Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
debug <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
dot-prop <4.2.1 || >=5.0.0 <5.1.1
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1213
fix available via npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change
node_modules/dot-prop
compare-func <=1.3.4
Depends on vulnerable versions of dot-prop
node_modules/compare-func
conventional-changelog-angular 0.0.1 - 5.0.10
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-angular
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
Depends on vulnerable versions of conventional-changelog-core
Depends on vulnerable versions of conventional-changelog-jshint
node_modules/conventional-changelog
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
conventional-changelog-jshint <=2.0.7
Depends on vulnerable versions of compare-func
node_modules/conventional-changelog-jshint
conventional-changelog-writer <=4.0.16
Depends on vulnerable versions of compare-func
Depends on vulnerable versions of meow
node_modules/conventional-changelog-writer
conventional-changelog-core <=4.2.1
Depends on vulnerable versions of conventional-changelog-writer
Depends on vulnerable versions of conventional-commits-parser
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core
growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change
node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/yargs
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install mocha@9.0.3, which is a breaking change
node_modules/mkdirp/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
trim-newlines <3.0.1 || =4.0.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1753
fix available via npm audit fix --force
Will install xo@0.43.0, which is a breaking change
node_modules/conventional-recommended-bump/node_modules/trim-newlines
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/trim-newlines
node_modules/xo/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/conventional-recommended-bump/node_modules/meow
node_modules/get-pkg-repo/node_modules/meow
node_modules/meow
node_modules/xo/node_modules/meow
conventional-changelog-writer <=4.0.16
Depends on vulnerable versions of compare-func
Depends on vulnerable versions of meow
node_modules/conventional-changelog-writer
conventional-changelog-core <=4.2.1
Depends on vulnerable versions of conventional-changelog-writer
Depends on vulnerable versions of conventional-commits-parser
Depends on vulnerable versions of git-raw-commits
Depends on vulnerable versions of git-semver-tags
node_modules/conventional-changelog-core
conventional-changelog 1.0.0 - 2.0.3
Depends on vulnerable versions of conventional-changelog-angular
Depends on vulnerable versions of conventional-changelog-core
Depends on vulnerable versions of conventional-changelog-jshint
node_modules/conventional-changelog
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
conventional-commits-parser 2.1.5 - 3.0.8
Depends on vulnerable versions of meow
node_modules/conventional-commits-parser
git-raw-commits 1.3.4 - 2.0.3
Depends on vulnerable versions of meow
node_modules/git-raw-commits
git-semver-tags 1.3.4 - 3.0.1
Depends on vulnerable versions of meow
node_modules/git-semver-tags
xo 0.10.0 - 0.32.0
Depends on vulnerable versions of meow
node_modules/xo
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change
node_modules/yargs-parser
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/yargs
standard-version <=5.0.2 || 7.1.0
Depends on vulnerable versions of conventional-changelog
Depends on vulnerable versions of yargs
node_modules/standard-version
24 vulnerabilities (7 low, 15 high, 2 critical)
To address all issues (including breaking changes), run:
npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
Do you have any additional comments? (If so, please write it down):
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Go to the root folder of the project where the package.json file located
Execute “npm audit”
Look at the list of vulnerabilities reported
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
debug <=2.6.8 || 3.0.0 - 3.0.1 Regular Expression Denial of Service - https://npmjs.com/advisories/534 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/debug mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochadiff <3.5.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1631 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/diff mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochadot-prop <4.2.1 || >=5.0.0 <5.1.1 Severity: high Prototype Pollution - https://npmjs.com/advisories/1213 fix available via
npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change node_modules/dot-prop compare-func <=1.3.4 Depends on vulnerable versions of dot-prop node_modules/compare-func conventional-changelog-angular 0.0.1 - 5.0.10 Depends on vulnerable versions of compare-func node_modules/conventional-changelog-angular conventional-changelog 1.0.0 - 2.0.3 Depends on vulnerable versions of conventional-changelog-angular Depends on vulnerable versions of conventional-changelog-core Depends on vulnerable versions of conventional-changelog-jshint node_modules/conventional-changelog standard-version <=5.0.2 || 7.1.0 Depends on vulnerable versions of conventional-changelog Depends on vulnerable versions of yargs node_modules/standard-version conventional-changelog-jshint <=2.0.7 Depends on vulnerable versions of compare-func node_modules/conventional-changelog-jshint conventional-changelog-writer <=4.0.16 Depends on vulnerable versions of compare-func Depends on vulnerable versions of meow node_modules/conventional-changelog-writer conventional-changelog-core <=4.2.1 Depends on vulnerable versions of conventional-changelog-writer Depends on vulnerable versions of conventional-commits-parser Depends on vulnerable versions of git-raw-commits Depends on vulnerable versions of git-semver-tags node_modules/conventional-changelog-coregrowl <1.10.2 Severity: critical Command Injection - https://npmjs.com/advisories/146 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/growl mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochamem <4.0.0 Denial of Service - https://npmjs.com/advisories/1084 fix available via
npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change node_modules/mem os-locale 2.0.0 - 3.0.0 Depends on vulnerable versions of mem node_modules/os-locale yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0 Depends on vulnerable versions of os-locale Depends on vulnerable versions of yargs-parser node_modules/yargs standard-version <=5.0.2 || 7.1.0 Depends on vulnerable versions of conventional-changelog Depends on vulnerable versions of yargs node_modules/standard-versionminimist <0.2.1 || >=1.0.0 <1.2.3 Prototype Pollution - https://npmjs.com/advisories/1179 fix available via
npm audit fix --force
Will install mocha@9.0.3, which is a breaking change node_modules/mkdirp/node_modules/minimist mkdirp 0.4.1 - 0.5.1 Depends on vulnerable versions of minimist node_modules/mkdirp mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0 Depends on vulnerable versions of debug Depends on vulnerable versions of diff Depends on vulnerable versions of growl Depends on vulnerable versions of mkdirp node_modules/mochatrim-newlines <3.0.1 || =4.0.0 Severity: high Regular Expression Denial of Service - https://npmjs.com/advisories/1753 fix available via
npm audit fix --force
Will install xo@0.43.0, which is a breaking change node_modules/conventional-recommended-bump/node_modules/trim-newlines node_modules/get-pkg-repo/node_modules/trim-newlines node_modules/trim-newlines node_modules/xo/node_modules/trim-newlines meow 3.4.0 - 5.0.0 Depends on vulnerable versions of trim-newlines node_modules/conventional-recommended-bump/node_modules/meow node_modules/get-pkg-repo/node_modules/meow node_modules/meow node_modules/xo/node_modules/meow conventional-changelog-writer <=4.0.16 Depends on vulnerable versions of compare-func Depends on vulnerable versions of meow node_modules/conventional-changelog-writer conventional-changelog-core <=4.2.1 Depends on vulnerable versions of conventional-changelog-writer Depends on vulnerable versions of conventional-commits-parser Depends on vulnerable versions of git-raw-commits Depends on vulnerable versions of git-semver-tags node_modules/conventional-changelog-core conventional-changelog 1.0.0 - 2.0.3 Depends on vulnerable versions of conventional-changelog-angular Depends on vulnerable versions of conventional-changelog-core Depends on vulnerable versions of conventional-changelog-jshint node_modules/conventional-changelog standard-version <=5.0.2 || 7.1.0 Depends on vulnerable versions of conventional-changelog Depends on vulnerable versions of yargs node_modules/standard-version conventional-commits-parser 2.1.5 - 3.0.8 Depends on vulnerable versions of meow node_modules/conventional-commits-parser git-raw-commits 1.3.4 - 2.0.3 Depends on vulnerable versions of meow node_modules/git-raw-commits git-semver-tags 1.3.4 - 3.0.1 Depends on vulnerable versions of meow node_modules/git-semver-tags xo 0.10.0 - 0.32.0 Depends on vulnerable versions of meow node_modules/xoyargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1 Prototype Pollution - https://npmjs.com/advisories/1500 fix available via
npm audit fix --force
Will install standard-version@9.3.1, which is a breaking change node_modules/yargs-parser yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0 Depends on vulnerable versions of os-locale Depends on vulnerable versions of yargs-parser node_modules/yargs standard-version <=5.0.2 || 7.1.0 Depends on vulnerable versions of conventional-changelog Depends on vulnerable versions of yargs node_modules/standard-version24 vulnerabilities (7 low, 15 high, 2 critical)
To address all issues (including breaking changes), run: npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References: