vipfo123 / gh-actions-npm-audit

npm audit found vulnerabilities #1

Open github-actions[bot] opened 2 hours ago

github-actions[bot] commented 2 hours ago
# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Depends on vulnerable versions of lodash
fix available via `npm audit fix`
node_modules/async
  mongoose  <=5.13.19 || 6.0.0-rc0 - 6.0.3
  Depends on vulnerable versions of async
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of mongodb
  Depends on vulnerable versions of mpath
  Depends on vulnerable versions of mquery
  node_modules/mongoose

base64url  <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.2, which is a breaking change
node_modules/base64url
  ecdsa-sig-formatter  1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
    jwa  <=1.1.5
    Depends on vulnerable versions of base64url
    Depends on vulnerable versions of ecdsa-sig-formatter
    node_modules/jwa
      jws  <=3.1.4
      Depends on vulnerable versions of base64url
      Depends on vulnerable versions of jwa
      node_modules/jws
        jsonwebtoken  <=8.5.1
        Depends on vulnerable versions of jws
        node_modules/jsonwebtoken

body-parser  <=1.20.2
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install body-parser@1.20.3, which is outside the stated dependency range
node_modules/body-parser

bson  <=1.1.3
Severity: critical
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix`
node_modules/bson
  mongodb-core  *
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of require_optional
  node_modules/mongodb-core
    mongodb  <=3.1.12
    Depends on vulnerable versions of mongodb-core
    node_modules/mongodb

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/cookie
  cookie-parser  1.0.1 - 1.4.6
  Depends on vulnerable versions of cookie
  node_modules/cookie-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    express-fileupload  <=1.3.1
    Depends on vulnerable versions of busboy
    node_modules/express-fileupload
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    Depends on vulnerable versions of mkdirp
    node_modules/multer

helmet-csp  1.2.2 - 2.9.0
Severity: moderate
Configuration Override in helmet-csp - https://github.com/advisories/GHSA-c3m8-x3cg-qm2c
fix available via `npm audit fix`
node_modules/helmet-csp
  helmet  2.1.2 - 3.20.1
  Depends on vulnerable versions of helmet-csp
  node_modules/helmet

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/js-yaml

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/lodash
  express-validator  0.2.0 - 6.4.1
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of validator
  node_modules/express-validator

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/mime
  send  <=0.18.0
  Depends on vulnerable versions of mime
  node_modules/send
    serve-static  <=1.16.0
    Depends on vulnerable versions of send
    node_modules/serve-static

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
  glob  3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
    mv  
    Depends on vulnerable versions of mkdirp
    node_modules/mv

moment  <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
  bunyan  
  Depends on vulnerable versions of moment
  node_modules/bunyan

morgan  <1.9.1
Severity: critical
Code Injection in morgan - https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
fix available via `npm audit fix`
node_modules/morgan

mpath  <=0.8.3
Severity: high
Prototype Pollution in mpath - https://github.com/advisories/GHSA-h466-j336-74wx
Type confusion in mpath - https://github.com/advisories/GHSA-p92x-r36w-9395
fix available via `npm audit fix`
node_modules/mpath

mquery  <3.2.3
Severity: moderate
Code Injection in mquery - https://github.com/advisories/GHSA-45q2-34rf-mr94
fix available via `npm audit fix`
node_modules/mquery

node-serialize  *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/path-to-regexp

qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/express/node_modules/qs
node_modules/qs

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver
  require_optional  
  Depends on vulnerable versions of semver
  node_modules/require_optional

uglify-js  <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  >=2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

47 vulnerabilities (3 low, 9 moderate, 22 high, 13 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

vipfo123 commented 2 hours ago
# npm audit report

async  2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Depends on vulnerable versions of lodash
fix available via `npm audit fix`
node_modules/async
  mongoose  <=5.13.19 || 6.0.0-rc0 - 6.0.3
  Depends on vulnerable versions of async
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of mongodb
  Depends on vulnerable versions of mpath
  Depends on vulnerable versions of mquery
  node_modules/mongoose

base64url  <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.2, which is a breaking change
node_modules/base64url
  ecdsa-sig-formatter  1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
    jwa  <=1.1.5
    Depends on vulnerable versions of base64url
    Depends on vulnerable versions of ecdsa-sig-formatter
    node_modules/jwa
      jws  <=3.1.4
      Depends on vulnerable versions of base64url
      Depends on vulnerable versions of jwa
      node_modules/jws
        jsonwebtoken  <=8.5.1
        Depends on vulnerable versions of jws
        node_modules/jsonwebtoken

body-parser  <=1.20.2
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install body-parser@1.20.3, which is outside the stated dependency range
node_modules/body-parser

bson  <=1.1.3
Severity: critical
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix`
node_modules/bson
  mongodb-core  *
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of require_optional
  node_modules/mongodb-core
    mongodb  <=3.1.12
    Depends on vulnerable versions of mongodb-core
    node_modules/mongodb

clean-css  <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade  >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople  <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/cookie
  cookie-parser  1.0.1 - 1.4.6
  Depends on vulnerable versions of cookie
  node_modules/cookie-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    express-fileupload  <=1.3.1
    Depends on vulnerable versions of busboy
    node_modules/express-fileupload
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    Depends on vulnerable versions of mkdirp
    node_modules/multer

helmet-csp  1.2.2 - 2.9.0
Severity: moderate
Configuration Override in helmet-csp - https://github.com/advisories/GHSA-c3m8-x3cg-qm2c
fix available via `npm audit fix`
node_modules/helmet-csp
  helmet  2.1.2 - 3.20.1
  Depends on vulnerable versions of helmet-csp
  node_modules/helmet

js-yaml  <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/js-yaml

lodash  <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/lodash
  express-validator  0.2.0 - 6.4.1
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of validator
  node_modules/express-validator

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/mime
  send  <=0.18.0
  Depends on vulnerable versions of mime
  node_modules/send
    serve-static  <=1.16.0
    Depends on vulnerable versions of send
    node_modules/serve-static

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
  glob  3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob

minimist  <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
    mv  
    Depends on vulnerable versions of mkdirp
    node_modules/mv

moment  <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
  bunyan  
  Depends on vulnerable versions of moment
  node_modules/bunyan

morgan  <1.9.1
Severity: critical
Code Injection in morgan - https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
fix available via `npm audit fix`
node_modules/morgan

mpath  <=0.8.3
Severity: high
Prototype Pollution in mpath - https://github.com/advisories/GHSA-h466-j336-74wx
Type confusion in mpath - https://github.com/advisories/GHSA-p92x-r36w-9395
fix available via `npm audit fix`
node_modules/mpath

mquery  <3.2.3
Severity: moderate
Code Injection in mquery - https://github.com/advisories/GHSA-45q2-34rf-mr94
fix available via `npm audit fix`
node_modules/mquery

node-serialize  *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/path-to-regexp

qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/express/node_modules/qs
node_modules/qs

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver
  require_optional  
  Depends on vulnerable versions of semver
  node_modules/require_optional

uglify-js  <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers  >=2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

47 vulnerabilities (3 low, 9 moderate, 22 high, 13 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.