Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix
node_modules/glob-parent
  chokidar 1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    @babel/cli <=7.11.6
    Depends on vulnerable versions of chokidar
    node_modules/@babel/cli

ini <1.3.6
Prototype Pollution - https://npmjs.com/advisories/1589
fix available via npm audit fix
node_modules/fsevents/node_modules/ini

kind-of 6.0.0 - 6.0.2
Validation Bypass - https://npmjs.com/advisories/1490
fix available via npm audit fix
node_modules/kind-of

lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
fix available via npm audit fix
node_modules/lodash

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix
node_modules/fsevents/node_modules/minimist
node_modules/fsevents/node_modules/rc/node_modules/minimist
node_modules/json5/node_modules/minimist
node_modules/minimist
  mkdirp 0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/fsevents/node_modules/mkdirp
  node_modules/mkdirp

set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via npm audit fix
node_modules/set-value
node_modules/union-value/node_modules/set-value
  union-value <=1.0.0 || 2.0.0
  Depends on vulnerable versions of set-value
  node_modules/union-value

tar <=3.2.2 || 4.0.0 - 4.4.14 || 5.0.0 - 5.0.6 || 6.0.0 - 6.1.1
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
fix available via npm audit fix
node_modules/fsevents/node_modules/tar

11 vulnerabilities (4 low, 3 moderate, 4 high)

To address all issues, run:
npm audit fix

(Entries without a “Severity:” line are low severity; npm only prints the line for moderate and above. The “Depends on vulnerable versions of …” entries are not separate advisories: they are packages pulled in through the vulnerable one above them and are resolved by fixing that package.)
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
Do you have any additional comments? (If so, please write it down):
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular npm packages have known vulnerabilities that can carry significant risk [1]. Developers are advised to monitor their dependency trees and avoid the vulnerable versions of these libraries. The vulnerabilities listed above were identified and reported by other developers; their descriptions are available in the npm registry's advisory database [2].
Steps to reproduce:
Go to the root folder of the project, where the package.json file is located (npm audit also needs a package-lock.json or npm-shrinkwrap.json; if there is none, create one with “npm i --package-lock-only”)
Execute “npm audit” (this contacts the npm registry, so it needs network access)
Look at the list of vulnerabilities reported
Suggested Solution: npm provides the “npm audit fix” command to remediate reported vulnerabilities. Execute it in the project root to update the dependency tree and the lockfile. Note that “npm audit fix” only applies updates that stay within the semver ranges already declared in package.json; a fix that requires a major-version bump is skipped unless “npm audit fix --force” is used, which can introduce breaking changes and should be reviewed like any other upgrade. Re-run “npm audit” afterwards to confirm the report is clean, and commit the updated package-lock.json so the fix applies to every clone and CI build.
References: