Open mihai-ro opened 5 months ago
Thank you for reporting, I will try to fix it during the next update
With PR https://github.com/fkirc/attranslate/pull/267, I reduced the number of production vulnerabilities when running `npm audit --omit=dev`.
However, at the moment I do not have time to upgrade the packages openai and xml2js.
```
npm audit --omit=dev
# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install openai@4.52.2, which is a breaking change
node_modules/openai/node_modules/axios
  openai  2.0.0 - 3.3.0
  Depends on vulnerable versions of axios
  node_modules/openai

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js

3 moderate severity vulnerabilities
```
**Describe the bug**
After installing the latest available version of attranslate (2.1.2), the npm audit logs several critical and medium severity vulnerabilities in the dependency tree.

**To Reproduce**
Steps to reproduce the behavior.

**Expected behavior**
No vulnerabilities in the dependency tree.

**Files**

**Additional context**
Add any other context about the problem here.