rt-net / stack-chan

This is the repository for Stack-chan RT ver.
Apache License 2.0

Warnings about security vulnerabilities are reported #5

Open KuraZuzu opened 1 month ago

KuraZuzu commented 1 month ago

Summary of the problem

Warnings about security vulnerabilities are reported.

Steps to reproduce

They can also be seen on the GitHub Security tab.

  1. Move to the stack-chan/firmware directory
  2. Check the warnings with npm audit

Expected behavior

No security warnings are output.

Logs

Output of npm audit

stack-chan/firmware$ npm audit
# npm audit report

axios  0.8.1 - 0.27.2 || 1.0.0 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/apisauce/node_modules/axios
node_modules/axios
  apisauce  <=3.0.0
  Depends on vulnerable versions of axios
  node_modules/apisauce
    gluegun  >=0.3.0
    Depends on vulnerable versions of apisauce
    Depends on vulnerable versions of ejs
    Depends on vulnerable versions of lodash.trim
    Depends on vulnerable versions of lodash.trimend
    Depends on vulnerable versions of semver
    node_modules/gluegun
      xs-dev  *
      Depends on vulnerable versions of gluegun
      node_modules/xs-dev

ejs  <=3.1.9
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
No fix available
node_modules/ejs

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

lodash.trim  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
No fix available
node_modules/lodash.trim

lodash.trimend  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash.trimend

protobufjs  7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install @google-cloud/text-to-speech@5.2.0, which is a breaking change
node_modules/protobufjs
  google-gax  2.2.1-pre - 2.2.1-pre.2 || 2.28.2-alpha.1 - 2.28.4-alpha.1 || 3.1.4 - 4.0.3
  Depends on vulnerable versions of protobufjs
  Depends on vulnerable versions of protobufjs-cli
  node_modules/google-gax
    @google-cloud/text-to-speech  4.0.3 - 4.2.3
    Depends on vulnerable versions of google-gax
    node_modules/@google-cloud/text-to-speech

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/gluegun/node_modules/semver
node_modules/semver

taffydb  *
Severity: high
TaffyDB can allow access to any data items in the DB - https://github.com/advisories/GHSA-mxhp-79qh-mcx6
fix available via `npm audit fix --force`
Will install @google-cloud/text-to-speech@5.2.0, which is a breaking change
node_modules/taffydb
  jsdoc  3.2.0-dev - 3.6.11
  Depends on vulnerable versions of taffydb
  node_modules/jsdoc
    protobufjs-cli  <=1.0.2
    Depends on vulnerable versions of jsdoc
    node_modules/protobufjs-cli

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

16 vulnerabilities (9 moderate, 3 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Environment (please fill in the following items):

KuraZuzu commented 1 month ago

I opened a PR, https://github.com/rt-net/stack-chan/pull/6, that upgrades the packages by running the npm audit fix --force command. All critical warnings can be addressed.
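The report above ends by noting that some issues need review and may require choosing a different dependency. As an added example (not code from this issue or the stack-chan project), the Python below reads the JSON form of the same report (`npm audit --json`) and sorts each package by whether plain `npm audit fix`, `npm audit fix --force`, or a dependency change is needed; the sample report is constructed from the advisories listed above, and the bucket names and `blocking_packages` gate are this example's own.

```python
import json

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
# built from the advisories in the issue's text report; not real npm output.
SAMPLE_AUDIT_JSON = """{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "ejs": {"severity": "critical", "range": "<=3.1.9", "fixAvailable": false},
    "protobufjs": {"severity": "critical", "range": "7.0.0 - 7.2.4",
      "fixAvailable": {"name": "@google-cloud/text-to-speech",
                       "version": "5.2.0", "isSemVerMajor": true}},
    "follow-redirects": {"severity": "moderate", "range": "<=1.15.5",
      "fixAvailable": true},
    "semver": {"severity": "moderate", "range": "7.0.0 - 7.5.1",
      "fixAvailable": false}
  }
}"""

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}


def load_report(text: str = SAMPLE_AUDIT_JSON) -> dict:
    return json.loads(text)


def triage(report: dict) -> dict:
    """Bucket each package by what `npm audit fix` can do: fixAvailable is true
    (plain fix), false (no fix: review or swap the dependency), or an object
    naming the package to install; isSemVerMajor there means only `--force`."""
    buckets = {"auto_fix": [], "breaking_fix": [], "needs_review": []}
    for name, vuln in sorted(report["vulnerabilities"].items()):
        fix = vuln.get("fixAvailable", False)
        if fix is True or (isinstance(fix, dict) and not fix.get("isSemVerMajor")):
            buckets["auto_fix"].append(name)
        elif isinstance(fix, dict):
            buckets["breaking_fix"].append(name)
        else:
            buckets["needs_review"].append(name)
    return buckets


def blocking_packages(report: dict, min_severity: str = "high") -> list:
    """Packages at or above min_severity that `npm audit fix` alone cannot
    clear; a CI gate would fail the build while this list is non-empty."""
    buckets = triage(report)
    unresolved = set(buckets["breaking_fix"]) | set(buckets["needs_review"])
    return sorted(n for n, v in report["vulnerabilities"].items()
                  if n in unresolved
                  and SEVERITY_RANK[v["severity"]] >= SEVERITY_RANK[min_severity])
```

On the sample, `ejs` lands in needs_review and `protobufjs` in breaking_fix, so both block at the default threshold even though `--force` would clear the latter.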