There are 10 critical vulnerabilities from old dependencies #7

Open
bpmooch opened this issue Jul 12, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@bpmooch
Contributor

bpmooch commented Jul 12, 2023

mooch@basement2:~/p/electronWebGCS$ npm audit
# npm audit report

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install electron-builder@23.4.0, which is a breaking change
node_modules/dir-compare/node_modules/minimatch
  dir-compare  <=2.4.0
  Depends on vulnerable versions of minimatch
  node_modules/dir-compare
    @electron/universal  1.0.1 - 1.3.3
    Depends on vulnerable versions of dir-compare
    node_modules/@electron/universal
      app-builder-lib  22.10.4 - 24.0.0-alpha.13
      Depends on vulnerable versions of @electron/universal
      node_modules/app-builder-lib
        dmg-builder  22.10.4 - 24.0.0-alpha.13
        Depends on vulnerable versions of app-builder-lib
        node_modules/dmg-builder
          electron-builder  19.25.0 || >=22.10.4
          Depends on vulnerable versions of app-builder-lib
          Depends on vulnerable versions of dmg-builder
          Depends on vulnerable versions of simple-update-notifier
          node_modules/electron-builder

minimist  <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install leaflet-omnivore@0.3.0, which is a breaking change
node_modules/@mapbox/togeojson/node_modules/minimist
node_modules/optimist/node_modules/minimist
node_modules/static-module/node_modules/minimist
node_modules/togeojson/node_modules/minimist
node_modules/wellknown/node_modules/minimist
  @mapbox/togeojson  *
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/@mapbox/togeojson
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    csv2geojson  3.8.0 - 5.1.1
    Depends on vulnerable versions of optimist
    node_modules/csv2geojson
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/static-module/node_modules/quote-stream
  togeojson  >=0.4.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/togeojson
    leaflet-omnivore  >=0.3.1
    Depends on vulnerable versions of brfs
    Depends on vulnerable versions of csv2geojson
    Depends on vulnerable versions of togeojson
    Depends on vulnerable versions of wellknown
    node_modules/leaflet-omnivore
  wellknown  0.3.2 - 0.4.2
  Depends on vulnerable versions of minimist
  node_modules/wellknown

protobufjs  6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/protobufjs

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install eslint-plugin-compat@3.5.1, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/@electron/get/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/eslint-config-airbnb-base/node_modules/semver
node_modules/eslint-import-resolver-webpack/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/eslint-plugin-jsx-a11y/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
  eslint-plugin-compat  >=3.6.0-0
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-compat
    eslint-config-erb  >=1.0.0-0
    Depends on vulnerable versions of eslint-plugin-compat
    node_modules/eslint-config-erb
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier

static-eval  <=2.0.1
Severity: high
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-x9hc-rw35-f44h
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
fix available via `npm audit fix`
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of quote-stream
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    brfs  1.1.0 - 1.4.3
    Depends on vulnerable versions of static-module
    node_modules/brfs

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/tough-cookie

word-wrap  *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
  optionator  0.8.3 - 0.9.1
  Depends on vulnerable versions of word-wrap
  node_modules/escodegen/node_modules/optionator
  node_modules/optionator

xmldom  *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix --force`
Will install leaflet-omnivore@0.3.0, which is a breaking change
node_modules/xmldom

26 vulnerabilities (8 moderate, 8 high, 10 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

too many vulnerabilities

@bpmooch bpmooch added the bug Something isn't working label Jul 12, 2023
@danielhonies
Collaborator

Are these fixed with the latest PR?

@bpmooch
Contributor Author

bpmooch commented Jul 30, 2023

I don't believe so. It seems like upgrading electron deps will fix a good amount of these. Been pretty busy at $dayjob the last couple of weeks, but I will probably tackle this soon.
