search

IBM / audit-ci

Audit NPM, Yarn, PNPM, and Bun dependencies in continuous integration environments, preventing integration if vulnerabilities are found at or above a configurable threshold while ignoring allowlisted advisories
Apache License 2.0
263 stars 43 forks source link

Long summary output for only one vulnerable advisory #239

Closed mobilutz closed 2 years ago

mobilutz commented 2 years ago

We have a warning for this advisory in our system: https://github.com/advisories/GHSA-xvch-5gv4-984h

But the summary output of the audit-ci run does not look good in my opinion:

$ audit-ci --config audit-config.json
audit-ci version: 6.1.0
Yarn audit report summary:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 0,
    "high": 10,
    "critical": 0
  },
  "dependencies": XXX,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": XXX
}
Found vulnerable advisory paths:
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|fetch-mock>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>@jest/reporters>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>babel-jest>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
GHSA-xvch-5gv4-984h|jest>jest-cli>@jest/core>jest-config>@jest/test-sequencer>jest-runtime>jest-snapshot>@jest/transform>babel-plugin-istanbul>istanbul-lib-instrument>@babel/core>json5>minimist
Failed security audit due to high vulnerabilities.
Vulnerable advisories are:
https://github.com/advisories/GHSA-xvch-5gv4-984h
Exiting...
error Command failed with exit code 1.

Of course we just need to upgrade minimist and the output goes away, but I do think that the summary should be displayed differently here.

I will try to find time to create a dummy repo for this, but for now here the needed yarn.lock and audit-config.json content.

# needed minimist version
minimist@^1.2.5:
  version "1.2.5"
  resolved "https://registry.yarnpkg.com/minimist/-/minimist-1.2.5.tgz#67d66014b66a6a8aaa0c083c5fd58df4e4e97602"
  integrity sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==

audit-config.json

{
  "low": true,
  "package-manager": "yarn",
  "report-type": "summary",
  "allowlist": []
}
quinnturner commented 2 years ago

The duplications are the concern. I must have missed a deduplication spot (I have them in a few places). IMO, that's the fix required in this scenario. Thanks for reporting!

quinnturner commented 2 years ago

Closed with https://github.com/IBM/audit-ci/pull/240, will create a release shortly.

quinnturner commented 2 years ago

Released with v6.1.1 on NPM now!

mobilutz commented 2 years ago

@quinnturner Thanks for the quick change.

Unfortunately the summary still has the same lines as Found vulnerable advisory paths even with v6.1.1.

I created a repo which shows this: https://github.com/mobilutz/audit-ci-minimist-summary-output

Here the found paths output as well:

Found vulnerable advisory paths:
GHSA-5v2h-r2cx-5xgj|esdoc>marked
GHSA-rrrm-qjm4-v8hf|esdoc>marked
GHSA-rp65-9cf3-cjxr|esdoc>cheerio>css-select>nth-check
GHSA-rp65-9cf3-cjxr|esdoc>ice-cap>cheerio>css-select>nth-check
GHSA-rp65-9cf3-cjxr|esdoc>cheerio>css-select>nth-check
GHSA-rp65-9cf3-cjxr|esdoc>ice-cap>cheerio>css-select>nth-check
GHSA-xvch-5gv4-984h|minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-xvch-5gv4-984h|minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
quinnturner commented 2 years ago

Fix released in v6.1.2 thanks to Kyle!

mobilutz commented 2 years ago

Just ran v6.1.2 and can confirm that it reduces the output!

yarn run v1.22.17
$ audit-ci --config audit-ci-config.json
audit-ci version: 6.1.2
Yarn audit report summary:
{
  "vulnerabilities": {
    "info": 0,
    "low": 0,
    "moderate": 2,
    "high": 4,
    "critical": 0
  },
  "dependencies": 189,
  "devDependencies": 0,
  "optionalDependencies": 0,
  "totalDependencies": 189
}
Found vulnerable advisory paths:
GHSA-xvch-5gv4-984h|minimist
GHSA-xvch-5gv4-984h|esdoc>minimist
GHSA-5v2h-r2cx-5xgj|esdoc>marked
GHSA-rrrm-qjm4-v8hf|esdoc>marked
GHSA-rp65-9cf3-cjxr|esdoc>cheerio>css-select>nth-check
GHSA-rp65-9cf3-cjxr|esdoc>ice-cap>cheerio>css-select>nth-check
Failed security audit due to high, moderate vulnerabilities.
Vulnerable advisories are:
https://github.com/advisories/GHSA-xvch-5gv4-984h
https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
https://github.com/advisories/GHSA-rp65-9cf3-cjxr
Exiting...
error Command failed with exit code 1.

Thanks @kyletsang