scottdurow / dataverse-ify

Easily call the Dataverse WebApi from TypeScript using SDK style types, with a NodeJS implementation for integration testing.
MIT License

High Severity Vulnerability in 'moment' #31

Open tylersand opened 2 years ago

tylersand commented 2 years ago

# npm audit report

moment  2.18.0 - 2.29.3
Severity: high
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix`
node_modules/moment

1 high severity vulnerability

Avishekpathania commented 2 years ago

Any updates on this issue? How to resolve it?

PlanBernhard commented 2 years ago

After a new installation of NodeJS and doing the steps of the quick-start, I have 4 vulnerabilities (1 low, 2 moderate, 1 high) on my side.

# npm audit report

electron  *
Severity: high
Depends on vulnerable versions of @electron/get
Renderers can obtain access to random bluetooth device without permission in Electron - https://github.com/advisories/GHSA-3p22-ghq8-v749
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled - https://github.com/advisories/GHSA-mq8j-3h7h-p8g7
AutoUpdater module fails to validate certain nested components of the bundle - https://github.com/advisories/GHSA-77xc-hjv8-ww97
Electron's sandboxed renderers can obtain thumbnails of arbitrary files through the nativeImage API - https://github.com/advisories/GHSA-mpjm-v997-c4h4
IPC messages delivered to the wrong frame in Electron - https://github.com/advisories/GHSA-hvf8-h2qh-37m9
Google Chrome base/memory/weak_ptr.h WeakPtr Class Template Use-after-free DoS Weakness - https://github.com/chromium/chromium/commit/0b308a0e37b9d14a335c3b487511b7117c98d74b,https://bugs.chromium.org/p/chromium/issues/detail?id=817982,https://github.com/electron/electron/commit/3ad830c8044d3b194bfffcbf9d58c79d5b2b7e2a,https://github.com/electron/electron/pull/26438,https://github.com/electron/electron/releases/tag/v10.1.6
Google Chrome ANGLE Unspecified Out-of-bounds Read Memory Disclosure - https://github.com/electron/electron/releases/tag/v16.1.1,https://github.com/electron/electron/releases/tag/v15.4.2,https://github.com/electron/electron/releases/tag/v14.2.8,https://security-tracker.debian.org/tracker/CVE-2022-0792,https://www.debian.org/security/2022/dsa-5089,https://forums.opensuse.org/showthread.php/567514-openSUSE-SU-2022-0075-1-important-Security-update-for-chromium,https://www.forbes.com/sites/gordonkelly/2022/03/02/google-chrome-warning-upgrade-hack-security-new-chrome-update/,https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#march-3-2022,https://bugs.chromium.org/p/chromium/issues/detail?id=1285885,http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0792,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html
Google Chrome MediaStream Unspecified Use-after-free Issue - https://github.com/electron/electron/releases/tag/v16.1.1,https://github.com/electron/electron/releases/tag/v15.4.2,https://github.com/electron/electron/releases/tag/v14.2.8,https://security-tracker.debian.org/tracker/CVE-2022-0798,https://www.debian.org/security/2022/dsa-5089,https://forums.opensuse.org/showthread.php/567514-openSUSE-SU-2022-0075-1-important-Security-update-for-chromium,https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#march-3-2022,https://bugs.chromium.org/p/chromium/issues/detail?id=1283402,http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0798,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop.html
Google Chrome Unspecified High Severity Issue (1305655) - https://github.com/electron/electron/releases/tag/v14.2.9,https://github.com/electron/electron/releases/tag/v16.2.0,https://github.com/electron/electron/releases/tag/v15.5.0,https://bugs.chromium.org/p/chromium/issues/detail?id=1296876,https://bugs.chromium.org/p/chromium/issues/detail?id=1305655,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html
Google Chrome ANGLE Unspecified Use-after-free Arbitrary Code Execution (2022-0978) - https://github.com/electron/electron/releases/tag/v16.2.0,https://kb.igel.com/securitysafety/en/isn-2022-07-chromium-browser-vulnerabilities-57327412.html,https://www.debian.org/security/2022/dsa-5104,https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#march-17-2022,https://www.forbes.com/sites/gordonkelly/2022/03/16/google-issues-warning-for-millions-of-chrome-users/,https://bugs.chromium.org/p/chromium/issues/detail?id=1299264,http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0978,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html
Google Chrome GPU Unspecified Heap Buffer Overflow - https://github.com/electron/electron/releases/tag/v14.2.9,https://github.com/electron/electron/releases/tag/v16.2.0,https://github.com/electron/electron/releases/tag/v16.1.1,https://github.com/electron/electron/releases/tag/v15.4.2,https://kb.igel.com/securitysafety/en/isn-2022-07-chromium-browser-vulnerabilities-57327412.html,https://bugzilla.suse.com/show_bug.cgi?id=1197163,https://forums.opensuse.org/showthread.php/567998-openSUSE-SU-2022-0085-1-important-Security-update-for-chromium,https://www.debian.org/security/2022/dsa-5104,https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#march-17-2022,https://www.forbes.com/sites/gordonkelly/2022/03/16/google-issues-warning-for-millions-of-chrome-users/,https://bugs.chromium.org/p/chromium/issues/detail?id=1296866,http://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-0976,https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html
Side-channel information leakage in autofill in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. - https://crbug.com/1182767,https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop.html
fix available via `npm audit fix --force`
Will install dataverse-auth@2.0.2, which is a breaking change
node_modules/electron
  dataverse-auth  <=1.0.9
  Depends on vulnerable versions of electron
  node_modules/dataverse-auth

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install dataverse-auth@2.0.2, which is a breaking change
node_modules/got
  @electron/get  <=1.14.1
  Depends on vulnerable versions of got
  node_modules/@electron/get

4 vulnerabilities (1 low, 2 moderate, 1 high)

To address all issues (including breaking changes), run:
  npm audit fix --force
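The two audit reports in this thread (tylersand's for moment, PlanBernhard's for electron, got, @electron/get and dataverse-auth) each print an affected version range next to the package name. The script below is an added example, not code from the dataverse-ify project or from anyone in this thread: it parses exactly the range syntax those reports use (`2.18.0 - 2.29.3`, `<11.8.5`, `<=1.14.1`, `*`) and walks the `packages` map of a lockfileVersion 2 `package-lock.json`, so you can confirm whether a tree is still inside any of the reported ranges after `npm audit fix`, `npm audit fix --force`, or a manual bump. The advisory IDs, ranges and severities are copied from the reports above; the two lock-file objects are constructed sample input, and the names `ADVISORIES`, `auditLock`, `satisfies` and `SAMPLE_LOCK` are this example's own.

```javascript
// Added example, not code from dataverse-ify or from this thread: check a
// package-lock.json "packages" map against the advisory ranges printed in the
// two `npm audit` reports above. Ranges, advisory IDs and severities are copied
// from those reports; the lock-file objects below are constructed sample input.

const ADVISORIES = [
  { name: "moment", range: "2.18.0 - 2.29.3", severity: "high", id: "GHSA-wc69-rhjr-hc9g" },
  { name: "got", range: "<11.8.5", severity: "moderate", id: "GHSA-pfrx-2q88-qq97" },
  // electron's own advisories were printed under "electron  *" with severity high
  { name: "electron", range: "*", severity: "high", id: "electron advisories (see report)" },
  // these two were reported only as "Depends on vulnerable versions of ...",
  // so they inherit the severity of the block they were nested under
  { name: "@electron/get", range: "<=1.14.1", severity: "moderate", id: "depends on vulnerable got" },
  { name: "dataverse-auth", range: "<=1.0.9", severity: "high", id: "depends on vulnerable electron" },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; anything else fails loudly
// rather than silently passing as "not affected".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Numeric compare of the three components; a prerelease sorts below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Supports the forms npm audit printed here: "*", "a - b" (inclusive hyphen
// range), and one or more space-separated comparators such as ">=1.0.0 <2.0.0".
function satisfies(version, range) {
  const r = range.trim();
  if (r === "*" || r === "") return true;
  const hyphen = r.split(/\s+-\s+/);
  if (hyphen.length === 2) {
    return compareVersions(version, hyphen[0]) >= 0 && compareVersions(version, hyphen[1]) <= 0;
  }
  return r.split(/\s+/).every((c) => {
    const m = /^(<=|>=|<|>|=)?(.+)$/.exec(c);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<": return cmp < 0;
      case "<=": return cmp <= 0;
      case ">": return cmp > 0;
      case ">=": return cmp >= 0;
      default: return cmp === 0;
    }
  });
}

// Walk every installed path. Matching by path rather than by name catches
// nested duplicates such as node_modules/a/node_modules/got that a flat
// "which version of got do I have" check would miss.
function auditLock(lock, advisories = ADVISORIES) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // root project entry or a link
    const name = path.slice(idx + "node_modules/".length);
    for (const adv of advisories) {
      if (adv.name === name && satisfies(entry.version, adv.range)) {
        findings.push({ path, name, version: entry.version, severity: adv.severity, id: adv.id });
      }
    }
  }
  return findings;
}

function countBySeverity(findings) {
  return findings.reduce((acc, f) => ({ ...acc, [f.severity]: (acc[f.severity] || 0) + 1 }), {});
}

// Constructed lock-file excerpt shaped like the tree PlanBernhard reported.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "dataverse-quickstart-sample", version: "0.0.1" },
    "node_modules/moment": { version: "2.29.3" },
    "node_modules/dataverse-auth": { version: "1.0.9" },
    "node_modules/electron": { version: "11.5.0" },
    "node_modules/@electron/get": { version: "1.14.1" },
    "node_modules/dataverse-auth/node_modules/got": { version: "9.6.0" },
    "node_modules/typescript": { version: "4.7.4" },
  },
};

// Constructed tree after the fix the report proposes (dataverse-auth@2.0.2),
// with moment and got moved outside their advisory ranges.
const UPGRADED_LOCK = {
  lockfileVersion: 2,
  packages: {
    "": { name: "dataverse-quickstart-sample", version: "0.0.1" },
    "node_modules/moment": { version: "2.29.4" },
    "node_modules/dataverse-auth": { version: "2.0.2" },
    "node_modules/got": { version: "11.8.5" },
    "node_modules/typescript": { version: "4.7.4" },
  },
};

const findings = auditLock(SAMPLE_LOCK);
console.log(`${findings.length} affected paths`, countBySeverity(findings));
for (const f of findings) console.log(`  ${f.severity.padEnd(8)} ${f.path}@${f.version} (${f.id})`);
console.log(`after upgrade: ${auditLock(UPGRADED_LOCK).length} affected paths`);
```

To run it against a real tree, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The count is per installed path, so it can exceed npm's own "N vulnerabilities" figure when the same package is nested several times; that is deliberate, since each nested copy has to be upgraded or deduplicated separately.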