bryntum / support

An issues-only repository for the Bryntum project management component suite which includes powerful Grid, Scheduler, Calendar, Kanban Task Board and Gantt chart components all built in pure JS / CSS / TypeScript
https://www.bryntum.com

Fix export server npm audit errors #3756

Open bmblb opened 2 years ago

bmblb commented 2 years ago

Reported in email. There are a few errors with the server:

Grid\examples\_shared\server>npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Creation/Overwrite on Windows via
                  insufficient relative path sanitization

  Package         tar

  Patched in      >=4.4.18

  Dependency of   hummus

  Path            hummus > node-pre-gyp > tar

  More info       https://github.com/advisories/GHSA-5955-9wpr-37jh

  High            Arbitrary File Creation/Overwrite via insufficient symlink
                  protection due to directory cache poisoning using symbolic
                  links

  Package         tar

  Patched in      >=4.4.18

  Dependency of   hummus

  Path            hummus > node-pre-gyp > tar

  More info       https://github.com/advisories/GHSA-qq89-hq3f-393p

  High            Arbitrary File Creation/Overwrite via insufficient symlink
                  protection due to directory cache poisoning using symbolic
                  links

  Package         tar

  Patched in      >=4.4.16

  Dependency of   hummus

  Path            hummus > node-pre-gyp > tar

  More info       https://github.com/advisories/GHSA-9r2w-394v-53qc

  High            Arbitrary File Creation/Overwrite due to insufficient
                  absolute path sanitization

  Package         tar

  Patched in      >=4.4.14

  Dependency of   hummus

  Path            hummus > node-pre-gyp > tar

  More info       https://github.com/advisories/GHSA-3jfq-g458-7qm9

  High            Arbitrary File Creation/Overwrite via insufficient symlink
                  protection due to directory cache poisoning

  Package         tar

  Patched in      >=4.4.15

  Dependency of   hummus

  Path            hummus > node-pre-gyp > tar

  More info       https://github.com/advisories/GHSA-r628-mhmh-qjhw

  High            Prototype Pollution

  Package         ini

  Patched in      >=1.3.6

  Dependency of   hummus

  Path            hummus > node-pre-gyp > rc > ini

  More info       https://github.com/advisories/GHSA-qqgx-2p2h-9c37

  Moderate        Uncontrolled resource consumption in jpeg-js

  Package         jpeg-js

  Patched in      >=0.4.0

  Dependency of   merge-img

  Path            merge-img > jimp > jpeg-js

  More info       https://github.com/advisories/GHSA-w7q9-p3jq-fmhm

  High            Regular expression denial of service in url-regex

  Package         url-regex

  Patched in      No patch available

  Dependency of   merge-img

  Path            merge-img > jimp > url-regex

  More info       https://github.com/advisories/GHSA-v4rh-8p82-6h5w

found 8 vulnerabilities (1 moderate, 7 high) in 454 scanned packages
  8 vulnerabilities require manual review. See the full report for details.

They cannot be fixed automatically; we probably need to replace some packages. hummus doesn't look supported any longer, which could be a problem.
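Added example, not code from the issue or from Bryntum: a small Node.js script that parses the legacy (npm 6) text report shown above, groups each finding under the top-level dependency that pulls it in, flags findings with no patch available, and returns a pass/fail decision that a CI step could act on. The sample report is constructed from four of the entries posted above (blank lines dropped; the parser skips them anyway), and the `parseAuditReport`, `summarize` and `shouldFailBuild` names are the example's own.

```javascript
// Constructed sample: four findings trimmed from the npm 6 text report in the issue.
const SAMPLE_REPORT = `
  High            Arbitrary File Creation/Overwrite on Windows via
                  insufficient relative path sanitization
  Package         tar
  Patched in      >=4.4.18
  Dependency of   hummus
  Path            hummus > node-pre-gyp > tar
  More info       https://github.com/advisories/GHSA-5955-9wpr-37jh
  High            Prototype Pollution
  Package         ini
  Patched in      >=1.3.6
  Dependency of   hummus
  Path            hummus > node-pre-gyp > rc > ini
  More info       https://github.com/advisories/GHSA-qqgx-2p2h-9c37
  Moderate        Uncontrolled resource consumption in jpeg-js
  Package         jpeg-js
  Patched in      >=0.4.0
  Dependency of   merge-img
  Path            merge-img > jimp > jpeg-js
  More info       https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
  High            Regular expression denial of service in url-regex
  Package         url-regex
  Patched in      No patch available
  Dependency of   merge-img
  Path            merge-img > jimp > url-regex
  More info       https://github.com/advisories/GHSA-v4rh-8p82-6h5w
found 4 vulnerabilities (1 moderate, 3 high) in 454 scanned packages
`;

// A finding opens with a severity word followed by two or more spaces and a title.
const SEVERITY_RE = /^(Critical|High|Moderate|Low)\s{2,}(.+)$/;
// Field rows use the same label/value layout with the labels the CLI prints.
const FIELD_RE = /^(Package|Patched in|Dependency of|Path|More info)\s{2,}(.+)$/;
const FIELD_KEYS = { 'Package': 'package', 'Patched in': 'patchedIn',
  'Dependency of': 'dependencyOf', 'Path': 'path', 'More info': 'moreInfo' };

// Parse the text report into an array of finding objects.
function parseAuditReport(text) {
  const findings = [];
  let current = null;  // finding currently being filled in
  let lastKey = null;  // field that a wrapped continuation line belongs to
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (/^found \d+ vulnerabilit/.test(line)) break;  // summary line ends the list
    let m = SEVERITY_RE.exec(line);
    if (m) {
      current = { severity: m[1].toLowerCase(), title: m[2], package: null,
        patchedIn: null, dependencyOf: null, path: [], advisory: null, moreInfo: null };
      findings.push(current);
      lastKey = 'title';
      continue;
    }
    if (!current) continue;  // banner lines before the first finding
    m = FIELD_RE.exec(line);
    if (m) {
      const key = FIELD_KEYS[m[1]];
      if (key === 'path') current.path = m[2].split('>').map(s => s.trim());
      else current[key] = m[2];
      if (key === 'moreInfo') {  // pull the GHSA id out of the advisory URL
        const id = /GHSA-[\w-]+/.exec(m[2]);
        current.advisory = id ? id[0] : null;
      }
      lastKey = key;
      continue;
    }
    // Anything else is a wrapped continuation of the previous text field.
    if (typeof current[lastKey] === 'string') current[lastKey] += ' ' + line;
  }
  return findings;
}

// Count by severity, group affected packages by top-level dependency, list unpatched ones.
function summarize(findings) {
  const bySeverity = {};
  const deps = new Map();
  for (const f of findings) {
    bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
    const top = f.dependencyOf || f.path[0];
    if (!deps.has(top)) deps.set(top, new Set());
    deps.get(top).add(f.package);
  }
  const byDependency = Object.fromEntries([...deps].map(([k, v]) => [k, [...v].sort()]));
  const unpatched = findings.filter(f => /^no patch/i.test(f.patchedIn || '')).map(f => f.package);
  return { bySeverity, byDependency, unpatched };
}

// CI gate: fail when any finding is at a severity in failOn.
function shouldFailBuild(findings, failOn = ['critical', 'high']) {
  return findings.some(f => failOn.includes(f.severity));
}

function report(text) {
  const findings = parseAuditReport(text);
  return { findings, summary: summarize(findings), fail: shouldFailBuild(findings) };
}

console.log(JSON.stringify(report(SAMPLE_REPORT).summary, null, 2));
```

For the report above, the grouping shows the practical shape of the problem: every `tar` and `ini` advisory comes in through `hummus > node-pre-gyp`, and both `merge-img` findings through `jimp`, so replacing those two direct dependencies clears all eight entries, while `url-regex` has no patched version at all and can only be removed, not upgraded. The text layout is specific to npm 6; for automation on newer npm, parse `npm audit --json` instead, since its structure differs from this report.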

bmblb commented 2 years ago

https://github.com/preco21/merge-img/issues/15