High severity vulnerabilities are flagged when installing via npm.
Steps to reproduce
Install leonardo-contrast-colors
$ npm i @adobe/leonardo-contrast-colors
added 6 packages, and audited 454 packages in 5s
4 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
$ npm audit fix
up to date, audited 454 packages in 6s
npm audit report
mout <=1.2.3
Severity: high
Prototype Pollution in mout - https://github.com/advisories/GHSA-pc58-wgmc-hfjr
Prototype Pollution in mout - https://github.com/advisories/GHSA-vvv8-xw5f-3f88
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/mout
ciebase >=0.1.1
Depends on vulnerable versions of mout
node_modules/ciebase
@adobe/leonardo-contrast-colors *
Depends on vulnerable versions of ciebase
node_modules/@adobe/leonardo-contrast-colors
ciecam02 >=0.4.6
Depends on vulnerable versions of mout
node_modules/ciecam02
Expected behavior
Zero vulnerabilities
Leonardo package and version
@leonardo-contrast-colors version: 1.0.0-alpha.17