Open github-actions[bot] opened 2 years ago
# npm audit report
ansi-html *
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix --force`
Will install @tarojs/webpack-runner@3.0.29, which is a breaking change
node_modules/ansi-html
@pmmmwh/react-refresh-webpack-plugin <=0.5.0-rc.6
Depends on vulnerable versions of ansi-html
node_modules/@pmmmwh/react-refresh-webpack-plugin
@tarojs/webpack-runner 0.0.0-experimental.2 || 0.0.26 - 0.0.68-beta.4 || >=1.2.9
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@tarojs/webpack-runner
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
No fix available
node_modules/@tarojs/cli/node_modules/ansi-regex
node_modules/@tarojs/transformer-wx/node_modules/ansi-regex
node_modules/@tarojs/transformer-wx/node_modules/inquirer/node_modules/ansi-regex
node_modules/ansi-align/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/boxen/node_modules/ansi-regex
node_modules/stylelint/node_modules/ansi-regex
node_modules/widest-line/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/@tarojs/cli/node_modules/strip-ansi
node_modules/@tarojs/transformer-wx/node_modules/inquirer/node_modules/strip-ansi
node_modules/@tarojs/transformer-wx/node_modules/strip-ansi
node_modules/ansi-align/node_modules/strip-ansi
node_modules/boxen/node_modules/strip-ansi
node_modules/strip-ansi
node_modules/stylelint/node_modules/strip-ansi
node_modules/widest-line/node_modules/strip-ansi
cliui 4.0.0 - 5.0.0
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of wrap-ansi
node_modules/cliui
yargs 10.1.0 - 15.0.0
Depends on vulnerable versions of cliui
Depends on vulnerable versions of string-width
node_modules/yargs
depcheck 0.8.0 - 0.9.1
Depends on vulnerable versions of yargs
node_modules/depcheck
npm-check >=5.0.1
Depends on vulnerable versions of depcheck
Depends on vulnerable versions of meow
node_modules/npm-check
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
@tarojs/webpack-runner 0.0.0-experimental.2 || 0.0.26 - 0.0.68-beta.4 || >=1.2.9
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@tarojs/webpack-runner
eslint 4.5.0 - 7.15.0
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of table
node_modules/@tarojs/transformer-wx/node_modules/eslint
node_modules/eslint
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
@tarojs/transformer-wx >=1.2.0-alpha.0
Depends on vulnerable versions of eslint
node_modules/@tarojs/transformer-wx
eslint-plugin-vue 5.0.0-beta.0 - 7.0.0-beta.4
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-vue
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/@tarojs/cli/node_modules/inquirer
node_modules/@tarojs/transformer-wx/node_modules/inquirer
ora 2.0.0 - 4.0.2
Depends on vulnerable versions of strip-ansi
node_modules/@tarojs/cli/node_modules/ora
node_modules/ora
@tarojs/mini-runner *
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of ora
Depends on vulnerable versions of webpack
node_modules/@tarojs/mini-runner
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/@tarojs/cli/node_modules/string-width
node_modules/@tarojs/transformer-wx/node_modules/string-width
node_modules/ansi-align/node_modules/string-width
node_modules/boxen/node_modules/string-width
node_modules/string-width
node_modules/stylelint/node_modules/string-width
node_modules/widest-line/node_modules/string-width
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
table 4.0.2 - 5.4.6
Depends on vulnerable versions of string-width
node_modules/stylelint/node_modules/table
node_modules/table
widest-line 2.0.0 - 2.0.1
Depends on vulnerable versions of string-width
node_modules/widest-line
boxen 1.3.0 - 3.2.0
Depends on vulnerable versions of widest-line
node_modules/boxen
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/wrap-ansi
braces <2.3.1
Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4
No fix available
node_modules/stylelint/node_modules/micromatch/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/stylelint/node_modules/micromatch
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @tarojs/webpack-runner@3.0.29, which is a breaking change
node_modules/@tarojs/webpack-runner/node_modules/glob-parent
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/glob-base/node_modules/glob-parent
node_modules/glob-stream/node_modules/glob-parent
node_modules/mem-fs-editor/node_modules/glob-parent
node_modules/stylelint/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/webpack
@tarojs/mini-runner *
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of ora
Depends on vulnerable versions of webpack
node_modules/@tarojs/mini-runner
@tarojs/webpack-runner 0.0.0-experimental.2 || 0.0.26 - 0.0.68-beta.4 || >=1.2.9
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@tarojs/webpack-runner
webpack-dev-server 2.0.0-beta - 4.1.0
Depends on vulnerable versions of ansi-html
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of yargs
node_modules/webpack-dev-server
copy-webpack-plugin 4.3.0 - 5.1.2
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of serialize-javascript
node_modules/@tarojs/webpack-runner/node_modules/copy-webpack-plugin
node_modules/copy-webpack-plugin
