Security issues and a dependency clash with esbuild
SuperSonicHub1 opened this issue · 0 comments
SuperSonicHub1 commented
On running `npm audit`:

```text
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install prettier-eslint@8.2.2, which is a breaking change
node_modules/ansi-align/node_modules/ansi-regex
node_modules/ansi-regex
node_modules/strip-ansi/node_modules/ansi-regex
pretty-format 20.1.0-alpha.1 - 25.0.0
Depends on vulnerable versions of ansi-regex
node_modules/pretty-format
prettier-eslint >=8.2.3
Depends on vulnerable versions of pretty-format
node_modules/prettier-eslint
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/ansi-align/node_modules/strip-ansi
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/ansi-align/node_modules/string-width
ansi-align 3.0.0
Depends on vulnerable versions of string-width
node_modules/ansi-align
css-what 4.0.0 - 5.0.0
Severity: high
Denial of service in css-what - https://github.com/advisories/GHSA-q8pj-2vqx-8ggc
fix available via `npm audit fix`
node_modules/css-what
cheerio-select-tmp *
Depends on vulnerable versions of css-what
node_modules/cheerio-select-tmp
cheerio 1.0.0-rc.1 - 1.0.0-rc.5
Depends on vulnerable versions of cheerio-select-tmp
node_modules/cheerio
css-select 3.1.1 - 3.1.2
Depends on vulnerable versions of css-what
node_modules/css-select
express-handlebars <5.3.1
Severity: high
Insecure template handling in Express-handlebars - https://github.com/advisories/GHSA-fr76-2wp8-fp92
fix available via `npm audit fix`
node_modules/express-handlebars
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/cpy/node_modules/glob-parent
fast-glob <=2.2.7
Depends on vulnerable versions of glob-parent
node_modules/cpy/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/cpy/node_modules/globby
cpy 7.0.0 - 8.1.2
Depends on vulnerable versions of globby
node_modules/cpy
esbuild-node-tsc *
Depends on vulnerable versions of cpy
node_modules/esbuild-node-tsc
json-schema <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
Depends on vulnerable versions of json-schema
node_modules/jsprim
path-parse <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse
19 vulnerabilities (9 moderate, 10 high)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
```
Looks like a bunch of stuff that needs to be fixed. Let's run `npm audit fix`:

```text
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: adolla@1.0.0
npm ERR! Found: esbuild@0.7.22
npm ERR! node_modules/esbuild
npm ERR! optional esbuild@"^0.7.22" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer esbuild@">=0.13.0" from esbuild-node-tsc@1.8.3
npm ERR! node_modules/esbuild-node-tsc
npm ERR! optional esbuild-node-tsc@"^1.0.5" from the root project
```
Seems like there's a dependency clash between esbuild and this TypeScript plugin you've added which gets in the way of `npm audit fix` running; this likely happened due to the nature of `optionalDependencies`. I'd recommend you fix this conflict and then resolve these security issues, seeing as this is a network-exposed service after all.