chrvadala / node-ble

Bluetooth Low Energy (BLE) library written with pure Node.js (no bindings) - backed by BlueZ via DBus
https://www.npmjs.com/package/node-ble
MIT License
310 stars, 45 forks

Moderate severity vulnerabilities found #64

Open Raffone17 opened 6 months ago

Raffone17 commented 6 months ago

Got alerts from npm audit about 7 moderate severity vulnerabilities when using this package:

```
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  node-gyp  <=7.1.2
  Depends on vulnerable versions of request
  node_modules/node-gyp
    usocket  0.2.2 - 0.3.0
    Depends on vulnerable versions of node-gyp
    node_modules/usocket
      dbus-next  *
      Depends on vulnerable versions of usocket
      Depends on vulnerable versions of xml2js
      node_modules/dbus-next
        node-ble  >=0.0.2
        Depends on vulnerable versions of dbus-next
        node_modules/node-ble

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js

7 moderate severity vulnerabilities
```