hapipal / boilerplate

A friendly, proven starting place for your next hapi plugin or deployment
https://hapipal.com

Three high severity vulnerabilities found in npm dependencies #99

Closed nikhiljohn10 closed 2 years ago

nikhiljohn10 commented 2 years ago

When I did npm install, it mentioned 3 high severity vulnerabilities. Has this already been noticed, and is it being fixed?

# npm audit report

marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Regular Expression Denial of Service (REDoS) in Marked - https://github.com/advisories/GHSA-4r62-v4vq-hr96
No fix available
node_modules/marked
  @hapipal/hpal  *
  Depends on vulnerable versions of marked
  Depends on vulnerable versions of marked-terminal
  node_modules/@hapipal/hpal
  marked-terminal  <=4.2.0
  Depends on vulnerable versions of marked
  node_modules/marked-terminal

3 high severity vulnerabilities

Nargonath commented 2 years ago

Thank you for the report. Not sure if it was already flagged by someone else or not. This is likely low severity because IIRC marked is only used for dev CLI commands that help you search hapi's documentation from your terminal. It shouldn't impact any of the production code because it's not run at that time.
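
One way to check the dev-only claim above against the project's own lockfile, as an added example that is not part of this thread or of hapipal's code: walk the `packages` map of a lockfile v2/v3 `package-lock.json`, compute which installed packages are reachable from `dependencies` versus `devDependencies`, and report the scope of each package named in the audit. The lockfile embedded below is constructed to mirror the audit output in this issue; its version numbers and the `@hapi/hapi` production dependency are illustrative stand-ins, not taken from the page.

```javascript
// Added example, not hapipal code: classify audit findings as production- or
// dev-only by walking a lockfile v2/v3 "packages" map. Node 14+, no third-party
// modules.

// Constructed lockfile fragment modelled on the npm audit output in this issue.
// Versions and the @hapi/hapi entry are illustrative, not from the page.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': {
      dependencies: { '@hapi/hapi': '^20.0.0' },
      devDependencies: { '@hapipal/hpal': '^3.0.0' },
    },
    'node_modules/@hapi/hapi': { version: '20.0.0', dependencies: { '@hapi/hoek': '^9.0.0' } },
    'node_modules/@hapi/hoek': { version: '9.0.0' },
    'node_modules/@hapipal/hpal': {
      version: '3.0.0',
      dev: true,
      dependencies: { marked: '^4.0.0', 'marked-terminal': '^4.0.0' },
    },
    'node_modules/marked': { version: '4.0.9', dev: true },
    'node_modules/marked-terminal': {
      version: '4.2.0',
      dev: true,
      dependencies: { marked: '^4.0.0' },
    },
  },
};

// Mimic Node's resolution: look for node_modules/<name> beside `fromPath`,
// then walk up through the enclosing node_modules folders to the project root.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = `${base ? base + '/' : ''}node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// Transitive closure of installed packages reachable from the root's
// dependency map (either `dependencies` or `devDependencies`).
function reachableFrom(packages, rootDeps) {
  const seen = new Set();
  const stack = Object.keys(rootDeps || {})
    .map((name) => resolveDep(packages, '', name))
    .filter(Boolean);
  while (stack.length > 0) {
    const path = stack.pop();
    if (seen.has(path)) continue;
    seen.add(path);
    for (const dep of Object.keys(packages[path].dependencies || {})) {
      const next = resolveDep(packages, path, dep);
      if (next) stack.push(next);
    }
  }
  return seen;
}

// Every installed copy of `name`, top-level or nested, by lockfile path.
function installedPaths(packages, name) {
  const suffix = `node_modules/${name}`;
  return Object.keys(packages).filter((p) => p === suffix || p.endsWith(`/${suffix}`));
}

// 'prod' if any copy is reachable from dependencies, 'dev' if only from
// devDependencies, 'absent' if not installed, 'orphan' if installed but
// unreachable from the root manifest (a stale lockfile).
function classify(lock, name) {
  const { packages } = lock;
  const root = packages[''] || {};
  const copies = installedPaths(packages, name);
  if (copies.length === 0) return 'absent';
  const prod = reachableFrom(packages, root.dependencies);
  if (copies.some((p) => prod.has(p))) return 'prod';
  const dev = reachableFrom(packages, root.devDependencies);
  if (copies.some((p) => dev.has(p))) return 'dev';
  return 'orphan';
}

// Triage the package names listed in an audit report.
function triage(lock, names) {
  return Object.fromEntries(names.map((n) => [n, classify(lock, n)]));
}

console.log(triage(SAMPLE_LOCK, ['marked', 'marked-terminal', '@hapipal/hpal', '@hapi/hoek']));
```

To run it against a real project, replace `SAMPLE_LOCK` with `require('./package-lock.json')`. The command-line equivalents are `npm ls marked`, which prints the chain that pulls the package in, and `npm audit --omit=dev` (on older npm, `npm audit --production`), which drops advisories that are only reachable through devDependencies. A `dev` result means the vulnerable code is not part of the deployed dependency tree, not that it never runs: hpal still executes on developer machines and in CI.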

devinivy commented 2 years ago

Fair question! If anyone wants to perform the marked upgrade, we'd definitely take a PR on hpal 👍 https://github.com/hapipal/hpal