vbenjs / vite-plugin-imagemin

A vite plugin for compressing image assets.
MIT License

Security Issue: Vulnerable Dependencies #49

Open Janet1997 opened 2 months ago

Janet1997 commented 2 months ago

Hi,

I am using vite-plugin-imagemin in my project and noticed that it has some dependencies with known security vulnerabilities. Specifically, the following packages are affected:

here is the dependency tree:

[image: dependency tree]

and this is the npm audit report; it recommends the safer version:

got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via npm audit fix --force
Will install vite-plugin-imagemin@0.4.6, which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/bin-wrapper/node_modules/download
node_modules/download
bin-build >=2.1.2
Depends on vulnerable versions of download
node_modules/bin-build
cwebp-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/cwebp-bin
imagemin-webp >=4.1.0
Depends on vulnerable versions of cwebp-bin
node_modules/imagemin-webp
gifsicle >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/gifsicle
node_modules/vite-plugin-imagemin/node_modules/gifsicle
imagemin-gifsicle >=6.0.0
Depends on vulnerable versions of gifsicle
node_modules/imagemin-gifsicle
vite-plugin-imagemin >=0.2.0
Depends on vulnerable versions of gifsicle
Depends on vulnerable versions of imagemin-gifsicle
Depends on vulnerable versions of imagemin-jpegtran
Depends on vulnerable versions of imagemin-mozjpeg
Depends on vulnerable versions of imagemin-optipng
Depends on vulnerable versions of imagemin-pngquant
Depends on vulnerable versions of imagemin-webp
Depends on vulnerable versions of jpegtran-bin
node_modules/vite-plugin-imagemin
jpegtran-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/jpegtran-bin
node_modules/vite-plugin-imagemin/node_modules/jpegtran-bin
imagemin-jpegtran >=6.0.0
Depends on vulnerable versions of jpegtran-bin
node_modules/imagemin-jpegtran
mozjpeg >=4.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/mozjpeg
imagemin-mozjpeg >=7.0.0
Depends on vulnerable versions of mozjpeg
node_modules/imagemin-mozjpeg
optipng-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/optipng-bin
imagemin-optipng >=6.0.0
Depends on vulnerable versions of optipng-bin
node_modules/imagemin-optipng
pngquant-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/pngquant-bin
imagemin-pngquant >=5.1.0
Depends on vulnerable versions of pngquant-bin
node_modules/imagemin-pngquant
bin-wrapper >=0.4.0
Depends on vulnerable versions of bin-version-check
Depends on vulnerable versions of download
node_modules/bin-wrapper

http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via npm audit fix --force
Will install vite-plugin-imagemin@0.4.6, which is a breaking change
node_modules/bin-wrapper/node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/bin-wrapper/node_modules/cacheable-request

semver-regex <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via npm audit fix --force
Will install vite-plugin-imagemin@0.4.6, which is a breaking change
node_modules/semver-regex
find-versions <=3.2.0
Depends on vulnerable versions of semver-regex
node_modules/find-versions
bin-version <=4.0.0
Depends on vulnerable versions of find-versions
node_modules/bin-version
bin-version-check <=4.0.0
Depends on vulnerable versions of bin-version
node_modules/bin-version-check

trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow

Could you please update these dependencies to their latest secure versions?
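An added example, not from this thread or the plugin's code: it reads an `npm audit --json` report and lists each advisory with the direct dependencies that pull it in and whether the only fix is a semver-major bump, which is the situation the report above shows (every chain ends at vite-plugin-imagemin). The report shape is assumed from npm v7+'s JSON output, and the sample is constructed from the entries quoted in this issue.

```javascript
// Constructed sample shaped like `npm audit --json` (npm v7+ format, assumed here);
// names, ranges and advisory URLs mirror the report in this issue.
const BREAKING = { name: "vite-plugin-imagemin", version: "0.4.6", isSemVerMajor: true };
const link = (name, via, effects) => // intermediate hop in a dependency chain
  ({ name, severity: "high", isDirect: false, via: [via], effects, fixAvailable: BREAKING });
const sampleAudit = {
  vulnerabilities: {
    got: { name: "got", severity: "high", isDirect: false, range: "<=11.8.3",
      via: [{ name: "got", title: "Got allows a redirect to a UNIX socket", severity: "high",
              url: "https://github.com/advisories/GHSA-pfrx-2q88-qq97", range: "<=11.8.3" },
            "cacheable-request"],
      effects: ["download"], fixAvailable: BREAKING },
    download: link("download", "got", ["bin-wrapper"]),
    "bin-wrapper": link("bin-wrapper", "download", ["gifsicle"]),
    gifsicle: link("gifsicle", "bin-wrapper", ["vite-plugin-imagemin"]),
    "vite-plugin-imagemin": { ...link("vite-plugin-imagemin", "gifsicle", []), isDirect: true },
    "trim-newlines": { name: "trim-newlines", severity: "high", isDirect: false, range: "<3.0.1",
      via: [{ name: "trim-newlines", title: "Uncontrolled Resource Consumption in trim-newlines",
              severity: "high", url: "https://github.com/advisories/GHSA-7p7h-4mm5-852v", range: "<3.0.1" }],
      effects: ["meow"], fixAvailable: true },
    meow: { ...link("meow", "trim-newlines", []), fixAvailable: true },
  },
};
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// Walk `effects` edges up to packages the project depends on directly (isDirect).
function directDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((e) => directDependents(vulns, e, seen));
}
// One row per advisory at or above minSeverity: the vulnerable package, the direct
// dependencies that pull it in, and whether the available fix is a semver-major bump.
function summarizeAudit(report, minSeverity = "high") {
  const vulns = report.vulnerabilities, rows = [];
  for (const entry of Object.values(vulns)) {
    for (const via of entry.via) {
      // Strings in `via` point at other vulnerable packages; objects are advisories.
      if (typeof via !== "object" || SEVERITY_RANK[via.severity] < SEVERITY_RANK[minSeverity]) continue;
      const fix = entry.fixAvailable;
      rows.push({
        package: entry.name, range: entry.range, title: via.title, advisory: via.url,
        directDependents: [...new Set(directDependents(vulns, entry.name))],
        fixAvailable: fix !== false,
        breakingFix: typeof fix === "object" && fix.isSemVerMajor === true,
      });
    }
  }
  return rows;
}
```

Running `summarizeAudit(JSON.parse(fs.readFileSync("audit.json")))` on a real report gives the same rows for a project's own lockfile; an empty `directDependents` list (as for trim-newlines in the sample) means the chain does not reach a declared dependency and needs a manual look at the lockfile.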

ondrejjcizek commented 1 month ago

Yeah, same issue here

[Screenshots: 2024-06-21 at 10:02:04 PM, 10:02:00 PM, 10:01:54 PM]