Polyconseil / vue-gettext

Translate your Vue.js applications with gettext.
MIT License

Update dependencies to reduce vulnerabilities #96

Closed janlazo closed 5 years ago

janlazo commented 5 years ago

Report after running npm audit fix and npm dedupe.

=== npm audit security report ===

# Run  npm install --save-dev karma@4.1.0  to resolve 22 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         braces

  Dependency of   karma [dev]

  Path            karma > chokidar > anymatch > micromatch > braces

  More info       https://npmjs.com/advisories/786

  Low             Regular Expression Denial of Service

  Package         braces

  Dependency of   karma [dev]

  Path            karma > expand-braces > braces

  More info       https://npmjs.com/advisories/786

  Moderate        Prototype Pollution

  Package         hoek

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > hawk > boom > hoek

  More info       https://npmjs.com/advisories/566

  Moderate        Prototype Pollution

  Package         hoek

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > hawk > cryptiles > boom
                  > hoek

  More info       https://npmjs.com/advisories/566

  Moderate        Prototype Pollution

  Package         hoek

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > hawk > hoek

  More info       https://npmjs.com/advisories/566

  Moderate        Prototype Pollution

  Package         hoek

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > hawk > sntp > hoek

  More info       https://npmjs.com/advisories/566

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   karma [dev]

  Path            karma > log4js > mailgun-js > debug

  More info       https://npmjs.com/advisories/534

  Moderate        Denial of Service

  Package         axios

  Dependency of   karma [dev]

  Path            karma > log4js > axios

  More info       https://npmjs.com/advisories/880

  High            Insufficient Entropy

  Package         cryptiles

  Dependency of   karma [dev]

  Path            karma > log4js > hipchat-notifier > request > hawk >
                  cryptiles

  More info       https://npmjs.com/advisories/720

  High            Insufficient Entropy

  Package         cryptiles

  Dependency of   karma [dev]

  Path            karma > log4js > slack-node > requestretry > request > hawk
                  > cryptiles

  More info       https://npmjs.com/advisories/720

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   karma [dev]

  Path            karma > log4js > hipchat-notifier > request > http-signature
                  > sshpk

  More info       https://npmjs.com/advisories/606

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > http-signature > sshpk

  More info       https://npmjs.com/advisories/606

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   karma [dev]

  Path            karma > log4js > slack-node > requestretry > request >
                  http-signature > sshpk

  More info       https://npmjs.com/advisories/606

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   karma [dev]

  Path            karma > log4js > hipchat-notifier > request > stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   karma [dev]

  Path            karma > log4js > slack-node > requestretry > request >
                  stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Memory Exposure

  Package         tunnel-agent

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > tunnel-agent

  More info       https://npmjs.com/advisories/598

  Low             Regular Expression Denial of Service

  Package         timespan

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > timespan

  More info       https://npmjs.com/advisories/533

  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   karma [dev]

  Path            karma > log4js > mailgun-js > proxy-agent > http-proxy-agent

  More info       https://npmjs.com/advisories/607

  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   karma [dev]

  Path            karma > log4js > mailgun-js > proxy-agent > pac-proxy-agent
                  > http-proxy-agent

  More info       https://npmjs.com/advisories/607

  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   karma [dev]

  Path            karma > log4js > mailgun-js > proxy-agent >
                  https-proxy-agent

  More info       https://npmjs.com/advisories/593

  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   karma [dev]

  Path            karma > log4js > mailgun-js > proxy-agent > pac-proxy-agent
                  > https-proxy-agent

  More info       https://npmjs.com/advisories/593

# Run  npm install --save-dev postcss-import@12.0.1  to resolve 16 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         braces

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > sane > anymatch >
                  micromatch > braces

  More info       https://npmjs.com/advisories/786

  High            Insufficient Entropy

  Package         cryptiles

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-github > request
                  > hawk > cryptiles

  More info       https://npmjs.com/advisories/720

  High            Insufficient Entropy

  Package         cryptiles

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-npm > request >
                  hawk > cryptiles

  More info       https://npmjs.com/advisories/720

  High            Insufficient Entropy

  Package         cryptiles

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > request > hawk >
                  cryptiles

  More info       https://npmjs.com/advisories/720

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-github > request
                  > http-signature > sshpk

  More info       https://npmjs.com/advisories/606

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-npm > request >
                  http-signature > sshpk

  More info       https://npmjs.com/advisories/606

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > request >
                  http-signature > sshpk

