SOHU-Co/kafka-node

Need to Fix All vulnerabilities of Kafka-node

mma3069 opened this issue · 2 comments

Hi Team, as part of security and vulnerability checking we have downloaded the code and ran npm audit:

We found 27 vulnerabilities, which are high, critical and moderate in number. Please find the logs below. As part of our internal audit fix, we have modified snappy as a dependency to version 7.1.1 (also we moved it from an optional dependency to a regular dependency).
We are running the latest node version 16.13.0 LTS.
We request you to kindly fix all vulnerabilities and release the latest version of Kafka-node.

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\Users\mma3069\webStormWorkspace\kafka-node> npm audit

npm audit report

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - GHSA-93q8-gq69-wqmw
fix available via npm audit fix --force
Will install eslint@8.8.0, which is a breaking change
node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/inquirer/node_modules/strip-ansi
node_modules/strip-ansi
node_modules/table/node_modules/strip-ansi
eslint 4.5.0 - 7.15.0
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
Depends on vulnerable versions of table
node_modules/eslint
inquirer 3.2.0 - 7.0.4
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/inquirer
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/string-width
node_modules/table/node_modules/string-width
table 4.0.2 - 5.4.6
Depends on vulnerable versions of string-width
node_modules/table

cryptiles <=4.1.1
Severity: critical
Insufficient Entropy in cryptiles - GHSA-rq8g-5pc5-wrhr
Depends on vulnerable versions of boom
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/cryptiles
hawk 0.0.6 - 6.0.2
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
node_modules/hawk
request 2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls

debug <2.6.9
Regular Expression Denial of Service in debug - GHSA-gxpj-cx7g-858c
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/mocha/node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

diff <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - GHSA-h6ch-v84p-w6p9
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

growl <1.10.0
Severity: critical
Command Injection in growl - GHSA-qh2h-chj9-jffq
fix available via npm audit fix --force
Will install mocha@9.2.0, which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

hoek <4.2.1
Severity: moderate
Prototype Pollution in hoek - GHSA-jp4x-w63m-7wgm
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/hoek
boom <=3.1.2
Depends on vulnerable versions of hoek
node_modules/boom
cryptiles <=4.1.1
Depends on vulnerable versions of boom
node_modules/cryptiles
hawk 0.0.6 - 6.0.2
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
node_modules/hawk
request 2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
sntp 0.0.0 || 0.1.1 - 2.0.0
Depends on vulnerable versions of hoek
node_modules/sntp

js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - GHSA-2pr6-76vf-7546
Code Injection in js-yaml - GHSA-8j8c-7jfh-h6hx
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/js-yaml
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls

minimist >=1.0.0 <1.2.3 || <0.2.1
Severity: moderate
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/minimist
node_modules/mocha/node_modules/minimist
node_modules/optimist/node_modules/minimist
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mocha/node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist

trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - GHSA-w5p7-h5w8-2hfq
fix available via npm audit fix
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
@textlint/markdown-to-ast 6.0.8 - 6.3.5
Depends on vulnerable versions of remark-parse
node_modules/@textlint/markdown-to-ast
doctoc >=1.3.0
Depends on vulnerable versions of @textlint/markdown-to-ast
Depends on vulnerable versions of underscore
node_modules/doctoc

tunnel-agent <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - GHSA-xc7v-wxcw-j472
fix available via npm audit fix --force
Will install coveralls@3.1.1, which is a breaking change
node_modules/tunnel-agent
request 2.16.0 - 2.83.0 || 2.85.0 - 2.86.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq
fix available via npm audit fix
node_modules/underscore
doctoc >=1.3.0
Depends on vulnerable versions of @textlint/markdown-to-ast
Depends on vulnerable versions of underscore
node_modules/doctoc

27 vulnerabilities (1 low, 14 moderate, 7 high, 5 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force
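A triage helper, added here and not part of the issue or of kafka-node, that reads `npm audit --json` (auditReportVersion 2) output and separates root advisories from packages flagged only because a dependency is vulnerable, noting which roots need a forced, semver-major upgrade. The embedded JSON is a constructed excerpt modelled on three findings in the report above (growl, mocha, trim); field names follow npm's report format.

```python
import json
from collections import Counter

# Constructed excerpt of `npm audit --json` (auditReportVersion 2) output, shaped like the
# report pasted in the issue; three of its findings, not the project's real output.
SAMPLE_AUDIT_JSON = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "growl": {"name": "growl", "severity": "critical", "isDirect": False,
                  "via": [{"name": "growl", "title": "Command Injection in growl",
                           "url": "https://github.com/advisories/GHSA-qh2h-chj9-jffq",
                           "severity": "critical", "range": "<1.10.0"}],
                  "effects": ["mocha"], "range": "<1.10.0", "nodes": ["node_modules/growl"],
                  "fixAvailable": {"name": "mocha", "version": "9.2.0", "isSemVerMajor": True}},
        "mocha": {"name": "mocha", "severity": "critical", "isDirect": True, "via": ["growl"],
                  "effects": [], "range": "0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0",
                  "nodes": ["node_modules/mocha"],
                  "fixAvailable": {"name": "mocha", "version": "9.2.0", "isSemVerMajor": True}},
        "trim": {"name": "trim", "severity": "high", "isDirect": False,
                 "via": [{"name": "trim", "title": "Regular Expression Denial of Service in trim",
                          "url": "https://github.com/advisories/GHSA-w5p7-h5w8-2hfq",
                          "severity": "high", "range": "<0.0.3"}],
                 "effects": ["remark-parse"], "range": "<0.0.3", "nodes": ["node_modules/trim"],
                 "fixAvailable": True},
    },
})

def triage(audit_json: str) -> dict:
    """Separate root advisories from packages flagged only because a dependency is
    vulnerable, and record whether each root needs a breaking (--force) upgrade."""
    report = json.loads(audit_json)
    roots, transitive_only = {}, []
    for name, vuln in report["vulnerabilities"].items():
        # A dict in "via" is an advisory against this package itself; a plain string
        # only names another vulnerable package that this one depends on.
        advisories = [v for v in vuln["via"] if isinstance(v, dict)]
        if not advisories:
            transitive_only.append(name)
            continue
        fix = vuln.get("fixAvailable")  # True: `npm audit fix`; dict: forced upgrade; False: none
        roots[name] = {
            "severity": vuln["severity"],
            "direct": vuln["isDirect"],
            "advisories": [a["url"].rsplit("/", 1)[-1] for a in advisories],
            "breaking_fix": isinstance(fix, dict) and bool(fix.get("isSemVerMajor")),
        }
    by_severity = Counter(r["severity"] for r in roots.values())
    return {"roots": roots, "transitive_only": transitive_only, "by_severity": dict(by_severity)}
```

Running `triage` over a real `npm audit --json` dump shows how many of the 27 findings collapse to a handful of root advisories, and which of those can be cleared without a breaking upgrade.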

If you install using npm install --no-optional,
some of the vulnerabilities go away.

Also, as per #1445,
maybe the repo is not maintained, and so maybe it's time to move out... dunno.
But the suggestion seems to be kafkajs.
Also I read:
tulios/kafkajs#289