blixhavn / sticky-sidebar-v2

Pure JavaScript tool for making smart and high performance sticky sidebar.
https://blixhavn.github.io/sticky-sidebar-v2/
MIT License

Critical vulnerabilities #21

Open lukasz-madon opened 2 years ago

lukasz-madon commented 2 years ago

After running `npm audit`:

```
lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/sticky-sidebar-v2/node_modules/gulp-util/node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  node_modules/sticky-sidebar-v2/node_modules/gulp-util

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/sticky-sidebar-v2/node_modules/minimist
```

BaliseSystems commented 2 years ago

@blixhavn, the npm audit report gets a lot of high severity issues. Below is the list:

```
# npm audit report

ansi-regex  4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/ansi-regex

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/sticky-sidebar-v2/node_modules/chokidar
    glob-watcher  >=3.0.0
    Depends on vulnerable versions of chokidar
    node_modules/sticky-sidebar-v2/node_modules/glob-watcher
      gulp  >=4.0.0
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of vinyl-fs
      node_modules/sticky-sidebar-v2/node_modules/gulp
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/sticky-sidebar-v2/node_modules/glob-stream
    vinyl-fs  >=2.4.2
    Depends on vulnerable versions of glob-stream
    node_modules/sticky-sidebar-v2/node_modules/vinyl-fs

lodash.template  <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/gulp-util/node_modules/lodash.template
  gulp-util  >=1.1.0
  Depends on vulnerable versions of lodash.template
  node_modules/sticky-sidebar-v2/node_modules/gulp-util

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/minimatch
  mocha  5.1.0 - 9.2.1
  Depends on vulnerable versions of minimatch
  Depends on vulnerable versions of nanoid
  node_modules/sticky-sidebar-v2/node_modules/mocha

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/minimist

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix
node_modules/sticky-sidebar-v2/node_modules/nanoid
```
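As an added example (not code from this issue or from the sticky-sidebar-v2 project), a small Node.js triage helper for the situation both comments report: every vulnerable path sits under `node_modules/sticky-sidebar-v2/node_modules/...`, so the copies were installed because that package declares them, and the fix has to land in its `package.json` (or in a consumer-side npm `overrides` entry) rather than in the consumer's own dependency list. The `SAMPLE_AUDIT` object is a constructed, trimmed report in the shape of `npm audit --json` (auditReportVersion 2); that shape and the sample values are assumptions built from the entries quoted above.

```javascript
// Added example, not code from sticky-sidebar-v2: triage `npm audit --json` output and
// attribute each finding to the top-level dependency whose own node_modules holds the
// vulnerable copy. SAMPLE_AUDIT is a constructed report in npm's auditReportVersion 2 shape (assumed).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimist: { name: "minimist", severity: "critical", range: "<1.2.6", fixAvailable: true,
      via: [{ title: "Prototype Pollution in minimist", url: "https://github.com/advisories/GHSA-xvch-5gv4-984h" }],
      nodes: ["node_modules/sticky-sidebar-v2/node_modules/minimist"] },
    "lodash.template": { name: "lodash.template", severity: "critical", range: "<4.5.0", fixAvailable: true,
      via: [{ title: "Prototype Pollution in lodash", url: "https://github.com/advisories/GHSA-jf85-cpcp-j695" }],
      nodes: ["node_modules/sticky-sidebar-v2/node_modules/gulp-util/node_modules/lodash.template"] },
    nanoid: { name: "nanoid", severity: "moderate", range: "3.0.0 - 3.1.30", fixAvailable: true,
      via: [{ title: "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", url: "https://github.com/advisories/GHSA-qrpm-p2h7-hrv2" }],
      nodes: ["node_modules/sticky-sidebar-v2/node_modules/nanoid"] },
  },
};
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Chain of packages leading to the vulnerable copy, e.g.
// "node_modules/sticky-sidebar-v2/node_modules/gulp-util/node_modules/lodash.template"
// -> ["sticky-sidebar-v2", "gulp-util", "lodash.template"]; scoped names (@scope/name) take two segments.
function packageChain(nodePath) {
  const parts = nodePath.split("/");
  const chain = [];
  for (let i = 0; i < parts.length; ) {
    if (parts[i] !== "node_modules") { i += 1; continue; }
    let name = parts[i + 1];
    if (name && name.startsWith("@") && parts[i + 2]) { name += "/" + parts[i + 2]; i += 3; } else { i += 2; }
    if (name) chain.push(name);
  }
  return chain;
}

// Findings at or above minSeverity, most severe first. A nested copy is declared by the
// dependency named in introducedBy, so the fix lands there (or in a consumer-side npm `overrides`).
function triage(report, minSeverity = "moderate") {
  const findings = [];
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (SEVERITY_RANK[vuln.severity] < SEVERITY_RANK[minSeverity]) continue;
    for (const node of vuln.nodes) {
      const chain = packageChain(node);
      findings.push({ name: vuln.name, severity: vuln.severity, range: vuln.range, fixAvailable: vuln.fixAvailable,
        advisories: vuln.via.filter((v) => typeof v === "object").map((v) => v.url),
        nested: chain.length > 1, introducedBy: chain.length > 1 ? chain[0] : vuln.name });
    }
  }
  return findings.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}
```

Run it against real output with `npm audit --json > audit.json` and `triage(JSON.parse(fs.readFileSync("audit.json")))`; findings with `nested: true` and the same `introducedBy` point at one upstream package to update.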