Security vulnerabilities
zefir-git opened this issue · 0 comments
zefir-git commented
Vulnerabilities are inherited from the dependencies (see full report below). Fixing the vulnerabilities requires `--force`, which will install breaking changes.
```
npm audit report

ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install node-minify@2.0.3, which is a breaking change
node_modules/ansi-align/node_modules/ansi-regex
node_modules/boxen/node_modules/ansi-regex
node_modules/ora/node_modules/ansi-regex
node_modules/widest-line/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/ansi-align/node_modules/strip-ansi
node_modules/boxen/node_modules/strip-ansi
node_modules/ora/node_modules/strip-ansi
node_modules/widest-line/node_modules/strip-ansi
ora 2.0.0 - 4.0.2
Depends on vulnerable versions of strip-ansi
node_modules/ora
node-minify 0.12.1 - 2.0.0-beta.2 || >=2.0.4
Depends on vulnerable versions of crass
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of ora
node_modules/node-minify
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/ansi-align/node_modules/string-width
node_modules/boxen/node_modules/string-width
node_modules/widest-line/node_modules/string-width
widest-line 2.0.0 - 2.0.1
Depends on vulnerable versions of string-width
node_modules/widest-line
boxen 1.3.0 - 3.2.0
Depends on vulnerable versions of widest-line
node_modules/boxen

js-yaml <=3.13.0
Severity: high
Denial of Service in js-yaml - https://github.com/advisories/GHSA-2pr6-76vf-7546
Code Injection in js-yaml - https://github.com/advisories/GHSA-8j8c-7jfh-h6hx
fix available via `npm audit fix --force`
Will install node-minify@2.0.3, which is a breaking change
node_modules/js-yaml
svgo 0.4.2 - 1.0.5
Depends on vulnerable versions of js-yaml
node_modules/svgo
crass >=0.9.2
Depends on vulnerable versions of svgo
node_modules/crass
node-minify 0.12.1 - 2.0.0-beta.2 || >=2.0.4
Depends on vulnerable versions of crass
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of ora
node_modules/node-minify

minimist <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install node-minify@2.0.3, which is a breaking change
node_modules/node-minify/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/node-minify/node_modules/mkdirp
node-minify 0.12.1 - 2.0.0-beta.2 || >=2.0.4
Depends on vulnerable versions of crass
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of ora
node_modules/node-minify

12 vulnerabilities (11 moderate, 1 high)
```