jishi / node-sonos-http-api

An HTTP API bridge for Sonos easing automation. Hostable on any node.js capable device, like a raspberry pi or similar.
http://jishi.github.io/node-sonos-http-api/
MIT License

Fix npm dependency issues #851

Open jackc94 opened 1 year ago

jackc94 commented 1 year ago

There are currently 8 npm dependency issues that can't be resolved without breaking your project... Could you please explore and remedy these, as one is a DoS.

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'sonos-http-api@1.6.9',
npm WARN EBADENGINE   required: { node: '>=4.0.0', npm: '^2.0.0' },
npm WARN EBADENGINE   current: { node: 'v12.22.12', npm: '7.5.2' }
npm WARN EBADENGINE }

up to date, audited 311 packages in 13s

38 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install eslint@8.22.0, which is a breaking change
node_modules/ajv
  eslint  2.5.0 - 2.5.2 || 4.2.0 - 5.0.0-rc.0
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of table
  node_modules/eslint
  table  3.7.10 - 4.0.2
  Depends on vulnerable versions of ajv
  node_modules/table

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
fix available via `npm audit fix --force`
Will install request-promise@4.2.6, which is a breaking change
node_modules/request-promise/node_modules/lodash
  request-promise  0.2.4 - 2.0.0
  Depends on vulnerable versions of lodash
  node_modules/request-promise

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

node-static  *
Severity: moderate
Denial of Service in node-static - https://github.com/advisories/GHSA-8r4g-cg4m-x23c
No fix available
node_modules/node-static

8 vulnerabilities (6 moderate, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

jsiegenthaler commented 1 year ago

I've found that you can update the dependencies as below, and the plugin still works. It doesn't resolve everything, but it resolves a lot. I've written a script to update everything to the highest working versions. Here's my working dependencies:

"dependencies": {
  "anesidora": "^1.2.0",
  "aws-sdk": "^2.1295.0",
  "basic-auth": "^2.0.1",
  "fuse.js": "^6.6.2",
  "html-entities": "^1.4.0",
  "json5": "^2.2.3",
  "mime": "^3.0.0",
  "music-metadata": "^7.13.3",
  "node-static": "^0.7.11",
  "request-promise": "^4.2.6",
  "sonos-discovery": "https://github.com/jishi/node-sonos-discovery/archive/v1.7.3.tar.gz",
  "wav-file-info": "0.0.10"
},
"engines": {
  "node": "^18.12.1",
  "npm": "^9.2.0"
},
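Added example, not code from the issue or from node-sonos-http-api: a small Node script that parses the human-readable `npm audit` report format pasted above into one record per vulnerable package and buckets them by remediation path, so the "No fix available" entries (such as node-static here) can be tracked separately from what `npm audit fix` handles. The sample input is constructed from three abbreviated entries of the report in the issue.

```javascript
// Constructed sample: three entries abbreviated from the report pasted in the issue.
const SAMPLE_REPORT = `ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via \`npm audit fix --force\`
Will install eslint@8.22.0, which is a breaking change
node_modules/ajv
  eslint  2.5.0 - 2.5.2 || 4.2.0 - 5.0.0-rc.0
  Depends on vulnerable versions of ajv

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via \`npm audit fix\`
node_modules/minimist

node-static  *
Severity: moderate
Denial of Service in node-static - https://github.com/advisories/GHSA-8r4g-cg4m-x23c
No fix available
node_modules/node-static

8 vulnerabilities (6 moderate, 2 critical)`;
// Parse the report into one record per vulnerable package.
function parseAuditReport(text) {
  const findings = []; let cur = null;   // cur = block currently being filled
  for (const line of text.split('\n')) {
    if (line.trim() === '') { cur = null; continue; }   // a blank line ends a block
    let m;
    if (cur === null) {   // block header: "<package>  <vulnerable range>"
      if (!(m = /^(\S+)  (\S.*)$/.exec(line))) continue;   // skips "8 vulnerabilities (...)"
      cur = { name: m[1], range: m[2], severity: null, advisories: [], fix: 'none', breaking: false, dependents: [] };
      findings.push(cur);
    } else if ((m = /^Severity: (\w+)$/.exec(line))) cur.severity = m[1];
    else if ((m = /^(.+) - (https:\/\/github\.com\/advisories\/\S+)$/.exec(line))) cur.advisories.push({ title: m[1], url: m[2] });
    else if (line.startsWith('fix available via')) cur.fix = line.includes('--force') ? 'force' : 'auto';
    else if (line.endsWith('which is a breaking change')) cur.breaking = true;
    else if ((m = /^  (\S+)  \S/.exec(line))) cur.dependents.push(m[1]);   // indented "<dependent>  <range>"
    // "No fix available", "node_modules/..." and "Depends on ..." lines add nothing beyond the defaults.
  }
  return findings;
}

// Bucket packages by remediation path; 'none' means a replacement dependency or an upstream fix is needed.
function triage(findings) {
  const out = { auto: [], force: [], none: [] };
  for (const f of findings) out[f.fix].push(f.name);
  return out;
}
```

Run `npm audit 2>/dev/null | node -e 'const fs=require("fs"); ...'` style piping, or paste a saved report into SAMPLE_REPORT; `triage()` returns `{"auto":["minimist"],"force":["ajv"],"none":["node-static"]}` for the sample.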