fkirc / attranslate

A command line tool for translating JSON, YAML, CSV, ARB, XML (via a CLI)
https://www.npmjs.com/package/attranslate

Vulnerabilities detected in the dependency tree #266

Open mihai-ro opened 5 months ago

mihai-ro commented 5 months ago

Describe the bug After installing the latest available version of attranslate (2.1.2), npm audit logs several critical and medium severity vulnerabilities in the dependency tree.

To Reproduce

npm i attranslate && npm audit

Expected behavior No vulnerabilities in the dependency tree

Files: Screenshot 2024-06-25 at 19 32 03 (image attachment, not reproduced here)


fkirc commented 5 months ago

Thank you for reporting, I will try to fix it during the next update

fkirc commented 4 months ago

With PR https://github.com/fkirc/attranslate/pull/267, I reduced the number of production vulnerabilities when running npm audit --omit=dev.

However, at the moment I do not have time to upgrade the packages openai and xml2js.

npm audit --omit=dev

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install openai@4.52.2, which is a breaking change
node_modules/openai/node_modules/axios
  openai  2.0.0 - 3.3.0
  Depends on vulnerable versions of axios
  node_modules/openai

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js

3 moderate severity vulnerabilities