jupyter-widgets / ipyleaflet

A Jupyter - Leaflet.js bridge
https://ipyleaflet.readthedocs.io
MIT License

Python sdist ships vulnerable NPM stuff #1229

Open bnavigator opened 2 weeks ago

bnavigator commented 2 weeks ago

NPM audit report on jupyter_leaflet-0.9.2:

# npm audit report

ansi-regex  3.0.0 || 4.0.0 - 4.1.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/npm/node_modules/string-width/node_modules/ansi-regex
node_modules/npm/node_modules/yargs/node_modules/ansi-regex

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/npm/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/npm/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/npm/node_modules/update-notifier
        libnpx  *
        Depends on vulnerable versions of update-notifier
        node_modules/npm/node_modules/libnpx
          npm  <=10.5.0
          Depends on vulnerable versions of libcipm
          Depends on vulnerable versions of libnpm
          Depends on vulnerable versions of libnpmaccess
          Depends on vulnerable versions of libnpmhook
          Depends on vulnerable versions of libnpmorg
          Depends on vulnerable versions of libnpmsearch
          Depends on vulnerable versions of libnpmteam
          Depends on vulnerable versions of libnpx
          Depends on vulnerable versions of node-gyp
          Depends on vulnerable versions of npm-lifecycle
          Depends on vulnerable versions of npm-profile
          Depends on vulnerable versions of npm-registry-fetch
          Depends on vulnerable versions of pacote
          Depends on vulnerable versions of request
          Depends on vulnerable versions of semver
          Depends on vulnerable versions of tar
          Depends on vulnerable versions of update-notifier
          node_modules/npm

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/http-cache-semantics
  make-fetch-happen  2.0.0 - 8.0.1
  Depends on vulnerable versions of http-cache-semantics
  Depends on vulnerable versions of socks-proxy-agent
  node_modules/npm/node_modules/make-fetch-happen
    npm-registry-fetch  0.0.1 - 5.0.1
    Depends on vulnerable versions of make-fetch-happen
    node_modules/npm/node_modules/npm-registry-fetch
      libnpm  >=0.0.1
      Depends on vulnerable versions of libnpmaccess
      Depends on vulnerable versions of libnpmhook
      Depends on vulnerable versions of libnpmorg
      Depends on vulnerable versions of libnpmpublish
      Depends on vulnerable versions of libnpmsearch
      Depends on vulnerable versions of libnpmteam
      Depends on vulnerable versions of npm-lifecycle
      Depends on vulnerable versions of npm-profile
      Depends on vulnerable versions of npm-registry-fetch
      Depends on vulnerable versions of pacote
      node_modules/npm/node_modules/libnpm
      libnpmaccess  <=3.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmaccess
      libnpmhook  <=5.0.3
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmhook
      libnpmorg  <=1.0.1
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmorg
      libnpmpublish  <=2.0.0
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmpublish
      libnpmsearch  <=2.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmsearch
      libnpmteam  <=1.0.2
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/libnpmteam
      npm-profile  4.0.0 - 4.0.4
      Depends on vulnerable versions of npm-registry-fetch
      node_modules/npm/node_modules/npm-profile
      pacote  2.0.0 - 10.3.0
      Depends on vulnerable versions of make-fetch-happen
      Depends on vulnerable versions of npm-registry-fetch
      Depends on vulnerable versions of tar
      node_modules/npm/node_modules/pacote
        libcipm  *
        Depends on vulnerable versions of npm-lifecycle
        Depends on vulnerable versions of pacote
        node_modules/npm/node_modules/libcipm

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/ip
  socks  1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/npm/node_modules/socks
    socks-proxy-agent  1.0.1 - 4.0.2
    Depends on vulnerable versions of socks
    node_modules/npm/node_modules/socks-proxy-agent

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install css-loader@7.1.2, which is a breaking change
node_modules/postcss
  css-loader  0.15.0 - 4.3.0
  Depends on vulnerable versions of icss-utils
  Depends on vulnerable versions of postcss
  Depends on vulnerable versions of postcss-modules-extract-imports
  Depends on vulnerable versions of postcss-modules-local-by-default
  Depends on vulnerable versions of postcss-modules-scope
  Depends on vulnerable versions of postcss-modules-values
  node_modules/css-loader
  icss-utils  <=4.1.1
  Depends on vulnerable versions of postcss
  node_modules/icss-utils
    postcss-modules-local-by-default  <=4.0.0-rc.4
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-local-by-default
    postcss-modules-values  <=4.0.0-rc.5
    Depends on vulnerable versions of icss-utils
    Depends on vulnerable versions of postcss
    node_modules/postcss-modules-values
  postcss-modules-extract-imports  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-extract-imports
  postcss-modules-scope  <=2.2.0
  Depends on vulnerable versions of postcss
  node_modules/postcss-modules-scope

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/request
  node-gyp  <=7.1.2
  Depends on vulnerable versions of request
  Depends on vulnerable versions of tar
  node_modules/npm/node_modules/node-gyp
    npm-lifecycle  >=2.0.0
    Depends on vulnerable versions of node-gyp
    node_modules/npm/node_modules/npm-lifecycle

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/semver

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/tar

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install npm@10.8.3, which is a breaking change
node_modules/npm/node_modules/tough-cookie

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
  css-img-datauri-stream  *
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of underscore
  node_modules/css-img-datauri-stream
    leaflet-splitmap  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-splitmap
    leaflet-transform  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-transform

41 vulnerabilities (18 moderate, 19 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
bnavigator commented 2 weeks ago
> npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit fix semver@5.7.1 node_modules/npm/node_modules/semver
npm warn audit fix semver@5.7.1 is a bundled dependency of
npm warn audit fix semver@5.7.1 npm@6.14.18 at node_modules/npm
npm warn audit fix semver@5.7.1 It cannot be fixed automatically.
npm warn audit fix semver@5.7.1 Check for updates to the npm package.
npm warn audit fix ansi-regex@3.0.0 node_modules/npm/node_modules/string-width/node_modules/ansi-regex
npm warn audit fix ansi-regex@3.0.0 is a bundled dependency of
npm warn audit fix ansi-regex@3.0.0 npm@6.14.18 at node_modules/npm
npm warn audit fix ansi-regex@3.0.0 It cannot be fixed automatically.
npm warn audit fix ansi-regex@3.0.0 Check for updates to the npm package.
npm warn audit fix ansi-regex@4.1.0 node_modules/npm/node_modules/yargs/node_modules/ansi-regex
npm warn audit fix ansi-regex@4.1.0 is a bundled dependency of
npm warn audit fix ansi-regex@4.1.0 npm@6.14.18 at node_modules/npm
npm warn audit fix ansi-regex@4.1.0 It cannot be fixed automatically.
npm warn audit fix ansi-regex@4.1.0 Check for updates to the npm package.
npm warn audit fix got@6.7.1 node_modules/npm/node_modules/got
npm warn audit fix got@6.7.1 is a bundled dependency of
npm warn audit fix got@6.7.1 npm@6.14.18 at node_modules/npm
npm warn audit fix got@6.7.1 It cannot be fixed automatically.
npm warn audit fix got@6.7.1 Check for updates to the npm package.
npm warn audit fix http-cache-semantics@3.8.1 node_modules/npm/node_modules/http-cache-semantics
npm warn audit fix http-cache-semantics@3.8.1 is a bundled dependency of
npm warn audit fix http-cache-semantics@3.8.1 npm@6.14.18 at node_modules/npm
npm warn audit fix http-cache-semantics@3.8.1 It cannot be fixed automatically.
npm warn audit fix http-cache-semantics@3.8.1 Check for updates to the npm package.
npm warn audit fix ip@1.1.5 node_modules/npm/node_modules/ip
npm warn audit fix ip@1.1.5 is a bundled dependency of
npm warn audit fix ip@1.1.5 npm@6.14.18 at node_modules/npm
npm warn audit fix ip@1.1.5 It cannot be fixed automatically.
npm warn audit fix ip@1.1.5 Check for updates to the npm package.
npm warn audit fix request@2.88.2 node_modules/npm/node_modules/request
npm warn audit fix request@2.88.2 is a bundled dependency of
npm warn audit fix request@2.88.2 npm@6.14.18 at node_modules/npm
npm warn audit fix request@2.88.2 It cannot be fixed automatically.
npm warn audit fix request@2.88.2 Check for updates to the npm package.
npm warn audit fix tar@4.4.19 node_modules/npm/node_modules/tar
npm warn audit fix tar@4.4.19 is a bundled dependency of
npm warn audit fix tar@4.4.19 npm@6.14.18 at node_modules/npm
npm warn audit fix tar@4.4.19 It cannot be fixed automatically.
npm warn audit fix tar@4.4.19 Check for updates to the npm package.
npm warn audit fix tough-cookie@2.5.0 node_modules/npm/node_modules/tough-cookie
npm warn audit fix tough-cookie@2.5.0 is a bundled dependency of
npm warn audit fix tough-cookie@2.5.0 npm@6.14.18 at node_modules/npm
npm warn audit fix tough-cookie@2.5.0 It cannot be fixed automatically.
npm warn audit fix tough-cookie@2.5.0 Check for updates to the npm package.
npm warn audit fix package-json@4.0.1 node_modules/npm/node_modules/package-json
npm warn audit fix package-json@4.0.1 is a bundled dependency of
npm warn audit fix package-json@4.0.1 npm@6.14.18 at node_modules/npm
npm warn audit fix package-json@4.0.1 It cannot be fixed automatically.
npm warn audit fix package-json@4.0.1 Check for updates to the npm package.
npm warn audit fix make-fetch-happen@5.0.2 node_modules/npm/node_modules/make-fetch-happen
npm warn audit fix make-fetch-happen@5.0.2 is a bundled dependency of
npm warn audit fix make-fetch-happen@5.0.2 npm@6.14.18 at node_modules/npm
npm warn audit fix make-fetch-happen@5.0.2 It cannot be fixed automatically.
npm warn audit fix make-fetch-happen@5.0.2 Check for updates to the npm package.
npm warn audit fix socks@2.3.3 node_modules/npm/node_modules/socks
npm warn audit fix socks@2.3.3 is a bundled dependency of
npm warn audit fix socks@2.3.3 npm@6.14.18 at node_modules/npm
npm warn audit fix socks@2.3.3 It cannot be fixed automatically.
npm warn audit fix socks@2.3.3 Check for updates to the npm package.
npm warn audit fix node-gyp@5.1.1 node_modules/npm/node_modules/node-gyp
npm warn audit fix node-gyp@5.1.1 is a bundled dependency of
npm warn audit fix node-gyp@5.1.1 npm@6.14.18 at node_modules/npm
npm warn audit fix node-gyp@5.1.1 It cannot be fixed automatically.
npm warn audit fix node-gyp@5.1.1 Check for updates to the npm package.
npm warn audit fix pacote@9.5.12 node_modules/npm/node_modules/pacote
npm warn audit fix pacote@9.5.12 is a bundled dependency of
npm warn audit fix pacote@9.5.12 npm@6.14.18 at node_modules/npm
npm warn audit fix pacote@9.5.12 It cannot be fixed automatically.
npm warn audit fix pacote@9.5.12 Check for updates to the npm package.
npm warn audit fix latest-version@3.1.0 node_modules/npm/node_modules/latest-version
npm warn audit fix latest-version@3.1.0 is a bundled dependency of
npm warn audit fix latest-version@3.1.0 npm@6.14.18 at node_modules/npm
npm warn audit fix latest-version@3.1.0 It cannot be fixed automatically.
npm warn audit fix latest-version@3.1.0 Check for updates to the npm package.
npm warn audit fix npm-registry-fetch@4.0.7 node_modules/npm/node_modules/npm-registry-fetch
npm warn audit fix npm-registry-fetch@4.0.7 is a bundled dependency of
npm warn audit fix npm-registry-fetch@4.0.7 npm@6.14.18 at node_modules/npm
npm warn audit fix npm-registry-fetch@4.0.7 It cannot be fixed automatically.
npm warn audit fix npm-registry-fetch@4.0.7 Check for updates to the npm package.
npm warn audit fix socks-proxy-agent@4.0.2 node_modules/npm/node_modules/socks-proxy-agent
npm warn audit fix socks-proxy-agent@4.0.2 is a bundled dependency of
npm warn audit fix socks-proxy-agent@4.0.2 npm@6.14.18 at node_modules/npm
npm warn audit fix socks-proxy-agent@4.0.2 It cannot be fixed automatically.
npm warn audit fix socks-proxy-agent@4.0.2 Check for updates to the npm package.
npm warn audit fix npm-lifecycle@3.1.5 node_modules/npm/node_modules/npm-lifecycle
npm warn audit fix npm-lifecycle@3.1.5 is a bundled dependency of
npm warn audit fix npm-lifecycle@3.1.5 npm@6.14.18 at node_modules/npm
npm warn audit fix npm-lifecycle@3.1.5 It cannot be fixed automatically.
npm warn audit fix npm-lifecycle@3.1.5 Check for updates to the npm package.
npm warn audit fix libnpm@3.0.1 node_modules/npm/node_modules/libnpm
npm warn audit fix libnpm@3.0.1 is a bundled dependency of
npm warn audit fix libnpm@3.0.1 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpm@3.0.1 It cannot be fixed automatically.
npm warn audit fix libnpm@3.0.1 Check for updates to the npm package.
npm warn audit fix libcipm@4.0.8 node_modules/npm/node_modules/libcipm
npm warn audit fix libcipm@4.0.8 is a bundled dependency of
npm warn audit fix libcipm@4.0.8 npm@6.14.18 at node_modules/npm
npm warn audit fix libcipm@4.0.8 It cannot be fixed automatically.
npm warn audit fix libcipm@4.0.8 Check for updates to the npm package.
npm warn audit fix update-notifier@2.5.0 node_modules/npm/node_modules/update-notifier
npm warn audit fix update-notifier@2.5.0 is a bundled dependency of
npm warn audit fix update-notifier@2.5.0 npm@6.14.18 at node_modules/npm
npm warn audit fix update-notifier@2.5.0 It cannot be fixed automatically.
npm warn audit fix update-notifier@2.5.0 Check for updates to the npm package.
npm warn audit fix libnpmpublish@1.1.2 node_modules/npm/node_modules/libnpmpublish
npm warn audit fix libnpmpublish@1.1.2 is a bundled dependency of
npm warn audit fix libnpmpublish@1.1.2 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmpublish@1.1.2 It cannot be fixed automatically.
npm warn audit fix libnpmpublish@1.1.2 Check for updates to the npm package.
npm warn audit fix libnpmaccess@3.0.2 node_modules/npm/node_modules/libnpmaccess
npm warn audit fix libnpmaccess@3.0.2 is a bundled dependency of
npm warn audit fix libnpmaccess@3.0.2 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmaccess@3.0.2 It cannot be fixed automatically.
npm warn audit fix libnpmaccess@3.0.2 Check for updates to the npm package.
npm warn audit fix npm-profile@4.0.4 node_modules/npm/node_modules/npm-profile
npm warn audit fix npm-profile@4.0.4 is a bundled dependency of
npm warn audit fix npm-profile@4.0.4 npm@6.14.18 at node_modules/npm
npm warn audit fix npm-profile@4.0.4 It cannot be fixed automatically.
npm warn audit fix npm-profile@4.0.4 Check for updates to the npm package.
npm warn audit fix libnpmhook@5.0.3 node_modules/npm/node_modules/libnpmhook
npm warn audit fix libnpmhook@5.0.3 is a bundled dependency of
npm warn audit fix libnpmhook@5.0.3 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmhook@5.0.3 It cannot be fixed automatically.
npm warn audit fix libnpmhook@5.0.3 Check for updates to the npm package.
npm warn audit fix libnpmorg@1.0.1 node_modules/npm/node_modules/libnpmorg
npm warn audit fix libnpmorg@1.0.1 is a bundled dependency of
npm warn audit fix libnpmorg@1.0.1 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmorg@1.0.1 It cannot be fixed automatically.
npm warn audit fix libnpmorg@1.0.1 Check for updates to the npm package.
npm warn audit fix libnpmteam@1.0.2 node_modules/npm/node_modules/libnpmteam
npm warn audit fix libnpmteam@1.0.2 is a bundled dependency of
npm warn audit fix libnpmteam@1.0.2 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmteam@1.0.2 It cannot be fixed automatically.
npm warn audit fix libnpmteam@1.0.2 Check for updates to the npm package.
npm warn audit fix libnpmsearch@2.0.2 node_modules/npm/node_modules/libnpmsearch
npm warn audit fix libnpmsearch@2.0.2 is a bundled dependency of
npm warn audit fix libnpmsearch@2.0.2 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpmsearch@2.0.2 It cannot be fixed automatically.
npm warn audit fix libnpmsearch@2.0.2 Check for updates to the npm package.
npm warn audit fix libnpx@10.2.4 node_modules/npm/node_modules/libnpx
npm warn audit fix libnpx@10.2.4 is a bundled dependency of
npm warn audit fix libnpx@10.2.4 npm@6.14.18 at node_modules/npm
npm warn audit fix libnpx@10.2.4 It cannot be fixed automatically.
npm warn audit fix libnpx@10.2.4 Check for updates to the npm package.
npm warn audit Updating css-loader to 7.1.2, which is a SemVer major change.
npm warn audit Updating npm to 10.8.3, which is a SemVer major change.
npm warn audit No fix available for leaflet-splitmap@*
npm warn audit No fix available for leaflet-transform@*
npm warn deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm warn deprecated @humanwhocodes/config-array@0.11.14: Use @eslint/config-array instead
npm warn deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm warn deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm warn deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm warn deprecated glob@7.1.7: Glob versions prior to v9 are no longer supported
npm warn deprecated point-geometry@0.0.0: This module has moved: please install @mapbox/point-geometry instead
npm warn deprecated vector-tile@1.3.0: This module has moved: please install @mapbox/vector-tile instead

added 621 packages, and audited 822 packages in 11s

167 packages are looking for funding
  run `npm fund` for details

# npm audit report

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix`
node_modules/mime

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/css-img-datauri-stream/node_modules/underscore
  css-img-datauri-stream  *
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of underscore
  node_modules/css-img-datauri-stream
    leaflet-splitmap  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-splitmap
    leaflet-transform  *
    Depends on vulnerable versions of css-img-datauri-stream
    node_modules/leaflet-transform

5 vulnerabilities (1 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
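A triage helper for reports like the two above, added here as an example; it is not code from ipyleaflet or from the issue. It reads the machine-readable form of the same report (`npm audit --json`, auditReportVersion 2, the format npm 7 and later emit) and sorts each finding by what actually clears it. Findings whose only install paths sit under node_modules/npm/node_modules/ are npm's own bundled dependencies, which is why the first `npm audit fix --force` run could not touch them one by one and why they vanish once npm@6.14.18 is replaced by npm@10.8.3; the rest are cleanly fixable, fixable only through a semver-major bump, or have no fix at all and need a different dependency. SAMPLE_REPORT is constructed by hand from a subset of the findings quoted above and is not captured npm output; the bucket names and helper functions are this example's own.

```python
"""Triage an `npm audit --json` report (auditReportVersion 2, npm >= 7).

Added example; not code from ipyleaflet or from the issue above.
SAMPLE_REPORT is constructed by hand from findings quoted in the issue,
trimmed to a handful of entries; it is not captured npm output.
"""
import json

# Paths under npm's own bundled dependency tree. `npm audit fix` never
# rewrites that tree, so such findings are only cleared by replacing the
# `npm` package itself (here: the npm@6.14.18 -> 10.8.3 major bump).
NPM_BUNDLE_PREFIX = "node_modules/npm/node_modules/"

SAMPLE_REPORT = json.loads(r"""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "semver": {"name": "semver", "severity": "high", "isDirect": false,
      "via": [{"name": "semver", "range": "<5.7.2", "severity": "high",
               "url": "https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}],
      "range": "<5.7.2", "nodes": ["node_modules/npm/node_modules/semver"],
      "fixAvailable": {"name": "npm", "version": "10.8.3", "isSemVerMajor": true}},
    "npm": {"name": "npm", "severity": "high", "isDirect": false,
      "via": ["semver", "tar", "request"], "range": "<=10.5.0",
      "nodes": ["node_modules/npm"],
      "fixAvailable": {"name": "npm", "version": "10.8.3", "isSemVerMajor": true}},
    "postcss": {"name": "postcss", "severity": "moderate", "isDirect": false,
      "via": [{"name": "postcss", "range": "<8.4.31", "severity": "moderate",
               "url": "https://github.com/advisories/GHSA-7fh5-64p2-3v2j"}],
      "range": "<8.4.31", "nodes": ["node_modules/postcss"],
      "fixAvailable": {"name": "css-loader", "version": "7.1.2", "isSemVerMajor": true}},
    "mime": {"name": "mime", "severity": "high", "isDirect": false,
      "via": [{"name": "mime", "range": "<1.4.1", "severity": "high",
               "url": "https://github.com/advisories/GHSA-wrvr-8mpx-r7pp"}],
      "range": "<1.4.1", "nodes": ["node_modules/mime"], "fixAvailable": true},
    "underscore": {"name": "underscore", "severity": "critical", "isDirect": false,
      "via": [{"name": "underscore", "range": "1.3.2 - 1.12.0", "severity": "critical",
               "url": "https://github.com/advisories/GHSA-cf4h-3jhx-xvhq"}],
      "range": "1.3.2 - 1.12.0",
      "nodes": ["node_modules/css-img-datauri-stream/node_modules/underscore"],
      "fixAvailable": false},
    "css-img-datauri-stream": {"name": "css-img-datauri-stream", "severity": "critical",
      "isDirect": false, "via": ["mime", "underscore"], "range": "*",
      "nodes": ["node_modules/css-img-datauri-stream"], "fixAvailable": false},
    "leaflet-splitmap": {"name": "leaflet-splitmap", "severity": "critical",
      "isDirect": true, "via": ["css-img-datauri-stream"], "range": "*",
      "nodes": ["node_modules/leaflet-splitmap"], "fixAvailable": false}
  }
}
""")

BUCKETS = ("bundled-in-npm", "no-fix", "fix-breaking", "fix-clean")


def classify(finding):
    """Map one entry of the report's `vulnerabilities` object to a bucket."""
    nodes = finding.get("nodes", [])
    fix = finding.get("fixAvailable", False)
    if nodes and all(path.startswith(NPM_BUNDLE_PREFIX) for path in nodes):
        return "bundled-in-npm"  # only a newer npm package clears this
    if fix is False:
        return "no-fix"          # swap or drop the dependency
    if isinstance(fix, dict) and fix.get("isSemVerMajor"):
        return "fix-breaking"    # needs `npm audit fix --force`
    return "fix-clean"           # plain `npm audit fix`


def triage(report):
    """Group every vulnerable package name by the action it needs."""
    out = {bucket: [] for bucket in BUCKETS}
    for name, finding in report["vulnerabilities"].items():
        out[classify(finding)].append(name)
    return {bucket: sorted(names) for bucket, names in out.items()}


def advisory_roots(report):
    """Packages that carry an advisory themselves.

    In the v2 format `via` holds advisory objects for packages hit directly
    and bare strings (dependency names) for packages affected transitively;
    only the former are the root causes worth looking up.
    """
    return sorted(
        name for name, finding in report["vulnerabilities"].items()
        if any(isinstance(entry, dict) for entry in finding.get("via", []))
    )


def direct_dependencies_to_review(report):
    """Direct dependencies (your own package.json) on a chain with no fix."""
    return sorted(
        name for name, finding in report["vulnerabilities"].items()
        if finding.get("isDirect") and classify(finding) == "no-fix"
    )


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_REPORT).items():
        print(f"{bucket:15s} {', '.join(names) or '-'}")
    print("advisory roots:", advisory_roots(SAMPLE_REPORT))
    print("direct deps to replace:", direct_dependencies_to_review(SAMPLE_REPORT))
```

To run it against a real tree, replace SAMPLE_REPORT with `json.load(open("audit.json"))` after `npm audit --json > audit.json` in the unpacked sdist. On the sample, `semver` lands in the bundled bucket, `npm` and `postcss` need major bumps, `mime` is a clean fix, and the `underscore` chain up to `leaflet-splitmap` has no fix, which is the same picture the two comments above arrive at by hand.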