search

techninja / cncserver

A RESTful API server for driving serial based CNC devices
133 stars 39 forks source link

update deps with npm audit fix #141

Open alexrudd2 opened 7 months ago

alexrudd2 commented 7 months ago

Before:

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

engine.io  5.1.0 - 6.4.1
Severity: moderate
engine.io Uncaught Exception vulnerability - https://github.com/advisories/GHSA-q9mw-68c2-j6m5
fix available via `npm audit fix`
node_modules/engine.io

follow-redirects  <1.15.4
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

get-func-name  <2.0.1
Severity: high
Chaijs/get-func-name vulnerable to ReDoS - https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
fix available via `npm audit fix`
node_modules/get-func-name

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

socket.io-parser  4.0.4 - 4.2.2
Severity: high
Insufficient validation when decoding a Socket.IO packet - https://github.com/advisories/GHSA-cqmj-92xf-r6r9
fix available via `npm audit fix`
node_modules/socket.io-parser

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

7 vulnerabilities (5 moderate, 2 high)

after:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

2 moderate severity vulnerabilities
alexrudd2 commented 7 months ago

The tests pass on my local Linux machine (node 20.11.0), but I haven't tested on real hardware yet.

The remaining security vulnerabilities will require replacing request with another library, since it's been deprecated since 2020.