There are 58 vulnerabilities in this package's dependencies (8 low, 35 moderate, 14 high, 1 critical).
Tried to fix them, but most of them have breaking changes.
$ npm audit fix
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: react-side-effect@1.2.0
npm WARN Found: react@17.0.2
npm WARN node_modules/react
npm WARN react@"^17.0.1" from the root project
npm WARN 28 more (@web3-react/core, ...)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta
npm WARN
npm WARN Conflicting peer dependency: react@16.14.0
npm WARN node_modules/react
npm WARN peer react@"^0.13.0 || ^0.14.0 || ^15.0.0 || ^16.0.0" from react-side-effect@1.2.0
npm WARN node_modules/react-document-meta/node_modules/react-side-effect
npm WARN react-side-effect@"^1.1.0" from react-document-meta@3.0.0-beta.2
npm WARN node_modules/react-document-meta
up to date, audited 2787 packages in 1m
313 packages are looking for funding
run npm fund for details
npm audit report
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via npm audit fix --force
Will install axios@1.6.7, which is a breaking change
node_modules/@json-rpc-tools/provider/node_modules/axios
node_modules/axios
@json-rpc-tools/provider <=2.0.0-beta.1
Depends on vulnerable versions of axios
node_modules/@json-rpc-tools/provider
eip1193-provider >=1.0.0
Depends on vulnerable versions of @json-rpc-tools/provider
node_modules/eip1193-provider
@walletconnect/ethereum-provider <=2.4.3
Depends on vulnerable versions of eip1193-provider
node_modules/@walletconnect/ethereum-provider
@web3-react/walletconnect-connector >=6.2.6
Depends on vulnerable versions of @walletconnect/ethereum-provider
node_modules/@web3-react/walletconnect-connector
elliptic <=6.5.3
Severity: high
Elliptic Uses a Broken or Risky Cryptographic Algorithm - https://github.com/advisories/GHSA-r9p9-mrjm-926w
Signature Malleabillity in elliptic - https://github.com/advisories/GHSA-vh7m-p724-62c2
No fix available
node_modules/ghost-bitcore-lib/node_modules/elliptic
ghost-bitcore-lib
Depends on vulnerable versions of elliptic
Depends on vulnerable versions of lodash
node_modules/ghost-bitcore-lib
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install ava@6.1.1, which is a breaking change
node_modules/package-json/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava
jpeg-js <=0.4.3
Severity: high
Infinite loop in jpeg-js - https://github.com/advisories/GHSA-xvf7-4v9q-58w6
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/jimp/node_modules/jpeg-js
node_modules/resize-img/node_modules/jpeg-js
jimp <=0.3.5
Depends on vulnerable versions of jpeg-js
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of request
Depends on vulnerable versions of url-regex
node_modules/resize-img/node_modules/jimp
resize-img <=1.1.2
Depends on vulnerable versions of jimp
Depends on vulnerable versions of jpeg-js
node_modules/resize-img
to-ico >=1.1.0
Depends on vulnerable versions of resize-img
node_modules/to-ico
favicons 4.8.3 - 7.1.1
Depends on vulnerable versions of sharp
Depends on vulnerable versions of to-ico
Depends on vulnerable versions of xml2js
node_modules/favicons
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install babel-plugin-module-resolver@5.0.0, which is a breaking change
node_modules/find-babel-config/node_modules/json5
find-babel-config <=1.2.0
Depends on vulnerable versions of json5
node_modules/find-babel-config
babel-plugin-module-resolver 2.3.0 - 4.1.0
Depends on vulnerable versions of find-babel-config
node_modules/babel-plugin-module-resolver
libp2p <=0.38.0-fc2224a
Severity: high
libp2p DoS vulnerability from lack of resource management - https://github.com/advisories/GHSA-f44q-634c-jvwv
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of node-forge
Depends on vulnerable versions of peer-id
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/resize-img/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/resize-img/node_modules/mkdirp
node-fetch <2.6.7
Severity: high
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install puppeteer@22.3.0, which is a breaking change
node_modules/puppeteer/node_modules/node-fetch
puppeteer 10.0.0 - 13.1.1
Depends on vulnerable versions of node-fetch
node_modules/puppeteer
node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Prototype Pollution in node-forge util.setPath API - https://github.com/advisories/GHSA-wxgw-qj99-44c2
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge - https://github.com/advisories/GHSA-92xj-mqp7-vmcj
