documentationjs/documentation

Request: Vulnerabilities in documentation module

hong6316 opened this issue · 0 comments

When I install documentation@14.0.0:

npm audit report

parse-url <=8.0.0
Severity: critical
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - GHSA-j9fq-vwqv-2fm2
fix available via npm audit fix --force
Will install documentation@3.0.4, which is a breaking change
node_modules/parse-url
  git-up <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse 4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      documentation >=4.0.0-beta
      Depends on vulnerable versions of git-url-parse
      node_modules/documentation

4 vulnerabilities (3 moderate, 1 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

└─┬ documentation@14.0.0
  └─┬ git-url-parse@12.0.0
    └─┬ git-up@6.0.0
      └── parse-url@7.0.2

Could you check these vulnerabilities, and update module versions?