reveal / multiplex

The reveal.js Multiplex Plugin
MIT License

npm audit finds 10 vulnerabilities (2 moderate, 5 high, 3 critical) #36

Closed instantiator closed 1 year ago

instantiator commented 1 year ago

At the moment, there are a number of vulnerabilities in the various npm package dependencies.

Running npm audit gives:

```
# npm audit report

engine.io  <=3.6.0
Severity: high
Resource exhaustion in engine.io - https://github.com/advisories/GHSA-j4f2-536g-r55m
Uncaught exception in engine.io - https://github.com/advisories/GHSA-r7qp-cfhv-p84w
fix available via `npm audit fix --force`
Will install socket.io@2.5.0, which is outside the stated dependency range
node_modules/engine.io
  socket.io  <=2.4.1
  Depends on vulnerable versions of engine.io
  Depends on vulnerable versions of socket.io-client
  node_modules/socket.io

qs  6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs
  body-parser  1.19.0
  Depends on vulnerable versions of qs
  node_modules/body-parser
  express  4.17.0 - 4.17.1 || 5.0.0-alpha.1 - 5.0.0-alpha.8
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of qs
  node_modules/express

socket.io-parser  <=3.3.2 || 3.4.0 - 3.4.2
Severity: critical
Resource exhaustion in socket.io-parser - https://github.com/advisories/GHSA-xfhh-g9f5-x4m4
Resource exhaustion in socket.io-parser - https://github.com/advisories/GHSA-xfhh-g9f5-x4m4
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix`
node_modules/socket.io-client/node_modules/socket.io-parser
node_modules/socket.io-parser

ws  6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix --force`
Will install socket.io@2.5.0, which is outside the stated dependency range
node_modules/engine.io-client/node_modules/ws
node_modules/ws
  engine.io-client  0.7.0 || 0.7.8 - 0.7.9 || 1.6.0 - 1.8.5 || 2.0.0 - 3.5.1 || 4.0.0-alpha.0 - 4.1.3
  Depends on vulnerable versions of ws
  Depends on vulnerable versions of xmlhttprequest-ssl
  node_modules/engine.io-client
    socket.io-client  2.2.0 - 2.3.1
    Depends on vulnerable versions of engine.io-client
    node_modules/socket.io-client

xmlhttprequest-ssl  <=1.6.1
Severity: critical
Improper Certificate Validation in xmlhttprequest-ssl - https://github.com/advisories/GHSA-72mh-269x-7mh5
xmlhttprequest and xmlhttprequest-ssl vulnerable to Arbitrary Code Injection - https://github.com/advisories/GHSA-h4j5-c7cj-74xg
fix available via `npm audit fix --force`
Will install socket.io@2.5.0, which is outside the stated dependency range
node_modules/xmlhttprequest-ssl

10 vulnerabilities (2 moderate, 5 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force
```

Running npm audit fix --force gives:

```
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating socket.io to 2.5.0, which is outside your stated dependency range.

added 2 packages, removed 10 packages, changed 49 packages, and audited 89 packages in 1s

2 packages are looking for funding
  run `npm fund` for details

# npm audit report

socket.io-parser  3.4.0 - 3.4.2
Severity: critical
Resource exhaustion in socket.io-parser - https://github.com/advisories/GHSA-xfhh-g9f5-x4m4
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-qm95-pgcg-qqfq
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix`
node_modules/socket.io-parser

1 critical severity vulnerability

To address all issues, run:
  npm audit fix
```
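The report above mixes three kinds of finding: advisories that plain `npm audit fix` resolves inside the declared semver range, advisories whose only fix (socket.io@2.5.0) lies outside the stated range and therefore needs `--force`, and, after the forced upgrade, one critical advisory that is still open. The script below is an added example, not code from the multiplex project or from the issue author: it reads the JSON form of such a report (`npm audit --json`, the `auditReportVersion: 2` shape with `via`, `fixAvailable` and `isSemVerMajor` that npm 7 and later produce, which is an assumption about the format) and separates the findings into those groups so a CI job can gate on severity and tell a maintainer which fixes are routine and which mean a manual dependency bump. The `SAMPLE_REPORT` object is constructed here from a subset of the entries in the issue; only the advisory URLs and version ranges are taken from the page.

```javascript
// Added example (not the multiplex project's code): triage an `npm audit --json`
// report. Assumes the auditReportVersion 2 shape (npm 7+): one entry per package
// under `vulnerabilities`, each with `severity`, `via` (advisory objects, or bare
// package names for purely transitive exposure) and `fixAvailable`, which is
// `true` (fix inside the stated range), `false` (no fix) or an object with
// `isSemVerMajor: true` when the fix crosses the range and needs `--force`.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring a subset of the report in the issue above.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "engine.io": {
      name: "engine.io", severity: "high", isDirect: false, range: "<=3.6.0",
      via: [
        { title: "Resource exhaustion in engine.io", severity: "high",
          url: "https://github.com/advisories/GHSA-j4f2-536g-r55m" },
        { title: "Uncaught exception in engine.io", severity: "high",
          url: "https://github.com/advisories/GHSA-r7qp-cfhv-p84w" },
      ],
      effects: ["socket.io"], nodes: ["node_modules/engine.io"],
      // Fix crosses the stated dependency range: needs `npm audit fix --force`.
      fixAvailable: { name: "socket.io", version: "2.5.0", isSemVerMajor: true },
    },
    "socket.io": {
      name: "socket.io", severity: "high", isDirect: true, range: "<=2.4.1",
      via: ["engine.io", "socket.io-client"], // transitive only: no advisory objects
      effects: [], nodes: ["node_modules/socket.io"],
      fixAvailable: { name: "socket.io", version: "2.5.0", isSemVerMajor: true },
    },
    qs: {
      name: "qs", severity: "high", isDirect: false, range: "6.7.0 - 6.7.2",
      via: [{ title: "qs vulnerable to Prototype Pollution", severity: "high",
              url: "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }],
      effects: ["body-parser", "express"], nodes: ["node_modules/qs"],
      fixAvailable: true, // plain `npm audit fix` suffices
    },
    "socket.io-parser": {
      name: "socket.io-parser", severity: "critical", isDirect: false,
      range: "<=3.3.2 || 3.4.0 - 3.4.2",
      via: [{ title: "Insufficient validation when decoding a Socket.IO packet",
              severity: "critical",
              url: "https://github.com/advisories/GHSA-qm95-pgcg-qqfq" }],
      effects: [], nodes: ["node_modules/socket.io-parser"],
      fixAvailable: true,
    },
    ws: {
      name: "ws", severity: "moderate", isDirect: false,
      range: "6.0.0 - 6.2.1 || 7.0.0 - 7.4.5",
      via: [{ title: "ReDoS in Sec-Websocket-Protocol header", severity: "moderate",
              url: "https://github.com/advisories/GHSA-6fc8-4gx4-v693" }],
      effects: ["engine.io-client"], nodes: ["node_modules/ws"],
      fixAvailable: { name: "socket.io", version: "2.5.0", isSemVerMajor: true },
    },
  },
};

// Count vulnerable packages per severity, recomputed from the entries rather
// than trusted from report.metadata.
function countBySeverity(report) {
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] += 1;
  return counts;
}

// Split packages by how their fix can be applied: inside the stated range,
// only by a semver-major (--force) upgrade, or not at all.
function classifyFixes(report) {
  const result = { inRange: [], needsForce: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    const fix = v.fixAvailable;
    if (fix === true) result.inRange.push(v.name);
    else if (fix && fix.isSemVerMajor) result.needsForce.push(`${v.name} -> ${fix.name}@${fix.version}`);
    else result.noFix.push(v.name);
  }
  return result;
}

// Advisory URLs for findings at or above a severity threshold, skipping the
// string entries in `via` that merely name another vulnerable package.
function advisoriesAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  const urls = new Set();
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via === "object" && SEVERITY_RANK[via.severity] >= min) urls.add(via.url);
    }
  }
  return [...urls].sort();
}

// CI gate: true when any package reaches the threshold severity.
function shouldFail(report, threshold = "high") {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities).some((v) => SEVERITY_RANK[v.severity] >= min);
}

console.log(countBySeverity(SAMPLE_REPORT));
console.log(classifyFixes(SAMPLE_REPORT));
console.log(advisoriesAtOrAbove(SAMPLE_REPORT, "high"));
console.log("fail build:", shouldFail(SAMPLE_REPORT, "high"));
```

To run it against a real project, generate the report with `npm audit --json > audit.json`, parse the file and pass the object to the same functions; a CI wrapper would exit non-zero when `shouldFail` returns true. Recomputing the counts from the entries rather than reading `metadata.vulnerabilities` keeps the gate honest if the report was filtered or trimmed before it reached the job, and the `needsForce` list is the set of packages for which, as in this issue, `--force` would silently move a dependency outside the range declared in package.json, so those are the ones to bump and review by hand.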

instantiator commented 1 year ago

Closed, with thanks for merging the PR