mrafiqk/html-pdf-node

[Vulnerability] npm audit issues


When I ran `npm audit --json` on a project that has html-pdf-node as one of its dependencies, I got the two advisories below. Both are reported as severity "high" (CVSS 7.5 for nth-check, CVE-2021-3803, a ReDoS reached through the `inline-css > cheerio > css-select` path; CVSS 8.8 for node-fetch, CVE-2022-0235, pulled in through `puppeteer`). Neither is a direct dependency of html-pdf-node, so they cannot be fixed from the consuming project without pinning or overriding the transitive versions, and the patched versions (nth-check >= 2.0.1, node-fetch >= 2.6.7) are already listed in the advisories. Any guidance on getting html-pdf-node's dependency tree onto the patched versions would be appreciated.

{
  "1070415": {
        "findings": [
          {
            "version": "1.0.2",
            "paths": [
              "html-pdf-node>inline-css>cheerio>css-select>nth-check",
              "html-pdf-node>inline-css>extract-css>list-stylesheets>cheerio>css-select>nth-check"
            ]
          }
        ],
        "metadata": null,
        "vulnerable_versions": "<2.0.1",
        "module_name": "nth-check",
        "severity": "high",
        "github_advisory_id": "GHSA-rp65-9cf3-cjxr",
        "cves": [
          "CVE-2021-3803"
        ],
        "access": "public",
        "patched_versions": ">=2.0.1",
        "cvss": {
          "score": 7.5,
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
        },
        "updated": "2022-05-26T19:57:03.000Z",
        "recommendation": "Upgrade to version 2.0.1 or later",
        "cwe": [
          "CWE-1333"
        ],
        "found_by": null,
        "deleted": null,
        "id": 1070415,
        "references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
        "created": "2021-09-20T20:47:31.000Z",
        "reported_by": null,
        "title": "Inefficient Regular Expression Complexity in nth-check",
        "npm_advisory_id": null,
        "overview": "nth-check is vulnerable to Inefficient Regular Expression Complexity",
        "url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
      },
"1084495": {
      "findings": [
        {
          "version": "2.6.1",
          "paths": [
            "html-pdf-node>puppeteer>node-fetch"
          ]
        }
      ],
      "metadata": null,
      "vulnerable_versions": "<2.6.7",
      "module_name": "node-fetch",
      "severity": "high",
      "github_advisory_id": "GHSA-r683-j2x4-v87g",
      "cves": [
        "CVE-2022-0235"
      ],
      "access": "public",
      "patched_versions": ">=2.6.7",
      "cvss": {
        "score": 8.8,
        "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
      },
      "updated": "2022-09-19T22:12:10.000Z",
      "recommendation": "Upgrade to version 2.6.7 or later",
      "cwe": [
        "CWE-173",
        "CWE-200",
        "CWE-601"
      ],
      "found_by": null,
      "deleted": null,
      "id": 1084495,
      "references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0235\n- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\n- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\n- https://github.com/node-fetch/node-fetch/pull/1453\n- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-r683-j2x4-v87g",
      "created": "2022-01-21T23:55:52.000Z",
      "reported_by": null,
      "title": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
      "npm_advisory_id": null,
      "overview": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
      "url": "https://github.com/advisories/GHSA-r683-j2x4-v87g"
    }
}

See my comment in issue #71 for two ways of forcing the transitive dependencies onto the patched versions. Whichever method you use, re-run `npm audit` afterwards to confirm the two advisory IDs above are gone, and re-test PDF generation, since overriding a nested dependency can change behaviour of the packages that depend on it.
#71 (comment)