XeroAPI/xero-node

Looping between versions due to vulnerabilities

allanquartz opened this issue · 2 comments

SDK you're using (please complete the following information):

  • Version [e.g. 3.x.x]
  • latest

Describe the bug
A clear and concise description of what the bug is.
audit keeps looping between versions to fix vulnerabilities

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

install latest and then try to force audit fixes

Expected behavior
A clear and concise description of what you expected to happen.
Vulnerabilities get fixed

Screenshots
If applicable, add screenshots to help explain your problem.

See npm help init for definitive documentation on these fields
and exactly what they do.

Use npm install <pkg> afterwards to install a package and
save it as a dependency in the package.json file.

package name: (xero) xero
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to C:\Xero\package.json:

{
  "dependencies": {
    "xero-node": "^4.33.0"
  },
  "name": "xero",
  "version": "1.0.0",
  "main": "index.js",
  "devDependencies": {},
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "description": ""
}

Is this OK? (yes)

C:\Xero>npm install xero-node

up to date, audited 90 packages in 1s

13 packages are looking for funding
run npm fund for details

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 3.1.2, which is a SemVer major change.
npm WARN deprecated highlight.js@9.18.5: Support has ended for 9.x series. Upgrade to @latest

added 41 packages, removed 86 packages, changed 1 package, and audited 45 packages in 47s

5 packages are looking for funding
run npm fund for details

npm audit report

highlight.js 9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - GHSA-7wwv-vh3v-89cq
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/highlight.js
typedoc <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of highlight.js
Depends on vulnerable versions of marked
node_modules/typedoc
xero-node 3.1.1 - 3.1.2
Depends on vulnerable versions of typedoc
node_modules/xero-node

marked <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - GHSA-rrrm-qjm4-v8hf
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/marked

4 vulnerabilities (2 moderate, 2 high)

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 4.33.0, which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

added 86 packages, removed 41 packages, changed 1 package, and audited 90 packages in 28s

13 packages are looking for funding
run npm fund for details

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install xero-node@3.1.2, which is a breaking change
node_modules/request
xero-node >=4.0.0-alpha.1
Depends on vulnerable versions of request
node_modules/xero-node

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 3.1.2, which is a SemVer major change.
npm WARN deprecated highlight.js@9.18.5: Support has ended for 9.x series. Upgrade to @latest

added 41 packages, removed 86 packages, changed 1 package, and audited 45 packages in 31s

5 packages are looking for funding
run npm fund for details

npm audit report

highlight.js 9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - GHSA-7wwv-vh3v-89cq
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/highlight.js
typedoc <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of highlight.js
Depends on vulnerable versions of marked
node_modules/typedoc
xero-node 3.1.1 - 3.1.2
Depends on vulnerable versions of typedoc
node_modules/xero-node

marked <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - GHSA-rrrm-qjm4-v8hf
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/marked

4 vulnerabilities (2 moderate, 2 high)

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 4.33.0, which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

added 86 packages, removed 41 packages, changed 1 package, and audited 90 packages in 43s

13 packages are looking for funding
run npm fund for details

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install xero-node@3.1.2, which is a breaking change
node_modules/request
xero-node >=4.0.0-alpha.1
Depends on vulnerable versions of request
node_modules/xero-node

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 3.1.2, which is a SemVer major change.
npm WARN deprecated highlight.js@9.18.5: Support has ended for 9.x series. Upgrade to @latest

added 41 packages, removed 86 packages, changed 1 package, and audited 45 packages in 1m

5 packages are looking for funding
run npm fund for details

npm audit report

highlight.js 9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - GHSA-7wwv-vh3v-89cq
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/highlight.js
typedoc <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
Depends on vulnerable versions of highlight.js
Depends on vulnerable versions of marked
node_modules/typedoc
xero-node 3.1.1 - 3.1.2
Depends on vulnerable versions of typedoc
node_modules/xero-node

marked <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - GHSA-rrrm-qjm4-v8hf
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/marked

4 vulnerabilities (2 moderate, 2 high)

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating xero-node to 4.33.0, which is a SemVer major change.
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

added 86 packages, removed 41 packages, changed 1 package, and audited 90 packages in 42s

13 packages are looking for funding
run npm fund for details

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install xero-node@3.1.2, which is a breaking change
node_modules/request
xero-node >=4.0.0-alpha.1
Depends on vulnerable versions of request
node_modules/xero-node

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>npm uninstall xero-node

removed 89 packages, and audited 1 package in 2s

found 0 vulnerabilities

C:\Xero>npm install xero-node@latest
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see request/request#3142

added 89 packages, and audited 90 packages in 19s

13 packages are looking for funding
run npm fund for details

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Run npm audit for details.

C:\Xero>npm audit

npm audit report

request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install xero-node@3.1.2, which is a breaking change
node_modules/request
xero-node >=4.0.0-alpha.1
Depends on vulnerable versions of request
node_modules/xero-node

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

C:\Xero>

Additional context
Add any other context about the problem here.
I installed the package before doing an init.
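As an added example (not code from the issue author or the xero-node project): a small Node script that parses the text of successive npm audit reports, as pasted above, and detects when following `npm audit fix --force` would only flip between two versions. The two report fragments are constructed to mirror the output in the issue, and the function names are my own.

```javascript
// Added example: detect an `npm audit fix --force` oscillation from the text of
// successive npm audit reports. The report fragments are constructed for this demo.
// Collect the versions of `pkg` that one text audit report proposes to install
// via "Will install <pkg>@<version>, which is a breaking change".
function proposedVersions(report, pkg) {
  const re = new RegExp(
    'Will install ' + pkg + '@([^,\\s]+), which is a breaking change', 'g');
  const versions = new Set();
  for (const m of report.matchAll(re)) versions.add(m[1]);
  return [...versions];
}
// Follow the chain installed -> proposed -> proposed ... using the report that
// npm audit produces for each installed version. Stops at the first version seen
// twice: that is where --force would start undoing its own previous change.
function detectFixLoop(installed, reportsByVersion, pkg) {
  const path = [installed];
  const seen = new Set(path);
  let current = installed;
  for (;;) {
    const report = reportsByVersion[current];
    if (!report) return { cycle: false, path };           // no report: chain ends
    const next = proposedVersions(report, pkg);
    if (next.length === 0) return { cycle: false, path }; // nothing forced
    const candidate = next[0];                            // one proposal per report here
    if (seen.has(candidate)) return { cycle: true, path, repeats: candidate };
    seen.add(candidate);
    path.push(candidate);
    current = candidate;
  }
}
// Constructed fragments of what npm audit reported with 4.33.0 and with 3.1.2
// installed (advisory ids as printed in the issue above).
const REPORT_4_33_0 = `request *
Severity: moderate
Server-Side Request Forgery in Request - GHSA-p8p7-x288-28g6
fix available via npm audit fix --force
Will install xero-node@3.1.2, which is a breaking change
node_modules/request`;
const REPORT_3_1_2 = `marked <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - GHSA-5v2h-r2cx-5xgj
fix available via npm audit fix --force
Will install xero-node@4.33.0, which is a breaking change
node_modules/marked`;
const REPORTS = { '4.33.0': REPORT_4_33_0, '3.1.2': REPORT_3_1_2 };
console.log(detectFixLoop('4.33.0', REPORTS, 'xero-node'));
```

When the result reports a cycle, another `--force` run cannot help; the way out is a dependency change upstream, which is what the maintainers' 5.0.1 release below provides.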

We have updated the required packages in our new version. The npm audit report should be clean now.

Please use version v5.0.1

Let us know of any further issues on this ticket. @allanquartz