Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
debug <=2.6.8 || 3.0.0 - 3.0.1
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/534
Depends on vulnerable versions of ms
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install diff@5.0.0, which is a breaking change
node_modules/diff
node_modules/mocha/node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/minimatch
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/glob
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
ms <=0.7.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/46
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/ms
debug <=2.6.8 || 3.0.0 - 3.0.1
Depends on vulnerable versions of ms
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
To address all issues (including breaking changes), run:
npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
Do you have any additional comments? (If so, please write it down):
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Go to the root folder of the project where the package.json file located
Execute “npm audit”
Look at the list of vulnerabilities reported
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
debug <=2.6.8 || 3.0.0 - 3.0.1 Severity: moderate Regular Expression Denial of Service - https://npmjs.com/advisories/534 Depends on vulnerable versions of ms fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/debug mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochadiff <3.5.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1631 fix available via
npm audit fix --force
Will install diff@5.0.0, which is a breaking change node_modules/diff node_modules/mocha/node_modules/diff mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochagrowl <1.10.2 Severity: critical Command Injection - https://npmjs.com/advisories/146 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/growl mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochalodash <=4.17.20 Severity: high Prototype Pollution - https://npmjs.com/advisories/1065 Prototype Pollution - https://npmjs.com/advisories/1523 Command Injection - https://npmjs.com/advisories/1673 Prototype Pollution - https://npmjs.com/advisories/577 Prototype Pollution - https://npmjs.com/advisories/782 fix available via
npm audit fix --force
Will install inquirer@8.1.2, which is a breaking change node_modules/lodash inquirer <=0.11.4 Depends on vulnerable versions of lodash node_modules/inquirerminimatch <=3.0.1 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/118 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/minimatch glob 3.0.0 - 5.0.14 Depends on vulnerable versions of minimatch node_modules/glob mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochaminimist <0.2.1 || >=1.0.0 <1.2.3 Prototype Pollution - https://npmjs.com/advisories/1179 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/mkdirp/node_modules/minimist mkdirp 0.4.1 - 0.5.1 Depends on vulnerable versions of minimist node_modules/mkdirp mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochams <=0.7.0 Severity: moderate Regular Expression Denial of Service - https://npmjs.com/advisories/46 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/ms debug <=2.6.8 || 3.0.0 - 3.0.1 Depends on vulnerable versions of ms node_modules/debug mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of glob Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mocha11 vulnerabilities (2 low, 2 moderate, 5 high, 2 critical)
To address all issues (including breaking changes), run: npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References: