Open github-actions[bot] opened 2 hours ago
# npm audit report
async 2.0.0 - 2.6.3
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
Depends on vulnerable versions of lodash
fix available via `npm audit fix`
node_modules/async
  mongoose <=5.13.19 || 6.0.0-rc0 - 6.0.3
  Depends on vulnerable versions of async
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of mongodb
  Depends on vulnerable versions of mpath
  Depends on vulnerable versions of mquery
  node_modules/mongoose

base64url <3.0.0
Severity: moderate
Out-of-bounds Read in base64url - https://github.com/advisories/GHSA-rvg8-pwq2-xj7q
fix available via `npm audit fix --force`
Will install jsonwebtoken@9.0.2, which is a breaking change
node_modules/base64url
  ecdsa-sig-formatter 1.0.9
  Depends on vulnerable versions of base64url
  node_modules/ecdsa-sig-formatter
  jwa <=1.1.5
  Depends on vulnerable versions of base64url
  Depends on vulnerable versions of ecdsa-sig-formatter
  node_modules/jwa
  jws <=3.1.4
  Depends on vulnerable versions of base64url
  Depends on vulnerable versions of jwa
  node_modules/jws
  jsonwebtoken <=8.5.1
  Depends on vulnerable versions of jws
  node_modules/jsonwebtoken

body-parser <=1.20.2
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install body-parser@1.20.3, which is outside the stated dependency range
node_modules/body-parser

bson <=1.1.3
Severity: critical
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-4jwp-vfvf-657p
Deserialization of Untrusted Data in bson - https://github.com/advisories/GHSA-v8w9-2789-6hhr
fix available via `npm audit fix`
node_modules/bson
  mongodb-core *
  Depends on vulnerable versions of bson
  Depends on vulnerable versions of require_optional
  node_modules/mongodb-core
  mongodb <=3.1.12
  Depends on vulnerable versions of mongodb-core
  node_modules/mongodb

clean-css <4.1.11
Regular Expression Denial of Service in clean-css - https://github.com/advisories/GHSA-wxhq-pm8v-cw75
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/clean-css
  jade >=0.30.0
  Depends on vulnerable versions of clean-css
  Depends on vulnerable versions of constantinople
  Depends on vulnerable versions of mkdirp
  Depends on vulnerable versions of transformers
  node_modules/jade

constantinople <3.1.1
Severity: critical
Sandbox Bypass Leading to Arbitrary Code Execution in constantinople - https://github.com/advisories/GHSA-4vmm-mhcq-4x9j
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/constantinople

cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/cookie
  cookie-parser 1.0.1 - 1.4.6
  Depends on vulnerable versions of cookie
  node_modules/cookie-parser
  express <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express

dicer *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
No fix available
node_modules/dicer
  busboy <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
  express-fileupload <=1.3.1
  Depends on vulnerable versions of busboy
  node_modules/express-fileupload
  multer <=2.0.0-rc.3
  Depends on vulnerable versions of busboy
  Depends on vulnerable versions of mkdirp
  node_modules/multer

helmet-csp 1.2.2 - 2.9.0
Severity: moderate
Configuration Override in helmet-csp - https://github.com/advisories/GHSA-c3m8-x3cg-qm2c
fix available via `npm audit fix`
node_modules/helmet-csp
  helmet 2.1.2 - 3.20.1
  Depends on vulnerable versions of helmet-csp
  node_modules/helmet

js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix`
node_modules/js-yaml

lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/lodash
  express-validator 0.2.0 - 6.4.1
  Depends on vulnerable versions of lodash
  Depends on vulnerable versions of validator
  node_modules/express-validator

mime <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/mime
  send <=0.18.0
  Depends on vulnerable versions of mime
  node_modules/send
  serve-static <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
  glob 3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob

minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/minimist
  mkdirp 0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp
  mv
  Depends on vulnerable versions of mkdirp
  node_modules/mv

moment <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
  bunyan
  Depends on vulnerable versions of moment
  node_modules/bunyan

morgan <1.9.1
Severity: critical
Code Injection in morgan - https://github.com/advisories/GHSA-gwg9-rgvj-4h5j
fix available via `npm audit fix`
node_modules/morgan

mpath <=0.8.3
Severity: high
Prototype Pollution in mpath - https://github.com/advisories/GHSA-h466-j336-74wx
Type confusion in mpath - https://github.com/advisories/GHSA-p92x-r36w-9395
fix available via `npm audit fix`
node_modules/mpath

mquery <3.2.3
Severity: moderate
Code Injection in mquery - https://github.com/advisories/GHSA-45q2-34rf-mr94
fix available via `npm audit fix`
node_modules/mquery

node-serialize *
Severity: critical
Code Execution through IIFE in node-serialize - https://github.com/advisories/GHSA-q4v7-4rhw-9hqm
No fix available
node_modules/node-serialize

path-to-regexp <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/path-to-regexp

qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install express@4.21.1, which is outside the stated dependency range
node_modules/express/node_modules/qs
node_modules/qs

semver <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver
  require_optional
  Depends on vulnerable versions of semver
  node_modules/require_optional

uglify-js <=2.5.0
Severity: critical
Regular Expression Denial of Service in uglify-js - https://github.com/advisories/GHSA-c9f4-xj24-8jqx
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - https://github.com/advisories/GHSA-34r7-q49f-h37c
fix available via `npm audit fix --force`
Will install jade@1.9.2, which is a breaking change
node_modules/transformers/node_modules/uglify-js
  transformers >=2.0.0
  Depends on vulnerable versions of uglify-js
  node_modules/transformers

validator <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

47 vulnerabilities (3 low, 9 moderate, 22 high, 13 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.