theAlinP / twitter-link-deobfuscator

A Firefox add-on that restores the original destination of the links (from tweets) that have been shortened by the Twitter servers. It only runs while browsing Twitter's website (twitter.com).
https://addons.mozilla.org/en-US/firefox/addon/twitter-link-deobfuscator/
MIT License

chore: update the dependencies #33

Closed PeterDaveHello closed 1 year ago

PeterDaveHello commented 1 year ago

This PR updates the dated/vulnerable packages in package-lock.json.

Dated/vulnerable packages reference (npm audit report):

# npm audit report

fast-json-patch  <3.1.1
Severity: moderate
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - https://github.com/advisories/GHSA-8gh8-hqwg-xf34
fix available via `npm audit fix`
node_modules/fast-json-patch
  ajv-merge-patch  *
  Depends on vulnerable versions of fast-json-patch
  node_modules/ajv-merge-patch
    addons-linter  0.35.0 - 5.26.0
    Depends on vulnerable versions of ajv-merge-patch
    node_modules/addons-linter
      web-ext  1.0.0 - 7.6.0
      Depends on vulnerable versions of addons-linter
      Depends on vulnerable versions of firefox-profile
      Depends on vulnerable versions of sign-addon
      node_modules/web-ext

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/http-cache-semantics

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken
  sign-addon  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/sign-addon

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix`
node_modules/request

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution  - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix`
node_modules/xml2js
  firefox-profile  <=4.2.2
  Depends on vulnerable versions of xml2js
  node_modules/firefox-profile

10 vulnerabilities (9 moderate, 1 high)

To address all issues, run:
  npm audit fix

This PR can also replace #29 #30 #31

PeterDaveHello commented 1 year ago

@theAlinP not sure if you'd like to get the security-related patch merged sooner?

theAlinP commented 1 year ago

@PeterDaveHello I will merge this PR first.