You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As of today (d969b3e), the project seems to be using a bunch of vulnerable dependencies. Please update the dependencies:
# npm audit report
@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component
glob-parent <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install xo@0.58.0, which is a breaking change
node_modules/xo/node_modules/glob-parent
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/xo/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/xo/node_modules/globby
xo 0.4.0 - 0.41.0
Depends on vulnerable versions of globby
Depends on vulnerable versions of update-notifier
node_modules/xo
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install npm-keyword@8.0.0, which is a breaking change
node_modules/latest-version/node_modules/got
node_modules/npm-keyword/node_modules/got
node_modules/update-notifier/node_modules/got
npm-keyword <=6.1.0
Depends on vulnerable versions of got
node_modules/npm-keyword
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/latest-version/node_modules/package-json
node_modules/update-notifier/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
node_modules/update-notifier/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
yeoman-doctor >=1.4.0
Depends on vulnerable versions of bin-version-check
Depends on vulnerable versions of latest-version
node_modules/yeoman-doctor
ip 2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
json-schema <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim
lodash.set *
Severity: high
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix`
node_modules/lodash.set
nock 13.0.0-beta.1 - 13.2.4
Depends on vulnerable versions of lodash.set
node_modules/nock
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of nanoid
node_modules/mocha
mockery *
Severity: critical
mockery is vulnerable to prototype pollution - https://github.com/advisories/GHSA-gmwp-3pwc-3j3g
No fix available
node_modules/mockery
nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/nanoid
qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/request/node_modules/qs
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
coveralls *
Depends on vulnerable versions of request
node_modules/coveralls
semver-regex <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install yeoman-doctor@2.1.0, which is a breaking change
node_modules/semver-regex
find-versions <=3.2.0
Depends on vulnerable versions of semver-regex
node_modules/find-versions
bin-version <=4.0.0
Depends on vulnerable versions of find-versions
node_modules/bin-version
bin-version-check <=4.0.0
Depends on vulnerable versions of bin-version
node_modules/bin-version-check
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar
terser 5.0.0 - 5.14.1
Severity: high
Terser insecure use of regular expressions leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser-webpack-plugin/node_modules/terser
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/request/node_modules/tough-cookie
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix --force`
Will install meow@13.2.0, which is a breaking change
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
Depends on vulnerable versions of yargs-parser
node_modules/meow
webpack 5.0.0 - 5.75.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install meow@13.2.0, which is a breaking change
node_modules/meow/node_modules/yargs-parser
36 vulnerabilities (13 moderate, 18 high, 5 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Steps to recreate
Start a container with node image:
docker run -it node@sha256:cbd62dc7ba7e50d01520f2c0a8d9853ec872187fa806ed61d0f87081c220386d bash
Inside the container run the following commands:
npm --version
git clone https://github.com/yeoman/yo
cd yo
npm audit
The text was updated successfully, but these errors were encountered:
Problem
As of today (d969b3e), the project seems to be using a bunch of vulnerable dependencies. Please update the dependencies:
Steps to recreate
Start a container with node image:
Inside the container run the following commands:
npm --version git clone https://github.com/yeoman/yo cd yo npm auditThe text was updated successfully, but these errors were encountered: