Audit vulnerabilities detected in the httpstatuscodes project on Tag: v2.1.4
Closed this issue · 1 comments
Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix
node_modules/glob-parent
hosted-git-info <2.8.9 || >=3.0.0 <3.0.8
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1677
fix available via npm audit fix
node_modules/hosted-git-info
lodash <4.17.21
Severity: high
Command Injection - https://npmjs.com/advisories/1673
fix available via npm audit fix
node_modules/lodash
ws 5.0.0 - 5.2.2 || 6.0.0 - 6.2.1 || 7.0.0 - 7.4.5
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1748
fix available via npm audit fix
node_modules/ws
y18n <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via npm audit fix
node_modules/y18n
5 vulnerabilities (3 moderate, 2 high)
To address all issues, run:
npm audit fix
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
- Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
- Do you have any additional comments? (If so, please write it down):
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
- Go to the root folder of the project where the package.json file located
- Execute “npm audit”
- Look at the list of vulnerabilities reported
Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References:
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.
Thanks, but this project has no runtime dependencies so I don't believe any of these vulnerabilities apply here.
Also, I'll just leave this here: https://overreacted.io/npm-audit-broken-by-design/#why-is-npm-audit-broken