videojs / video.js

Video.js - open source HTML5 video player
https://videojs.com

Update dependencies and reduce security issues #8302

Open Makio64 opened 1 year ago

Makio64 commented 1 year ago

Description

Just checked and Video.js currently has a lot of vulnerabilities and many dependencies out of date.


Updating the dependencies and fixing the vulnerabilities would be great.

Reduced test case

https://videojs.com/

Steps to reproduce

  1. npm audit
  2. ncu (requires installing the command)

Errors

47 vulnerabilities (2 low, 14 moderate, 25 high, 6 critical)

What version of Video.js are you using?

v8.3.0

Video.js plugins used.

none

What browser(s) including version(s) does this occur with?

all

What OS(es) and version(s) does this occur with?

all

Makio64 commented 1 year ago

Using yarn install instead of npm i & ncu -u, followed by yarn audit fix, I got the report below.

Most of the errors come from gh-release (which isn't used anymore, from my understanding of the changelog?) and a very old package, access-sniff, with a lot of deprecated libs.

As spring is here, I highly suggest a spring cleanup.

yarn audit v1.22.19

| Severity | Issue | Package | Patched in | Dependency of | Path | More info |
|---|---|---|---|---|---|---|
| moderate | Got allows a redirect to a UNIX socket | got | >=11.8.5 | gh-release | gh-release > update-notifier > latest-version > package-json > got | https://www.npmjs.com/advisories/1088948 |
| moderate | Insufficient Granularity of Access Control in JSDom | jsdom | >=16.5.0 | access-sniff | access-sniff > jsdom | https://www.npmjs.com/advisories/1089185 |
| moderate | Inefficient Regular Expression Complexity in validator.js | validator | >=13.7.0 | access-sniff | access-sniff > validator | https://www.npmjs.com/advisories/1089600 |
| moderate | Axios vulnerable to Server-Side Request Forgery | axios | >=0.21.1 | access-sniff | access-sniff > axios | https://www.npmjs.com/advisories/1090049 |
| high | axios Inefficient Regular Expression Complexity vulnerability | axios | >=0.21.2 | access-sniff | access-sniff > axios | https://www.npmjs.com/advisories/1091366 |
| moderate | Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects | follow-redirects | >=1.14.8 | access-sniff | access-sniff > axios > follow-redirects | https://www.npmjs.com/advisories/1090431 |
| high | Exposure of sensitive information in follow-redirects | follow-redirects | >=1.14.7 | access-sniff | access-sniff > axios > follow-redirects | https://www.npmjs.com/advisories/1091238 |
| high | glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex | glob-parent | >=5.1.2 | videojs-languages | videojs-languages > globby > fast-glob > glob-parent | https://www.npmjs.com/advisories/1091181 |
| high | Uncontrolled Resource Consumption in trim-newlines | trim-newlines | >=3.0.1 | videojs-generate-karma-config | videojs-generate-karma-config > karma-coverage > dateformat > meow > trim-newlines | https://www.npmjs.com/advisories/1091360 |
| critical | Arbitrary Code Execution in underscore | underscore | >=1.12.1 | videojs-standard | videojs-standard > eslint-plugin-json-light > jsonlint > nomnom > underscore | https://www.npmjs.com/advisories/1091470 |
| moderate | Server-Side Request Forgery in Request | request | No patch available | access-sniff | access-sniff > jsdom > request | https://www.npmjs.com/advisories/1091725 |

11 vulnerabilities found - Packages audited: 1707 Severity: 6 Moderate | 4 High | 1 Critical
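An added example (not part of this issue or the video.js project) showing how a report like the one above can be triaged: it parses the NDJSON that `yarn audit --json` prints, attributes each advisory to the top-level dependency that pulls it in, and treats only findings reachable from production (non-dev) dependencies as CI-blocking, so dev tooling such as gh-release or videojs-standard is reported without failing the build. The record shape and the dev/prod flags on the sample data are assumptions, not taken from the issue.

```javascript
// Added example, not code from the video.js issue or project: triage the NDJSON
// that `yarn audit --json` (yarn v1) prints, group each advisory under the
// top-level dependency that pulls it in, and list the findings that should fail
// CI: severity at/above a threshold AND reachable from a production (non-dev)
// dependency. Assumed record shape: {type:"auditAdvisory", data:{resolution:
// {id,path,dev}, advisory:{module_name,severity,patched_versions,title}}}.
// Sample is constructed from three entries in the issue; dev flags are invented.
const SAMPLE_NDJSON = [
  { type: 'auditAdvisory', data: {
      resolution: { id: 1088948, dev: true, path: 'gh-release>update-notifier>latest-version>package-json>got' },
      advisory: { module_name: 'got', severity: 'moderate', patched_versions: '>=11.8.5',
                  title: 'Got allows a redirect to a UNIX socket' } } },
  { type: 'auditAdvisory', data: {
      resolution: { id: 1091470, dev: true, path: 'videojs-standard>eslint-plugin-json-light>jsonlint>nomnom>underscore' },
      advisory: { module_name: 'underscore', severity: 'critical', patched_versions: '>=1.12.1',
                  title: 'Arbitrary Code Execution in underscore' } } },
  { type: 'auditAdvisory', data: {
      resolution: { id: 1091181, dev: false, path: 'videojs-languages>globby>fast-glob>glob-parent' },
      advisory: { module_name: 'glob-parent', severity: 'high', patched_versions: '>=5.1.2',
                  title: 'glob-parent before 5.1.2 vulnerable to ReDoS in enclosure regex' } } },
  { type: 'auditSummary', data: { vulnerabilities: { moderate: 1, high: 1, critical: 1 } } },
].map((rec) => JSON.stringify(rec)).join('\n');

const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten the NDJSON stream into findings, keeping only advisory records.
function parseAudit(ndjson) {
  return ndjson.split('\n').filter(Boolean).map((line) => JSON.parse(line))
    .filter((rec) => rec.type === 'auditAdvisory')
    .map(({ data: { resolution, advisory } }) => {
      const chain = resolution.path.split('>');
      return { id: resolution.id, topLevel: chain[0], pkg: advisory.module_name,
               severity: advisory.severity, patched: advisory.patched_versions,
               dev: Boolean(resolution.dev), path: chain.join(' > ') };
    });
}

// Group by top-level dependency; a finding blocks only if it is non-dev and meets the threshold.
function triage(findings, failAt = 'high') {
  const byTopLevel = {};
  for (const f of findings) (byTopLevel[f.topLevel] = byTopLevel[f.topLevel] || []).push(f);
  const blocking = findings.filter((f) => !f.dev && RANK[f.severity] >= RANK[failAt]);
  return { byTopLevel, blocking };
}

const report = triage(parseAudit(SAMPLE_NDJSON));
for (const [top, list] of Object.entries(report.byTopLevel))
  console.log(`${top}: ${list.length} advisory(ies), dev-only=${list.every((f) => f.dev)}`);
console.log(report.blocking.length ? `blocking: ${report.blocking.map((f) => f.pkg).join(', ')}` : 'nothing blocking');
```

To run it on a real project, replace SAMPLE_NDJSON with the output of `yarn audit --json` and exit non-zero when `blocking` is non-empty.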