bchatard / alfred-jetbrains

Alfred5 workflow to easily open your projects with your favorite JetBrains product.
MIT License
620 stars, 49 forks

npm audit report #242

Closed shawnbutts closed 1 year ago

shawnbutts commented 2 years ago

Describe the bug

npm audit report

xmldom  *
Severity: moderate
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install alfy@0.4.0, which is a breaking change
node_modules/xmldom
  plist  0.3.2 - 3.0.1
  Depends on vulnerable versions of xmldom
  node_modules/alfred-link/node_modules/plist
  node_modules/alfred-notifier/node_modules/plist
    alfred-link  *
    Depends on vulnerable versions of plist
    node_modules/alfred-link
      alfy  >=0.5.0
      Depends on vulnerable versions of alfred-link
      node_modules/alfy
    alfred-notifier  *
    Depends on vulnerable versions of plist
    node_modules/alfred-notifier

5 vulnerabilities (4 low, 1 moderate)

To Reproduce

Steps to reproduce the behavior:

  1. run npm audit
  2. See output

Expected behavior

No vulnerabilities reported

bchatard commented 2 years ago

hi,

yes, it's a known vulnerability, but since it's a dependency of a dependency I'm not comfortable with potential side effects. If I'm right, the Alfred modules (alfy, alfred-link & alfred-notifier) should bump plist to v3. alfred-link & alfred-notifier seem abandoned...
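For a consumer who does not want to wait on alfy, alfred-link or alfred-notifier, npm's `overrides` field (supported since npm 8.3) can force the nested plist copies that the audit lists under node_modules/alfred-link and node_modules/alfred-notifier up to a release outside the flagged range. The following package.json fragment is an added example, not the project's own manifest or anything from this thread; the `name` and `version` values are placeholders, and the plist lower bound `3.0.2` is an assumption derived only from the audit output above (plist 0.3.2 - 3.0.1 is flagged, so 3.0.2 is the first version past that range). Only the `overrides` block matters.

```json
{
  "name": "example-alfred-workflow",
  "version": "0.0.0",
  "description": "Example only: pins the transitive plist copies pulled in via alfy, alfred-link and alfred-notifier",
  "dependencies": {
    "alfy": "^0.11.0"
  },
  "overrides": {
    "alfred-link": {
      "plist": ">=3.0.2"
    },
    "alfred-notifier": {
      "plist": ">=3.0.2"
    }
  }
}
```

After `npm install`, confirm the change with `npm ls xmldom` (the unscoped package should no longer appear in the tree) and re-run `npm audit`. An override only swaps the version that gets installed; it does not establish that alfred-link or alfred-notifier actually work with plist 3, which is exactly the side-effect risk the maintainer raises above, so exercise the workflow's install and notification paths before shipping.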

bchatard commented 1 year ago

no more npm dependencies