`npm audit` reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:

```text
# npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request
  request-promise-core *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
  request-promise-native >=1.0.0
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/request-promise-native

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install request-promise-native@0.0.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie

xmldom *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install dom-compare@0.1.1, which is a breaking change
node_modules/xmldom
  dom-compare >=0.2.0
  Depends on vulnerable versions of xmldom
  node_modules/dom-compare

6 vulnerabilities (5 moderate, 1 critical)
```
### Describe the improvement you'd like

To summarize the above logs, we need to:

- [ ] replace `request` and `request-promise-native` with a more modern alternative because they're both deprecated. Most alternatives proposed are either ESM-only, unstable, or not production ready
- [ ] replace `dom-compare`. It's no longer maintained and uses a vulnerable version of `xmldom`. We could fork it and use the more recent version of xmldom, inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.

Dependencies that cannot be updated until we migrate to ESM:

- [ ] chai
- [ ] chai-as-promised
- [ ] chai-exclude
- [ ] open

Dependencies that need a higher version of Node.js:

- [ ] semantic-release

PouchDB-related dependencies should probably be updated along with cht-core's.

Additionally, `xpath` has a new minor version available but no changelog is provided.
### Describe the issue

Follow-up from medic/cht-conf#621