Recently I found an application using this with vulnerabilities on install... upon review I realized it was google. After looking into the package.json and understanding the depth of changes, I realized anything using cheerio pre version 0.22.0 probably would be difficult to refactor.
I agree with https://github.com/jprichardson/node-google/issues/63. This library is unmaintained; I am just going to refactor around an API with a key in that application to get the audit to be clean and use best practices.
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ google │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ google > cheerio > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/782 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ google │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ google > cheerio > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 moderate)
Links to vulnerabilities: