SOHU-Co / kafka-node

Node.js client for Apache Kafka 0.8 and later.
MIT License

Need to Fix All vulnerabilities of Kafka-node #1460

Open mma3069 opened 2 years ago

mma3069 commented 2 years ago

Hi Team, as part of security and vulnerability checking we have downloaded the code and did npm audit:

We found 27 vulnerabilities which are high, critical and moderate in number. Please find the logs below. As part of our internal audit fix, we have modified snappy as dependency version 7.1.1 (also we moved it from optional dependency to regular dependency). We are running the latest node version 16.13.0 LTS. We request you to kindly fix all vulnerabilities and release the latest version of Kafka-node.

```
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\mma3069\webStormWorkspace\kafka-node> npm audit

npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install eslint@8.8.0, which is a breaking change
node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
  eslint  4.5.0 - 7.15.0
  Depends on vulnerable versions of inquirer
  Depends on vulnerable versions of strip-ansi
  Depends on vulnerable versions of table
  node_modules/eslint
  inquirer  3.2.0 - 7.0.4
  Depends on vulnerable versions of string-width
  Depends on vulnerable versions of strip-ansi
  node_modules/inquirer
  string-width  2.1.0 - 4.1.0
  Depends on vulnerable versions of strip-ansi
  node_modules/string-width
  node_modules/table/node_modules/string-width
  table  4.0.2 - 5.4.6
  Depends on vulnerable versions of string-width
  node_modules/table

cryptiles  <=4.1.1
Severity: critical
Insufficient Entropy in cryptiles - https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
Depends on vulnerable versions of boom
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/cryptiles
  hawk  0.0.6 - 6.0.2
  Depends on vulnerable versions of boom
  Depends on vulnerable versions of cryptiles
  Depends on vulnerable versions of hoek
  Depends on vulnerable versions of sntp
  node_modules/hawk
  request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/mocha/node_modules/debug
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

diff  <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-h6ch-v84p-w6p9
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/diff
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

growl  <1.10.0
Severity: critical
Command Injection in growl - https://github.com/advisories/GHSA-qh2h-chj9-jffq
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/growl
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

hoek  <4.2.1
Severity: moderate
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/hoek
  boom  <=3.1.2
  Depends on vulnerable versions of hoek
  node_modules/boom
  cryptiles  <=4.1.1
  Depends on vulnerable versions of boom
  node_modules/cryptiles
  hawk  0.0.6 - 6.0.2
  Depends on vulnerable versions of boom
  Depends on vulnerable versions of cryptiles
  Depends on vulnerable versions of hoek
  Depends on vulnerable versions of sntp
  node_modules/hawk
  request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls
  sntp  0.0.0 || 0.1.1 - 2.0.0
  Depends on vulnerable versions of hoek
  node_modules/sntp

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/js-yaml
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls

minimist  >=1.0.0 <1.2.3 || <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/minimist
node_modules/mocha/node_modules/minimist
node_modules/optimist/node_modules/minimist
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mocha/node_modules/mkdirp
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via npm audit fix
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
  @textlint/markdown-to-ast  6.0.8 - 6.3.5
  Depends on vulnerable versions of remark-parse
  node_modules/@textlint/markdown-to-ast
  doctoc  >=1.3.0
  Depends on vulnerable versions of @textlint/markdown-to-ast
  Depends on vulnerable versions of underscore
  node_modules/doctoc

tunnel-agent  <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/tunnel-agent
  request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via npm audit fix
node_modules/underscore
  doctoc  >=1.3.0
  Depends on vulnerable versions of @textlint/markdown-to-ast
  Depends on vulnerable versions of underscore
  node_modules/doctoc

27 vulnerabilities (1 low, 14 moderate, 7 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```

harshagarwal00 commented 2 years ago

If you install using `npm install --no-optional`, some of the vulnerabilities go away.
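The report above and the `--no-optional` observation both come down to one triage question: which of the flagged paths actually reach a production install, and which live only behind `devDependencies` (eslint, mocha, coveralls, doctoc) or `optionalDependencies`? The following is an added example, not code from kafka-node or from anyone in this thread. It reads the `packages` map of a lockfileVersion 2/3 `package-lock.json`, where npm marks entries `dev: true`, `optional: true` or `devOptional: true`, and buckets the paths `npm audit` printed accordingly. The lockfile contents, `example-runtime-dep`, `example-optional-dep` and `not-in-lockfile` are constructed for the demo; the other paths are copied from the audit report in this issue.

```javascript
// Added example (not kafka-node code): triage npm audit findings by where each
// flagged path sits in the dependency tree. In a lockfileVersion 2/3
// package-lock.json, `packages[path]` carries `dev: true` when the package is
// reachable only through devDependencies, `optional: true` when only through
// optionalDependencies, and `devOptional: true` for both; an entry with none
// of these flags is installed in every production install.

// Constructed sample of a package-lock.json `packages` map (not the real lockfile).
const samplePackages = {
  "": { name: "example-app" },
  "node_modules/snappy": { version: "7.1.1", optional: true },
  "node_modules/mocha": { version: "6.2.2", dev: true },
  "node_modules/mocha/node_modules/debug": { version: "2.6.8", dev: true },
  "node_modules/growl": { version: "1.9.2", dev: true },
  "node_modules/coveralls": { version: "2.13.3", dev: true },
  "node_modules/minimist": { version: "1.2.0", dev: true },
  "node_modules/doctoc": { version: "1.4.0", dev: true },
  "node_modules/underscore": { version: "1.12.0", devOptional: true },
  "node_modules/example-runtime-dep": { version: "1.0.0" },            // hypothetical
  "node_modules/example-optional-dep": { version: "1.0.0", optional: true }, // hypothetical
};

// Paths as `npm audit` prints them; the first seven are from the report in this
// issue, the last three are constructed to exercise the other buckets.
const flaggedPaths = [
  "node_modules/mocha",
  "node_modules/mocha/node_modules/debug",
  "node_modules/growl",
  "node_modules/coveralls",
  "node_modules/minimist",
  "node_modules/doctoc",
  "node_modules/underscore",
  "node_modules/example-runtime-dep",
  "node_modules/example-optional-dep",
  "node_modules/not-in-lockfile",
];

// Map one flagged path to its install scope.
function classifyPath(packages, path) {
  const entry = packages[path];
  if (!entry) return "unknown";          // audit and lockfile disagree: review by hand
  if (entry.dev) return "dev";
  if (entry.optional) return "optional";
  if (entry.devOptional) return "devOptional";
  return "prod";
}

// Group every flagged path into a bucket, preserving the report's order.
function triage(packages, paths) {
  const buckets = { prod: [], optional: [], devOptional: [], dev: [], unknown: [] };
  for (const p of paths) buckets[classifyPath(packages, p)].push(p);
  return buckets;
}

// Paths that ship with `npm install` (or `npm install --no-optional`) and so
// need a fix or a documented exception; dev-only findings only matter to CI.
function needsAttention(buckets, { noOptional = false } = {}) {
  const optionalPart = noOptional ? [] : [...buckets.optional, ...buckets.devOptional];
  return [...buckets.prod, ...optionalPart, ...buckets.unknown];
}

// Stand-alone run: `node triage.js`
const result = triage(samplePackages, flaggedPaths);
for (const [bucket, paths] of Object.entries(result)) {
  console.log(`${bucket} (${paths.length}):`, paths.join(", ") || "-");
}
console.log("default install, needs attention:", needsAttention(result));
console.log("--no-optional install, needs attention:", needsAttention(result, { noOptional: true }));
```

Run against the real lockfile with `JSON.parse(fs.readFileSync("package-lock.json")).packages` in place of `samplePackages`, and feed it the `node_modules/...` lines from `npm audit`; anything that lands in `prod` is what a release actually has to fix, while the `dev` bucket is what `npm install --production` or `npm audit --omit=dev` would already leave out.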

harshagarwal00 commented 2 years ago

Also, as per https://github.com/SOHU-Co/kafka-node/issues/1445 maybe the repo is not maintained, and so maybe it's time to move out... dunno, but the suggestion seems to be kafkajs. Also I read: https://github.com/tulios/kafkajs/issues/289