unfolding-io / nebulix

Nebulix, a Fast & Green Theme Based on Astro + Static CMS + Snipcart
https://nebulix.unfolding.io/

vulnerabilities on install #3

Open rowemoore opened 11 months ago

rowemoore commented 11 months ago

Windows 10. `audit fix` and `audit fix --force` are not working.

```
# npm audit report

file-type  17.0.0 - 17.1.2
Severity: high
file-type vulnerable to Infinite Loop via malformed MKV file - https://github.com/advisories/GHSA-mhxj-85r3-2x55
fix available via npm audit fix --force
Will install astro-imagetools@0.2.7, which is a breaking change
node_modules/astro-imagetools/node_modules/file-type
  astro-imagetools  *
  Depends on vulnerable versions of file-type
  Depends on vulnerable versions of imagetools-core
  Depends on vulnerable versions of potrace
  node_modules/astro-imagetools

sharp  <0.30.5
Severity: moderate
sharp vulnerable to Command Injection in post-installation over build environment - https://github.com/advisories/GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install astro-imagetools@0.2.7, which is a breaking change
node_modules/imagetools-core/node_modules/sharp
  imagetools-core  <=3.0.2
  Depends on vulnerable versions of sharp
  node_modules/imagetools-core

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via npm audit fix
node_modules/xml2js
  parse-bmfont-xml
  Depends on vulnerable versions of xml2js
  node_modules/parse-bmfont-xml
    load-bmfont  >=1.1.0
    Depends on vulnerable versions of parse-bmfont-xml
    node_modules/load-bmfont
      @jimp/core  <=0.17.1 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
      Depends on vulnerable versions of load-bmfont
      node_modules/potrace/node_modules/@jimp/core
        @jimp/custom  <=0.17.0--canary.1131.af3cb94.0 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
        Depends on vulnerable versions of @jimp/core
        node_modules/potrace/node_modules/@jimp/custom
          jimp  >=0.3.6-alpha.5
          Depends on vulnerable versions of @jimp/custom
          Depends on vulnerable versions of @jimp/plugins
          node_modules/potrace/node_modules/jimp
            potrace  >=2.1.2
            Depends on vulnerable versions of jimp
            node_modules/potrace
      @jimp/plugin-print
      Depends on vulnerable versions of load-bmfont
      node_modules/@jimp/plugin-print
        @jimp/plugins  *
        Depends on vulnerable versions of @jimp/plugin-print
        node_modules/@jimp/plugins

13 vulnerabilities (11 moderate, 2 high)
```

preetamslot commented 11 months ago

Hi @rowemoore, I think this is related to astro-imagetools. The latest version is 0.9, so I can't imagine that a fix would be to downgrade.

I could be wrong, but the site is built with SSG, so the vulnerabilities are not exposed on the live site. Can you let me know how someone could exploit this?

Thanks for the report; I will investigate whether I can find a fix for this.
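One way to work through a report like the one above before accepting the downgrade that `npm audit fix --force` proposes, as an added example (not the project's code and not from either participant in the thread): a small Node script over `npm audit --json` output (the `auditReportVersion: 2` format that npm 7 and later emit) that keeps only the entries carrying an actual advisory, follows each one's `effects` chain up to the direct dependency that pulls it in, and states whether the offered fix is semver-major. `SAMPLE_REPORT` is constructed by hand to mirror the findings in the issue; the jimp/bmfont layers between `load-bmfont` and `potrace` are abbreviated, and the `entry`/`advisory` helpers and the `triage.js` file name are this example's own.

```javascript
// Added example, not code from the nebulix project: triage `npm audit --json`.
// Usage on a real project:  npm audit --json > audit.json && node triage.js audit.json
// Without an argument it runs over the constructed SAMPLE_REPORT below.

const SEVERITY_RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

// Helpers (this example's own) to keep the constructed report short.
function advisory(title, url, range) {
  return { title, url, range };
}
function entry(name, severity, isDirect, via, effects, range, nodes, fixAvailable) {
  return { name, severity, isDirect, via, effects, range, nodes, fixAvailable };
}

// npm reports the same semver-major fix for everything under astro-imagetools.
const BREAKING = { name: 'astro-imagetools', version: '0.2.7', isSemVerMajor: true };

// Constructed to mirror the issue's report; field names follow npm's JSON format.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'file-type': entry('file-type', 'high', false,
      [advisory('file-type vulnerable to Infinite Loop via malformed MKV file',
        'https://github.com/advisories/GHSA-mhxj-85r3-2x55', '17.0.0 - 17.1.2')],
      ['astro-imagetools'], '17.0.0 - 17.1.2',
      ['node_modules/astro-imagetools/node_modules/file-type'], BREAKING),
    sharp: entry('sharp', 'moderate', false,
      [advisory('sharp vulnerable to Command Injection in post-installation over build environment',
        'https://github.com/advisories/GHSA-gp95-ppv5-3jc5', '<0.30.5')],
      ['imagetools-core'], '<0.30.5',
      ['node_modules/imagetools-core/node_modules/sharp'], BREAKING),
    'imagetools-core': entry('imagetools-core', 'moderate', false, ['sharp'],
      ['astro-imagetools'], '<=3.0.2', ['node_modules/imagetools-core'], BREAKING),
    xml2js: entry('xml2js', 'moderate', false,
      [advisory('xml2js is vulnerable to prototype pollution',
        'https://github.com/advisories/GHSA-776f-qx25-q3cc', '<0.5.0')],
      ['parse-bmfont-xml'], '<0.5.0', ['node_modules/xml2js'], true),
    'parse-bmfont-xml': entry('parse-bmfont-xml', 'moderate', false, ['xml2js'],
      ['load-bmfont'], '*', ['node_modules/parse-bmfont-xml'], true),
    // The @jimp/* and jimp layers of the real chain are abbreviated here.
    'load-bmfont': entry('load-bmfont', 'moderate', false, ['parse-bmfont-xml'],
      ['potrace'], '>=1.1.0', ['node_modules/load-bmfont'], true),
    potrace: entry('potrace', 'moderate', false, ['load-bmfont'],
      ['astro-imagetools'], '>=2.1.2', ['node_modules/potrace'], BREAKING),
    'astro-imagetools': entry('astro-imagetools', 'high', true,
      ['file-type', 'imagetools-core', 'potrace'], [], '*',
      ['node_modules/astro-imagetools'], BREAKING),
  },
};

// Follow `effects` upward until a direct dependency (one listed in package.json).
function rootDependents(vulns, name, seen = new Set()) {
  const v = vulns[name];
  if (!v) return [`${name} (not in report)`];
  if (v.isDirect) return [name];
  if (seen.has(name)) return [];          // guard against cycles in the graph
  seen.add(name);
  return [...new Set(v.effects.flatMap((e) => rootDependents(vulns, e, seen)))];
}

// npm's `fixAvailable` is true, false, or an object naming the package to install.
function describeFix(fix) {
  if (fix === true) return 'non-breaking: npm audit fix';
  if (!fix) return 'none available';
  return `${fix.isSemVerMajor ? 'breaking' : 'non-breaking'}: install ${fix.name}@${fix.version}`;
}

// Root findings only: entries whose `via` holds an advisory object. Packages that
// are flagged merely for depending on a vulnerable one have plain name strings
// in `via` and are skipped, which collapses 13 entries to the 3 real advisories.
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === 'object'))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      vulnerableRange: v.range,
      advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url),
      transitive: !v.isDirect,
      installedAt: v.nodes,
      reachedVia: rootDependents(vulns, v.name),
      fix: describeFix(v.fixAvailable),
    }))
    .sort((a, b) => SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity]);
}

function formatTriage(rows) {
  return rows.map((r) =>
    `${r.severity.padEnd(8)} ${r.name}@${r.vulnerableRange}  ` +
    `${r.transitive ? 'transitive via ' + r.reachedVia.join(', ') : 'direct'}; ` +
    `fix: ${r.fix}\n         ${r.advisories.join(' ')}`).join('\n');
}

if (typeof require === 'function' && require.main === module) {
  const file = process.argv[2];
  const report = file
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_REPORT;
  console.log(formatTriage(triage(report)));
}
```

For this report the output shows that all three advisories chain back to the single direct dependency astro-imagetools, so the decision is about that package: upgrade it, or pin the transitive packages it pulls in with npm's `overrides` field in package.json and re-run `npm audit`, rather than accepting the major-version downgrade that `--force` offers. The triage says where each package sits, not whether it is reachable; for a statically generated site the remaining question is whether the install step (the sharp advisory concerns its post-install script) or the build step (image and font processing by file-type, xml2js and friends) ever handles untrusted input on a developer machine or in CI.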