johannesjo / super-productivity

Super Productivity is an advanced todo list app with integrated Timeboxing and time tracking capabilities. It also comes with integrations for Jira, Gitlab, GitHub and Open Project.
http://super-productivity.com
MIT License

NPM vulnerabilities detected #3344

Open MiragonMx opened 1 month ago

MiragonMx commented 1 month ago

When following the instructions for running a dev server, you run into the following npm vulnerability audit that should probably be addressed (I'm very new to node/npm/angular, maybe someone else has a better knowledge of how to address this?):

# npm audit report

@angular/core  <10.2.5
Severity: moderate
Cross site scripting in Angular - https://github.com/advisories/GHSA-c75v-2vq8-878f
fix available via `npm audit fix --force`
Will install codelyzer@0.0.28, which is a breaking change
node_modules/codelyzer/node_modules/@angular/core
  codelyzer  >=1.0.0-beta.0
  Depends on vulnerable versions of @angular/core
  node_modules/codelyzer

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install webdav@5.7.1, which is a breaking change
node_modules/wait-on/node_modules/axios
node_modules/webdav/node_modules/axios
  wait-on  5.0.0-rc.0 - 7.1.0
  Depends on vulnerable versions of axios
  node_modules/wait-on
    start-server-and-test  1.11.1 - 2.0.2
    Depends on vulnerable versions of wait-on
    node_modules/start-server-and-test
  webdav  2.0.0-rc1 - 4.11.3
  Depends on vulnerable versions of axios
  node_modules/webdav

marked  <=4.0.9
Severity: high
Regular Expression Denial of Service in marked - https://github.com/advisories/GHSA-ch52-vgq2-943f
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
No fix available
node_modules/jira2md/node_modules/marked
  jira2md  2.0.4
  Depends on vulnerable versions of marked
  node_modules/jira2md

8 vulnerabilities (1 low, 6 moderate, 1 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

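A triage helper for reports like the one above, added here as an example (it is not part of super-productivity and not code from the issue author). It reads the JSON form of the same report (`npm audit --json`, npm 7+ report shape assumed) and sorts findings into no-fix, breaking-fix and safe-fix buckets, so that `npm audit fix --force` is not run blindly: in the report above, `--force` would replace codelyzer `>=1.0.0-beta.0` with codelyzer@0.0.28, which is a downgrade rather than an upgrade. The sample report is constructed to mirror the text above (package names, ranges and advisory URLs copied from it; wait-on and start-server-and-test omitted to keep it short); the `isDirect` flags and the `placeholder-low-dep` entry are assumptions made for the example.

```javascript
// Added example: triage of `npm audit --json` output (npm 7+ report shape, assumed).
// Not part of super-productivity. SAMPLE_REPORT is constructed from the audit text
// in the issue; isDirect flags and 'placeholder-low-dep' are assumptions.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample shaped like `npm audit --json` (auditReportVersion 2).
// `via` holds advisory objects for the root package and package-name strings
// for dependents that are only vulnerable through something else.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    '@angular/core': {
      name: '@angular/core', severity: 'moderate', isDirect: false, range: '<10.2.5',
      via: [{ title: 'Cross site scripting in Angular',
              url: 'https://github.com/advisories/GHSA-c75v-2vq8-878f', severity: 'moderate' }],
      effects: ['codelyzer'], nodes: ['node_modules/codelyzer/node_modules/@angular/core'],
      fixAvailable: { name: 'codelyzer', version: '0.0.28', isSemVerMajor: true },
    },
    codelyzer: {
      name: 'codelyzer', severity: 'moderate', isDirect: true, range: '>=1.0.0-beta.0',
      via: ['@angular/core'], effects: [], nodes: ['node_modules/codelyzer'],
      fixAvailable: { name: 'codelyzer', version: '0.0.28', isSemVerMajor: true },
    },
    axios: {
      name: 'axios', severity: 'moderate', isDirect: false, range: '0.8.1 - 0.27.2',
      via: [{ title: 'Axios Cross-Site Request Forgery Vulnerability',
              url: 'https://github.com/advisories/GHSA-wf5p-g6vw-rhxx', severity: 'moderate' }],
      effects: ['wait-on', 'webdav'], nodes: ['node_modules/webdav/node_modules/axios'],
      fixAvailable: { name: 'webdav', version: '5.7.1', isSemVerMajor: true },
    },
    webdav: {
      name: 'webdav', severity: 'moderate', isDirect: true, range: '2.0.0-rc1 - 4.11.3',
      via: ['axios'], effects: [], nodes: ['node_modules/webdav'],
      fixAvailable: { name: 'webdav', version: '5.7.1', isSemVerMajor: true },
    },
    marked: {
      name: 'marked', severity: 'high', isDirect: false, range: '<=4.0.9',
      via: [
        { title: 'Regular Expression Denial of Service in marked',
          url: 'https://github.com/advisories/GHSA-ch52-vgq2-943f', severity: 'high' },
        { title: 'Inefficient Regular Expression Complexity in marked',
          url: 'https://github.com/advisories/GHSA-rrrm-qjm4-v8hf', severity: 'high' },
        { title: 'Inefficient Regular Expression Complexity in marked',
          url: 'https://github.com/advisories/GHSA-5v2h-r2cx-5xgj', severity: 'high' },
      ],
      effects: ['jira2md'], nodes: ['node_modules/jira2md/node_modules/marked'],
      fixAvailable: false,
    },
    jira2md: {
      name: 'jira2md', severity: 'high', isDirect: true, range: '2.0.4',
      via: ['marked'], effects: [], nodes: ['node_modules/jira2md'], fixAvailable: false,
    },
    // Placeholder entry (constructed) to exercise the non-breaking fix path.
    'placeholder-low-dep': {
      name: 'placeholder-low-dep', severity: 'low', isDirect: false, range: '<1.0.0',
      via: [{ title: 'Placeholder advisory (constructed)',
              url: 'https://example.invalid/advisory', severity: 'low' }],
      effects: [], nodes: ['node_modules/placeholder-low-dep'], fixAvailable: true,
    },
  },
};

// Sort every finding at or above minSeverity into one of three action buckets.
function triageAudit(report, { minSeverity = 'moderate' } = {}) {
  const buckets = { noFix: [], breakingFix: [], safeFix: [], belowThreshold: [] };
  for (const [name, v] of Object.entries(report.vulnerabilities || {})) {
    const advisories = (v.via || []).filter((x) => typeof x === 'object').map((x) => x.url);
    const viaPackages = (v.via || []).filter((x) => typeof x === 'string');
    const entry = { name, severity: v.severity, range: v.range, isDirect: Boolean(v.isDirect),
                    advisories, viaPackages, effects: v.effects || [], fixVia: null };
    if ((SEVERITY_RANK[v.severity] ?? 0) < SEVERITY_RANK[minSeverity]) {
      buckets.belowThreshold.push(entry);
    } else if (!v.fixAvailable) {
      buckets.noFix.push(entry);             // needs a replacement dependency or an override
    } else if (v.fixAvailable === true) {
      buckets.safeFix.push(entry);           // plain `npm audit fix` resolves it
    } else {
      entry.fixVia = `${v.fixAvailable.name}@${v.fixAvailable.version}`;
      (v.fixAvailable.isSemVerMajor ? buckets.breakingFix : buckets.safeFix).push(entry);
    }
  }
  const bySeverityThenName = (a, b) =>
    SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity] || a.name.localeCompare(b.name);
  for (const list of Object.values(buckets)) list.sort(bySeverityThenName);
  return buckets;
}

// Human-readable summary, one line per finding, returned as an array of lines.
function summarize(buckets) {
  const describe = (e) => {
    const origin = e.advisories.length ? `${e.advisories.length} advisory(ies)` : `via ${e.viaPackages.join(', ')}`;
    return `${e.name} ${e.range} [${e.severity}${e.isDirect ? ', direct' : ''}] ${origin}`;
  };
  const lines = [`NO FIX (needs replacement or upstream patch): ${buckets.noFix.length}`];
  for (const e of buckets.noFix) lines.push(`  ${describe(e)}`);
  lines.push(`BREAKING FIX (semver-major, review before --force): ${buckets.breakingFix.length}`);
  for (const e of buckets.breakingFix) lines.push(`  ${describe(e)} -> ${e.fixVia}`);
  lines.push(`SAFE FIX (plain npm audit fix): ${buckets.safeFix.length}`);
  for (const e of buckets.safeFix) lines.push(`  ${describe(e)}${e.fixVia ? ' -> ' + e.fixVia : ''}`);
  lines.push(`below threshold: ${buckets.belowThreshold.length}`);
  return lines;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarize(triageAudit(SAMPLE_REPORT)).join('\n'));
}
```

To run it against a real checkout, save `npm audit --json > audit.json` and pass `JSON.parse(fs.readFileSync('audit.json', 'utf8'))` to `triageAudit` instead of the constructed sample. The NO FIX bucket (marked, reachable only through jira2md) is the one `npm audit fix --force` cannot help with; it calls for swapping the dependency or, if the newer marked API still works for jira2md, an `overrides` entry in package.json, while the BREAKING FIX bucket should be read before `--force` is accepted.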
github-actions[bot] commented 1 month ago

Thank you very much for opening up this issue! I am currently a bit overwhelmed by the many requests that arrive each week, so please forgive me if I fail to respond personally. I am still very likely to at least skim read your request and I'll probably try to fix all (real) bugs if possible and I will likely review every single PR being made (please, give me a heads up if you intend to do so) and I will try to work on popular requests (please upvote via thumbs up on the original issue) whenever possible, but trying to respond to every single issue over the last years has been kind of draining and I need to adjust my approach for this project to remain fun for me and to make any progress with actually coding new stuff. Thanks for your understanding!

johannesjo commented 4 weeks ago

Hey hey! Thanks for letting us know! The security risk is not too big I'd say, but something we should fix nevertheless.