xibyte / jsketcher

Parametric 2D and 3D modeler written in pure javascript
http://web-cad.org

critical vulnerabilities #192

Open wanfuse123 opened 1 year ago

wanfuse123 commented 1 year ago

2 critical severity vulnerabilities (how do I fix them?)

    Some issues need review, and may require choosing a different dependency.

    Run `npm audit` for details.
    (base) steven@Desktop-1d:/backup/jsketcher$ npm audit
    # npm audit report

    loader-utils  <1.4.1
    Severity: critical
    Prototype pollution in webpack loader-utils - https://github.com/advisories/GHSA-76p3-8jx3-jpfq
    No fix available
    node_modules/less-vars-loader/node_modules/loader-utils
      less-vars-loader  *
      Depends on vulnerable versions of loader-utils
      node_modules/less-vars-loader

    2 critical severity vulnerabilities

    Some issues need review, and may require choosing a different dependency.
    (base) steven@Desktop-1d:/backup/jsketcher$ npm update less-vars-loader loader-utils

    up to date, audited 1049 packages in 2s

    128 packages are looking for funding
      run `npm fund` for details

    2 critical severity vulnerabilities

    Some issues need review, and may require choosing a different dependency.

    Run `npm audit` for details.

mmiscool commented 1 year ago

So I upgraded all the packages in the dev branch. Did not test everything for regressions, but the 2D and 3D environments seemed to be working.

After upgrading all the packages I was still getting vulnerability warnings. If you remove the 2 electron packages, these warnings go away.

    "electron": "^22.0.0",
    "electron-builder": "^22.10.3",

For now I don't think it is a big issue. The electron packages are only used to make the desktop application builds and are not included in the webpack bundle that is served using `npm run start` or `npm run build`.
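Two things the thread leaves as manual steps can be scripted: checking whether the package that drags in the vulnerable `loader-utils` is declared only as a dev dependency (the reasoning in the second comment, and what `npm audit --omit=dev` does on recent npm), and forcing a patched `loader-utils` under `less-vars-loader` with the npm `overrides` field, which is the usual answer when `npm audit` reports "No fix available" and `npm update` cannot move past the range the direct dependency declares. The script below is an added example, not jsketcher code and not from either commenter. It assumes npm 8.3 or newer (the release that introduced `overrides`); the range `^1.4.1` is chosen only because the advisory lists `loader-utils <1.4.1` as affected; the sample package.json is constructed for the example, with the electron ranges taken from the thread and a placeholder range for `less-vars-loader`.

```javascript
// Added example (not jsketcher code): pin a vulnerable transitive dependency with the
// npm "overrides" field, and check whether the package that pulls it in is dev-only.
// Assumptions: npm >= 8.3 (overrides support); "^1.4.1" is used only because the
// advisory in the thread lists loader-utils <1.4.1 as affected.

const DIRECT_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Constructed sample package.json. The electron ranges are the ones quoted in the
// thread; the less-vars-loader range is a placeholder, not the project's real spec.
const SAMPLE_PKG = {
  name: "sample-app",
  version: "0.0.0",
  dependencies: {},
  devDependencies: {
    "less-vars-loader": "^1.0.0",
    electron: "^22.0.0",
    "electron-builder": "^22.10.3",
  },
};

// True when `name` is declared only under devDependencies. `npm audit --omit=dev`
// drops findings whose whole chain is dev-only, which is the check made by hand above.
function isDevOnly(pkg, name) {
  const inDev = Boolean(pkg.devDependencies && name in pkg.devDependencies);
  const inRuntime = DIRECT_FIELDS.filter((f) => f !== "devDependencies")
    .some((f) => pkg[f] && name in pkg[f]);
  return inDev && !inRuntime;
}

// Return a copy of `pkg` with overrides[parent][dep] = range, so npm resolves `dep` to
// `range` only where `parent` requires it. Existing overrides are preserved. npm rejects
// an override of a package you also depend on directly unless the specs agree, so that
// case is refused here rather than emitting a package.json npm will not install.
function addNpmOverride(pkg, parent, dep, range) {
  const direct = DIRECT_FIELDS.find((f) => pkg[f] && dep in pkg[f]);
  if (direct && pkg[direct][dep] !== range) {
    throw new Error(
      `${dep} is a direct ${direct} entry (${pkg[direct][dep]}); ` +
      `the override must match it or use the "$${dep}" reference form`
    );
  }
  const out = JSON.parse(JSON.stringify(pkg)); // deep copy; package.json is plain JSON
  out.overrides = out.overrides || {};
  const existing = out.overrides[parent];
  if (typeof existing === "string") {
    // A string value pins `parent` itself; npm expresses that inside a nested
    // object with the "." key, so keep it while adding the child rule.
    out.overrides[parent] = { ".": existing };
  } else if (typeof existing !== "object" || existing === null) {
    out.overrides[parent] = {};
  }
  out.overrides[parent][dep] = range;
  return out;
}

// Worked run against the constructed sample.
function demo() {
  const fixed = addNpmOverride(SAMPLE_PKG, "less-vars-loader", "loader-utils", "^1.4.1");
  return {
    devOnly: isDevOnly(SAMPLE_PKG, "electron-builder"),
    overrides: fixed.overrides,
    json: JSON.stringify(fixed, null, 2),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log(r.json);
  // Next, in the project: npm install && npm ls loader-utils && npm audit
}
```

After writing the result back to package.json, `npm install` regenerates the lockfile, `npm ls loader-utils` shows which version now sits under `less-vars-loader`, and a clean `npm audit` confirms the finding is gone. The override only changes the resolved version, so the upgraded build still needs the same regression check the second comment describes.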