designsystemau / gold-design-system

GOLD Design System, previously known as the Australian Government Design System.
https://gold.designsystemau.org/
MIT License

NPM Audit for @gold.au/form - Please advise. #11

Open AtamDhillon opened 2 years ago

AtamDhillon commented 2 years ago

```
# npm audit report

postcss  7.0.0 - 7.0.35 || 8.0.0 - 8.2.9
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1693
fix available via npm audit fix --force
Will install @gold.au/form@0.1.6, which is a breaking change
node_modules/@gold.au/pancake-sass/node_modules/postcss
  @gold.au/pancake-sass  *
  Depends on vulnerable versions of postcss
  node_modules/@gold.au/pancake-sass
    @gold.au/core  >=4.0.1
    Depends on vulnerable versions of @gold.au/pancake-sass
    node_modules/@gold.au/core
      @gold.au/form  >=0.1.7
      Depends on vulnerable versions of @gold.au/core
      Depends on vulnerable versions of @gold.au/pancake-sass
      node_modules/@gold.au/form

tar  <=4.4.17 || 5.0.0 - 5.0.9 || 6.0.0 - 6.1.8
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1779
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1780
fix available via npm audit fix
node_modules/@gold.au/pancake-sass/node_modules/tar
  node-gyp  <=3.8.0
  Depends on vulnerable versions of tar
  node_modules/@gold.au/pancake-sass/node_modules/node-gyp
    node-sass  3.3.3 - 6.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of node-gyp
    node_modules/@gold.au/pancake-sass/node_modules/node-sass

trim-newlines  <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via npm audit fix
node_modules/@gold.au/pancake-sass/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/@gold.au/pancake-sass/node_modules/meow
    node-sass  3.3.3 - 6.0.0
    Depends on vulnerable versions of meow
    Depends on vulnerable versions of node-gyp
    node_modules/@gold.au/pancake-sass/node_modules/node-sass

9 vulnerabilities (4 moderate, 5 high)
```

AtamDhillon commented 2 years ago

Fixes are trying to switch back to the 0.1.6 version of the @gold.au/form package, which still appears to make references to @gov.au and crashed (currently on Node 14, install completely crashes on Node 16).
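The two comments above show the usual shape of this problem: every finding sits under one transitive dependency (`@gold.au/pancake-sass`), and the only automated fix npm offers is a semver-major downgrade of the direct dependency, which `npm audit fix --force` would apply blindly. The script below is an added example, not code from the GOLD Design System project or from the issue author. It triages an `npm audit --json` report (npm 7+, `auditReportVersion` 2): it separates root-cause packages (entries whose `via` holds advisory objects) from packages that are only vulnerable by inheritance, walks the `effects` chain up to the direct dependency, flags every finding whose `fixAvailable` is a semver-major change, and drafts a `package.json` `overrides` block (npm 8.3 and later) so the root causes can be pinned to patched releases without downgrading `@gold.au/form`. The sample report embedded in it is hand-constructed from the text of the issue, not a captured report; the patched versions in the drafted overrides are deliberate placeholders to be filled from each advisory, and the `adv` helper and all function names are this example's own.

```javascript
// Added example, not GOLD Design System code: triage an `npm audit --json`
// report (npm 7+, auditReportVersion 2) instead of running `npm audit fix --force`.

// Build one advisory object in the shape npm emits inside `via`.
function adv(source, title, severity, range) {
  return { source, name: undefined, title, severity, range,
           url: `https://npmjs.com/advisories/${source}` };
}

const TAR_RANGE = "<=4.4.17 || 5.0.0 - 5.0.9 || 6.0.0 - 6.1.8";
const FORCE_FIX = { name: "@gold.au/form", version: "0.1.6", isSemVerMajor: true };

// Constructed sample, hand-built from the issue text (severities, ranges and
// paths copied from the posted report); it is not a captured audit.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    postcss: { name: "postcss", severity: "moderate", isDirect: false,
      via: [adv(1693, "Regular Expression Denial of Service", "moderate", "7.0.0 - 7.0.35 || 8.0.0 - 8.2.9")],
      effects: ["@gold.au/pancake-sass"], range: "7.0.0 - 7.0.35 || 8.0.0 - 8.2.9",
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/postcss"], fixAvailable: FORCE_FIX },
    "@gold.au/pancake-sass": { name: "@gold.au/pancake-sass", severity: "moderate", isDirect: false,
      via: ["postcss"], effects: ["@gold.au/core", "@gold.au/form"], range: "*",
      nodes: ["node_modules/@gold.au/pancake-sass"], fixAvailable: FORCE_FIX },
    "@gold.au/core": { name: "@gold.au/core", severity: "moderate", isDirect: false,
      via: ["@gold.au/pancake-sass"], effects: ["@gold.au/form"], range: ">=4.0.1",
      nodes: ["node_modules/@gold.au/core"], fixAvailable: FORCE_FIX },
    "@gold.au/form": { name: "@gold.au/form", severity: "moderate", isDirect: true,
      via: ["@gold.au/core", "@gold.au/pancake-sass"], effects: [], range: ">=0.1.7",
      nodes: ["node_modules/@gold.au/form"], fixAvailable: FORCE_FIX },
    tar: { name: "tar", severity: "high", isDirect: false,
      via: [adv(1770, "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization", "high", TAR_RANGE),
            adv(1780, "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links", "high", TAR_RANGE)],
      effects: ["node-gyp"], range: TAR_RANGE,
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/tar"], fixAvailable: true },
    "node-gyp": { name: "node-gyp", severity: "high", isDirect: false,
      via: ["tar"], effects: ["node-sass"], range: "<=3.8.0",
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/node-gyp"], fixAvailable: true },
    "trim-newlines": { name: "trim-newlines", severity: "high", isDirect: false,
      via: [adv(1753, "Regular Expression Denial of Service", "high", "<3.0.1 || =4.0.0")],
      effects: ["meow"], range: "<3.0.1 || =4.0.0",
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/trim-newlines"], fixAvailable: true },
    meow: { name: "meow", severity: "high", isDirect: false,
      via: ["trim-newlines"], effects: ["node-sass"], range: "3.4.0 - 5.0.0",
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/meow"], fixAvailable: true },
    "node-sass": { name: "node-sass", severity: "high", isDirect: false,
      via: ["meow", "node-gyp"], effects: [], range: "3.3.3 - 6.0.0",
      nodes: ["node_modules/@gold.au/pancake-sass/node_modules/node-sass"], fixAvailable: true },
  },
};

const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);

// Follow `effects` breadth-first from a root-cause package up to the direct
// dependency that pulls it in (the reverse of the indented tree npm prints).
function dependencyChain(report, rootName) {
  const chain = [rootName];
  const queue = [rootName];
  while (queue.length) {
    const entry = report.vulnerabilities[queue.shift()];
    for (const dependent of (entry && entry.effects) || []) {
      if (!chain.includes(dependent)) { chain.push(dependent); queue.push(dependent); }
    }
  }
  return chain;
}

// A root cause has at least one advisory object in `via`; a `via` made only of
// package names means the package is vulnerable purely by inheritance.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({ name: v.name, severity: v.severity, range: v.range,
                   advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
                   chain: dependencyChain(report, v.name) }))
    .sort(byName);
}

// Findings whose only offered fix is semver-major: exactly what --force applies.
function breakingFixes(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor)
    .map((v) => ({ name: v.name, forcedTo: `${v.fixAvailable.name}@${v.fixAvailable.version}` }))
    .sort(byName);
}

// Same numbers as the report's closing "N vulnerabilities (...)" line.
function summarize(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  return { total: Object.keys(report.vulnerabilities).length, ...counts };
}

// Draft an "overrides" block (npm >= 8.3) pinning each root cause wherever it
// appears in the tree. The version is a placeholder: read the patched release
// from the advisory rather than guessing it from the vulnerable range.
function suggestOverrides(report) {
  const overrides = {};
  for (const root of rootCauses(report)) overrides[root.name] = `<PATCHED_VERSION from ${root.advisories[0]}>`;
  return { overrides };
}

function triageFromJson(text) {
  const report = JSON.parse(text); // e.g. the output of `npm audit --json`
  return { summary: summarize(report), rootCauses: rootCauses(report),
           breakingFixes: breakingFixes(report), overrides: suggestOverrides(report) };
}

console.log(JSON.stringify(triageFromJson(JSON.stringify(SAMPLE_AUDIT)), null, 2));
```

Run against a real tree with `npm audit --json > audit.json` and pass the file contents to `triageFromJson`. For the issue's report it yields three root causes (`postcss`, `tar`, `trim-newlines`), shows that the `postcss` chain ends at the direct dependency `@gold.au/form`, and lists the four findings that `--force` would "fix" by downgrading to `@gold.au/form@0.1.6`; pinning the three root packages through `overrides` (after checking the patched releases in the advisories) addresses the findings without that downgrade, and a follow-up `npm audit` should then come back clean.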