Open mma3069 opened 2 years ago
If you install using npm install --no-optional, some of the vulnerabilities go away.
Also, as per https://github.com/SOHU-Co/kafka-node/issues/1445, maybe the repo is not maintained, and so maybe it's time to move out... dunno, but the suggestion seems to be kafkajs. I also read: https://github.com/tulios/kafkajs/issues/289
Hi Team, as part of security and vulnerability checking we downloaded the code and ran npm audit:
We found 27 vulnerabilities (high, critical and moderate). Please find the logs below. As part of our internal audit fix, we have modified snappy to dependency version 7.1.1 (we also moved it from an optional dependency to a regular dependency). We are running the latest Node version, 16.13.0 LTS. We request you to kindly fix all vulnerabilities and release the latest version of kafka-node.
PS C:\Users\mma3069\webStormWorkspace\kafka-node> npm audit
npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install eslint@8.8.0, which is a breaking change
node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/strip-ansi
  node_modules/table/node_modules/strip-ansi
    eslint  4.5.0 - 7.15.0
    Depends on vulnerable versions of inquirer
    Depends on vulnerable versions of strip-ansi
    Depends on vulnerable versions of table
    node_modules/eslint
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width
    node_modules/table/node_modules/string-width
    table  4.0.2 - 5.4.6
    Depends on vulnerable versions of string-width
    node_modules/table

cryptiles  <=4.1.1
Severity: critical
Insufficient Entropy in cryptiles - https://github.com/advisories/GHSA-rq8g-5pc5-wrhr
Depends on vulnerable versions of boom
fix available via `npm audit fix --force`
Will install coveralls@3.1.1, which is a breaking change
node_modules/cryptiles
  hawk  0.0.6 - 6.0.2
  Depends on vulnerable versions of boom
  Depends on vulnerable versions of cryptiles
  Depends on vulnerable versions of hoek
  Depends on vulnerable versions of sntp
  node_modules/hawk
    request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
    Depends on vulnerable versions of hawk
    Depends on vulnerable versions of tunnel-agent
    node_modules/request
      coveralls  <=2.13.3
      Depends on vulnerable versions of js-yaml
      Depends on vulnerable versions of minimist
      Depends on vulnerable versions of request
      node_modules/coveralls

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install mocha@9.2.0, which is a breaking change
node_modules/mocha/node_modules/debug
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

diff  <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-h6ch-v84p-w6p9
fix available via `npm audit fix --force`
Will install mocha@9.2.0, which is a breaking change
node_modules/diff
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

growl  <1.10.0
Severity: critical
Command Injection in growl - https://github.com/advisories/GHSA-qh2h-chj9-jffq
fix available via `npm audit fix --force`
Will install mocha@9.2.0, which is a breaking change
node_modules/growl
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

hoek  <4.2.1
Severity: moderate
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
fix available via `npm audit fix --force`
Will install coveralls@3.1.1, which is a breaking change
node_modules/hoek
  boom  <=3.1.2
  Depends on vulnerable versions of hoek
  node_modules/boom
    cryptiles  <=4.1.1
    Depends on vulnerable versions of boom
    node_modules/cryptiles
      hawk  0.0.6 - 6.0.2
      Depends on vulnerable versions of boom
      Depends on vulnerable versions of cryptiles
      Depends on vulnerable versions of hoek
      Depends on vulnerable versions of sntp
      node_modules/hawk
        request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
        Depends on vulnerable versions of hawk
        Depends on vulnerable versions of tunnel-agent
        node_modules/request
          coveralls  <=2.13.3
          Depends on vulnerable versions of js-yaml
          Depends on vulnerable versions of minimist
          Depends on vulnerable versions of request
          node_modules/coveralls
  sntp  0.0.0 || 0.1.1 - 2.0.0
  Depends on vulnerable versions of hoek
  node_modules/sntp

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix --force`
Will install coveralls@3.1.1, which is a breaking change
node_modules/js-yaml
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls

minimist  >=1.0.0 <1.2.3 || <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install coveralls@3.1.1, which is a breaking change
node_modules/minimist
node_modules/mocha/node_modules/minimist
node_modules/optimist/node_modules/minimist
  coveralls  <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mocha/node_modules/mkdirp
    mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of diff
    Depends on vulnerable versions of growl
    Depends on vulnerable versions of mkdirp
    node_modules/mocha
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix`
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @textlint/markdown-to-ast  6.0.8 - 6.3.5
    Depends on vulnerable versions of remark-parse
    node_modules/@textlint/markdown-to-ast
      doctoc  >=1.3.0
      Depends on vulnerable versions of @textlint/markdown-to-ast
      Depends on vulnerable versions of underscore
      node_modules/doctoc

tunnel-agent  <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via `npm audit fix --force`
Will install coveralls@3.1.1, which is a breaking change
node_modules/tunnel-agent
  request  2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
    coveralls  <=2.13.3
    Depends on vulnerable versions of js-yaml
    Depends on vulnerable versions of minimist
    Depends on vulnerable versions of request
    node_modules/coveralls

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/underscore
  doctoc  >=1.3.0
  Depends on vulnerable versions of @textlint/markdown-to-ast
  Depends on vulnerable versions of underscore
  node_modules/doctoc

27 vulnerabilities (1 low, 14 moderate, 7 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force