Update dependencies and security vulnerabilities
Opened this issue · 0 comments
mattpaz commented
In addition to #91, flat dependencies are growing long in the tooth.
As of 2024-02-17, there are 32 vulnerabilities (15 moderate, 12 high, 5 critical).
Outdated Modules

| Package | Current | Wanted | Latest | Location | Depended by |
|---|---|---|---|---|---|
| @actions/core | 1.2.6 | 1.10.1 | 1.10.1 | node_modules/@actions/core | flat |
| @actions/exec | 1.0.4 | 1.1.1 | 1.1.1 | node_modules/@actions/exec | flat |
| @actions/github | 4.0.0 | 4.0.0 | 6.0.0 | node_modules/@actions/github | flat |
| @tinyhttp/content-disposition | 1.2.0 | 1.3.0 | 2.2.0 | node_modules/@tinyhttp/content-disposition | flat |
| @types/jest | 26.0.20 | 26.0.24 | 29.5.12 | node_modules/@types/jest | flat |
| @types/node | 14.14.37 | 14.18.63 | 20.11.19 | node_modules/@types/node | flat |
| @vercel/ncc | 0.27.0 | 0.27.0 | 0.38.1 | node_modules/@vercel/ncc | flat |
| axios | 0.21.1 | 0.21.4 | 1.6.7 | node_modules/axios | flat |
| connection-string | 4.3.2 | 4.4.0 | 4.4.0 | node_modules/connection-string | flat |
| csv-stringify | 5.6.2 | 5.6.5 | 6.4.5 | node_modules/csv-stringify | flat |
| es-mime-types | 0.0.16 | 0.0.16 | 0.1.4 | node_modules/es-mime-types | flat |
| husky | 6.0.0 | 6.0.0 | 9.0.11 | node_modules/husky | flat |
| jest | 26.6.3 | 26.6.3 | 29.7.0 | node_modules/jest | flat |
| jest-circus | 26.6.3 | 26.6.3 | 29.7.0 | node_modules/jest-circus | flat |
| mssql | 6.3.1 | 6.4.1 | 10.0.2 | node_modules/mssql | flat |
| pg | 8.5.1 | 8.11.3 | 8.11.3 | node_modules/pg | flat |
| prettier | 2.2.1 | 2.8.8 | 3.2.5 | node_modules/prettier | flat |
| reflect-metadata | 0.1.13 | 0.1.14 | 0.2.1 | node_modules/reflect-metadata | flat |
| sqlite3 | 5.1.6 | 5.1.7 | 5.1.7 | node_modules/sqlite3 | flat |
| ts-jest | 26.5.3 | 26.5.6 | 29.1.2 | node_modules/ts-jest | flat |
| typeorm | 0.2.31 | 0.2.45 | 0.3.20 | node_modules/typeorm | flat |
| typescript | 4.2.3 | 4.9.5 | 5.3.3 | node_modules/typescript | flat |
| zod | 3.0.0-alpha.4 | 3.22.4 | 3.22.4 | node_modules/zod | flat |
Audit Summary

```
@actions/core <=1.9.0
Severity: moderate
@actions/core has Delimiter Injection Vulnerability in exportVariable - https://github.com/advisories/GHSA-7r3h-m5j6-3q42
fix available via `npm audit fix`
node_modules/@actions/core

@azure/ms-rest-nodeauth <=3.0.9
Severity: high
Depends on vulnerable versions of @azure/ms-rest-js
Improper Privilege Management in Azure ms-rest-nodeauth - https://github.com/advisories/GHSA-qpfw-4m9x-rxx8
Depends on vulnerable versions of adal-node
fix available via `npm audit fix`
node_modules/@azure/ms-rest-nodeauth
  tedious 6.3.0 - 6.7.0 || 7.0.0 - 9.2.1
  Depends on vulnerable versions of @azure/ms-rest-nodeauth
  node_modules/tedious

@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

async 3.0.0 - 3.2.1
Severity: high
Prototype Pollution in async - https://github.com/advisories/GHSA-fwr7-v2mv-hh25
fix available via `npm audit fix`
node_modules/async

axios <=1.5.1
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
fix available via `npm audit fix`
node_modules/axios

browserslist 4.0.0 - 4.16.4
Severity: moderate
Regular Expression Denial of Service in browserslist - https://github.com/advisories/GHSA-w8qv-6jwh-64r5
fix available via `npm audit fix`
node_modules/browserslist

decode-uri-component <0.2.1
Severity: high
decode-uri-component vulnerable to Denial of Service (DoS) - https://github.com/advisories/GHSA-w573-4hg7-7wgq
fix available via `npm audit fix`
node_modules/decode-uri-component

follow-redirects <=1.15.3
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix`
node_modules/follow-redirects

ip *
Severity: high
NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/ip
  socks 1.0.0 - 2.7.1
  Depends on vulnerable versions of ip
  node_modules/socks

json-schema <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim 0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

json5 2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/json5

minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

minimist 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

path-parse <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/qs

request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request
  adal-node <=0.2.2 || >=2.0.0-pre
  Depends on vulnerable versions of request
  Depends on vulnerable versions of xmldom
  node_modules/adal-node
  jsdom 0.1.20 || 0.2.0 - 16.5.3
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/jsdom
  request-promise-core *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
  request-promise-native >=1.0.0
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-core
  Depends on vulnerable versions of tough-cookie
  node_modules/request-promise-native

semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@mapbox/node-pre-gyp/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/node-gyp/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/sane/node_modules/semver
node_modules/semver
node_modules/ts-jest/node_modules/semver

tmpl <1.0.5
Severity: high
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion - https://github.com/advisories/GHSA-jgrx-mgxx-jf9v
fix available via `npm audit fix`
node_modules/tmpl

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/@azure/ms-rest-js/node_modules/tough-cookie
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
node_modules/tough-cookie
  @azure/ms-rest-js <=2.6.6
  Depends on vulnerable versions of tough-cookie
  Depends on vulnerable versions of xml2js
  node_modules/@azure/ms-rest-js

word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws 7.0.0 - 7.4.5
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
fix available via `npm audit fix`
node_modules/ws

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install typeorm@0.3.20, which is a breaking change
node_modules/xml2js
  typeorm 0.1.0-alpha.1 - 0.3.14-dev.daf1b47 || >=0.3.21-dev.28a8383
  Depends on vulnerable versions of xml2js
  node_modules/typeorm

xmldom *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix`
node_modules/xmldom
```