psi-4ward / psitransfer

Simple open source self-hosted file sharing solution.
BSD 2-Clause "Simplified" License

NPM: Fix 1 Critical 8 High 1 Low vulnerabilities #248

Closed Alkl58 closed 1 year ago

Alkl58 commented 1 year ago

App:

# npm audit report

loader-utils  <=1.4.1 || 2.0.0 - 2.0.3
Severity: critical
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable - https://github.com/advisories/GHSA-3rfm-jhwj-7488
fix available via `npm audit fix`
node_modules/babel-loader/node_modules/loader-utils
node_modules/css-loader/node_modules/loader-utils
node_modules/file-loader/node_modules/loader-utils
node_modules/loader-utils

terser  5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser

2 vulnerabilities (1 high, 1 critical)

Other:

# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/firefox-profile/node_modules/async
  firefox-profile  0.4.3 - 4.0.0
  Depends on vulnerable versions of async
  node_modules/firefox-profile
    testcafe-browser-provider-browserstack  1.13.0-alpha.1 - 1.13.2 || >=1.14.1-alpha.1
    Depends on vulnerable versions of firefox-profile
    node_modules/testcafe-browser-provider-browserstack

decode-uri-component  <0.2.1
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

jpeg-js  <0.4.4
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
fix available via `npm audit fix`
node_modules/jpeg-js
  @jimp/jpeg  <=0.12.0 || 0.16.1 - 0.16.2-canary.1094.1345.0
  Depends on vulnerable versions of jpeg-js
  node_modules/@jimp/jpeg

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

moment  2.18.0 - 2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix`
node_modules/moment

8 vulnerabilities (1 low, 7 high)

droplinxuser commented 1 year ago

Why is this closed and not merged?