Closed dubfib closed 1 year ago
output of npm audit fix
removed 3 packages, changed 2 packages, and audited 377 packages in 14s
30 packages are looking for funding
run `npm fund` for details
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@6.1.12, which is a breaking change
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
electron-builder >=5.6.1
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install png-to-ico@2.0.0, which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0 || >=0.16.1
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/types
node_modules/jimp
png-to-ico >=2.0.1
Depends on vulnerable versions of jimp
node_modules/png-to-ico
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install node-fetch@2.6.7, which is outside the stated dependency range
node_modules/node-fetch
13 vulnerabilities (7 moderate, 6 high)
To address all issues (including breaking changes), run:
npm audit fix --force
output of npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating node-fetch to 2.6.7,which is outside your stated dependency range.
npm WARN audit Updating electron to 6.1.12,which is a SemVer major change.
npm WARN audit Updating png-to-ico to 2.0.0,which is a SemVer major change.
npm WARN audit Updating electron-builder to 5.5.0,which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated xmldom@0.1.31: Deprecated due to CVE-2021-21366 resolved in 0.5.0
npm WARN deprecated cross-spawn-async@2.2.5: cross-spawn no longer requires a build toolchain, use it instead
npm WARN deprecated uuid@2.0.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
added 208 packages, removed 225 packages, changed 53 packages, and audited 355 packages in 16s
10 packages are looking for funding
run `npm fund` for details
# npm audit report
electron <=15.5.4
Severity: high
Context isolation bypass via leaked cross-context objects in Electron - https://github.com/advisories/GHSA-m93v-9qjc-3g79
Context isolation bypass via contextBridge in Electron - https://github.com/advisories/GHSA-h9jc-284h-533g
Arbitrary file read via window-open IPC in Electron - https://github.com/advisories/GHSA-f9mq-jph6-9mhm
Sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API - https://github.com/advisories/GHSA-mpjm-v997-c4h4
IPC messages delivered to the wrong frame in Electron - https://github.com/advisories/GHSA-hvf8-h2qh-37m9
Renderers can obtain access to random bluetooth device without permission in Electron - https://github.com/advisories/GHSA-3p22-ghq8-v749
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
fix available via `npm audit fix --force`
Will install electron@19.0.6, which is a breaking change
node_modules/electron
jpeg-js <=0.4.3
Severity: high
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install png-to-ico@2.1.4, which is outside the stated dependency range
node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of url-regex
node_modules/jimp
png-to-ico <=2.0.0
Depends on vulnerable versions of jimp
node_modules/png-to-ico
lodash <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install electron-builder@5.35.0, which is outside the stated dependency range
node_modules/xmlbuilder/node_modules/lodash
xmlbuilder 2.5.0 - 4.2.0
Depends on vulnerable versions of lodash
node_modules/xmlbuilder
plist <=3.0.4
Depends on vulnerable versions of xmlbuilder
Depends on vulnerable versions of xmldom
node_modules/plist
electron-osx-sign-tf >=0.6.0
Depends on vulnerable versions of plist
node_modules/electron-osx-sign-tf
electron-builder 2.8.0 - 3.1.1 || 3.5.0 - 3.6.1 || 3.11.0 - 15.0.0
Depends on vulnerable versions of electron-osx-sign-tf
Depends on vulnerable versions of electron-packager-tf
Depends on vulnerable versions of electron-winstaller-fixed
Depends on vulnerable versions of signcode-tf
Depends on vulnerable versions of yargs
node_modules/electron-builder
electron-packager-tf *
Depends on vulnerable versions of plist
node_modules/electron-packager-tf
minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install png-to-ico@2.1.4, which is outside the stated dependency range
node_modules/jimp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/jimp/node_modules/mkdirp
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
url-regex *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via `npm audit fix --force`
Will install png-to-ico@2.1.4, which is outside the stated dependency range
node_modules/url-regex
xmldom *
Severity: moderate
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
fix available via `npm audit fix --force`
Will install electron-builder@5.35.0, which is outside the stated dependency range
node_modules/xmldom
yargs-parser <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install electron-builder@5.35.0, which is outside the stated dependency range
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
Depends on vulnerable versions of yargs-parser
node_modules/yargs
signcode-tf *
Depends on vulnerable versions of yargs
node_modules/signcode-tf
electron-winstaller-fixed <=3.0.0
Depends on vulnerable versions of signcode-tf
node_modules/electron-winstaller-fixed
20 vulnerabilities (7 moderate, 7 high, 6 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Also tried updating everything to the latest version and here's the output of npm audit
# npm audit report
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install electron@6.1.12, which is a breaking change
node_modules/got
@electron/get *
Depends on vulnerable versions of got
node_modules/@electron/get
electron >=7.0.0-beta.1
Depends on vulnerable versions of @electron/get
node_modules/electron
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
electron-builder >=5.6.1
Depends on vulnerable versions of update-notifier
node_modules/electron-builder
jpeg-js <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix --force`
Will install png-to-ico@2.0.0, which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0 || >=0.16.1
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0 || >=0.16.1
Depends on vulnerable versions of @jimp/types
node_modules/jimp
png-to-ico >=2.0.1
Depends on vulnerable versions of jimp
node_modules/png-to-ico
12 vulnerabilities (7 moderate, 5 high)
To address all issues (including breaking changes), run:
npm audit fix --force
I was able to get the number of issues down to 7 but it seems like we might need to wait for some upstream fixes to solve the rest.
I will try giving it another shot soon though. But in the meantime I'm going to push a new version with the fixes that I've made so far, because there's too many of them active in the current version.
More updates in #163 but some minor vulnerabilities are still not fixable
This was already fixed in merged PRs. Closing. Thanks.
Describe the bug
here's the console output of
npm audit
when doing
npm audit fix
it ran but it had security issues still, then when I did npm audit fix --force
even more security issues
To Reproduce
npm install
npm audit
Screenshots
No response
Operating System
Manjaro Linux
Desktop Environment
KDE
Display Server
Wayland
Installation method
Source
Version
1.7.0
Is this a fresh install of the app or an update from a past version?
Fresh Install
Did this issue appear right away upon installation/updating, or spontaneously?
Appeared when I checked
Additional context
No response