Vulnerabilities in dependencies #493

Closed
@pilwon

Bug report

2 Vulnerabilities found after npm install vuepress

+ vuepress@0.9.0
added 1184 packages from 655 contributors in 54.018s
[!] 2 vulnerabilities found [11060 packages audited]
    Severity: 2 High
    Run `npm audit` for more detail

Version

v0.9.0

Steps to reproduce

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-anchor > string                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-table-of-contents > string            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 2 vulnerabilities found - Packages audited: 11060 (11060 dev, 199 optional)
    Severity: 2 High

What is expected?

No error message after npm install vuepress

What is actually happening?

Vulnerabilities found in dependencies

Other relevant information

  • Your OS: MacOS 10.13.4
  • Node.js version: v8.11.1
  • Browser version: n/a
  • Is this a global or local install? local
  • Which package manager did you use for the install? npm (v6.0.1)
