scinos / yarn-deduplicate

Deduplication tool for yarn.lock files
Apache License 2.0

12 high, 3 critical vulnerabilities in latest version (6.0.2) #258

Open BradMcDev opened 2 months ago

BradMcDev commented 2 months ago
```text
# npm audit report

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install release-it@17.6.0, which is a breaking change
node_modules/ip
  pac-resolver  1.3.0 - 7.0.0
  Depends on vulnerable versions of degenerator
  Depends on vulnerable versions of ip
  node_modules/pac-resolver
    pac-proxy-agent  1.1.0 - 6.0.4
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  2.1.0 - 6.2.2
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        release-it  12.5.0-next.0 - 16.1.2
        Depends on vulnerable versions of proxy-agent
        Depends on vulnerable versions of semver
        node_modules/release-it
          @release-it/keep-a-changelog  <=3.1.0
          Depends on vulnerable versions of release-it
          node_modules/@release-it/keep-a-changelog

semver  7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install release-it@17.6.0, which is a breaking change
node_modules/release-it/node_modules/semver

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
No fix available
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    remark  5.0.0 - 12.0.1
    Depends on vulnerable versions of remark-parse
    node_modules/remark
      eslint-plugin-md  *
      Depends on vulnerable versions of remark
      node_modules/eslint-plugin-md
  unified-message-control  <=1.0.4
  Depends on vulnerable versions of trim
  node_modules/unified-message-control
    remark-message-control  4.1.0 - 4.2.0
    Depends on vulnerable versions of unified-message-control
    node_modules/remark-message-control

vm2  *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via `npm audit fix --force`
Will install release-it@17.6.0, which is a breaking change
node_modules/vm2
  degenerator  3.0.0 - 4.0.4
  Depends on vulnerable versions of vm2
  node_modules/degenerator

15 vulnerabilities (12 high, 3 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
```