translate-tools / linguist

Translate web pages, highlighted text, Netflix subtitles, private messages, speak the translated text, and save important translations to your personal dictionary to learn words even offline
https://linguister.io
BSD 3-Clause "New" or "Revised" License
658 stars, 21 forks

`1 critical` vulnerability when running `npm install` #416

Closed hamirmahal closed 3 months ago

hamirmahal commented 4 months ago

image

hamirmahal commented 4 months ago
```
hamir@hamir-desktop:~/linguist (master)$  npm install
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.21.0: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> browser-addon@5.0.7 prepare
> husky install

husky - Git hooks installed

added 1949 packages, and audited 1950 packages in 10s

262 packages are looking for funding
  run `npm fund` for details

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)
```

vitonsky commented 4 months ago

What is the problem here? Which packages exactly are vulnerable, and how may they be exploited?

hamirmahal commented 4 months ago

There are a lot of details, but you should be able to see all of them when running npm audit.

hamirmahal commented 4 months ago
output of npm audit on main branch

```
~/linguist (master)$ npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install google-tts-api@0.0.6, which is a breaking change
node_modules/axios
node_modules/google-tts-api/node_modules/axios
  @translate-tools/core  >=0.0.11
  Depends on vulnerable versions of axios
  node_modules/@translate-tools/core
  google-tts-api  >=2.0.0
  Depends on vulnerable versions of axios
  node_modules/google-tts-api

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
  color  <=0.11.4
  Depends on vulnerable versions of color-string
  node_modules/color
    css-color-function  *
    Depends on vulnerable versions of color
    node_modules/css-color-function
      @yandex/themekit  <=1.6.8
      Depends on vulnerable versions of css-color-function
      Depends on vulnerable versions of json5
      node_modules/@yandex/themekit

express  <=4.19.1 || 5.0.0-alpha.1 - 5.0.0-beta.1
Severity: high
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of download
  Depends on vulnerable versions of express
  node_modules/addons-scanner-utils
    addons-linter  *
    Depends on vulnerable versions of addons-scanner-utils
    Depends on vulnerable versions of ajv-merge-patch
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of semver
    node_modules/addons-linter
      web-ext  1.0.0 - 7.6.2
      Depends on vulnerable versions of @devicefarmer/adbkit
      Depends on vulnerable versions of addons-linter
      Depends on vulnerable versions of firefox-profile
      Depends on vulnerable versions of sign-addon
      Depends on vulnerable versions of update-notifier
      node_modules/web-ext

fast-json-patch  <3.1.1
Severity: high
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - https://github.com/advisories/GHSA-8gh8-hqwg-xf34
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/fast-json-patch
  ajv-merge-patch  *
  Depends on vulnerable versions of fast-json-patch
  node_modules/ajv-merge-patch

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@yandex/themekit/node_modules/json5

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/jsonwebtoken
  sign-addon  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/sign-addon

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/node-forge
  @devicefarmer/adbkit  <=3.2.1
  Depends on vulnerable versions of node-forge
  node_modules/@devicefarmer/adbkit

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/webpack@8.1.0, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

postcss  <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install stylelint@16.3.1, which is a breaking change
node_modules/addons-linter/node_modules/postcss
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/postcss-less/node_modules/postcss
node_modules/postcss-rem-to-pixel/node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/postcss-sass/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
node_modules/stylelint/node_modules/postcss
node_modules/sugarss/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    stylelint  0.1.0 - 13.13.1
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of sugarss
    node_modules/stylelint
      stylelint-config-recommended  <=2.2.0 || 4.0.0 - 5.0.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-config-recommended
        stylelint-config-standard  4.0.1 - 18.3.0 || 21.0.0 - 22.0.0
        Depends on vulnerable versions of stylelint
        Depends on vulnerable versions of stylelint-config-recommended
        node_modules/stylelint-config-standard
  postcss-less  <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-rem-to-pixel  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-rem-to-pixel
  postcss-safe-parser  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass  <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss  <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

qs  6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/qs
  body-parser  1.19.1 || 2.0.0-beta.1
  Depends on vulnerable versions of qs
  node_modules/body-parser

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/request

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/@oclif/command/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/addons-linter/node_modules/semver
node_modules/conf/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/download/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/jsonwebtoken/node_modules/semver
node_modules/node-abi/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/postcss-loader/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/sharp/node_modules/semver
node_modules/ts-jest/node_modules/semver
node_modules/ts-loader/node_modules/semver
node_modules/update-notifier/node_modules/semver
  @commitlint/is-ignored  9.0.0 - 17.6.5
  Depends on vulnerable versions of semver
  node_modules/@commitlint/is-ignored
    @commitlint/lint  9.0.0 - 16.2.4
    Depends on vulnerable versions of @commitlint/is-ignored
    node_modules/@commitlint/lint
      @commitlint/cli  9.0.0 - 16.3.0
      Depends on vulnerable versions of @commitlint/lint
      node_modules/@commitlint/cli

sharp  <0.32.6
Severity: high
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via `npm audit fix`
node_modules/sharp

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/xml2js
  firefox-profile  <=4.2.2
  Depends on vulnerable versions of xml2js
  node_modules/firefox-profile

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)
```