I have installed this package with npm install, and my app with 0 vulnerabilities became a vulnerability powerhouse.
PS path> npm install iyzipay
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated request@2.69.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@2.0.6: this library is no longer supported
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
added 64 packages, and audited 1036 packages in 6s
141 packages are looking for funding
run npm fund for details
11 vulnerabilities (3 moderate, 8 high)
Some issues need review, and may require choosing
a different dependency.
Run npm audit for details.
I'm using nestjs@latest at the time being, with nodejs 18 LTS.
Here is the npm audit result:
npm audit report
bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
No fix available
node_modules/request/node_modules/bl
request
Depends on vulnerable versions of bl
Depends on vulnerable versions of hawk
Depends on vulnerable versions of qs
Depends on vulnerable versions of tough-cookie
Depends on vulnerable versions of tunnel-agent
node_modules/request
iyzipay
Depends on vulnerable versions of request
node_modules/iyzipay
hawk <=9.0.0
Severity: high
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
No fix available
node_modules/hawk
hoek <4.2.1
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
No fix available
node_modules/hoek
boom <=3.1.2
Depends on vulnerable versions of hoek
node_modules/boom
cryptiles <=2.0.5
Depends on vulnerable versions of boom
node_modules/cryptiles
sntp 0.0.0 || 0.1.1 - 2.0.0
Depends on vulnerable versions of hoek
node_modules/sntp
qs <6.2.4
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
No fix available
node_modules/request/node_modules/qs
tough-cookie <=4.1.2
Severity: high
Regular Expression Denial of Service in tough-cookie - https://github.com/advisories/GHSA-g7q5-pjjr-gqvp
ReDoS via long string of semicolons in tough-cookie - https://github.com/advisories/GHSA-qhv9-728r-6jqg
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie
tunnel-agent <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
No fix available
node_modules/request/node_modules/tunnel-agent
11 vulnerabilities (3 moderate, 8 high)
Some issues need review, and may require choosing a different dependency.
I have installed the latest GitHub release as well:
npm install github:iyzico/iyzipay-node#v2.0.49
but the result is the same.