  More info       https://npmjs.com/advisories/606

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-github > request
                  > stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > jspm-npm > request >
                  stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > request > stringstream

  More info       https://npmjs.com/advisories/664

  Moderate        Out-of-bounds Read

  Package         atob

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > liftoff > findup-sync
                  > micromatch > braces > snapdragon > source-map-resolve >
                  atob

  More info       https://npmjs.com/advisories/646

  Moderate        Out-of-bounds Read

  Package         atob

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > liftoff > findup-sync
                  > micromatch > extglob > expand-brackets > snapdragon >
                  source-map-resolve > atob

  More info       https://npmjs.com/advisories/646

  Moderate        Out-of-bounds Read

  Package         atob

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > liftoff > findup-sync
                  > micromatch > extglob > snapdragon > source-map-resolve >
                  atob

  More info       https://npmjs.com/advisories/646

  Moderate        Out-of-bounds Read

  Package         atob

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > liftoff > findup-sync
                  > micromatch > nanomatch > snapdragon > source-map-resolve >
                  atob

  More info       https://npmjs.com/advisories/646

  Moderate        Out-of-bounds Read

  Package         atob

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > liftoff > findup-sync
                  > micromatch > snapdragon > source-map-resolve > atob

  More info       https://npmjs.com/advisories/646

  Low             Prototype Pollution

  Package         merge

  Dependency of   postcss-import [dev]

  Path            postcss-import > pkg-resolve > jspm > sane > exec-sh > merge

  More info       https://npmjs.com/advisories/722

# Run  npm install --save-dev css-loader@3.0.0  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Denial of Service

  Package         js-yaml

  Dependency of   css-loader [dev]

  Path            css-loader > cssnano > postcss-svgo > svgo > js-yaml

  More info       https://npmjs.com/advisories/788

  High            Code Injection

  Package         js-yaml

  Dependency of   css-loader [dev]

  Path            css-loader > cssnano > postcss-svgo > svgo > js-yaml

  More info       https://npmjs.com/advisories/813

  Critical        Command Injection

  Package         macaddress

  Dependency of   css-loader [dev]

  Path            css-loader > cssnano > postcss-filter-plugins > uniqid >
                  macaddress

  More info       https://npmjs.com/advisories/654

# Run  npm install --save-dev mocha@6.1.4  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   mocha [dev]

  Path            mocha > debug

  More info       https://npmjs.com/advisories/534

  Critical        Command Injection

  Package         growl

  Dependency of   mocha [dev]

  Path            mocha > growl

  More info       https://npmjs.com/advisories/146

# Run  npm install --save-dev easygettext@2.7.0  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype Pollution

  Package         lodash

  Dependency of   easygettext [dev]

  Path            easygettext > cheerio > lodash

  More info       https://npmjs.com/advisories/782

  Low             Prototype Pollution

  Package         lodash

  Dependency of   easygettext [dev]

  Path            easygettext > cheerio > lodash

  More info       https://npmjs.com/advisories/577

  Low             Regular Expression Denial of Service

  Package         clean-css

  Dependency of   easygettext [dev]

  Path            easygettext > jade > clean-css

  More info       https://npmjs.com/advisories/785

  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Dependency of   easygettext [dev]

  Path            easygettext > jade > transformers > uglify-js

  More info       https://npmjs.com/advisories/39

  Low             Regular Expression Denial of Service

  Package         uglify-js

  Dependency of   easygettext [dev]

  Path            easygettext > jade > transformers > uglify-js

  More info       https://npmjs.com/advisories/48

# Run  npm install --save-dev webpack@4.34.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service

  Package         braces

  Dependency of   webpack [dev]

  Path            webpack > watchpack > chokidar > anymatch > micromatch >
                  braces

  More info       https://npmjs.com/advisories/786

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Regular Expression Denial of Service

  Package         braces

  Patched in      >=2.3.1

  Dependency of   rollup-watch [dev]

  Path            rollup-watch > chokidar > anymatch > micromatch > braces

  More info       https://npmjs.com/advisories/786

found 50 vulnerabilities (13 low, 19 moderate, 16 high, 2 critical) in 7295 scanned packages
  49 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

kemar commented 5 years ago

Thanx for the reminder and the PR.

I updated other dependencies too (https://github.com/Polyconseil/vue-gettext/commit/9ffb32b5ee5285012b0372c43731f119f17c9700 and https://github.com/Polyconseil/vue-gettext/commit/5ab6d1cb0e3639370bf3360143d92d9af3ba1518).

Note that these are only dev dependencies.