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via npm audit fix --force
Will install libp2p@1.2.3, which is a breaking change
node_modules/libp2p-secio/node_modules/node-forge
node_modules/libp2p-secio/node_modules/peer-id/node_modules/node-forge
node_modules/node-forge
libp2p-crypto <=0.6.1 || 0.12.0 - 0.21.1
Depends on vulnerable versions of node-forge
node_modules/libp2p-crypto
node_modules/libp2p-interfaces/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id/node_modules/libp2p-crypto
node_modules/peer-id/node_modules/libp2p-crypto
libp2p-interfaces <=1.3.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of peer-id
node_modules/libp2p-interfaces
node_modules/libp2p-secio/node_modules/libp2p-interfaces
libp2p-gossipsub <=0.11.5
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-gossipsub
libp2p-kad-dht 0.6.3 - 0.27.0
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-kad-dht
libp2p-secio <=0.5.0 || >=0.9.1
Depends on vulnerable versions of libp2p-crypto
Depends on vulnerable versions of libp2p-interfaces
Depends on vulnerable versions of peer-id
node_modules/libp2p-secio
peer-id 0.7.0 || 0.10.5 - 0.15.4
Depends on vulnerable versions of libp2p-crypto
node_modules/libp2p-secio/node_modules/peer-id
node_modules/peer-id
libp2p-bootstrap <=0.13.0
Depends on vulnerable versions of peer-id
node_modules/libp2p-bootstrap
libp2p-webrtc-star 0.2.0 - 0.4.5 || 0.13.4 - 0.24.1
Depends on vulnerable versions of peer-id
node_modules/libp2p-webrtc-star
request
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request
request-promise-cache
Depends on vulnerable versions of request
node_modules/request-promise-cache
request-promise-core
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
servify
Depends on vulnerable versions of request
node_modules/servify
eth-lib 0.1.24 - 0.1.29
Depends on vulnerable versions of servify
node_modules/eth-lib
swarm-js >=0.1.36
Depends on vulnerable versions of eth-lib
node_modules/swarm-js
web3-bzz
Depends on vulnerable versions of swarm-js
node_modules/web3-bzz
web3 1.0.0-beta.1 - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@1inch/limit-order-protocol >=1.4.0
Depends on vulnerable versions of web3
node_modules/@1inch/limit-order-protocol
web3-provider-engine
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of ethereumjs-vm
Depends on vulnerable versions of request
node_modules/web3-provider-engine
@walletconnect/web3-provider *
Depends on vulnerable versions of web3-provider-engine
node_modules/@walletconnect/web3-provider
semver >=7.0.0 <7.5.2 || <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/levelup/node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
levelup 0.9.0 - 1.3.9
Depends on vulnerable versions of semver
node_modules/levelup
merkle-patricia-tree 0.1.22 - 2.3.2
Depends on vulnerable versions of levelup
node_modules/merkle-patricia-tree
ethereumjs-block >=0.0.3
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-block
node_modules/ethereumjs-vm/node_modules/ethereumjs-block
ethereumjs-vm >=0.1.1
Depends on vulnerable versions of ethereumjs-block
Depends on vulnerable versions of merkle-patricia-tree
node_modules/ethereumjs-vm
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
nodemon 2.0.19 - 2.0.22
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix --force
Will install web3@4.5.0, which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via npm audit fix --force
Will install favicons@7.1.5, which is a breaking change
node_modules/xml2js
lodash <=4.17.20
Severity: high
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via npm audit fix
node_modules/ghost-bitcore-lib/node_modules/lodash
sharp <=0.32.5
Severity: high
sharp vulnerable to Command Injection in post-installation over build environment - https://github.com/advisories/GHSA-gp95-ppv5-3jc5
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via npm audit fix
node_modules/sharp
url-regex *
Severity: high
Regular expression denial of service in url-regex - https://github.com/advisories/GHSA-v4rh-8p82-6h5w
fix available via npm audit fix
node_modules/url-regex
58 vulnerabilities (8 low, 35 moderate, 14 high, 1 critical)
To address issues that do not require attention, run: npm audit fix
To address all issues possible (including breaking changes), run: npm audit fix --force
Some issues need review, and may require choosing a different dependency.
Steps to reproduce
nvm install 18
npm i
Environment
Your version
Does this affect atomic swap flow?
Are real funds at risk?