[x] I have searched the issues of this repository and believe that this is not a duplicate.
Describe the bug
npm audit is claiming react-rainbow is dependent on a questionable version of remark-parse, trim, & xlsx. The suggested fix to --force the audit reverts react-rainbow to a very old version (1.3.1 vs the current 1.30.0 release).
npm audit report
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via npm audit fix --force
Will install react-rainbow-components@1.3.1, which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
react-rainbow-components 1.3.1-canary.1471156 - 1.3.1-canary.5f2bd76 || >=1.4.0-canary.2815665
Depends on vulnerable versions of remark-parse
Depends on vulnerable versions of xlsx
node_modules/react-rainbow-components
xlsx <0.17.0
Severity: moderate
Denial of Service in SheetJS Pro - https://github.com/advisories/GHSA-g973-978j-2c3p
fix available via npm audit fix --force
Will install react-rainbow-components@1.3.1, which is a breaking change
node_modules/xlsx
react-rainbow-components 1.3.1-canary.1471156 - 1.3.1-canary.5f2bd76 || >=1.4.0-canary.2815665
Depends on vulnerable versions of remark-parse
Depends on vulnerable versions of xlsx
node_modules/react-rainbow-components
4 vulnerabilities (1 moderate, 3 high)
Screenshots
If applicable, add screenshots to help explain your problem.
To Reproduce 🕹
run npm audit
Expected Behavior 🤔
Would like to upgrade any dependencies to ones without known vulnerabilities.
Current Behavior 😯
Warning messages from npm.
Context 🔦
Not a critical issue but nice to have clean components.
Your Environment 🌎
Windows 10, npm 8.1.2, node.js 16.13.1
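A triage helper, added here as an example and not part of this issue or of react-rainbow-components: it walks the `via` chains in `npm audit --json` output (a constructed sample shaped like the report above, with the same packages and advisory URLs) to show which advisories reach a direct dependency and whether the offered fix is semver-major, which is what makes the `--force` downgrade in this report a breaking change rather than a fix.

```python
# Constructed sample in the shape of `npm audit --json` (npm 7+), mirroring the
# four findings quoted in the issue; not real captured output.
FIX = {"name": "react-rainbow-components", "version": "1.3.1", "isSemVerMajor": True}
SAMPLE_AUDIT = {"vulnerabilities": {
    "trim": {"isDirect": False, "range": "<0.0.3", "fixAvailable": FIX,
             "via": [{"title": "Regular Expression Denial of Service in trim",
                      "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq",
                      "severity": "high"}]},
    "remark-parse": {"isDirect": False, "range": "<=8.0.3", "fixAvailable": FIX,
                     "via": ["trim"]},
    "xlsx": {"isDirect": False, "range": "<0.17.0", "fixAvailable": FIX,
             "via": [{"title": "Denial of Service in SheetJS Pro",
                      "url": "https://github.com/advisories/GHSA-g973-978j-2c3p",
                      "severity": "moderate"}]},
    "react-rainbow-components": {"isDirect": True, "fixAvailable": FIX,
        "range": "1.3.1-canary.1471156 - 1.3.1-canary.5f2bd76 || >=1.4.0-canary.2815665",
        "via": ["remark-parse", "xlsx"]},
}}
SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"]


def root_advisories(vulns, name, seen=frozenset()):
    """Follow the `via` chain from `name` down to the advisory objects themselves."""
    if name in seen or name not in vulns:   # `seen` guards against dependency cycles
        return []
    found = []
    for v in vulns[name].get("via", []):
        if isinstance(v, dict):   # leaf: the GHSA/CVE advisory entry
            found.append(v)
        else:                     # string: another vulnerable package on the path
            found.extend(root_advisories(vulns, v, seen | {name}))
    return found


def triage(report):
    """Per *direct* dependency npm flags: advisories reaching it transitively, worst
    severity, and whether the offered fix is semver-major (breaking, as in the issue)."""
    vulns, out = report["vulnerabilities"], []
    for name, entry in vulns.items():
        if not entry.get("isDirect"):
            continue
        advisories = root_advisories(vulns, name)
        fix = entry.get("fixAvailable")          # dict, True (non-breaking) or False
        out.append({
            "package": name,
            "advisories": sorted({a["url"] for a in advisories}),
            "worst_severity": max((a["severity"] for a in advisories), key=SEVERITY_ORDER.index, default="none"),
            "fix_is_breaking": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
            "fix_target": f'{fix["name"]}@{fix["version"]}' if isinstance(fix, dict) else fix,
        })
    return out
```

On a real project, feed `triage` the parsed output of `npm audit --json`; when the only offered fix is breaking, npm's `overrides` field in package.json (npm 8.3 and later) lets a consumer pin the transitive package to a patched version instead of downgrading the direct dependency.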