stack-chan/firmware$ npm audit
# npm audit report
axios 0.8.1 - 0.27.2 || 1.0.0 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/apisauce/node_modules/axios
node_modules/axios
apisauce <=3.0.0
Depends on vulnerable versions of axios
node_modules/apisauce
gluegun >=0.3.0
Depends on vulnerable versions of apisauce
Depends on vulnerable versions of ejs
Depends on vulnerable versions of lodash.trim
Depends on vulnerable versions of lodash.trimend
Depends on vulnerable versions of semver
node_modules/gluegun
xs-dev *
Depends on vulnerable versions of gluegun
node_modules/xs-dev
ejs <=3.1.9
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
No fix available
node_modules/ejs
follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects
lodash.trim *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
No fix available
node_modules/lodash.trim
lodash.trimend *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash.trimend
protobufjs 7.0.0 - 7.2.4
Severity: critical
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix --force`
Will install @google-cloud/text-to-speech@5.2.0, which is a breaking change
node_modules/protobufjs
google-gax 2.2.1-pre - 2.2.1-pre.2 || 2.28.2-alpha.1 - 2.28.4-alpha.1 || 3.1.4 - 4.0.3
Depends on vulnerable versions of protobufjs
Depends on vulnerable versions of protobufjs-cli
node_modules/google-gax
@google-cloud/text-to-speech 4.0.3 - 4.2.3
Depends on vulnerable versions of google-gax
node_modules/@google-cloud/text-to-speech
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/gluegun/node_modules/semver
node_modules/semver
taffydb *
Severity: high
TaffyDB can allow access to any data items in the DB - https://github.com/advisories/GHSA-mxhp-79qh-mcx6
fix available via `npm audit fix --force`
Will install @google-cloud/text-to-speech@5.2.0, which is a breaking change
node_modules/taffydb
jsdoc 3.2.0-dev - 3.6.11
Depends on vulnerable versions of taffydb
node_modules/jsdoc
protobufjs-cli <=1.0.2
Depends on vulnerable versions of jsdoc
node_modules/protobufjs-cli
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
16 vulnerabilities (9 moderate, 3 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Bug summary
Security vulnerabilities are reported by npm audit.
Steps to reproduce
This can also be confirmed in the repository's Security tab on GitHub.
1. Change to the stack-chan/firmware directory
2. Run npm audit and check the warnings
Expected behavior
No security warnings are output.
Logs
Output of npm audit (shown at the top of this issue)
Environment (please fill in the following items):
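The human-readable report above interleaves root-cause advisories (ejs, protobufjs, follow-redirects, ...) with packages that are flagged only because they "depend on vulnerable versions" of something else, and it states fix availability per package. To decide what to do about each advisory you usually want to know which direct dependency pulls it in and whether npm can fix it without a breaking change. The script below is an added example, not code from stack-chan/firmware; it reads the machine-readable form of the same report (`npm audit --json`, npm v7+ format with `vulnerabilities`, `via`, `effects`, `isDirect` and `fixAvailable`) and prints one triage row per advisory. The embedded SAMPLE_REPORT is constructed from a subset of the packages in the output above, trimmed to the fields the script reads; it is not a captured report.

```javascript
// Added example (not part of stack-chan/firmware): triage an `npm audit --json`
// report. Usage: node triage.js audit.json   (no argument: uses SAMPLE_REPORT)
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Default shape of one `vulnerabilities[name]` record in the npm v7+ report;
// `fields` overrides the defaults.
function entry(name, fields) {
  return { name, severity: "moderate", isDirect: false, via: [], effects: [],
           range: "*", fixAvailable: false, ...fields };
}

// npm reports a semver-major fix as an object instead of `true`.
const BREAKING_TTS = { name: "@google-cloud/text-to-speech", version: "5.2.0", isSemVerMajor: true };

// Constructed sample mirroring part of the audit output in this issue.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "follow-redirects": entry("follow-redirects", {
      via: [{ name: "follow-redirects", severity: "moderate", range: "<=1.15.5",
              title: "follow-redirects' Proxy-Authorization header kept across hosts",
              url: "https://github.com/advisories/GHSA-cxjh-pqwp-8mfp" }],
      effects: ["axios"], range: "<=1.15.5", fixAvailable: true }),
    axios: entry("axios", {
      via: [{ name: "axios", severity: "moderate", range: "0.8.1 - 0.27.2 || 1.0.0 - 1.5.1",
              title: "Axios Cross-Site Request Forgery Vulnerability",
              url: "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx" }, "follow-redirects"],
      effects: ["apisauce"], range: "0.8.1 - 1.5.1" }),
    apisauce: entry("apisauce", { via: ["axios"], effects: ["gluegun"], range: "<=3.0.0" }),
    ejs: entry("ejs", {
      severity: "critical",
      via: [{ name: "ejs", severity: "critical", range: "<=3.1.9",
              title: "ejs template injection vulnerability",
              url: "https://github.com/advisories/GHSA-phwq-j96m-2c2q" }],
      effects: ["gluegun"], range: "<=3.1.9" }),
    gluegun: entry("gluegun", { severity: "critical", via: ["apisauce", "ejs"],
      effects: ["xs-dev"], range: ">=0.3.0" }),
    "xs-dev": entry("xs-dev", { severity: "critical", isDirect: true, via: ["gluegun"] }),
    protobufjs: entry("protobufjs", {
      severity: "critical",
      via: [{ name: "protobufjs", severity: "critical", range: "7.0.0 - 7.2.4",
              title: "protobufjs Prototype Pollution vulnerability",
              url: "https://github.com/advisories/GHSA-h755-8qp9-cq85" }],
      effects: ["google-gax"], range: "7.0.0 - 7.2.4", fixAvailable: BREAKING_TTS }),
    "google-gax": entry("google-gax", { severity: "critical", via: ["protobufjs"],
      effects: ["@google-cloud/text-to-speech"], fixAvailable: BREAKING_TTS }),
    "@google-cloud/text-to-speech": entry("@google-cloud/text-to-speech", {
      severity: "critical", isDirect: true, via: ["google-gax"], fixAvailable: BREAKING_TTS }),
  },
};

// Walk `effects` edges (who depends on this package) up to the direct
// dependencies in package.json; `seen` guards against dependency cycles.
function directDependents(report, pkg, seen = new Set()) {
  const v = report.vulnerabilities[pkg];
  if (!v || seen.has(pkg)) return [];
  seen.add(pkg);
  if (v.isDirect) return [pkg];
  const out = new Set();
  for (const dep of v.effects) for (const d of directDependents(report, dep, seen)) out.add(d);
  return [...out].sort();
}

// Translate npm's fixAvailable field into the command or decision it implies.
function fixAction(v) {
  if (v.fixAvailable === true) return "npm audit fix";
  if (v.fixAvailable && typeof v.fixAvailable === "object") {
    const f = v.fixAvailable;
    return `npm audit fix --force (installs ${f.name}@${f.version}${f.isSemVerMajor ? ", breaking" : ""})`;
  }
  return "no fix available: pin with package.json overrides or replace the dependent";
}

// One row per advisory. In `via`, objects are root-cause advisories; plain
// strings are packages that merely depend on a vulnerable version.
function triage(report) {
  const rows = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== "object") continue;
      rows.push({ package: v.name, severity: via.severity, title: via.title, url: via.url,
                  vulnerableRange: via.range, reaches: directDependents(report, v.name),
                  action: fixAction(v) });
    }
  }
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]
                          || a.package.localeCompare(b.package));
}

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const report = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_REPORT;
  for (const r of triage(report)) {
    console.log(`${r.severity.padEnd(8)} ${r.package.padEnd(18)} reaches ${r.reaches.join(",")}: ${r.action}`);
  }
}
```

Run it against a real report with `npm audit --json > audit.json && node triage.js audit.json`. The `reaches` column is what makes the decision tractable: in the sample, ejs and follow-redirects both trace back to the single direct dependency xs-dev, so the question is whether that one development tool needs to stay, while protobufjs traces back to @google-cloud/text-to-speech, where npm's only offer is the semver-major bump the report above also mentions.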