looker-open-source/components

High number of dependency vulnerabilities

pwm1991 opened this issue · 0 comments

pwm1991 commented

Installing many looker packages leads to warnings around vulnerable packages.

Are these packages still supported?

Running fix doesn't fix the errors...

PM looker-playground % npm install @looker/filter-components

removed 940 packages, and audited 165 packages in 32s

12 packages are looking for funding
  run `npm fund` for details

10 vulnerabilities (6 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
PM looker-playground % npm audit fix

up to date, audited 165 packages in 1s

12 packages are looking for funding
  run `npm fund` for details

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix`
node_modules/d3-hsv/node_modules/d3-color
  d3-hsv  *
  Depends on vulnerable versions of d3-color
  node_modules/d3-hsv
    @looker/components  *
    Depends on vulnerable versions of d3-hsv
    node_modules/@looker/components

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
No fix available
node_modules/request
  @looker/sdk  *
  Depends on vulnerable versions of @looker/sdk-rtl
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/@looker/sdk
    @looker/filter-components  *
    Depends on vulnerable versions of @looker/components
    Depends on vulnerable versions of @looker/filter-expressions
    Depends on vulnerable versions of @looker/sdk
    Depends on vulnerable versions of @looker/sdk-rtl
    node_modules/@looker/filter-components
    @looker/filter-expressions  *
    Depends on vulnerable versions of @looker/sdk
    node_modules/@looker/filter-expressions
  @looker/sdk-rtl  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of request-promise-native
  node_modules/@looker/sdk-rtl
  request-promise-core  *
  Depends on vulnerable versions of request
  node_modules/request-promise-core
    request-promise-native  >=1.0.0
    Depends on vulnerable versions of request
    Depends on vulnerable versions of request-promise-core
    node_modules/request-promise-native

10 vulnerabilities (6 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.