Particle-Network / particle-react-native

Apache License 2.0

This npm package contains 6 high severity vulnerabilities #1

Closed sahil-pr closed 1 year ago

sahil-pr commented 1 year ago

Adding this package to my React app shows there are 6 high severity vulnerabilities. See below:

[Screenshot attached: 2023-02-08, 8:37 pm]

SunZhiC commented 1 year ago

To address all issues, run: npm audit fix

Run npm audit for details.

sahil-pr commented 1 year ago

This doesn't resolve the vulnerabilities.

[Screenshot attached: 2023-02-10, 5:05 pm]

Following the instructions, running `npm audit fix --force` results in the following output:

```text
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating react-scripts to 2.1.3, which is a SemVer major change.
npm WARN deprecated fsevents@1.2.4: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated topo@2.0.2: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated flatten@1.0.3: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated kleur@2.0.2: Please upgrade to kleur@3 or migrate to 'ansi-colors' if you prefer the old syntax. Visit https://github.com/lukeed/kleur/releases/tag/v3.0.0\ for migration path(s).
npm WARN deprecated request-promise-native@1.0.9: request-promise-native has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated eslint-loader@2.1.1: This loader has been deprecated. Please use eslint-webpack-plugin
npm WARN deprecated hoek@4.2.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated acorn-dynamic-import@3.0.0: This is probably built in to whatever tool you're using. If you still need it... idk
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated sane@2.5.2: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated fsevents@1.2.13: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated html-webpack-plugin@4.0.0-alpha.2: please switch to a stable version
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated babel-eslint@9.0.0: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated joi@11.4.0: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated core-js@2.6.4: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated core-js@2.6.12: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1118 packages, removed 587 packages, changed 292 packages, and audited 2560 packages in 53s

119 packages are looking for funding
  run npm fund for details

npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  Depends on vulnerable versions of sockjs
  Depends on vulnerable versions of yargs
  node_modules/webpack-dev-server
  react-scripts  0.1.0 - 5.0.0-next.60
  Depends on vulnerable versions of @svgr/webpack
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of css-loader
  Depends on vulnerable versions of fork-ts-checker-webpack-plugin-alt
  Depends on vulnerable versions of jest
  Depends on vulnerable versions of optimize-css-assets-webpack-plugin
  Depends on vulnerable versions of react-dev-utils
  Depends on vulnerable versions of terser-webpack-plugin
  Depends on vulnerable versions of webpack
  Depends on vulnerable versions of webpack-dev-server
  node_modules/react-scripts

braces  <=2.3.0
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/jest-cli/node_modules/braces
node_modules/jest-config/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/jest-cli/node_modules/micromatch
  node_modules/jest-config/node_modules/micromatch
  node_modules/jest-haste-map/node_modules/micromatch
  node_modules/jest-message-util/node_modules/micromatch
  node_modules/jest-runtime/node_modules/micromatch
  node_modules/test-exclude/node_modules/micromatch
  jest-cli  0.10.2 - 24.8.0
  Depends on vulnerable versions of jest-config
  Depends on vulnerable versions of jest-environment-jsdom
  Depends on vulnerable versions of jest-haste-map
  Depends on vulnerable versions of jest-message-util
  Depends on vulnerable versions of jest-resolve-dependencies
  Depends on vulnerable versions of jest-runner
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of jest-snapshot
  Depends on vulnerable versions of jest-util
  Depends on vulnerable versions of micromatch
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of yargs
  node_modules/jest-cli
  jest  13.3.0-alpha.4eb0c908 - 23.6.0
  Depends on vulnerable versions of jest-cli
  node_modules/jest
  jest-config  12.1.1-alpha.2935e14d - 25.5.4
  Depends on vulnerable versions of babel-core
  Depends on vulnerable versions of babel-jest
  Depends on vulnerable versions of jest-environment-jsdom
  Depends on vulnerable versions of jest-environment-node
  Depends on vulnerable versions of jest-jasmine2
  Depends on vulnerable versions of jest-util
  Depends on vulnerable versions of micromatch
  node_modules/jest-config
  jest-runner  21.0.0-alpha.1 - 22.4.4 || 23.4.0 - 23.6.0
  Depends on vulnerable versions of jest-config
  Depends on vulnerable versions of jest-haste-map
  Depends on vulnerable versions of jest-jasmine2
  Depends on vulnerable versions of jest-message-util
  Depends on vulnerable versions of jest-runtime
  Depends on vulnerable versions of jest-util
  node_modules/jest-runner
  jest-runtime  14.1.0 - 24.8.0
  Depends on vulnerable versions of babel-core
  Depends on vulnerable versions of babel-plugin-istanbul
  Depends on vulnerable versions of jest-config
  Depends on vulnerable versions of jest-haste-map
  Depends on vulnerable versions of jest-message-util
  Depends on vulnerable versions of jest-snapshot
  Depends on vulnerable versions of jest-util
  Depends on vulnerable versions of micromatch
  Depends on vulnerable versions of yargs
  node_modules/jest-runtime
  jest-haste-map  16.1.0-alpha.691b0e22 - 24.0.0
  Depends on vulnerable versions of micromatch
  Depends on vulnerable versions of sane
  node_modules/jest-haste-map
  jest-message-util  18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
  Depends on vulnerable versions of micromatch
  node_modules/jest-message-util
  expect  21.0.0-beta.1 - 22.4.3 || 23.4.0 - 23.6.0
  Depends on vulnerable versions of jest-message-util
  node_modules/expect
  jest-jasmine2  18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
  Depends on vulnerable versions of expect
  Depends on vulnerable versions of jest-message-util
  Depends on vulnerable versions of jest-snapshot
  Depends on vulnerable versions of jest-util
  node_modules/jest-jasmine2
  jest-snapshot  23.4.0 - 23.6.0
  Depends on vulnerable versions of jest-message-util
  node_modules/jest-snapshot
  jest-resolve-dependencies  23.4.0 - 23.6.0
  Depends on vulnerable versions of jest-snapshot
  node_modules/jest-resolve-dependencies
  jest-util  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
  Depends on vulnerable versions of jest-message-util
  node_modules/jest-cli/node_modules/jest-util
  node_modules/jest-config/node_modules/jest-util
  node_modules/jest-environment-jsdom/node_modules/jest-util
  node_modules/jest-environment-node/node_modules/jest-util
  node_modules/jest-jasmine2/node_modules/jest-util
  node_modules/jest-runner/node_modules/jest-util
  node_modules/jest-runtime/node_modules/jest-util
  jest-environment-jsdom  10.0.2 - 25.5.0
  Depends on vulnerable versions of jest-util
  Depends on vulnerable versions of jsdom
  node_modules/jest-environment-jsdom
  jest-environment-node  18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
  Depends on vulnerable versions of jest-util
  node_modules/jest-environment-node
  test-exclude  <=4.2.3
  Depends on vulnerable versions of micromatch
  node_modules/test-exclude
  babel-plugin-istanbul  <=5.0.0
  Depends on vulnerable versions of test-exclude
  node_modules/babel-plugin-istanbul
  babel-jest  14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
  Depends on vulnerable versions of babel-plugin-istanbul
  node_modules/babel-jest

browserslist  4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/browserslist
  react-dev-utils  0.4.0 - 12.0.0-next.60
  Depends on vulnerable versions of browserslist
  Depends on vulnerable versions of globby
  Depends on vulnerable versions of immer
  Depends on vulnerable versions of loader-utils
  Depends on vulnerable versions of recursive-readdir
  Depends on vulnerable versions of shell-quote
  node_modules/react-dev-utils

chownr  <1.1.0
Time-of-check Time-of-use (TOCTOU) Race Condition in chownr - https://github.com/advisories/GHSA-c6rq-rjc2-86v2
fix available via npm audit fix
node_modules/chownr

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
  fork-ts-checker-webpack-plugin-alt
  Depends on vulnerable versions of chokidar
  node_modules/fork-ts-checker-webpack-plugin-alt
  watchpack-chokidar2
  Depends on vulnerable versions of chokidar
  node_modules/watchpack-chokidar2
  watchpack  1.7.2 - 1.7.5
  Depends on vulnerable versions of watchpack-chokidar2
  node_modules/watchpack
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
  globby  8.0.0 - 9.2.0
  Depends on vulnerable versions of fast-glob
  node_modules/globby
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
  parse-glob  >=2.1.0
  Depends on vulnerable versions of glob-base
  node_modules/parse-glob

immer  <=9.0.5
Severity: critical
Prototype Pollution in immer - https://github.com/advisories/GHSA-c36v-fmgq-m8hx
Prototype Pollution in immer - https://github.com/advisories/GHSA-33f9-j839-rf8h
Prototype Pollution in immer - https://github.com/advisories/GHSA-9qmh-276g-x5pj
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/immer

ini  <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via npm audit fix
node_modules/ini

jsdom  <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/jest-environment-jsdom/node_modules/jsdom

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/babel-register/node_modules/json5
node_modules/jest-config/node_modules/json5
node_modules/jest-runtime/node_modules/json5
  babel-core  5.8.20 - 7.0.0-beta.3
  Depends on vulnerable versions of babel-register
  Depends on vulnerable versions of json5
  node_modules/babel-register/node_modules/babel-core
  node_modules/jest-config/node_modules/babel-core
  node_modules/jest-runtime/node_modules/babel-core
  babel-register  *
  Depends on vulnerable versions of babel-core
  node_modules/babel-register

loader-utils  <=1.4.1
Severity: critical
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/loader-utils

merge  <2.1.1
Severity: high
Prototype Pollution in merge - https://github.com/advisories/GHSA-7wpw-2hjm-89gp
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/merge
  exec-sh  <=0.3.1
  Depends on vulnerable versions of merge
  node_modules/exec-sh
  sane  1.0.4 - 4.0.2
  Depends on vulnerable versions of exec-sh
  Depends on vulnerable versions of watch
  node_modules/sane
  watch  >=0.14.0
  Depends on vulnerable versions of exec-sh
  node_modules/watch

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/minimatch
node_modules/recursive-readdir/node_modules/minimatch
  recursive-readdir  1.2.0 - 2.2.2
  Depends on vulnerable versions of minimatch
  node_modules/recursive-readdir

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via npm audit fix
node_modules/minimist
node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/node-notifier

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
  svgo  1.0.0 - 1.3.2
  Depends on vulnerable versions of css-select
  node_modules/svgo
  @svgr/core  <=3.1.0
  Depends on vulnerable versions of svgo
  node_modules/@svgr/core
  @svgr/webpack  <=3.1.0
  Depends on vulnerable versions of @svgr/core
  node_modules/@svgr/webpack
  postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
  Depends on vulnerable versions of svgo
  node_modules/postcss-svgo
  cssnano-preset-default  <=4.0.8
  Depends on vulnerable versions of postcss-svgo
  node_modules/cssnano-preset-default
  cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
  Depends on vulnerable versions of cssnano-preset-default
  node_modules/cssnano
  optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
  Depends on vulnerable versions of cssnano
  node_modules/optimize-css-assets-webpack-plugin

postcss  <7.0.36
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/postcss
  css-loader  0.15.0 - 1.0.1
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-extract-imports
  Depends on vulnerable versions of postcss-modules-local-by-default
  Depends on vulnerable versions of postcss-modules-scope
  Depends on vulnerable versions of postcss-modules-values
  node_modules/css-loader
  icss-utils  <=3.0.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
  postcss-modules-extract-imports  <=1.2.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-local-by-default  <=1.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-local-by-default
  postcss-modules-scope  <=1.1.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope
  postcss-modules-values  <=1.3.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-values

serialize-javascript  <=3.0.0
Severity: high
Insecure serialization leading to RCE in serialize-javascript - https://github.com/advisories/GHSA-hxcc-f52p-wc94
Cross-Site Scripting in serialize-javascript - https://github.com/advisories/GHSA-h9rv-jmmf-4pgx
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/serialize-javascript
  terser-webpack-plugin  <=1.4.3 || 2.0.0 - 2.3.5
  Depends on vulnerable versions of serialize-javascript
  Depends on vulnerable versions of terser
  node_modules/terser-webpack-plugin
  uglifyjs-webpack-plugin  >=1.1.3
  Depends on vulnerable versions of cacache
  Depends on vulnerable versions of serialize-javascript
  node_modules/uglifyjs-webpack-plugin
  webpack  4.3.0 - 4.25.1
  Depends on vulnerable versions of uglifyjs-webpack-plugin
  node_modules/webpack

shell-quote  <=1.7.2
Severity: critical
Improper Neutralization of Special Elements used in a Command in Shell-quote - https://github.com/advisories/GHSA-g4rg-993r-mgx7
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/react-dev-utils/node_modules/shell-quote

sockjs  <0.3.20
Severity: moderate
Improper Input Validation in SocksJS-Node - https://github.com/advisories/GHSA-c9g6-9335-x697
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/sockjs

ssri  5.2.2 - 6.0.1
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/uglifyjs-webpack-plugin/node_modules/ssri
  cacache  10.0.4 - 11.0.0
  Depends on vulnerable versions of ssri
  node_modules/uglifyjs-webpack-plugin/node_modules/cacache

tar  <=4.4.17
Severity: high
Arbitrary File Overwrite in tar - https://github.com/advisories/GHSA-j44m-qm6p-hp7m
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
fix available via npm audit fix
node_modules/tar

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/terser-webpack-plugin/node_modules/terser

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install react-scripts@5.0.1, which is a breaking change
node_modules/webpack-dev-server/node_modules/yargs-parser
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/webpack-dev-server/node_modules/yargs
  node_modules/yargs

80 vulnerabilities (14 low, 17 moderate, 44 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
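Two things stand out in the output above: every finding gated behind `--force` resolves to the same fix (`react-scripts@5.0.1`, a semver-major change), and `--force` itself moved react-scripts to 2.1.3 and took the count from 6 to 80. Before accepting or fighting a report like this, it helps to know which direct dependency each advisory is reachable through and which findings `npm audit fix` can resolve in-range. The script below is an added example, not code from the original issue or from the particle-react-native project. It works on the `npm audit --json` schema used by npm 7 and later (`vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`); `SAMPLE_REPORT` is constructed and trimmed, modelled on the ansi-html, nth-check and ini entries above, and the helper names are my own.

```javascript
// Added example for this thread (not project code): triage an `npm audit --json`
// report by following each finding's `effects` chain up to the direct dependency
// that pulls it in, and by separating in-range fixes from semver-major ones.
// SAMPLE_REPORT is CONSTRUCTED and trimmed, modelled on the output above;
// replace it with the parsed output of `npm audit --json` (npm 7+ schema).

const BREAKING = { name: 'react-scripts', version: '5.0.1', isSemVerMajor: true };

// One entry of `report.vulnerabilities`. `via` holds advisory objects for the
// package's own findings and plain strings naming vulnerable children it
// depends on ("Depends on vulnerable versions of ..."). `range` omitted here.
function entry(name, severity, via, effects, fixAvailable, isDirect = false) {
  return { name, severity, isDirect, via, effects, nodes: [`node_modules/${name}`], fixAvailable };
}

// Shape of an advisory object inside `via` (source id is a placeholder).
function advisory(name, title, ghsa, severity, range) {
  return { source: 0, name, dependency: name, title, severity, range,
           url: `https://github.com/advisories/${ghsa}` };
}

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'ansi-html': entry('ansi-html', 'high',
      [advisory('ansi-html', 'Uncontrolled Resource Consumption in ansi-html', 'GHSA-whgm-jr23-g3j9', 'high', '<0.0.8')],
      ['webpack-dev-server'], BREAKING),
    'webpack-dev-server': entry('webpack-dev-server', 'high', ['ansi-html'], ['react-scripts'], BREAKING),
    'nth-check': entry('nth-check', 'high',
      [advisory('nth-check', 'Inefficient Regular Expression Complexity in nth-check', 'GHSA-rp65-9cf3-cjxr', 'high', '<2.0.1')],
      ['css-select'], BREAKING),
    'css-select': entry('css-select', 'high', ['nth-check'], ['svgo'], BREAKING),
    'svgo': entry('svgo', 'high', ['css-select'], ['@svgr/webpack'], BREAKING),
    '@svgr/webpack': entry('@svgr/webpack', 'high', ['svgo'], ['react-scripts'], BREAKING),
    'react-scripts': entry('react-scripts', 'high', ['webpack-dev-server', '@svgr/webpack'], [], BREAKING, true),
    'ini': entry('ini', 'high',
      [advisory('ini', 'ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse', 'GHSA-qqgx-2p2h-9c37', 'high', '<1.3.6')],
      [], true),
  },
};

// Follow `effects` upward to the direct dependencies through which `pkg` is
// installed. A package with no flagged dependents (npm can fix it in place)
// yields an empty set. `seen` guards against cycles in the effects graph.
function rootDependencies(vulns, pkg, seen = new Set()) {
  const roots = new Set();
  const v = vulns[pkg];
  if (!v || seen.has(pkg)) return roots;
  seen.add(pkg);
  if (v.isDirect) roots.add(pkg);
  for (const parent of v.effects) {
    for (const r of rootDependencies(vulns, parent, seen)) roots.add(r);
  }
  return roots;
}

// `fixAvailable` is true, false, or { name, version, isSemVerMajor }.
function describeFix(fix) {
  if (fix === true) return 'in-range: npm audit fix';
  if (!fix) return 'no fix available';
  return fix.isSemVerMajor
    ? `breaking: ${fix.name}@${fix.version} (needs --force)`
    : `in-range: ${fix.name}@${fix.version}`;
}

// One row per package that carries an advisory of its own. Entries whose `via`
// contains only package names are the "Depends on vulnerable versions of ..."
// noise; they are folded into the root-dependency chains instead of listed.
function triageAudit(report) {
  const vulns = report.vulnerabilities;
  const rows = [];
  for (const v of Object.values(vulns)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue;
    rows.push({
      name: v.name,
      severity: v.severity,
      advisories: advisories.map((a) => a.url),
      rootDependencies: [...rootDependencies(vulns, v.name)].sort(),
      fix: describeFix(v.fixAvailable),
    });
  }
  return rows.sort((a, b) => a.name.localeCompare(b.name));
}

function formatTriage(rows) {
  return rows.map((r) => {
    const via = r.rootDependencies.length ? `via ${r.rootDependencies.join(', ')}` : 'no flagged dependents';
    return `${r.name.padEnd(12)} ${r.severity.padEnd(8)} ${via.padEnd(22)} ${r.fix}\n  ${r.advisories.join('\n  ')}`;
  }).join('\n');
}

console.log(formatTriage(triageAudit(SAMPLE_REPORT)));
```

With a real report, replace `SAMPLE_REPORT` with `JSON.parse` of the `npm audit --json` output. The rows that come back "via react-scripts" are findings in a build-time toolchain: on recent npm, `npm audit --omit=dev` restricts the report to what is reachable from production dependencies, which is the number that matters for the shipped app, while the dev-only findings still matter for developer machines and CI. Where a chain ends at a direct dependency that cannot be bumped, the `overrides` field in package.json (npm 8.3 and later) can pin a single transitive package to a patched version, a far narrower change than letting `npm audit fix --force` replace the direct dependency.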