The scope is partly related to issue #30, where we were planning to upgrade the rest of the UI dependencies; however, let's treat this as a smaller scope to see if we can also mitigate these 49 (28 critical) vulnerabilities. So, the scope of this issue is to assess whether some of the dependencies below can be upgraded with upstream fixes, but let's only try to deal with the ones where refactoring is minimal or seamless. The rest we'll address in issue #30.
To reproduce:
npm i
npm audit
49 vulnerabilities (7 moderate, 14 high, 28 critical)
❯ npm audit
# npm audit report
@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
async 2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async
babel-traverse *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-traverse
babel-core 5.8.20 - 7.0.0-beta.3
Depends on vulnerable versions of babel-helpers
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
Depends on vulnerable versions of json5
node_modules/babel-core
babel-register *
Depends on vulnerable versions of babel-core
node_modules/babel-register
babel-helper-call-delegate *
Depends on vulnerable versions of babel-traverse
node_modules/babel-helper-call-delegate
babel-helper-explode-assignable-expression *
Depends on vulnerable versions of babel-traverse
node_modules/babel-helper-explode-assignable-expression
babel-helper-builder-binary-assignment-operator-visitor *
Depends on vulnerable versions of babel-helper-explode-assignable-expression
node_modules/babel-helper-builder-binary-assignment-operator-visitor
babel-plugin-transform-exponentiation-operator *
Depends on vulnerable versions of babel-helper-builder-binary-assignment-operator-visitor
node_modules/babel-plugin-transform-exponentiation-operator
babel-helper-function-name *
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-helper-function-name
babel-helper-define-map *
Depends on vulnerable versions of babel-helper-function-name
node_modules/babel-helper-define-map
babel-helper-remap-async-to-generator *
Depends on vulnerable versions of babel-helper-function-name
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-helper-remap-async-to-generator
babel-plugin-transform-async-to-generator *
Depends on vulnerable versions of babel-helper-remap-async-to-generator
node_modules/babel-plugin-transform-async-to-generator
babel-plugin-transform-es2015-function-name *
Depends on vulnerable versions of babel-helper-function-name
node_modules/babel-plugin-transform-es2015-function-name
babel-helper-replace-supers *
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-helper-replace-supers
babel-plugin-transform-es2015-object-super *
Depends on vulnerable versions of babel-helper-replace-supers
node_modules/babel-plugin-transform-es2015-object-super
babel-plugin-transform-es2015-block-scoping *
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-plugin-transform-es2015-block-scoping
babel-preset-env >=0.0.1
Depends on vulnerable versions of babel-plugin-transform-async-to-generator
Depends on vulnerable versions of babel-plugin-transform-es2015-block-scoping
Depends on vulnerable versions of babel-plugin-transform-es2015-classes
Depends on vulnerable versions of babel-plugin-transform-es2015-computed-properties
Depends on vulnerable versions of babel-plugin-transform-es2015-function-name
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-amd
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-commonjs
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-systemjs
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-umd
Depends on vulnerable versions of babel-plugin-transform-es2015-object-super
Depends on vulnerable versions of babel-plugin-transform-es2015-parameters
Depends on vulnerable versions of babel-plugin-transform-exponentiation-operator
node_modules/babel-preset-env
babel-plugin-transform-es2015-classes *
Depends on vulnerable versions of babel-helper-define-map
Depends on vulnerable versions of babel-helper-function-name
Depends on vulnerable versions of babel-helper-replace-supers
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-plugin-transform-es2015-classes
babel-plugin-transform-es2015-parameters *
Depends on vulnerable versions of babel-helper-call-delegate
Depends on vulnerable versions of babel-template
Depends on vulnerable versions of babel-traverse
node_modules/babel-plugin-transform-es2015-parameters
babel-template *
Depends on vulnerable versions of babel-traverse
node_modules/babel-template
babel-helpers *
Depends on vulnerable versions of babel-template
node_modules/babel-helpers
babel-plugin-transform-es2015-computed-properties *
Depends on vulnerable versions of babel-template
node_modules/babel-plugin-transform-es2015-computed-properties
babel-plugin-transform-es2015-modules-amd *
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-commonjs
Depends on vulnerable versions of babel-template
node_modules/babel-plugin-transform-es2015-modules-amd
babel-plugin-transform-es2015-modules-umd *
Depends on vulnerable versions of babel-plugin-transform-es2015-modules-amd
Depends on vulnerable versions of babel-template
node_modules/babel-plugin-transform-es2015-modules-umd
babel-plugin-transform-es2015-modules-commonjs <=7.0.0-beta.0
Depends on vulnerable versions of babel-template
node_modules/babel-plugin-transform-es2015-modules-commonjs
babel-plugin-transform-es2015-modules-systemjs *
Depends on vulnerable versions of babel-template
node_modules/babel-plugin-transform-es2015-modules-systemjs
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install d3@7.9.0, which is a breaking change
node_modules/d3-color
d3 4.0.0-alpha.1 - 6.7.0
Depends on vulnerable versions of d3-brush
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-transition
Depends on vulnerable versions of d3-zoom
node_modules/d3
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-brush 0.1.0 - 2.1.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/d3-brush
d3-scale 0.1.3 - 3.3.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
d3-transition 0.0.7 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/d3-transition
d3-zoom 0.0.2 - 2.0.0
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-transition
node_modules/d3-zoom
express <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express
follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects
ip <1.1.9
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
json5 <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-core/node_modules/json5
node_modules/json5
node_modules/loader-utils/node_modules/json5
loader-utils <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-hhq3-ff78-jv3g
fix available via `npm audit fix`
node_modules/file-loader/node_modules/loader-utils
node_modules/loader-utils
minimist 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
moment <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
node-forge <=1.2.1
Severity: high
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix`
node_modules/node-forge
postcss <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install vue-loader@17.4.2, which is a breaking change
node_modules/@vue/component-compiler-utils/node_modules/postcss
node_modules/postcss
@vue/component-compiler-utils *
Depends on vulnerable versions of postcss
node_modules/@vue/component-compiler-utils
vue-loader 15.0.0-beta.1 - 15.11.1
Depends on vulnerable versions of @vue/component-compiler-utils
node_modules/vue-loader
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/babel-preset-env/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/semver
terser 5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser
webpack 5.0.0 - 5.75.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack
webpack-dev-middleware <=5.3.3
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
fix available via `npm audit fix`
node_modules/webpack-dev-middleware
49 vulnerabilities (7 moderate, 14 high, 28 critical)
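To separate the "seamless" fixes from the ones that `npm audit fix --force` would turn into a breaking major upgrade (babel-core, d3, vue-loader above), the report can be triaged from `npm audit --json` (npm 7+ format) instead of by eye. This is an added example, not part of the issue or the project; the `SAMPLE_REPORT` below is constructed to mirror a few entries from the audit output, and the `triage` function and its bucket names are assumptions of this example.

```javascript
// Added example: bucket an `npm audit --json` report by remediation cost.
// `fixAvailable` is true (plain `npm audit fix`), false (no fix), or an
// object naming the root package `--force` would install; isSemVerMajor
// marks that install as a breaking change. SAMPLE_REPORT is constructed.
const SAMPLE_REPORT = {
  vulnerabilities: {
    express: {
      name: "express", severity: "moderate", isDirect: true,
      via: [{ title: "Express.js Open Redirect in malformed URLs",
              url: "https://github.com/advisories/GHSA-rv95-896h-c2vc" }],
      fixAvailable: true,
    },
    "babel-traverse": {
      name: "babel-traverse", severity: "critical", isDirect: false,
      via: [{ title: "Babel arbitrary code execution when compiling crafted code",
              url: "https://github.com/advisories/GHSA-67hx-6x53-jw92" }],
      fixAvailable: { name: "babel-core", version: "4.7.16", isSemVerMajor: true },
    },
    "babel-template": {
      name: "babel-template", severity: "critical", isDirect: false,
      via: ["babel-traverse"], // string = transitive only, no advisory of its own
      fixAvailable: { name: "babel-core", version: "4.7.16", isSemVerMajor: true },
    },
    "d3-color": {
      name: "d3-color", severity: "high", isDirect: false,
      via: [{ title: "d3-color vulnerable to ReDoS",
              url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58" }],
      fixAvailable: { name: "d3", version: "7.9.0", isSemVerMajor: true },
    },
  },
};

// Returns { seamless, breaking, unfixed }; breaking entries carry the root
// upgrade (`pkg@version`) so they can be grouped per refactoring effort.
function triage(report) {
  const out = { seamless: [], breaking: [], unfixed: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    // Only object entries in `via` are advisories; strings name dependencies.
    const advisories = v.via.filter((x) => typeof x === "object").map((x) => x.url);
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect, advisories };
    const fix = v.fixAvailable;
    if (fix === true) out.seamless.push(entry);
    else if (fix && fix.isSemVerMajor)
      out.breaking.push({ ...entry, upgrade: `${fix.name}@${fix.version}` });
    else if (fix) out.seamless.push({ ...entry, upgrade: `${fix.name}@${fix.version}` });
    else out.unfixed.push(entry); // needs an override, patch or replacement
  }
  return out;
}

console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
```

On the real tree, feed it `npm audit --json` and group the `breaking` bucket by `upgrade` to see which advisories collapse into the single babel-core, d3 or vue-loader major bumps deferred to issue #30.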