microlinkhq / metascraper

Get unified metadata from websites using Open Graph, Microdata, RDFa, Twitter Cards, JSON-LD, HTML, and more.
https://metascraper.js.org
MIT License

[metascraper-media-provider] npm audit vulnerability #405

Closed spicemix closed 3 years ago

spicemix commented 3 years ago

Prerequisites

Subject of the issue

npm-audit complains about vulnerabilities in the hosted-git-info dependency of metascraper-media-provider

Steps to reproduce

npm i metascraper-media-provider --save
npm audit 

Expected behaviour

Should pass audit cleanly

Actual behaviour


                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Deinal of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hosted-git-info                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.8                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ metascraper-media-provider                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ metascraper-media-provider > youtube-dl-exec >               │
│               │ bin-version-check-cli > meow > read-pkg-up > read-pkg >      │
│               │ normalize-package-data > hosted-git-info                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1677                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
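The audit table above names the transitive path and the patched range but not which installed copy of hosted-git-info is actually below it. As an added example (not code from this issue or from the metascraper project), the following script walks the nested `dependencies` tree of a package-lock.json (the shape used by lockfileVersion 1, and kept in v2 for compatibility), lists every installed copy of a package with its dependency path in the same `a > b > c` style npm audit prints, and flags those below the advisory's "Patched in" version. The lockfile is a constructed sample that mirrors the path in the report; the version numbers and the function names `findPackage`, `compareVersions` and `report` are assumptions of this example.

```javascript
// Added example, not code from the issue or from the metascraper project.
// Walks the nested "dependencies" tree of a package-lock.json (the shape
// used by lockfileVersion 1, and kept in v2 for compatibility) to list every
// installed copy of a package with its dependency path, and flags copies
// below the advisory's patched version. The lockfile is a constructed
// sample that mirrors the path printed by npm audit in the report above.

const PATCHED_IN = '3.0.8'; // "Patched in >=3.0.8", from the audit output

// Constructed lockfile fragment; the placeholder versions do not correspond
// to real releases of these packages.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'metascraper-media-provider': { version: '0.0.0-placeholder', dependencies: {
      'youtube-dl-exec': { version: '0.0.0-placeholder', dependencies: {
        'bin-version-check-cli': { version: '0.0.0-placeholder', dependencies: {
          meow: { version: '0.0.0-placeholder', dependencies: {
            'read-pkg-up': { version: '0.0.0-placeholder', dependencies: {
              'read-pkg': { version: '0.0.0-placeholder', dependencies: {
                'normalize-package-data': { version: '0.0.0-placeholder', dependencies: {
                  // Constructed version that sits below the patched range.
                  'hosted-git-info': { version: '2.8.8' }
                } }
              } }
            } }
          } }
        } }
      } }
    } },
    // A second, hoisted copy that is already patched: the lookup must report
    // every copy, since npm may install several versions side by side.
    'hosted-git-info': { version: '3.0.8' }
  }
};

// Parse "major.minor.patch", ignoring any pre-release or build suffix.
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a plain semver core: ${v}`);
  }
  return parts;
}

// Returns -1, 0 or 1, comparing the numeric triple field by field.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every occurrence of `name` in the lock tree, with its path from the root
// and whether its version satisfies ">=patchedIn".
function findPackage(lock, name, patchedIn = PATCHED_IN) {
  const hits = [];
  const walk = (deps, trail) => {
    for (const [depName, node] of Object.entries(deps || {})) {
      const path = [...trail, depName];
      if (depName === name) {
        hits.push({
          path,
          version: node.version,
          patched: compareVersions(node.version, patchedIn) >= 0
        });
      }
      walk(node.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Human-readable lines in the same "a > b > c" style as npm audit.
function report(lock, name, patchedIn = PATCHED_IN) {
  return findPackage(lock, name, patchedIn).map(h =>
    `${h.path.join(' > ')}@${h.version}: ` +
    (h.patched ? 'patched' : `vulnerable, needs >=${patchedIn}`)
  );
}

// Stand-alone use: `node check-lock.js` prints the report for the sample
// above; pass a parsed real lockfile to report() to check a project.
if (typeof require !== 'undefined' && require.main === module) {
  for (const line of report(sampleLock, 'hosted-git-info')) console.log(line);
}
```

The comparison deliberately ignores pre-release tags, so a version such as `3.0.8-beta.1` is treated as `3.0.8`; for a range expression more complex than a single `>=` floor, a real semver library is the right tool. The walk reports every copy because a hoisted, patched top-level copy does not remove a nested vulnerable one, which is exactly the situation a `npm audit` path like the one above describes.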
Kikobeats commented 3 years ago

Hello,

hosted-git-info is not a dependency directly used in this project.

Open the issue in https://github.com/npm/normalize-package-data instead 🙂