audreyt / ethercalc

Node.js port of Multi-user SocialCalc
https://ethercalc.net

Vulnerable Dependencies #644

Open Perflyst opened 6 years ago

Perflyst commented 6 years ago

We had the same issue with etherpad. See https://github.com/ether/etherpad-lite/issues/3397

There are a lot of vulnerabilities found in the used packages.

added 498 packages from 451 contributors and audited 1084 packages in 11.898s
found 72 vulnerabilities (29 low, 23 moderate, 19 high, 1 critical)
=== npm audit security report ===                        

# Run  npm install zappajs@6.5.0  to resolve 65 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > compression > debug             

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > connect-timeout > debug         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > debug                           

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > express-session > debug         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > finalhandler > debug            

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > method-override > debug         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send > debug     

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > debug                                     

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > send > debug                              

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > debug                                   

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-adapter > debug               

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-adapter > socket.io-parser >  
                  debug                                                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > debug                

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client >   
                  debug                                                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > socket.io-parser >   
                  debug                                                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-parser > debug                

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > engine.io > debug                       

  More info       https://nodesecurity.io/advisories/534                        

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > compression > debug > ms        

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > connect-timeout > debug > ms    

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > connect-timeout > ms            

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > debug > ms                      

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > express-session > debug > ms    

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > finalhandler > debug > ms       

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > method-override > debug > ms    

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send > debug >   
                  ms                                                            

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send > ms        

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > debug > ms                                

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > send > debug > ms                         

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > express > send > ms                                 

  More info       https://nodesecurity.io/advisories/46                         

  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  

  Package         uglify-js                                                     

  Dependency of   zappajs                                                       

  Path            zappajs > coffeecup > uglify-js                               

  More info       https://nodesecurity.io/advisories/39                         

  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  

  Package         uglify-js                                                     

  Dependency of   zappajs                                                       

  Path            zappajs > uglify-js                                           

  More info       https://nodesecurity.io/advisories/39                         

  Low             Regular Expression Denial of Service                          

  Package         uglify-js                                                     

  Dependency of   zappajs                                                       

  Path            zappajs > coffeecup > uglify-js                               

  More info       https://nodesecurity.io/advisories/48                         

  Low             Regular Expression Denial of Service                          

  Package         uglify-js                                                     

  Dependency of   zappajs                                                       

  Path            zappajs > uglify-js                                           

  More info       https://nodesecurity.io/advisories/48                         

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > compression > accepts >         
                  negotiator                                                    

  More info       https://nodesecurity.io/advisories/106                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > errorhandler > accepts >        
                  negotiator                                                    

  More info       https://nodesecurity.io/advisories/106                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-index > accepts >         
                  negotiator                                                    

  More info       https://nodesecurity.io/advisories/106                        

  Moderate        Timing Attack                                                 

  Package         cookie-signature                                              

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > cookie-parser >                 
                  cookie-signature                                              

  More info       https://nodesecurity.io/advisories/134                        

  Moderate        Timing Attack                                                 

  Package         cookie-signature                                              

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > cookie-signature                

  More info       https://nodesecurity.io/advisories/134                        

  Moderate        Timing Attack                                                 

  Package         cookie-signature                                              

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > csurf > cookie-signature        

  More info       https://nodesecurity.io/advisories/134                        

  Moderate        Timing Attack                                                 

  Package         cookie-signature                                              

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > express-session >               
                  cookie-signature                                              

  More info       https://nodesecurity.io/advisories/134                        

  Moderate        Timing Attack                                                 

  Package         cookie-signature                                              

  Dependency of   zappajs                                                       

  Path            zappajs > express > cookie-signature                          

  More info       https://nodesecurity.io/advisories/134                        

  High            Out-of-bounds Read                                            

  Package         base64-url                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > csurf > csrf > base64-url       

  More info       https://nodesecurity.io/advisories/660                        

  High            Out-of-bounds Read                                            

  Package         base64-url                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > csurf > csrf > uid-safe >       
                  base64-url                                                    

  More info       https://nodesecurity.io/advisories/660                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > fresh                           

