
NPM flags many vulnerabilities #99

Open
toufali opened this issue Oct 18, 2022 · 4 comments

Comments

@toufali
Contributor

toufali commented Oct 18, 2022

Wondering if this project is still maintained? Upon install I see 12 vulnerabilities (5 moderate, 7 high).

Thanks!

@papandreou
Owner

Sure! Mind sharing some more details? PR welcome.

@toufali
Contributor Author

toufali commented Oct 18, 2022

Sure thing! After npm install pngquant I see the following:

added 227 packages, and audited 1101 packages in 7s

125 packages are looking for funding
  run `npm fund` for details

12 vulnerabilities (5 moderate, 7 high)

(I had 0 vulnerabilities prior to install.)

After running npm audit I get the following report:

# npm audit report

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install pngquant@0.4.0, which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/download/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/bin-wrapper/node_modules/download
  node_modules/download
    bin-build  >=2.1.2
    Depends on vulnerable versions of download
    node_modules/bin-build
      pngquant-bin  >=3.0.0
      Depends on vulnerable versions of bin-build
      Depends on vulnerable versions of bin-wrapper
      node_modules/pngquant-bin
        pngquant  >=0.5.0
        Depends on vulnerable versions of pngquant-bin
        node_modules/pngquant
    bin-wrapper  >=0.4.0
    Depends on vulnerable versions of bin-version-check
    Depends on vulnerable versions of download
    node_modules/bin-wrapper

semver-regex  <=3.1.3
Severity: high
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - https://github.com/advisories/GHSA-4x5v-gmq8-25ch
fix available via `npm audit fix --force`
Will install pngquant@0.4.0, which is a breaking change
node_modules/semver-regex
  find-versions  <=3.2.0
  Depends on vulnerable versions of semver-regex
  node_modules/find-versions
    bin-version  <=4.0.0
    Depends on vulnerable versions of find-versions
    node_modules/bin-version
      bin-version-check  <=4.0.0
      Depends on vulnerable versions of bin-version
      node_modules/bin-version-check

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/lpad-align/node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/lpad-align/node_modules/meow

12 vulnerabilities (5 moderate, 7 high)

I imagine if we update trim-newlines, semver-regex, and got, most of the work would be done. If I can find time, I may open a PR!
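As an added example (not code from pngquant or its maintainers): a small Node script that takes the shape of `npm audit --json`, separates the root-cause packages (the ones that carry advisories: got, semver-regex, trim-newlines) from packages that are only affected through them, and turns the vulnerable ranges into a package.json `overrides` block. The audit document below is constructed from the report above, and the field names assume npm's v2 audit report format.

```javascript
// Added example, not part of the pngquant project. Derives a package.json
// "overrides" block from `npm audit --json` output so flagged transitive
// dependencies can be pinned to patched ranges while upstream packages
// catch up. The document below is constructed and abbreviated from the
// report in this issue; its field names assume npm's auditReportVersion 2.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    got: { name: 'got', severity: 'moderate', isDirect: false, range: '<11.8.5',
      via: [{ title: 'Got allows a redirect to a UNIX socket', range: '<11.8.5' }] },
    download: { name: 'download', severity: 'moderate', isDirect: false, range: '>=4.0.0',
      via: ['got'] },
    'semver-regex': { name: 'semver-regex', severity: 'high', isDirect: false, range: '<=3.1.3',
      via: [{ title: 'Regular Expression Denial of Service (ReDOS)', range: '<=3.1.3' }] },
    'trim-newlines': { name: 'trim-newlines', severity: 'high', isDirect: false, range: '<3.0.1',
      via: [{ title: 'Uncontrolled Resource Consumption in trim-newlines', range: '<3.0.1' }] },
    meow: { name: 'meow', severity: 'high', isDirect: false, range: '3.4.0 - 5.0.0',
      via: ['trim-newlines'] },
  },
};

// A package whose "via" list contains advisory objects is a root cause;
// one whose "via" list only names other packages is affected transitively.
function rootCauses(audit) {
  return Object.values(audit.vulnerabilities)
    .filter(v => v.via.some(entry => typeof entry === 'object'))
    .map(v => v.name);
}

// Turn a vulnerable range into the lowest patched version bound.
// Handles the two shapes that appear in this report: "<X" and "<=X".
function patchedRange(vulnRange) {
  let m = vulnRange.match(/^<=\s*(\d+)\.(\d+)\.(\d+)$/);
  if (m) return `>=${m[1]}.${m[2]}.${Number(m[3]) + 1}`;
  m = vulnRange.match(/^<\s*(\d+\.\d+\.\d+)$/);
  if (m) return `>=${m[1]}`;
  throw new Error(`unsupported range: ${vulnRange}`);
}

// Build the "overrides" object for package.json from the root causes only;
// the transitively affected packages resolve once their dependency is fixed.
function buildOverrides(audit) {
  const overrides = {};
  for (const name of rootCauses(audit)) {
    overrides[name] = patchedRange(audit.vulnerabilities[name].range);
  }
  return overrides;
}

console.log(JSON.stringify({ overrides: buildOverrides(sampleAudit) }, null, 2));
```

Treat the generated overrides as a starting point to review rather than apply blindly: forcing a transitive dependency onto a different major version can break the package that consumes it.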

@papandreou
Owner

Cool! Please do :)

@toufali
Contributor Author

toufali commented Oct 19, 2022

PR opened: #100
