coinbase / coinbase-commerce-node

Coinbase Commerce Node
MIT License
147 stars 54 forks

can you fix security issues? thanks #82

Open epubreader opened 1 year ago

epubreader commented 1 year ago

Debugger attached.

npm audit report

lodash  <=4.17.20
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
No fix available
node_modules/coinbase-commerce-node/node_modules/lodash
  coinbase-commerce-node  *
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of request
  node_modules/coinbase-commerce-node

qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via npm audit fix
node_modules/request/node_modules/qs

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix
node_modules/request

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@npmcli/fs/node_modules/semver

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix
node_modules/tough-cookie

6 vulnerabilities (3 moderate, 3 high)

To address issues that do not require attention, run: npm audit fix

Some issues need review, and may require choosing a different dependency.
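The report above mixes findings that `npm audit fix` resolves with ones it cannot (the nested lodash copy under coinbase-commerce-node, and coinbase-commerce-node itself). The script below is an added example, not code from the issue or from the coinbase-commerce-node project: it triages an `npm audit --json` (auditReportVersion 2) report offline, separating fixable findings from those needing a decision, following `via` chains back to the GHSA advisories, and listing the transitive, unfixable packages that a package.json `overrides` entry could pin. `SAMPLE_REPORT` is constructed by hand to mirror the findings pasted above; the field names are npm's, but cvss/cwe fields are omitted because the issue does not show them, and `effects` is only populated where the pasted output says "Depends on vulnerable versions of".

```javascript
// Constructed sample mirroring the issue's audit output (not real npm output).
const adv = (title, id, severity, range) => ({
  title, url: `https://github.com/advisories/${id}`, severity, range,
});

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: false, range: "<=4.17.20",
      via: [
        adv("Prototype Pollution in lodash", "GHSA-p6mc-m468-83gw", "high", "<=4.17.20"),
        adv("Command Injection in lodash", "GHSA-35jh-r3h4-6jhm", "high", "<=4.17.20"),
        adv("Regular Expression Denial of Service (ReDoS) in lodash", "GHSA-29mw-wpgm-hmr9", "moderate", "<=4.17.20"),
      ],
      effects: ["coinbase-commerce-node"],
      nodes: ["node_modules/coinbase-commerce-node/node_modules/lodash"],
      fixAvailable: false,
    },
    "coinbase-commerce-node": {
      name: "coinbase-commerce-node", severity: "high", isDirect: true, range: "*",
      via: ["lodash", "request"], effects: [],
      nodes: ["node_modules/coinbase-commerce-node"], fixAvailable: false,
    },
    qs: {
      name: "qs", severity: "high", isDirect: false, range: "6.5.0 - 6.5.2",
      via: [adv("qs vulnerable to Prototype Pollution", "GHSA-hrpp-h998-j3pp", "high", "6.5.0 - 6.5.2")],
      effects: [], nodes: ["node_modules/request/node_modules/qs"], fixAvailable: true,
    },
    request: {
      name: "request", severity: "moderate", isDirect: false, range: "*",
      via: [adv("Server-Side Request Forgery in Request", "GHSA-p8p7-x288-28g6", "moderate", "*"), "tough-cookie"],
      effects: ["coinbase-commerce-node"], nodes: ["node_modules/request"], fixAvailable: true,
    },
    semver: {
      name: "semver", severity: "moderate", isDirect: false, range: "7.0.0 - 7.5.1",
      via: [adv("semver vulnerable to Regular Expression Denial of Service", "GHSA-c2qf-rxjj-qqgw", "moderate", "7.0.0 - 7.5.1")],
      effects: [], nodes: ["node_modules/@npmcli/fs/node_modules/semver"], fixAvailable: true,
    },
    "tough-cookie": {
      name: "tough-cookie", severity: "moderate", isDirect: false, range: "<4.1.3",
      via: [adv("tough-cookie Prototype Pollution vulnerability", "GHSA-72xf-g2v4-qvf3", "moderate", "<4.1.3")],
      effects: ["request"], nodes: ["node_modules/tough-cookie"], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 3, high: 3, critical: 0, total: 6 } },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Follow `via` entries that are bare package names down to the entries that
// carry a GHSA URL, so a finding on a dependent such as coinbase-commerce-node
// reports the lodash/request/tough-cookie advisories behind it.
function rootAdvisories(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  return entry.via.flatMap((v) =>
    typeof v === "string"
      ? rootAdvisories(report, v, seen)
      : [{ package: name, url: v.url, severity: v.severity }]);
}

// Split findings into what `npm audit fix` resolves and what needs a human
// decision (override, replacement, or accepted risk), highest severity first.
// `fixAvailable` is a boolean or an object describing a semver-major bump,
// so its truthiness is what matters.
function triage(report) {
  const fixable = [];
  const needsReview = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    const row = {
      name: entry.name,
      severity: entry.severity,
      range: entry.range,
      direct: entry.isDirect,
      path: entry.nodes[0],
      breaks: entry.effects, // dependents that are vulnerable only because of this package
      advisories: [...new Set(rootAdvisories(report, entry.name).map((a) => a.url))],
    };
    (entry.fixAvailable ? fixable : needsReview).push(row);
  }
  const bySeverity = (a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity];
  return { fixable: fixable.sort(bySeverity), needsReview: needsReview.sort(bySeverity) };
}

// Transitive findings with no fix available are the ones a package.json
// `overrides` entry (npm >= 8.3) can pin to a patched version, keyed by the
// direct dependency that pulls them in.
function overrideCandidates(report) {
  const out = {};
  for (const entry of Object.values(report.vulnerabilities)) {
    if (entry.isDirect || entry.fixAvailable) continue;
    for (const parent of entry.effects) (out[parent] || (out[parent] = [])).push(entry.name);
  }
  return out;
}

// Check that the "N vulnerabilities (x moderate, y high)" summary matches the
// per-package listing, which is how a truncated paste is caught.
function summaryMatches(report) {
  const counts = {};
  for (const e of Object.values(report.vulnerabilities)) counts[e.severity] = (counts[e.severity] || 0) + 1;
  const meta = report.metadata.vulnerabilities;
  return Object.keys(SEVERITY_RANK).every((s) => (meta[s] || 0) === (counts[s] || 0))
    && meta.total === Object.keys(report.vulnerabilities).length;
}

const triaged = triage(SAMPLE_REPORT);
for (const r of triaged.needsReview) console.log(`REVIEW  ${r.severity.padEnd(8)} ${r.name} ${r.range}  ${r.path}`);
for (const r of triaged.fixable) console.log(`FIXABLE ${r.severity.padEnd(8)} ${r.name} ${r.range}  ${r.path}`);
console.log("override candidates:", JSON.stringify(overrideCandidates(SAMPLE_REPORT)));
console.log("summary consistent:", summaryMatches(SAMPLE_REPORT));
```

To run it against a real tree, replace `SAMPLE_REPORT` with `JSON.parse` of the output of `npm audit --json`. The override candidates it reports here are exactly the nested lodash under coinbase-commerce-node; an override only changes which lodash version is installed under that package, it does not clear the finding on coinbase-commerce-node itself, which stays until the project drops or upgrades its `request` dependency.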

shankiflang commented 4 months ago

Yes please