tencent-connect / bot-node-sdk

QQ Channel Bot Node SDK
MIT License

ci: add sensitive-information and npm audit checks #40

Closed. ostli closed this 2 years ago

github-actions[bot] commented 2 years ago
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install commitizen@3.0.0, which is a breaking change
node_modules/inquirer/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/inquirer/node_modules/strip-ansi
  node_modules/string-length/node_modules/strip-ansi
  node_modules/string-width/node_modules/strip-ansi
    inquirer  3.2.0 - 7.0.4
    Depends on vulnerable versions of string-width
    Depends on vulnerable versions of strip-ansi
    node_modules/inquirer
      commitizen  >=3.0.1
      Depends on vulnerable versions of cz-conventional-changelog
      Depends on vulnerable versions of inquirer
      node_modules/commitizen
        cz-conventional-changelog  >=3.0.2
        Depends on vulnerable versions of commitizen
        node_modules/commitizen/node_modules/cz-conventional-changelog
        node_modules/cz-conventional-changelog
    string-length  2.0.0 - 3.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-length
      @jest/reporters  <=26.4.0
      Depends on vulnerable versions of node-notifier
      Depends on vulnerable versions of string-length
      node_modules/@jest/reporters
        @jest/core  <=25.5.4
        Depends on vulnerable versions of @jest/reporters
        node_modules/@jest/core
          jest  24.2.0-alpha.0 - 25.5.4
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-cli
          node_modules/jest
          jest-cli  24.2.0-alpha.0 - 25.5.4
          Depends on vulnerable versions of @jest/core
          node_modules/jest-cli
      jest-watcher  <=26.0.0-alpha.2
      Depends on vulnerable versions of string-length
      node_modules/jest-watcher
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width

follow-redirects  <1.14.7
Severity: high
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
fix available via `npm audit fix`
node_modules/follow-redirects

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - https://github.com/advisories/GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install jest@27.4.7, which is a breaking change
node_modules/node-notifier
  @jest/reporters  <=26.4.0
  Depends on vulnerable versions of node-notifier
  Depends on vulnerable versions of string-length
  node_modules/@jest/reporters
    @jest/core  <=25.5.4
    Depends on vulnerable versions of @jest/reporters
    node_modules/@jest/core
      jest  24.2.0-alpha.0 - 25.5.4
      Depends on vulnerable versions of @jest/core
      Depends on vulnerable versions of jest-cli
      node_modules/jest
      jest-cli  24.2.0-alpha.0 - 25.5.4
      Depends on vulnerable versions of @jest/core
      node_modules/jest-cli

16 vulnerabilities (15 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force