norrissw / gh-actions-npm-audit

gh actions test

npm audit found vulnerabilities #1

Open github-actions[bot] opened 2 years ago

github-actions[bot] commented 2 years ago
# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Depends on vulnerable versions of lodash
fix available via `npm audit fix --force`
Will install mongoose@6.5.1, which is a breaking change
node_modules/async
  mongoose  <=6.4.5
  Depends on vulnerable versions of async
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of mongodb
  Depends on vulnerable versions of mpath
  Depends on vulnerable versions of mquery
  node_modules/mongoose

base64url  <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix`
node_modules/base64url
  ecdsa-sig-formatter  1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
    jwa  <=1.1.5
    Depends on vulnerable versions of base64url
    Depends on vulnerable versions of ecdsa-sig-formatter
    node_modules/jwa
      jws  <=3.1.4
      Depends on vulnerable versions of base64url
      Depends on vulnerable versions of jwa
      node_modules/jws
        jsonwebtoken  <=4.2.2
        Depends on vulnerable versions of jws
        node_modules/jsonwebtoken

bson  <=1.1.3
Severity: high
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix --force`
Will install mongoose@6.5.1, which is a breaking change
node_modules/bson
  mongodb-core  <=3.1.1
  Depends on vulnerable versions of bson
  node_modules/mongodb-core
    mongodb  <=3.1.12
    Depends on vulnerable versions of mongodb-core
    node_modules/mongodb

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install express-fileupload@1.4.0, which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    express-fileupload  <=1.3.1
    Depends on vulnerable versions of busboy
    node_modules/express-fileupload
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    Depends on vulnerable versions of mkdirp
    node_modules/multer

helmet-csp  1.2.2 - 2.9.0
Severity: moderate
Configuration Override in helmet-csp - https://github.com/advisories/GHSA-c3m8-x3cg-qm2c
fix available via `npm audit fix`
node_modules/helmet-csp
  helmet  2.1.2 - 3.20.1
  Depends on vulnerable versions of helmet-csp
  node_modules/helmet

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/js-yaml

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install mongoose@6.5.1, which is a breaking change
node_modules/lodash
  express-validator  0.2.0 - 6.4.1
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of validator
  node_modules/express-validator

mime  <1.4.1
Severity: moderate
Regular Expression Denial of Service in mime - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install express@4.18.1, which is outside the stated dependency range
node_modules/mime
  send  <=0.15.6
  Depends on vulnerable versions of mime
  node_modules/send
    express  3.0.0-alpha1 - 4.15.5 || 5.0.0-alpha.1 - 5.0.0-alpha.6
    Depends on vulnerable versions of send
    Depends on vulnerable versions of serve-static
    node_modules/express
    serve-static  <=1.12.6
    Depends on vulnerable versions of send
    node_modules/serve-static

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
    mv  
    Depends on vulnerable versions of mkdirp
    node_modules/mv

moment  <=2.29.3
Severity: high
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
  bunyan  
  Depends on vulnerable versions of moment
  node_modules/bunyan

morgan  <1.9.1
Severity: moderate
Code Injection in morgan - https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
fix available via `npm audit fix`
node_modules/morgan

mpath  <=0.8.3
Severity: critical
Type confusion in mpath - https://github.com/advisories/GHSA-p92x-r36w-9395
Prototype Pollution in mpath - https://github.com/advisories/GHSA-h466-j336-74wx
fix available via `npm audit fix --force`
Will install mongoose@6.5.1, which is a breaking change
node_modules/mpath

mquery  <3.2.3
Severity: moderate
Code Injection in mquery - https://github.com/advisories/GHSA-45q2-34rf-mr94
fix available via `npm audit fix --force`
Will install mongoose@6.5.1, which is a breaking change
node_modules/mquery

node-serialize  *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

38 vulnerabilities (1 low, 17 moderate, 10 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

github-actions[bot] commented 2 years ago
# npm audit report

base64url  <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix`
node_modules/base64url
  ecdsa-sig-formatter  1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
    jwa  <=1.1.5
    Depends on vulnerable versions of base64url
    Depends on vulnerable versions of ecdsa-sig-formatter
    node_modules/jwa
  jws  <=3.1.4
  Depends on vulnerable versions of base64url
  node_modules/jsonwebtoken/node_modules/jws

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    node_modules/multer

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/jade/node_modules/mkdirp
  node_modules/multer/node_modules/mkdirp
  node_modules/mv/node_modules/mkdirp

moment  <=2.29.3
Severity: high
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/bunyan/node_modules/moment

node-serialize  *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

uglify-js  <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  2.0.0 - 3.0.1
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

16 vulnerabilities (1 low, 5 moderate, 4 high, 6 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.