jupyter-widgets/pythreejs

shipped wheels and PyPI tarballs fail npm audit


# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

express  <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/express
  @verdaccio/middleware  <=7.0.0-next-7.15
  Depends on vulnerable versions of @verdaccio/config
  Depends on vulnerable versions of @verdaccio/core
  Depends on vulnerable versions of @verdaccio/url
  Depends on vulnerable versions of @verdaccio/utils
  Depends on vulnerable versions of express
  node_modules/@verdaccio/middleware
    verdaccio  <=5.31.0 || 6.0.0-6-next.21 - 7.0.0-next-7.15
    Depends on vulnerable versions of @verdaccio/config
    Depends on vulnerable versions of @verdaccio/core
    Depends on vulnerable versions of @verdaccio/logger-7
    Depends on vulnerable versions of @verdaccio/middleware
    Depends on vulnerable versions of @verdaccio/tarball
    Depends on vulnerable versions of @verdaccio/url
    Depends on vulnerable versions of @verdaccio/utils
    Depends on vulnerable versions of express
    Depends on vulnerable versions of request
    Depends on vulnerable versions of semver
    Depends on vulnerable versions of verdaccio-audit
    node_modules/verdaccio
  verdaccio-audit  0.0.2 - 12.0.0-next-7.15
  Depends on vulnerable versions of @verdaccio/config
  Depends on vulnerable versions of @verdaccio/core
  Depends on vulnerable versions of express
  node_modules/verdaccio-audit

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install @jupyterlab/buildutils@4.2.3, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    @jupyterlab/buildutils  0.9.0 - 4.0.0-rc.1
    Depends on vulnerable versions of package-json
    node_modules/@jupyterlab/buildutils

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/duplicate-package-checker-webpack-plugin/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/package-json/node_modules/semver
node_modules/semver
  @verdaccio/core  <=6.0.0-6-next.72
  Depends on vulnerable versions of semver
  node_modules/@verdaccio/core
  node_modules/verdaccio-audit/node_modules/@verdaccio/core
    @verdaccio/config  <=6.0.0-6-next.72
    Depends on vulnerable versions of @verdaccio/core
    Depends on vulnerable versions of @verdaccio/utils
    Depends on vulnerable versions of yaml
    node_modules/@verdaccio/config
    node_modules/verdaccio-audit/node_modules/@verdaccio/config
    @verdaccio/logger-commons  <=6.0.0-6-next.40
    Depends on vulnerable versions of @verdaccio/core
    node_modules/@verdaccio/logger-commons
      @verdaccio/logger-7  <=6.0.0-6-next.17
      Depends on vulnerable versions of @verdaccio/logger-commons
      node_modules/@verdaccio/logger-7
    @verdaccio/tarball  <=11.0.0-6-next.41
    Depends on vulnerable versions of @verdaccio/core
    Depends on vulnerable versions of @verdaccio/url
    Depends on vulnerable versions of @verdaccio/utils
    node_modules/@verdaccio/tarball
    @verdaccio/url  <=11.0.0-6-next.38
    Depends on vulnerable versions of @verdaccio/core
    node_modules/@verdaccio/url
  @verdaccio/utils  <=6.0.0-6-next.40
  Depends on vulnerable versions of @verdaccio/core
  Depends on vulnerable versions of semver
  node_modules/@verdaccio/utils
  node_modules/verdaccio-audit/node_modules/@verdaccio/utils

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

three  <0.125.0
Severity: high
Denial of service in three - https://github.com/advisories/GHSA-fq6p-x6j3-cmmq
fix available via `npm audit fix --force`
Will install three@0.166.1, which is a breaking change
node_modules/three

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/tough-cookie

webpack  5.0.0 - 5.75.0
Severity: critical
Cross-realm object access in Webpack 5 - https://github.com/advisories/GHSA-hc6q-2mpp-qw7j
fix available via `npm audit fix`
node_modules/webpack

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

ws  7.0.0 - 7.5.9
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws

yaml  2.0.0-5 - 2.2.1
Severity: high
Uncaught Exception in yaml - https://github.com/advisories/GHSA-f9xv-q969-pqx4
fix available via `npm audit fix`
node_modules/yaml

25 vulnerabilities (18 moderate, 6 high, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Running audit fix and thus updating three and jupyterlab to a recent version does not let me build the wheel:

[   14s] Building wheels for collected packages: pythreejs
[   14s]   Building wheel for pythreejs (pyproject.toml): started
[   14s]   Running command Building wheel for pythreejs (pyproject.toml)
[   14s]   running bdist_wheel
[   14s]   running js
[   14s]   node_modules are up to date, skipping npm install!
...
[   15s]   > jupyter-threejs@2.4.1 build:bundles-prod
[   15s]   > webpack --mode production && node ./scripts/post-build.js
...
[   23s]   node:internal/process/promises:391
[   23s]       triggerUncaughtException(err, true /* fromPromise */);
[   23s]       ^
[   23s]
[   23s]   [Error: ENOENT: no such file or directory, lstat '/home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js/node_modules/three/build/three.min.js'] {
[   23s]     errno: -2,
[   23s]     code: 'ENOENT',
[   23s]     syscall: 'lstat',
[   23s]     path: '/home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js/node_modules/three/build/three.min.js'
[   23s]   }
[   23s]
[   23s]   Node.js v22.3.0
[   23s]   npm error code 1
[   23s]   npm error path /home/abuild/rpmbuild/BUILD/pythreejs-2.4.2/js
[   23s]   npm error command failed
[   23s]   npm error command sh -c npm run build:bundles-prod