relative-ci / bundle-stats

Analyze bundle stats(bundle size, assets, modules, packages) and compare the results between different builds. Support for webpack, rspack, rollup and vite.
MIT License
572 stars 20 forks source link

5 moderate severity vulnerabilities #3399

Open kamilluc opened 1 year ago

kamilluc commented 1 year ago

Hi, there are 5 security issues all of them related to "got" package.

npm audit report

got <11.8.5 Severity: moderate Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97 fix available via npm audit fix --force Will install bundle-stats@1.2.3, which is a breaking change node_modules/got package-json <=6.5.0 Depends on vulnerable versions of got node_modules/package-json latest-version 0.2.0 - 5.1.0 Depends on vulnerable versions of package-json node_modules/latest-version update-notifier 0.2.0 - 5.1.0 Depends on vulnerable versions of latest-version node_modules/update-notifier bundle-stats 0.12.0-beta.7 || >=1.3.0-alpha.0 Depends on vulnerable versions of update-notifier node_modules/bundle-stats

So it would be great if you could update update-notifier package. I saw PR from almost year ago but it is still not completed. #2462

vio commented 1 year ago

thanks for creating the issue @kamilluc!

Aware of some old dependencies that are flagged by dependabot/renovate as having security issues, though they should not be as problematic since bundle-stats is a dev dependency. In general, I try to keep the dependencies up to date, but since the current major (v4) is still supporting node v14, it was not easy to upgrade some dependencies that migrated to esm (min node v16).

I am currently working on a new major (v5) and the supported node version will be v16. Will keep this issue open for reference and to get notified when v5 is ready

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 30 days with no activity.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] commented 11 months ago

This issue was closed because it has been inactive for 30 days since being marked as stale.

github-actions[bot] commented 4 months ago

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] commented 1 month ago

This issue is stale because it has been open for 90 days with no activity.