(frontend) npm audit 12 vulnerabilities (4 moderate, 7 high, 1 critical)
Closed this issue · 2 comments
Mrostgaard commented
Running npm audit returns this:
❯ npm audit
# npm audit report
ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
No fix available
node_modules/tailwind/node_modules/ajv
tailwind *
Depends on vulnerable versions of ajv
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of datasette
Depends on vulnerable versions of express
Depends on vulnerable versions of flaschenpost
Depends on vulnerable versions of limes
Depends on vulnerable versions of lodash
Depends on vulnerable versions of ws
node_modules/tailwind
express <=4.19.1 || 5.0.0-alpha.1 - 5.0.0-alpha.7
Severity: high
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix`
node_modules/express
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/jsonwebtoken
limes *
Depends on vulnerable versions of jsonwebtoken
node_modules/limes
lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/datasette/node_modules/lodash
node_modules/lodash
datasette *
Depends on vulnerable versions of lodash
node_modules/datasette
flaschenpost <=5.0.5
Depends on vulnerable versions of lodash
Depends on vulnerable versions of moment
node_modules/flaschenpost
moment <=2.29.3
Severity: high
Moment.js vulnerable to Inefficient Regular Expression Complexity - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via `npm audit fix`
node_modules/moment
qs 6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
No fix available
node_modules/qs
body-parser 1.18.0 - 1.18.3
Depends on vulnerable versions of qs
node_modules/body-parser
ws 6.0.0 - 6.2.1
Severity: moderate
ReDoS in Sec-Websocket-Protocol header - https://github.com/advisories/GHSA-6fc8-4gx4-v693
No fix available
node_modules/ws
12 vulnerabilities (4 moderate, 7 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
npm audit fix doesn't seem to affect this.
The 7 high and 1 critical vulnerabilities should probably be looked at; maybe there is an 'easy' way to fix?
The critical one seems to be a dependency on tailwind (note, NOT tailwindcss)
Is tailwind a mistake? I can't see where it's used; the repository hasn't been updated in 5 years. There are a lot of downloads of the npm package, but I wonder how many are because they think it's tailwindcss.
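As an added example that is not part of this issue or the project's code: a small Node script that takes an `npm audit --json` report (the auditReportVersion 2 shape) and lists, per direct dependency, the advisories reachable through it and whether npm reports a fix for it, which is the question the report above leaves the reader to answer by reading the tree. The embedded report is constructed to mirror part of the audit output above (tailwind -> datasette -> lodash, express -> qs); its per-advisory severities are illustrative.

```javascript
// Added example (not code from the issue or the project): attribute each advisory in an
// `npm audit --json` report (auditReportVersion 2 shape) to the direct dependencies that pull it in.
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
const adv = (url, severity) => ({ url, severity }); // advisory object as npm emits it (trimmed)

// Constructed sample mirroring part of the report above (tailwind -> datasette -> lodash, express -> qs);
// per-advisory severities are illustrative.
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  lodash: { isDirect: false, effects: ['datasette'], fixAvailable: true,
    via: [adv('https://github.com/advisories/GHSA-jf85-cpcp-j695', 'critical'),
          adv('https://github.com/advisories/GHSA-35jh-r3h4-6jhm', 'high')] },
  datasette: { isDirect: false, effects: ['tailwind'], fixAvailable: true, via: ['lodash'] },
  tailwind: { isDirect: true, effects: [], fixAvailable: false, via: ['datasette'] },
  qs: { isDirect: false, effects: ['express'], fixAvailable: false,
    via: [adv('https://github.com/advisories/GHSA-hrpp-h998-j3pp', 'high')] },
  express: { isDirect: true, effects: [], fixAvailable: true,
    via: ['qs', adv('https://github.com/advisories/GHSA-rv95-896h-c2vc', 'high')] },
} };

// Follow `effects` (the packages that depend on `name`) upward until direct dependencies are reached.
function directDependentsOf(vulns, name) {
  const roots = new Set(), seen = new Set(), stack = [name];
  while (stack.length) {
    const cur = stack.pop();
    if (seen.has(cur) || !vulns[cur]) continue;
    seen.add(cur);
    if (vulns[cur].isDirect) roots.add(cur);
    stack.push(...vulns[cur].effects);
  }
  return roots;
}

// One row per direct dependency, worst severity first: the advisory URLs reachable through it
// and whether npm reports a fix for that dependency (false means "remove or replace it").
function attributeToDirectDeps(report) {
  const vulns = report.vulnerabilities, byRoot = {};
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = entry.via.filter((v) => typeof v === 'object'); // string entries are just edges
    if (!advisories.length) continue;
    for (const root of directDependentsOf(vulns, name)) {
      const r = (byRoot[root] ??= { name: root, severity: 'info', advisories: new Set(),
                                    fixAvailable: vulns[root].fixAvailable !== false });
      for (const a of advisories) {
        r.advisories.add(a.url);
        if (RANK[a.severity] > RANK[r.severity]) r.severity = a.severity;
      }
    }
  }
  return Object.values(byRoot).map((r) => ({ ...r, advisories: [...r.advisories].sort() }))
    .sort((a, b) => RANK[b.severity] - RANK[a.severity]);
}
```

To run it on a real report, replace `sampleReport` with `JSON.parse(require('fs').readFileSync(0, 'utf8'))` and pipe in `npm audit --json`; on the sample it reports tailwind (critical, no fix available) and express (high, fix available).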
Mrostgaard commented
Removing tailwind: "4.0.0" removed all the vulnerabilities.
Jibola commented
Hi @Mrostgaard, thank you for the insight! We'll remove tailwind and check it doesn't break any of the existing frontend.