Closed AvvariSreedhar closed 7 months ago
Hello, in the latest version (4.1.2), 2 CVEs were reported related to the dependencies on semver and minimist; more details are added below.
- minimist - 1.2.5 - CVE-2021-44906 - CVSS Score: 9.8 - Fixed by version: 1.2.6 - CVE Link: [here](https://nvd.nist.gov/vuln/detail/CVE-2021-44906) - Severity: CRITICAL_VULNERABILITY_SEVERITY
- semver - 7.3.8 - CVE-2022-25883 - CVSS Score: 7.5 - Fixed by version: 7.5.2 - CVE Link: [here](https://nvd.nist.gov/vuln/detail/CVE-2022-25883) - Severity: IMPORTANT_VULNERABILITY_SEVERITY
```
+-- msnodesqlv8@4.1.2
| +-- nan@2.18.0
| +-- node-abi@3.51.0
| | `-- semver@7.3.8
| |   `-- lru-cache@6.0.0 deduped
| `-- prebuild-install@7.1.1
|   +-- detect-libc@2.0.1
|   +-- expand-template@2.0.3
|   +-- github-from-package@0.0.0
|   +-- minimist@1.2.5
|   +-- mkdirp-classic@0.5.3
|   +-- napi-build-utils@1.0.2
|   +-- node-abi@3.51.0 deduped
|   +-- pump@3.0.0
|   | +-- end-of-stream@1.4.4
|   | | `-- once@1.4.0 deduped
|   | `-- once@1.4.0
|   |   `-- wrappy@1.0.2
|   +-- rc@1.2.8
|   | +-- deep-extend@0.6.0
|   | +-- ini@1.3.8
|   | +-- minimist@1.2.5 deduped
|   | `-- strip-json-comments@2.0.1
|   +-- simple-get@4.0.1
|   | +-- decompress-response@6.0.0
|   | | `-- mimic-response@3.1.0
|   | +-- once@1.4.0 deduped
|   | `-- simple-concat@1.0.1
|   +-- tar-fs@2.1.1
|   | +-- chownr@1.1.4
|   | +-- mkdirp-classic@0.5.3 deduped
|   | +-- pump@3.0.0 deduped
|   | `-- tar-stream@2.2.0
|   |   +-- bl@4.1.0
|   |   | +-- buffer@5.7.1
|   |   | | +-- base64-js@1.3.1 deduped
|   |   | | `-- ieee754@1.1.13 deduped
|   |   | +-- inherits@2.0.4 deduped
|   |   | `-- readable-stream@3.6.1 deduped
|   |   +-- end-of-stream@1.4.4 deduped
|   |   +-- fs-constants@1.0.0
|   |   +-- inherits@2.0.4 deduped
|   |   `-- readable-stream@3.6.1
|   |     +-- inherits@2.0.4 deduped
|   |     +-- string_decoder@1.1.1 deduped
|   |     `-- util-deprecate@1.0.2 deduped
|   `-- tunnel-agent@0.6.0 deduped
```
Can you please take a look and let us know how to remedy the reported CVEs (CVE-2021-44906, CVE-2022-25883)?
node-abi can probably be removed from msnodesqlv8, as it's included by prebuild-install. Even then, the vulnerability will still be there when we remove it from msnodesqlv8.
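To check whether a project's lock file still pulls in the two advisories from this issue, and to derive the `overrides` stanza that forces the fixed versions, here is an added example (not code from the msnodesqlv8 project); the `SAMPLE_LOCK` fragment is constructed to mirror the tree above, and the package/version data comes from the advisory lines in the report.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3 "packages" map)
// for the advisories listed in this issue, then emit an "overrides" stanza.
const FIXED = {               // fixed-by versions from the issue's advisory list
  minimist: { cve: 'CVE-2021-44906', fixed: '1.2.6' },
  semver:   { cve: 'CVE-2022-25883', fixed: '7.5.2' },
};

// Compare dotted numeric versions; returns <0, 0 or >0. Prerelease tags ignored.
function cmpVersion(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Each key is the package's node_modules path, so the segment after the last
// "node_modules/" is the package name (scoped names keep their "@scope/").
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue;                      // "" is the root project itself
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    const adv = FIXED[name];
    if (adv && cmpVersion(meta.version, adv.fixed) < 0) {
      hits.push({ path, name, version: meta.version, cve: adv.cve, fixed: adv.fixed });
    }
  }
  return hits;
}

// package.json "overrides" entries that force every hit up to its fixed version.
function overridesFor(hits) {
  const o = {};
  for (const h of hits) o[h.name] = `>=${h.fixed}`;
  return o;
}

// Constructed lock fragment mirroring the npm ls tree in this issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/msnodesqlv8': { version: '4.1.2' },
    'node_modules/node-abi': { version: '3.51.0' },
    'node_modules/node-abi/node_modules/semver': { version: '7.3.8' },
    'node_modules/minimist': { version: '1.2.5' },
    'node_modules/ini': { version: '1.3.8' },
  },
};
```

Run it against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; after adding the returned `overrides` to package.json and reinstalling, `findVulnerable` should return an empty list.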