BuilderIO/mitosis

critical/high Vulnerabilities

paul-asvb opened this issue · 0 comments

I am interested in helping provide a fix!

Yes

Which generators are impacted?

  • All
  • Angular
  • HTML
  • Preact
  • Qwik
  • React
  • React-Native
  • Solid
  • Stencil
  • Svelte
  • Vue
  • Web components

Reproduction case

No UI Problem

Expected Behaviour

Have no CRITICAL / HIGH vulnerabilities

Actual Behaviour

pnpm audit + trivy audit both get the same vulnerabilities:

| Severity | Vulnerability Description | Package | Vulnerable Versions | Patched Versions | Paths | More Info |
|---|---|---|---|---|---|---|
| critical | vm2 Sandbox Escape vulnerability | vm2 | <=3.9.19 | <0.0.0 | `. > vm2@3.9.19`<br>`mypackage > @builder.io/mitosis@0.0.112 > @builder.io/react@1.1.52 > vm2@3.9.19`<br>`mypackage > @builder.io/mitosis-cli@0.0.80 > @builder.io/mitosis@0.0.122 > @builder.io/react@1.1.52 > vm2@3.9.19` | Link |
| critical | Prototype Pollution in lodash | lodash.template | <4.5.0 | >=4.5.0 | `. > lodash.template@4.2.4`<br>`mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > lodash.template@4.2.4` | Link |
| high | glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex | glob-parent | <5.1.2 | >=5.1.2 | `mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > vinyl-fs@2.4.3 > glob-stream@5.3.5 > glob-parent@3.1.0`<br>`mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > vinyl-fs@2.4.3 > glob-stream@5.3.5 > micromatch@2.3.11 > parse-glob@3.0.4 > glob-base@0.3.0 > glob-parent@2.0.0` | Link |
| high | node-fetch forwards secure headers to untrusted sites | node-fetch | <2.6.7 | >=2.6.7 | `mypackage > @builder.io/mitosis@0.0.112 > @builder.io/react@1.1.52 > create-react-context@0.2.3 > fbjs@0.8.18 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3`<br>`mypackage > @builder.io/mitosis-cli@0.0.80 > @builder.io/mitosis@0.0.122 > @builder.io/react@1.1.52 > create-react-context@0.2.3 > fbjs@0.8.18 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3` | Link |

Additional Information

I love this project, happy to provide a fix.
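The report above is the kind of output a dependency-audit gate has to triage: which findings cross the critical/high bar, which transitive path pulls each vulnerable package in, and, as with vm2 here (patched versions `<0.0.0`), which advisories have no fixed release at all and can only be resolved by removing or replacing the dependency. The following script is an added example, not code from the mitosis project or the issue author. It assumes the npm-audit-v1 JSON shape (an `advisories` object keyed by advisory id, each with `severity`, `module_name`, `patched_versions` and `findings[].paths`) that `pnpm audit --json` emits; the embedded report is constructed to mirror the table above, and its advisory ids and URLs are placeholders.

```python
"""Triage an npm-audit-v1 style JSON report (the shape `pnpm audit --json` emits):
keep findings at or above a severity gate, render the transitive paths, and
flag advisories for which the registry reports no patched release.
Added example; the sample report is constructed and not a real audit run."""
from __future__ import annotations
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}
NO_FIX = "<0.0.0"  # sentinel the registry uses when no release resolves the advisory

# Constructed sample modelled on the issue's table; ids and URLs are placeholders.
SAMPLE_REPORT = json.dumps({"advisories": {
    "1": {"id": 1, "module_name": "vm2", "severity": "critical",
          "title": "vm2 Sandbox Escape vulnerability",
          "vulnerable_versions": "<=3.9.19", "patched_versions": "<0.0.0",
          "url": "https://example.invalid/advisory/1",
          "findings": [{"version": "3.9.19", "paths": [
              "@builder.io/mitosis>@builder.io/react>vm2",
              "@builder.io/mitosis-cli>@builder.io/mitosis>@builder.io/react>vm2"]}]},
    "2": {"id": 2, "module_name": "lodash.template", "severity": "critical",
          "title": "Prototype Pollution in lodash",
          "vulnerable_versions": "<4.5.0", "patched_versions": ">=4.5.0",
          "url": "https://example.invalid/advisory/2",
          "findings": [{"version": "4.2.4", "paths": [
              "@builder.io/mitosis>module>lodash.template"]}]},
    "3": {"id": 3, "module_name": "glob-parent", "severity": "high",
          "title": "glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex",
          "vulnerable_versions": "<5.1.2", "patched_versions": ">=5.1.2",
          "url": "https://example.invalid/advisory/3",
          "findings": [
              {"version": "3.1.0", "paths": ["@builder.io/mitosis>module>vinyl-fs>glob-stream>glob-parent"]},
              {"version": "2.0.0", "paths": ["@builder.io/mitosis>module>vinyl-fs>glob-stream>micromatch>parse-glob>glob-base>glob-parent"]}]},
    # Constructed moderate finding, present only to show the gate filtering it out.
    "4": {"id": 4, "module_name": "example-pkg", "severity": "moderate",
          "title": "Constructed moderate advisory",
          "vulnerable_versions": "<1.0.1", "patched_versions": ">=1.0.1",
          "url": "https://example.invalid/advisory/4",
          "findings": [{"version": "1.0.0", "paths": ["some-tool>example-pkg"]}]},
}})


@dataclass
class Finding:
    severity: str
    package: str
    title: str
    installed: str
    patched: str
    paths: list[str] = field(default_factory=list)

    @property
    def fix_available(self) -> bool:
        # "<0.0.0" means no version satisfies the advisory: upgrading cannot fix it.
        return self.patched != NO_FIX


def triage(report_json: str, min_severity: str = "high") -> list[Finding]:
    """Return one Finding per (advisory, installed version) at or above the gate, most severe first."""
    report = json.loads(report_json)
    gate = SEVERITY_RANK[min_severity]
    out: list[Finding] = []
    for adv in report.get("advisories", {}).values():
        if SEVERITY_RANK.get(adv["severity"], 0) < gate:
            continue
        for f in adv["findings"]:
            # Audit paths are ">"-joined package names; render them like the CLI table
            # and append the resolved version so the exact install is identifiable.
            rendered = [" > ".join(p.split(">")) + f"@{f['version']}" for p in f["paths"]]
            out.append(Finding(adv["severity"], adv["module_name"], adv["title"],
                               f["version"], adv["patched_versions"], rendered))
    out.sort(key=lambda x: -SEVERITY_RANK[x.severity])  # stable: keeps report order within a level
    return out


def top_level_offenders(findings: list[Finding]) -> set[str]:
    """Direct dependencies (first hop of each path) that pull a vulnerable package in."""
    return {p.split(" > ")[0] for f in findings for p in f.paths}


def summarize(findings: list[Finding]) -> list[str]:
    """One line per finding stating the remediation: upgrade, or remove/replace when no fix exists."""
    lines = []
    for f in findings:
        action = f"upgrade to {f.patched}" if f.fix_available else "no patched release, remove or replace the dependency"
        lines.append(f"{f.severity:<8} {f.package}@{f.installed}: {f.title} [{action}]")
        lines.extend(f"    via {p}" for p in f.paths)
    return lines


if __name__ == "__main__":
    # Usage: pnpm audit --json > audit.json && python triage.py audit.json
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = triage(src, "high")
    print("\n".join(summarize(found)))
    print("direct dependencies to act on:", ", ".join(sorted(top_level_offenders(found))))
    sys.exit(1 if found else 0)  # non-zero exit makes this usable as a CI gate
```

The gate is deliberately severity-only, matching the expectation stated in the issue; the useful distinction the script adds is between findings an upgrade (or a package-manager override to a patched version) can close and findings like vm2's, where the only remediation is dropping the dependency that pulls it in.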