critical/high Vulnerabilities
paul-asvb opened this issue · 0 comments
paul-asvb commented
I am interested in helping provide a fix!
Yes
Which generators are impacted?
- All
- Angular
- HTML
- Preact
- Qwik
- React
- React-Native
- Solid
- Stencil
- Svelte
- Vue
- Web components
Reproduction case
No UI Problem
Expected Behaviour
Have no CRITICAL / HIGH vulnerabilities
Actual Behaviour
pnpm audit + trivy audit both get the same vulnerabilities:
| Severity | Vulnerability Description | Package | Vulnerable Versions | Patched Versions | Paths | More Info |
|---|---|---|---|---|---|---|
| critical | vm2 Sandbox Escape vulnerability | vm2 | <=3.9.19 | <0.0.0 | . > vm2@3.9.19<br>mypackage > @builder.io/mitosis@0.0.112 > @builder.io/react@1.1.52 > vm2@3.9.19<br>mypackage > @builder.io/mitosis-cli@0.0.80 > @builder.io/mitosis@0.0.122 > @builder.io/react@1.1.52 > vm2@3.9.19 | Link |
| critical | Prototype Pollution in lodash | lodash.template | <4.5.0 | >=4.5.0 | . > lodash.template@4.2.4<br>mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > lodash.template@4.2.4 | Link |
| high | glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex | glob-parent | <5.1.2 | >=5.1.2 | mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > vinyl-fs@2.4.3 > glob-stream@5.3.5 > glob-parent@3.1.0<br>mypackage > @builder.io/mitosis@0.0.112 > module@1.2.5 > vinyl-fs@2.4.3 > glob-stream@5.3.5 > micromatch@2.3.11 > parse-glob@3.0.4 > glob-base@0.3.0 > glob-parent@2.0.0 | Link |
| high | node-fetch forwards secure headers to untrusted sites | node-fetch | <2.6.7 | >=2.6.7 | mypackage > @builder.io/mitosis@0.0.112 > @builder.io/react@1.1.52 > create-react-context@0.2.3 > fbjs@0.8.18 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3<br>mypackage > @builder.io/mitosis-cli@0.0.80 > @builder.io/mitosis@0.0.122 > @builder.io/react@1.1.52 > create-react-context@0.2.3 > fbjs@0.8.18 > isomorphic-fetch@2.2.1 > node-fetch@1.7.3 | Link |
Additional Information
I love this project, happy to provide a fix.