We have some open vulnerablities, this PR attempts to eliminate them all at once by running npm audit fix, instead of working through each Dependabot PR separately. Interestingly (not sure why), the Dependabot PRs seemed to actually have a lot more churn on the number of lines changed.
Audit output before looked like this:
❯ npm audit
# npm audit report
@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
@koa/cors <5.0.0
Severity: high
Overly permissive origin policy - https://github.com/advisories/GHSA-qxrj-hx23-xp82
fix available via `npm audit fix`
node_modules/@koa/cors
@vscode/test-web 0.0.24 - 0.0.49
Depends on vulnerable versions of @koa/cors
node_modules/@vscode/test-web
browserify-sign 2.6.0 - 4.2.1
Severity: high
browserify-sign upper bound check issue in `dsaVerify` leads to a signature forgery attack - https://github.com/advisories/GHSA-x9w5-v3q2-3rhw
fix available via `npm audit fix`
node_modules/browserify-sign
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/node-abi/node_modules/semver
node_modules/semver
node_modules/ts-jest/node_modules/semver
node_modules/ts-loader/node_modules/semver
node_modules/vscode-languageclient/node_modules/semver
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
6 vulnerabilities (2 moderate, 3 high, 1 critical)
To address all issues, run:
npm audit fix
cdb
commented
7 months ago
We have some open vulnerablities, this PR attempts to eliminate them all at once by running
npm audit fix, instead of working through each Dependabot PR separately. Interestingly (not sure why), the Dependabot PRs seemed to actually have a lot more churn on the number of lines changed.Audit output before looked like this:
The output looks clean after this: