When running npm audit fix to fix the send < 0.19.0 vulnerability, I get a message saying the fix can't be done because it will install a (very) old version of webpack-dev-server, which is a breaking change.
The latest version of webpack-dev-server is 5.1.0, and my product is on 4.15.2. To fix the send vulnerability, webpack-dev-server version 1.2.9 would be installed.
npm audit report
send <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix --force
Will install webpack-dev-server@1.2.9, which is a breaking change
node_modules/serve-static/node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static
express 4.0.0-rc1 - 5.0.0-beta.3
Depends on vulnerable versions of serve-static
node_modules/express
webpack-dev-server >=1.3.0
Depends on vulnerable versions of express
node_modules/webpack-dev-server
4 moderate severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Forcing a fix installs the old version of webpack-dev-server, and creates 18 vulnerabilities, 4 of which are critical, and 12 high:
18 vulnerabilities (2 moderate, 12 high, 4 critical)
Maybe I'm missing a step?
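As an added example (not part of the question), a small Node.js script that reads the JSON form of this report (`npm audit --json`, auditReportVersion 2) and shows why the only available fix is flagged as breaking: the advisory sits on `send`, but the only fix npm can compute runs up the chain `send -> serve-static -> express -> webpack-dev-server` and ends in a semver-major downgrade of the direct dependency. The `report` object is constructed to mirror the audit output above; the `via`/`effects`/`isDirect`/`fixAvailable` field names follow npm's JSON report format.

```javascript
// Constructed `npm audit --json` (auditReportVersion 2) report mirroring the question's audit;
// field names (via, effects, isDirect, fixAvailable) follow npm's JSON report format.
const FORCED = { name: 'webpack-dev-server', version: '1.2.9', isSemVerMajor: true };
const report = {
  auditReportVersion: 2,
  vulnerabilities: {
    send: {
      name: 'send', severity: 'moderate', isDirect: false, range: '<0.19.0',
      via: [{ title: 'send vulnerable to template injection that can lead to XSS',
              url: 'https://github.com/advisories/GHSA-m6fv-jmcg-4jfg', severity: 'moderate' }],
      effects: ['serve-static'], fixAvailable: FORCED,
    },
    'serve-static': { name: 'serve-static', severity: 'moderate', isDirect: false,
      range: '<=1.16.0', via: ['send'], effects: ['express'], fixAvailable: FORCED },
    express: { name: 'express', severity: 'moderate', isDirect: false,
      range: '4.0.0-rc1 - 5.0.0-beta.3', via: ['serve-static'],
      effects: ['webpack-dev-server'], fixAvailable: FORCED },
    'webpack-dev-server': { name: 'webpack-dev-server', severity: 'moderate', isDirect: true,
      range: '>=1.3.0', via: ['express'], effects: [], fixAvailable: FORCED },
  },
};
// Entries whose `via` holds advisory objects (not package names) are the root findings. Follow
// `effects` upward to the package npm must change and report whether that fix is semver-major.
function explainForcedFixes(audit) {
  const vulns = audit.vulnerabilities;
  const results = [];
  for (const v of Object.values(vulns)) {
    const advisories = v.via.filter((x) => typeof x === 'object');
    if (advisories.length === 0) continue; // transitive entry, not a root advisory
    const chain = [v.name];
    let cur = v;
    // Walk the first `effects` edge at each step (a real report may branch); stop on cycles.
    while (cur.effects.length > 0 && vulns[cur.effects[0]] && !chain.includes(cur.effects[0])) {
      cur = vulns[cur.effects[0]];
      chain.push(cur.name);
    }
    const fix = v.fixAvailable;
    results.push({
      advisory: advisories[0].url,
      chain, // e.g. send -> serve-static -> express -> webpack-dev-server
      direct: cur.isDirect, // true when the chain ends at a package listed in package.json
      breaking: typeof fix === 'object' && fix.isSemVerMajor === true,
      forcedInstall: typeof fix === 'object' ? `${fix.name}@${fix.version}` : null,
    });
  }
  return results;
}
for (const r of explainForcedFixes(report)) {
  console.log(`${r.chain.join(' -> ')}: ${r.breaking ? `needs --force, would install ${r.forcedInstall}` : 'non-breaking fix'}`);
}
```

Run it against a real `npm audit --json > audit.json` by replacing the constructed `report` with `JSON.parse(fs.readFileSync('audit.json'))`; a chain ending at a direct dependency with `breaking: true` is exactly the case where npm refuses to fix without `--force`.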