NASA-PDS / doi-ui

The web interface for the PDS DOI Service, providing the ability to manage PDS archive DOIs. See the DOI Service for more details on the available capabilities. https://nasa-pds.github.io/doi-service/
Apache License 2.0

Updated Dependencies Using NPM Audit #130 #136

Closed eddiesarevalo closed 2 years ago

eddiesarevalo commented 2 years ago

🗒️ Summary

- Used NPM Audit to make non-breaking updates to the dependencies.

Running npm audit fix fixed 6 moderate, 1 high and 1 critical. All the leftovers are caused by one React dependency: react-scripts@5.0.1, which is a breaking change. This one update will break all the remaining dependencies and the doi-ui. They need to be fixed by the dependencies' developers.

⚙️ Test Data and/or Report

Run npm start. Everything should work normally. If there was a breaking change, the code would not run and would throw an error on npm start.

♻️ Related Issues

resolves #130

eddiesarevalo commented 2 years ago

Remaining npm audit report:

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
  @pmmmwh/react-refresh-webpack-plugin  <=0.5.0-rc.6
  Depends on vulnerable versions of ansi-html
  node_modules/@pmmmwh/react-refresh-webpack-plugin
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts

ejs  <3.1.7
Severity: high
Template injection in ejs - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ejs
  @surma/rollup-plugin-off-main-thread  <=2.1.0
  Depends on vulnerable versions of ejs
  node_modules/@surma/rollup-plugin-off-main-thread
    workbox-build  5.0.0-alpha.0 - 6.3.0
    Depends on vulnerable versions of @surma/rollup-plugin-off-main-thread
    node_modules/workbox-build
      workbox-webpack-plugin  5.0.0-alpha.0 - 5.1.4 || 6.2.2 - 6.3.0
      Depends on vulnerable versions of workbox-build
      node_modules/workbox-webpack-plugin
        react-scripts  >=0.10.0-alpha.328cb32e
        Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
        Depends on vulnerable versions of @svgr/webpack
        Depends on vulnerable versions of optimize-css-assets-webpack-plugin
        Depends on vulnerable versions of react-dev-utils
        Depends on vulnerable versions of webpack-dev-server
        Depends on vulnerable versions of workbox-webpack-plugin
        node_modules/react-scripts

glob-parent  <5.1.2
Severity: high
Regular expression denial of service in glob-parent - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts

immer  <9.0.6
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/immer
  react-dev-utils  6.0.0-next.03604a46 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of immer
  node_modules/react-dev-utils
    react-scripts  >=0.10.0-alpha.328cb32e
    Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
    Depends on vulnerable versions of @svgr/webpack
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of react-dev-utils
    Depends on vulnerable versions of webpack-dev-server
    Depends on vulnerable versions of workbox-webpack-plugin
    node_modules/react-scripts

node-forge  <=1.2.1
Severity: high
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of ansi-html
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
      react-scripts  >=0.10.0-alpha.328cb32e
      Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
      Depends on vulnerable versions of @svgr/webpack
      Depends on vulnerable versions of optimize-css-assets-webpack-plugin
      Depends on vulnerable versions of react-dev-utils
      Depends on vulnerable versions of webpack-dev-server
      Depends on vulnerable versions of workbox-webpack-plugin
      node_modules/react-scripts

nth-check  <2.0.1
Severity: moderate
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=0.10.0-alpha.328cb32e
          Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of optimize-css-assets-webpack-plugin
          Depends on vulnerable versions of react-dev-utils
          Depends on vulnerable versions of webpack-dev-server
          Depends on vulnerable versions of workbox-webpack-plugin
          node_modules/react-scripts
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin
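As an added example (not part of this PR or the doi-ui project), a small Python triage over the JSON form of a report like the one above (`npm audit --json`, auditReportVersion 2): it separates findings that plain `npm audit fix` applies from those that need `--force` because the only fix is a semver-major upgrade (react-scripts@5.0.1 here), and walks the `effects` chain from a root cause such as ansi-html up to the direct dependency that pulls it in. The embedded report is constructed from the ansi-html chain above; `example-lib` and its advisory URL are invented.

```python
import json

# Constructed excerpt in the shape of `npm audit --json` (auditReportVersion 2).
# The first three entries mirror the ansi-html chain in the report above; "example-lib"
# is invented to show a finding that plain `npm audit fix` can resolve.
SAMPLE_AUDIT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "ansi-html": {"severity": "high", "isDirect": False, "range": "<0.0.8",
                  "via": [{"title": "Uncontrolled Resource Consumption in ansi-html",
                           "url": "https://github.com/advisories/GHSA-whgm-jr23-g3j9"}],
                  "effects": ["webpack-dev-server"],
                  "fixAvailable": {"name": "react-scripts", "version": "5.0.1", "isSemVerMajor": True}},
    "webpack-dev-server": {"severity": "high", "isDirect": False, "range": "2.0.0-beta - 4.7.2",
                           "via": ["ansi-html"], "effects": ["react-scripts"],
                           "fixAvailable": {"name": "react-scripts", "version": "5.0.1", "isSemVerMajor": True}},
    "react-scripts": {"severity": "high", "isDirect": True, "range": ">=0.10.0-alpha.328cb32e",
                      "via": ["webpack-dev-server"], "effects": [],
                      "fixAvailable": {"name": "react-scripts", "version": "5.0.1", "isSemVerMajor": True}},
    "example-lib": {"severity": "moderate", "isDirect": True, "range": "<1.2.0",
                    "via": [{"title": "ReDoS in example-lib (constructed)", "url": "https://example.invalid/adv"}],
                    "effects": [], "fixAvailable": True},
}})


def triage(audit_json):
    """Bucket findings by what `npm audit fix` can do: apply quietly ("safe"), only with
    --force because the fix is semver-major ("breaking"), or nothing ("unfixable").
    Root causes are entries whose `via` holds advisory objects rather than package names."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    buckets = {"safe": [], "breaking": [], "unfixable": [], "roots": []}
    for name, v in vulns.items():
        fix = v["fixAvailable"]
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            buckets["breaking"].append(name)
        elif fix:  # True, or a dict naming a non-breaking upgrade
            buckets["safe"].append(name)
        else:
            buckets["unfixable"].append(name)
        if any(isinstance(a, dict) for a in v["via"]):
            buckets["roots"].append(name)
    return {k: sorted(v) for k, v in buckets.items()}


def dependents_chain(audit_json, package):
    """Walk `effects` from a vulnerable package up to the direct dependency that pulls it in."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    chain, seen = [package], {package}
    while vulns[chain[-1]]["effects"]:
        nxt = vulns[chain[-1]]["effects"][0]
        if nxt in seen:  # guard against cycles in a malformed report
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain


def breaking_upgrade_targets(audit_json):
    """Distinct (package, version) upgrades that --force would install; one target here."""
    vulns = json.loads(audit_json)["vulnerabilities"]
    fixes = (v["fixAvailable"] for v in vulns.values())
    return sorted({(f["name"], f["version"]) for f in fixes if isinstance(f, dict)})
```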