hapipal/boilerplate

Three high severity vulnerabilities found in npm dependencies

Closed this issue · 2 comments

When I did npm install, it mentioned 3 high severity vulnerabilities. Is this already noticed and getting fixed?

# npm audit report

marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
Regular Expression Denial of Service (REDoS) in Marked - https://github.com/advisories/GHSA-4r62-v4vq-hr96
No fix available
node_modules/marked
  @hapipal/hpal  *
  Depends on vulnerable versions of marked
  Depends on vulnerable versions of marked-terminal
  node_modules/@hapipal/hpal
  marked-terminal  <=4.2.0
  Depends on vulnerable versions of marked
  node_modules/marked-terminal

3 high severity vulnerabilities

Thank you for the report. Not sure if it was flagged already by someone else or not. This is likely low severity because IIRC marked is only used for dev CLI commands that help you search through hapi's documentation through your terminal. It shouldn't impact any of the production code because it's not run during that time.

Fair question! If anyone wants to perform the marked upgrade, we'd definitely take a PR on hpal 👍 https://github.com/hapipal/hpal