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/mem-fs-editor/node_modules/fast-glob
node_modules/stylelint/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/mem-fs-editor/node_modules/globby
node_modules/stylelint/node_modules/globby
mem-fs-editor 4.0.1 - 4.0.2 || 5.0.0 - 6.0.0 || 7.0.1 - 7.1.0
Depends on vulnerable versions of globby
node_modules/mem-fs-editor
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/stylelint/node_modules/micromatch
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
jpeg-js <0.4.0
Severity: moderate
Uncontrolled resource consumption in jpeg-js - https://github.com/advisories/GHSA-w7q9-p3jq-fmhm
fix available via `npm audit fix --force`
Will install miniprogram-ci@1.0.1, which is a breaking change
node_modules/jpeg-js
@jimp/jpeg <=0.12.0
Depends on vulnerable versions of jpeg-js
node_modules/@jimp/jpeg
@jimp/types <=0.11.1-canary.891.908.0
Depends on vulnerable versions of @jimp/jpeg
node_modules/@jimp/types
jimp 0.3.6-alpha.5 - 0.11.1-canary.891.908.0
Depends on vulnerable versions of @jimp/types
node_modules/jimp
miniprogram-ci >=1.0.2
Depends on vulnerable versions of jimp
node_modules/miniprogram-ci
json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim
node-fetch <2.6.1
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
No fix available
node_modules/node-fetch
isomorphic-fetch 2.0.0 - 2.2.1
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
postcss 7.0.0 - 7.0.35
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-hwj9-h5mp-3pm3
fix available via `npm audit fix --force`
Will install @tarojs/webpack-runner@3.0.29, which is a breaking change
node_modules/@tarojs/webpack-runner/node_modules/resolve-url-loader/node_modules/postcss
resolve-url-loader 3.0.1 - 3.1.3 || 4.0.0-alpha.1 - 4.0.0-beta.2
Depends on vulnerable versions of postcss
node_modules/@tarojs/webpack-runner/node_modules/resolve-url-loader
@tarojs/webpack-runner 0.0.0-experimental.2 || 0.0.26 - 0.0.68-beta.4 || >=1.2.9
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@tarojs/webpack-runner
serialize-javascript <3.1.0
Severity: high
Insecure serialization leading to RCE in serialize-javascript - https://github.com/advisories/GHSA-hxcc-f52p-wc94
fix available via `npm audit fix --force`
Will install @tarojs/webpack-runner@3.0.29, which is a breaking change
node_modules/@tarojs/webpack-runner/node_modules/serialize-javascript
copy-webpack-plugin 4.3.0 - 5.1.2
Depends on vulnerable versions of glob-parent
Depends on vulnerable versions of serialize-javascript
node_modules/@tarojs/webpack-runner/node_modules/copy-webpack-plugin
node_modules/copy-webpack-plugin
@tarojs/mini-runner *
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of ora
Depends on vulnerable versions of webpack
node_modules/@tarojs/mini-runner
@tarojs/webpack-runner 0.0.0-experimental.2 || 0.0.26 - 0.0.68-beta.4 || >=1.2.9
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of copy-webpack-plugin
Depends on vulnerable versions of resolve-url-loader
Depends on vulnerable versions of webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@tarojs/webpack-runner
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
No fix available
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
remark 5.0.0 - 12.0.1
Depends on vulnerable versions of remark-parse
node_modules/remark
postcss-markdown <=0.36.0
Depends on vulnerable versions of remark
node_modules/postcss-markdown
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
trim-newlines <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
No fix available
node_modules/npm-check/node_modules/trim-newlines
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
Depends on vulnerable versions of yargs-parser
node_modules/meow
node_modules/npm-check/node_modules/meow
npm-check >=5.0.1
Depends on vulnerable versions of depcheck
Depends on vulnerable versions of meow
node_modules/npm-check
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/meow/node_modules/yargs-parser
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
Depends on vulnerable versions of yargs-parser
node_modules/meow
node_modules/npm-check/node_modules/meow
npm-check >=5.0.1
Depends on vulnerable versions of depcheck
Depends on vulnerable versions of meow
node_modules/npm-check
stylelint 7.7.1 - 13.6.1
Depends on vulnerable versions of globby
Depends on vulnerable versions of meow
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of postcss-markdown
Depends on vulnerable versions of string-width
Depends on vulnerable versions of table
node_modules/@tarojs/cli/node_modules/stylelint
node_modules/stylelint
@tarojs/cli *
Depends on vulnerable versions of @tarojs/transformer-wx
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-vue
Depends on vulnerable versions of fbjs
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of mem-fs-editor
Depends on vulnerable versions of ora
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of vinyl-fs
node_modules/@tarojs/cli
58 vulnerabilities (4 low, 25 moderate, 29 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing a different dependency.