Microsoft defender reported many vulnerabilities at two levels:
The Nodejs image (node:12-alpine)
The node modules used in kutt
103 vulnerabilities were recorded by Microsoft defender, both on the Node image level and in node modules
Below is the npm audit report before changes
npm audit
# npm audit report
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix`
node_modules/d3-interpolate/node_modules/d3-color
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
recharts 0.2.0 - 2.3.0-alpha.1
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
node_modules/recharts
decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/http-cache-semantics
json5 <1.0.2 || >=2.0.0 <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.2, which is a breaking change
node_modules/jsonwebtoken
passport-jwt <=4.0.0
Depends on vulnerable versions of jsonwebtoken
node_modules/passport-jwt
knex <2.4.0
Severity: high
Knex.js has a limited SQL injection vulnerability - https://github.com/advisories/GHSA-4jv9-3563-23j3
fix available via `npm audit fix`
node_modules/knex
luxon 3.0.0 - 3.2.0
Severity: high
Luxon Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-3xq5-wjfh-ppjc
fix available via `npm audit fix`
node_modules/luxon
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install nodemon@3.0.1, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/bull/node_modules/semver
node_modules/eslint-plugin-jsx-a11y/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/nodemon/node_modules/semver
node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
nodemon 2.0.19 - 2.0.22
Depends on vulnerable versions of simple-update-notifier
node_modules/nodemon
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
15 vulnerabilities (6 moderate, 9 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Upgrade the nodejs alpine image to a later version and carefully update affected node modules as well.
Microsoft defender reported many vulnerabilities at two levels:
103 vulnerabilities were recorded by Microsoft defender, both on the Node image level and in node modules
Below is the npm audit report before changes
Upgrade the nodejs alpine image to a later version and carefully update affected node modules as well.