kalamuna / kalastatic

:electric_plug: Facilitate the front-end experience through Styleguides and Prototypes
https://kalamuna.github.io/kalastatic/

npm vulnerabilities #609

Closed ceciliaschiebel closed 5 years ago

ceciliaschiebel commented 5 years ago

I ran `npm i` and found some vulnerabilities related to this package. I ran `npm audit fix` and fixed some of them, but 2 require manual review.

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ kalastatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ kalastatic > metalsmith-assets-convention >                  │
│               │ metalsmith-assets > recursive-readdir > minimatch            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ kalastatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ kalastatic > metalsmith-assets-convention >                  │
│               │ metalsmith-assets > debug                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 low, 1 high) in 12838 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

kalastatic: '4.2.0', npm: '6.4.1', node: '10.13.0',
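The report above only tells you that the transitive `minimatch` and `debug` copies are outside the "Patched in" ranges; the text table does not say which installed versions were found, and `npm audit fix` gives up on them because it cannot bump a dependency it does not own. The script below is an added example (not code from kalastatic or from anyone in this thread): it reads the machine-readable form of the same report (`npm audit --json` on npm 6), evaluates each finding's installed version against the advisory's `patched_versions` range with a small semver-range evaluator, and prints the dependency paths that are still vulnerable. The JSON object is constructed to mirror the two advisories above, with made-up installed versions (3.0.0, 2.6.8, 3.1.0) and a made-up second path so that both a vulnerable and a patched finding appear; the field names (`actions`, `advisories`, `findings`, `patched_versions`, `resolves`) are my reading of the npm 6 audit JSON layout and should be checked against your own output.

```javascript
// Added example, not part of kalastatic: find which transitive dependencies in an
// `npm audit --json` report are still outside their advisory's patched range.

// Parse "major.minor.patch" (an optional leading "v" is tolerated; prerelease
// and build suffixes are ignored, which is good enough for audit ranges).
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`cannot parse version: ${version}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// A range is a list of clauses joined by "||"; each clause is a set of
// comparators (">=3.0.2", "< 3.0.0", "=1.2.3") that must all hold. This covers
// the ranges npm audit prints, including "<0.0.0" for "no fix available";
// wildcards, "^", "~" and partial versions are deliberately unsupported.
function satisfies(version, range) {
  const v = parseVersion(version);
  return String(range).split('||').some((clause) => {
    const comparators = [...clause.matchAll(/(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)/g)];
    if (comparators.length === 0) throw new Error(`unsupported range clause: ${clause}`);
    return comparators.every(([, op = '=', target]) => {
      const cmp = compareVersions(v, parseVersion(target));
      switch (op) {
        case '>=': return cmp >= 0;
        case '<=': return cmp <= 0;
        case '>': return cmp > 0;
        case '<': return cmp < 0;
        default: return cmp === 0;
      }
    });
  });
}

// Every (advisory, installed version, path) triple whose version is not in
// the advisory's patched range.
function stillVulnerable(report) {
  const results = [];
  for (const [id, adv] of Object.entries(report.advisories)) {
    for (const finding of adv.findings) {
      if (satisfies(finding.version, adv.patched_versions)) continue;
      for (const path of finding.paths) {
        results.push({
          id: Number(id), module: adv.module_name, severity: adv.severity,
          installed: finding.version, patched: adv.patched_versions, path,
        });
      }
    }
  }
  return results;
}

// Advisory ids that `npm audit fix` refused to touch ("review" actions).
function manualReviewIds(report) {
  return new Set(
    report.actions.filter((a) => a.action === 'review')
      .flatMap((a) => a.resolves.map((r) => r.id)),
  );
}

// Constructed sample: same two advisories as the text report above; the
// installed versions and the "example-app>debug" path are invented.
const MINIMATCH_PATH = 'kalastatic>metalsmith-assets-convention>metalsmith-assets>recursive-readdir>minimatch';
const DEBUG_PATH = 'kalastatic>metalsmith-assets-convention>metalsmith-assets>debug';
const SAMPLE_REPORT = {
  actions: [
    { action: 'review', module: 'minimatch', resolves: [{ id: 118, path: MINIMATCH_PATH, dev: false }] },
    { action: 'review', module: 'debug', resolves: [{ id: 534, path: DEBUG_PATH, dev: false }] },
  ],
  advisories: {
    118: {
      module_name: 'minimatch', severity: 'high', title: 'Regular Expression Denial of Service',
      patched_versions: '>=3.0.2', url: 'https://nodesecurity.io/advisories/118',
      findings: [{ version: '3.0.0', paths: [MINIMATCH_PATH] }],
    },
    534: {
      module_name: 'debug', severity: 'low', title: 'Regular Expression Denial of Service',
      patched_versions: '>= 2.6.9 < 3.0.0 || >= 3.1.0', url: 'https://nodesecurity.io/advisories/534',
      findings: [
        { version: '2.6.8', paths: [DEBUG_PATH] },
        { version: '3.1.0', paths: ['example-app>debug'] }, // already patched, should not be listed
      ],
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const review = manualReviewIds(SAMPLE_REPORT);
  for (const v of stillVulnerable(SAMPLE_REPORT)) {
    const flag = review.has(v.id) ? 'manual review' : 'auto-fixable';
    console.log(`${v.severity.padEnd(4)} ${v.module}@${v.installed} (patched in ${v.patched}, ${flag}) via ${v.path}`);
  }
}
```

To use it on a real project, replace `SAMPLE_REPORT` with `JSON.parse(fs.readFileSync('audit.json'))` after `npm audit --json > audit.json`. The paths it prints are the argument for the fix on the maintainer side: the vulnerable copies sit under `metalsmith-assets`, so the cure is a newer `metalsmith-assets`/`recursive-readdir` that declares `minimatch >=3.0.2` and `debug >=2.6.9`, or a `package-lock.json` that pins them there, not a direct dependency added to the top-level project.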

RobLoach commented 5 years ago

Thanks for the heads up! :+1:

Should get it updated today.

RobLoach commented 5 years ago

Fixed.