athombv / homey-web-api-issues

This issue tracker is for Homey Developers using the Web API.

Vulnerabilities on `1.10.7` #24

Closed OlivierZal closed 1 year ago

OlivierZal commented 1 year ago

Hi,

Is it possible to upgrade the `homey-api` 1.10.7 dependencies in order to fix vulnerabilities? Otherwise `npm audit fix --force` will downgrade to 1.0.1...

Thanks!

```text
debug  <=2.6.8
Severity: high
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
debug Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-9vvw-cc9w-f27h
Depends on vulnerable versions of ms
fix available via `npm audit fix --force`
Will install homey-api@1.0.1, which is a breaking change
node_modules/engine.io-client/node_modules/debug
node_modules/socket.io-client/node_modules/debug
node_modules/socket.io-parser/node_modules/debug
  engine.io-client  <=3.1.1
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of parsejson
  node_modules/engine.io-client
    socket.io-client  1.0.0-pre - 2.1.1
    Depends on vulnerable versions of debug
    Depends on vulnerable versions of engine.io-client
    Depends on vulnerable versions of socket.io-parser
    node_modules/socket.io-client
      homey-api  >=1.0.2
      Depends on vulnerable versions of socket.io-client
      node_modules/homey-api
  socket.io-parser  <=3.3.2
  Depends on vulnerable versions of debug
  node_modules/socket.io-parser

ms  <2.0.0
Severity: moderate
Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f
fix available via `npm audit fix --force`
Will install homey-api@1.0.1, which is a breaking change
node_modules/engine.io-client/node_modules/ms
node_modules/socket.io-client/node_modules/ms
node_modules/socket.io-parser/node_modules/ms

parsejson  *
Severity: high
Regular Expression Denial of Service in parsejson - https://github.com/advisories/GHSA-q75g-2496-mxpp
fix available via `npm audit fix --force`
Will install homey-api@1.0.1, which is a breaking change
node_modules/parsejson

7 vulnerabilities (1 moderate, 4 high, 2 critical)
```
OlivierZal commented 1 year ago

@jeroenwienk I'm closing this task since 1.10.14 has no more vulnerabilities.