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-favicon > fresh           

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send > fresh     

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > fresh                                     

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   zappajs                                                       

  Path            zappajs > express > send > fresh                              

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         method-override                                               

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > method-override                 

  More info       https://nodesecurity.io/advisories/538                        

  Moderate        Cross-Site Scripting                                          

  Package         serve-index                                                   

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-index                     

  More info       https://nodesecurity.io/advisories/34                         

  Low             Open Redirect                                                 

  Package         serve-static                                                  

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static                    

  More info       https://nodesecurity.io/advisories/35                         

  Low             Directory Traversal                                           

  Package         send                                                          

  Dependency of   zappajs                                                       

  Path            zappajs > express > send                                      

  More info       https://nodesecurity.io/advisories/32                         

  Low             Root Path Disclosure                                          

  Package         send                                                          

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send             

  More info       https://nodesecurity.io/advisories/56                         

  Low             Root Path Disclosure                                          

  Package         send                                                          

  Dependency of   zappajs                                                       

  Path            zappajs > express > send                                      

  More info       https://nodesecurity.io/advisories/56                         

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > serve-static > send > mime      

  More info       https://nodesecurity.io/advisories/535                        

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Dependency of   zappajs                                                       

  Path            zappajs > express > send > mime                               

  More info       https://nodesecurity.io/advisories/535                        

  High            Denial of Service                                             

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > engine.io > ws                          

  More info       https://nodesecurity.io/advisories/550                        

  High            Denial of Service                                             

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client >   
                  ws                                                            

  More info       https://nodesecurity.io/advisories/550                        

  High            DoS due to excessively large websocket message                

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > engine.io > ws                          

  More info       https://nodesecurity.io/advisories/120                        

  High            DoS due to excessively large websocket message                

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client >   
                  ws                                                            

  More info       https://nodesecurity.io/advisories/120                        

  Low             Remote Memory Disclosure                                      

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > engine.io > ws                          

  More info       https://nodesecurity.io/advisories/67                         

  Low             Remote Memory Disclosure                                      

  Package         ws                                                            

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client >   
                  ws                                                            

  More info       https://nodesecurity.io/advisories/67                         

  Moderate        Insecure Defaults Allow MITM Over TLS                         

  Package         engine.io-client                                              

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client     

  More info       https://nodesecurity.io/advisories/99                         

  High            Regular Expression Denial of Service                          

  Package         parsejson                                                     

  Dependency of   zappajs                                                       

  Path            zappajs > socket.io > socket.io-client > engine.io-client >   
                  parsejson                                                     

  More info       https://nodesecurity.io/advisories/528                        

  High            Out-of-bounds Read                                            

  Package         base64-url                                                    

  Dependency of   zappajs                                                       

  Path            zappajs > express > connect > express-session > uid-safe >    
                  base64-url                                                    

  More info       https://nodesecurity.io/advisories/660                        

# Run  npm install superagent@3.8.3  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Dependency of   superagent                                                    

  Path            superagent > form-data > mime                                 

  More info       https://nodesecurity.io/advisories/535                        

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Dependency of   superagent                                                    

  Path            superagent > mime                                             

  More info       https://nodesecurity.io/advisories/535                        

  Low             Large gzip Denial of Service                                  

  Package         superagent                                                    

  Dependency of   superagent [dev]                                              

  Path            superagent                                                    

  More info       https://nodesecurity.io/advisories/479                        

# Run  npm install --save-dev stylus-loader@3.0.2  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   stylus-loader [dev]                                           

  Path            stylus-loader > nib > stylus > glob > minimatch               

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   stylus-loader [dev]                                           

  Path            stylus-loader > stylus > glob > minimatch                     

  More info       https://nodesecurity.io/advisories/118                        

# Run  npm install --save-dev webpack-dev-server@3.1.8  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  Critical        Command Injection                                             

  Package         open                                                          

  Dependency of   webpack-dev-server [dev]                                      

  Path            webpack-dev-server > open                                     

  More info       https://nodesecurity.io/advisories/663                        

                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           

  Low             Insecure Entropy Source - Math.random()                       

  Package         node-uuid                                                     

  Patched in      >=1.4.4                                                       

  Dependency of   zappajs                                                       

  Path            zappajs > node-uuid                                           

  More info       https://nodesecurity.io/advisories/93

eddyparkinson commented 6 years ago

Pull requests welcome.