handsontable / hyperformula

HyperFormula is an open-source headless spreadsheet for business web apps. It comes with over 400 formulas, CRUD operations, undo-redo, clipboard support, and sorting.
https://hyperformula.handsontable.com/
GNU General Public License v3.0

7 critical vulnerabilities in `npm audit` report #1239

Closed sequba closed 1 year ago

sequba commented 1 year ago

Description

```text
# npm audit report
ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install serve@14.2.0, which is a breaking change
node_modules/serve/node_modules/ajv
  serve  7.0.0 - 14.0.1
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of serve-handler
  node_modules/serve
glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/@vuepress/core/node_modules/glob-parent
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@vuepress/core/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
    @vuepress/core  <=1.9.9
    Depends on vulnerable versions of @vuepress/markdown
    Depends on vulnerable versions of @vuepress/markdown-loader
    Depends on vulnerable versions of @vuepress/plugin-register-components
    Depends on vulnerable versions of @vuepress/shared-utils
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of vuepress-html-webpack-plugin
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.9.9
      Depends on vulnerable versions of @vuepress/core
      Depends on vulnerable versions of update-notifier
      node_modules/vuepress
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/plugin-register-components  <=1.9.9
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container
got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install vuepress@0.14.11, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
fix available via `npm audit fix`
node_modules/highlight.js
  @types/markdown-it  10.0.3
  Depends on vulnerable versions of highlight.js
  node_modules/@types/markdown-it
json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/css-loader/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/string-replace-webpack-plugin/node_modules/json5
node_modules/style-loader/node_modules/json5
node_modules/vuepress-html-webpack-plugin/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/css-loader/node_modules/loader-utils
  node_modules/file-loader/node_modules/loader-utils
  node_modules/string-replace-webpack-plugin/node_modules/loader-utils
  node_modules/style-loader/node_modules/loader-utils
  node_modules/vuepress-html-webpack-plugin/node_modules/loader-utils
    css-loader  0.6.0 - 0.26.1
    Depends on vulnerable versions of loader-utils
    node_modules/css-loader
    file-loader  0.5.0 - 0.10.0
    Depends on vulnerable versions of loader-utils
    node_modules/file-loader
    string-replace-webpack-plugin  *
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of file-loader
    Depends on vulnerable versions of loader-utils
    Depends on vulnerable versions of style-loader
    node_modules/string-replace-webpack-plugin
    style-loader  0.8.2 - 0.13.1
    Depends on vulnerable versions of loader-utils
    node_modules/style-loader
    vuepress-html-webpack-plugin  *
    Depends on vulnerable versions of loader-utils
    node_modules/vuepress-html-webpack-plugin
karma  <=6.3.15
Severity: high
Open redirect in karma - https://github.com/advisories/GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - https://github.com/advisories/GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install karma@6.4.1, which is a breaking change
node_modules/karma
markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it
  @vuepress/markdown  <=1.9.9
  Depends on vulnerable versions of @vuepress/shared-utils
  Depends on vulnerable versions of markdown-it
  node_modules/@vuepress/markdown
    @vuepress/markdown-loader  *
    Depends on vulnerable versions of @vuepress/markdown
    node_modules/@vuepress/markdown-loader
marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
fix available via `npm audit fix --force`
Will install typedoc@0.24.1, which is a breaking change
node_modules/marked
  typedoc  <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
  Depends on vulnerable versions of marked
  node_modules/typedoc
minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install serve@14.2.0, which is a breaking change
node_modules/serve-handler/node_modules/minimatch
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler
node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin
request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix`
node_modules/request
  docsearch.js  2.6.0 - 2.6.3
  Depends on vulnerable versions of request
  node_modules/docsearch.js
ua-parser-js  <=0.7.32
Severity: high
ReDoS Vulnerability in ua-parser-js version  - https://github.com/advisories/GHSA-fhg7-m89q-25r3
ua-parser-js Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - https://github.com/advisories/GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install karma@6.4.1, which is a breaking change
node_modules/ua-parser-js
49 vulnerabilities (1 low, 11 moderate, 30 high, 7 critical)
To address issues that do not require attention, run:
  npm audit fix
To address all issues possible (including breaking changes), run:
  npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
```

Steps to reproduce

Run `npm audit`.

sequba commented 1 year ago

Also let's update all dependencies that can be updated seamlessly.

AMBudnik commented 1 year ago

Closed with HyperFormula v.2.5.0 released today.