iyzico / iyzipay-node

iyzipay api node.js client
MIT License
205 stars, 66 forks

Deprecation Warnings, and Vulnerabilities #115

Open simbolmina opened 10 months ago

simbolmina commented 10 months ago

I have installed this package with npm install, and my app with 0 vulnerabilities became a vulnerability powerhouse.

PS path> npm install iyzipay
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated request@2.69.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@2.0.6: this library is no longer supported
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.

added 64 packages, and audited 1036 packages in 6s

141 packages are looking for funding
  run npm fund for details

11 vulnerabilities (3 moderate, 8 high)

Some issues need review, and may require choosing a different dependency.

Run npm audit for details.

I'm using nestjs@latest at the time being, on nodejs 18 LTS.

Here is the npm audit result:

npm audit report

bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
No fix available
node_modules/request/node_modules/bl
  request
    Depends on vulnerable versions of bl
    Depends on vulnerable versions of hawk
    Depends on vulnerable versions of qs
    Depends on vulnerable versions of tough-cookie
    Depends on vulnerable versions of tunnel-agent
    node_modules/request
      iyzipay
        Depends on vulnerable versions of request
        node_modules/iyzipay

hawk <=9.0.0
Severity: high
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
No fix available
node_modules/hawk

hoek <4.2.1
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
No fix available
node_modules/hoek
  boom <=3.1.2
    Depends on vulnerable versions of hoek
    node_modules/boom
    cryptiles <=2.0.5
      Depends on vulnerable versions of boom
      node_modules/cryptiles
  sntp 0.0.0 || 0.1.1 - 2.0.0
    Depends on vulnerable versions of hoek
    node_modules/sntp

qs <6.2.4
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
No fix available
node_modules/request/node_modules/qs

tough-cookie <=4.1.2
Severity: high
Regular Expression Denial of Service in tough-cookie - https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
ReDoS via long string of semicolons in tough-cookie - https://github.com/advisories/GHSA-qhv9-728r-6jqg
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

tunnel-agent <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
No fix available
node_modules/request/node_modules/tunnel-agent

11 vulnerabilities (3 moderate, 8 high)

Some issues need review, and may require choosing a different dependency.

I have installed the latest GitHub release as well:

npm install github:iyzico/iyzipay-node#v2.0.49

but the result is the same.
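The audit output above is hard to read because npm lists each vulnerable package separately even though all of them arrive through a single top-level dependency (iyzipay -> request -> bl, hawk, qs, tough-cookie, ...). As an added example, not code from the issue or from iyzipay, the script below groups the findings of `npm audit --json` by the top-level package that pulls them in; the report embedded in it is a constructed subset of the advisories quoted in the issue, and the JSON shape assumed is npm 7+ audit output (`via`, `effects`, `isDirect`, `fixAvailable`).

```javascript
// Added example: summarize `npm audit --json` by root dependency.
// Assumes the npm 7+ report shape: vulnerabilities[name] = { via: [advisory | depName],
// effects: [dependents], isDirect, fixAvailable }.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` upward until reaching packages nothing else depends on (roots).
function rootsOf(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.effects.length === 0) return [name];
  return entry.effects.flatMap((dep) => rootsOf(dep, vulns, seen));
}

// Returns { <root>: { advisories: [{ pkg, id, severity }], highest, fixAvailable } }.
function summarizeAudit(report) {
  const vulns = report.vulnerabilities;
  const summary = {};
  for (const [pkg, entry] of Object.entries(vulns)) {
    const advisories = entry.via.filter((v) => typeof v === 'object');
    if (advisories.length === 0) continue; // node only propagates, has no advisory itself
    for (const root of new Set(rootsOf(pkg, vulns))) {
      if (!summary[root]) summary[root] = { advisories: [], highest: 'info', fixAvailable: vulns[root].fixAvailable };
      const s = summary[root];
      for (const a of advisories) {
        s.advisories.push({ pkg, id: a.url.split('/').pop(), severity: a.severity });
        if (RANK[a.severity] > RANK[s.highest]) s.highest = a.severity;
      }
    }
  }
  return summary;
}

// Constructed sample: a subset of the advisories quoted in the issue, wired up as npm reports them.
const adv = (id, severity) => ({ url: `https://github.com/advisories/${id}`, severity });
const SAMPLE_REPORT = { vulnerabilities: {
  iyzipay:        { isDirect: true, fixAvailable: false, via: ['request'], effects: [] },
  request:        { isDirect: false, fixAvailable: false, via: ['bl', 'hawk', 'qs', 'tough-cookie'], effects: ['iyzipay'] },
  bl:             { fixAvailable: false, via: [adv('GHSA-pp7h-53gx-mx7r', 'moderate')], effects: ['request'] },
  qs:             { fixAvailable: false, via: [adv('GHSA-hrpp-h998-j3pp', 'high')], effects: ['request'] },
  'tough-cookie': { fixAvailable: false, effects: ['request'], via: [adv('GHSA-g7q5-pjjr-gqvp', 'high'),
                    adv('GHSA-qhv9-728r-6jqg', 'high'), adv('GHSA-72xf-g2v4-qvf3', 'high')] },
  hawk:           { fixAvailable: false, via: [adv('GHSA-44pw-h2cw-w3vq', 'high'), 'boom'], effects: ['request'] },
  boom:           { fixAvailable: false, via: ['hoek'], effects: ['hawk'] },      // hoek -> boom -> hawk -> request
  hoek:           { fixAvailable: false, via: [adv('GHSA-jp4x-w63m-7wgm', 'high')], effects: ['boom'] },
} };

for (const [root, s] of Object.entries(summarizeAudit(SAMPLE_REPORT)))
  console.log(`${root}: ${s.advisories.length} advisories, highest ${s.highest}, fix available: ${s.fixAvailable}`);
```

Against a real project, replace SAMPLE_REPORT with `JSON.parse` of the `npm audit --json` output; a root with `fixAvailable: false` is one where `npm audit fix` cannot help and the fix has to come from the upstream package updating its dependencies.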

fatihtashan commented 9 months ago

Are you planning on updating the dependencies?