pmb0 / express-sharp

🏞 Real-time image processing for your express application.
MIT License
149 stars 31 forks

npm install is showing vulnerability due to class-validator ^0.13.1 #595

Open naqibfaiyaz opened 1 year ago

naqibfaiyaz commented 1 year ago

Hello. Whenever I am running npm install, I am getting critical severity vulnerabilities. npm audit fix --force rolls back express-sharp to 3.1.1; however, it again shows vulnerabilities there for other packages. Currently, I am in a loop and cannot solve this. Can someone please help me here to solve this?

Any help or guidance is much appreciated. Thanks in advance.

Error when express-sharp 4.2.41 is used:

class-validator  <0.14.0
Severity: critical
SQL Injection and Cross-site Scripting in class-validator - https://github.com/advisories/GHSA-fj58-h2fr-3pp2
fix available via `npm audit fix --force`
Will install express-sharp@3.1.1, which is a breaking change
node_modules/class-validator
  express-sharp  >=4.0.1
  Depends on vulnerable versions of class-validator
  node_modules/express-sharp

2 critical severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Error when express-sharp 3.1.1 is used:

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install express-sharp@4.2.41, which is a breaking change
node_modules/got
  express-sharp  <=4.2.40
  Depends on vulnerable versions of express-validator
  Depends on vulnerable versions of got
  Depends on vulnerable versions of sharp
  node_modules/express-sharp

sharp  <0.30.5
Severity: moderate
sharp vulnerable to Command Injection in post-installation over build environment - https://github.com/advisories/GHSA-gp95-ppv5-3jc5
fix available via `npm audit fix --force`
Will install express-sharp@4.2.41, which is a breaking change
node_modules/sharp

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix --force`
Will install express-sharp@4.2.41, which is a breaking change
node_modules/express-sharp/node_modules/validator
  express-validator  0.2.0 - 6.4.1
  Depends on vulnerable versions of validator
  node_modules/express-sharp/node_modules/express-validator

5 moderate severity vulnerabilities
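The two reports above show why `npm audit fix --force` cannot settle: at 4.2.41 the only forced fix is express-sharp@3.1.1, and at 3.1.1 every forced fix is express-sharp@4.2.41. The script below, an added example that is not code from the express-sharp project or from the reporter, reads audit reports in the shape of `npm audit --json` taken at each candidate version and flags any package that the advisories pin to more than one version; the two report objects are constructed from the advisories quoted in the issue, trimmed to the fields the check needs.

```javascript
// Added example (not part of express-sharp): detect an "npm audit fix --force"
// loop across audit reports taken at different versions of a direct dependency.
// Both reports below are constructed from the advisories quoted in the issue,
// in the shape of `npm audit --json` (auditReportVersion 2), fields trimmed.
const reportAt4_2_41 = {
  auditReportVersion: 2,
  vulnerabilities: {
    "class-validator": {
      name: "class-validator", severity: "critical", range: "<0.14.0",
      via: [{ title: "SQL Injection and Cross-site Scripting in class-validator",
              url: "https://github.com/advisories/GHSA-fj58-h2fr-3pp2" }],
      fixAvailable: { name: "express-sharp", version: "3.1.1", isSemVerMajor: true },
    },
  },
};
const reportAt3_1_1 = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: {
      name: "got", severity: "moderate", range: "<11.8.5",
      via: [{ title: "Got allows a redirect to a UNIX socket",
              url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97" }],
      fixAvailable: { name: "express-sharp", version: "4.2.41", isSemVerMajor: true },
    },
  },
};

// Collect, across all reports, which forced version each advisory pins a
// package to. A package pinned to more than one distinct version means the
// forced fix oscillates: no single version satisfies every advisory at once.
function findFixConflicts(reports) {
  const pins = new Map(); // package -> Map(version -> [vulnerable packages])
  for (const report of reports) {
    for (const vuln of Object.values(report.vulnerabilities)) {
      const fix = vuln.fixAvailable;
      if (!fix || typeof fix !== "object") continue; // true/false: nothing pinned
      const versions = pins.get(fix.name) ?? new Map();
      versions.set(fix.version, [...(versions.get(fix.version) ?? []), vuln.name]);
      pins.set(fix.name, versions);
    }
  }
  return [...pins].filter(([, v]) => v.size > 1)
    .map(([pkg, v]) => ({ package: pkg, versions: Object.fromEntries(v) }));
}

console.log(JSON.stringify(findFixConflicts([reportAt4_2_41, reportAt3_1_1]), null, 2));
```

On real projects, save `npm audit --json` at each version you try and feed the parsed files to findFixConflicts; an empty result means one version clears every advisory and the loop is gone.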