Critical vulnerabilities in pkgcloud and swagger-ui

giovanni-bertoncelli commented 3 years ago

I wanted to report some vulnerabilities that should be fixed before this package gets out of LTS. Here's the list:

Gravity: high, package: minimatch, path: loopback-component-storage > pkgcloud > liboneandone > mocha > glob > minimatch, patched in: 3.0.2
Gravity: CRITICAL, package: growl, path: loopback-component-storage > pkgcloud > liboneandone > mocha > growl, patched in: 1.10.2
Gravity: Low, package: debug, patched in 3.1.0
Gravity: Moderate, package: swagger-ui, fixed in 3.20
Gravity: Low, package: minimist, patched in: 1.2.3
Gravity: High, package: node-forge, patched in 0.10.0

How to reproduce

npm audit will show the vulnerabilities.

dhmlau commented 3 years ago

@giovanni-bertoncelli, thanks for reporting this. Would you like to submit a PR? thanks.

dhmlau commented 3 years ago

@giovanni-bertoncelli, we're also waiting for security fixes in liboneandone (see https://github.com/strongloop/loopback-component-storage/pull/285#issuecomment-574837835).

giovanni-bertoncelli commented 3 years ago

@dhmlau Sorry, I have not so much time to spend on this...

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

strongloop / loopback-component-storage

Critical vulnerabilities in pkgcloud and swagger-ui #293

How to reproduce