Open anonym-HPI opened 1 year ago
I think all of the vulnerabilities are false positives. If a package that we use for e.g. linting or testing imports a package that has a DOS vulnerability we could only DOS ourselves (or make the CI take longer). In addition, it is enough to import a package that has this vulnerability. The affected function in this package doesn't even have to be used anywhere.
I believe this is a fix for it (backport to semver 6) https://github.com/npm/node-semver/pull/593
It seems that packages like `nyc` are out of date and e.g. don't have the newest `semver` as a dependency, which itself has a DDOS vulnerability. We may need to find other packages for the same job. Packages I found so far seem to be:

- `nyc`
- `mkdirp`

@Dassderdie @ClFeSc Can one of you help to fix this? E.g. `mkdirp` was introduced by you @ClFeSc for the `npm run merge-coverage` command. I tried using `npm audit fix --force` or even installing packages manually, but as we are using packages that don't have a newer version, but seem to depend on a vulnerable `semver` version or so, we probably need to use new packages or need to manually edit the dependencies of these packages and hope that nothing breaks. It seems some packages are also dependent on an older version of `semver` (version 6); there seems to be `@nicolo-ribaudo/semver-v6` used, which should include it. I am not that into the whole npm package system.

This is for example the error output in the root folder: