
fix: run npm audit fix #205

Merged
merged 1 commit into from
Nov 11, 2024

Conversation

melsener (Member)

Change description

run npm audit fix

Before
# npm audit report

@sentry/browser  <7.119.1
Severity: moderate
Sentry SDK Prototype Pollution gadget in JavaScript SDKs - https://github.com/advisories/GHSA-593m-55hh-j8gv
fix available via `npm audit fix --force`
Will install @sentry/[email protected], which is a breaking change
node_modules/@sentry/browser

axios  1.3.2 - 1.7.3
Severity: high
Server-Side Request Forgery in axios - https://github.com/advisories/GHSA-8hc4-vh64-cxmj
fix available via `npm audit fix`
node_modules/axios

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  node_modules/express

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@jest/core/node_modules/braces
node_modules/@jest/transform/node_modules/braces
node_modules/braces
node_modules/fast-glob/node_modules/braces
node_modules/jest-config/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-util/node_modules/braces
node_modules/lint-staged/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/@jest/core/node_modules/micromatch
  node_modules/@jest/transform/node_modules/micromatch
  node_modules/fast-glob/node_modules/micromatch
  node_modules/find-yarn-workspace-root/node_modules/micromatch
  node_modules/jest-config/node_modules/micromatch
  node_modules/jest-haste-map/node_modules/micromatch
  node_modules/jest-message-util/node_modules/micromatch
  node_modules/jest-util/node_modules/micromatch
  node_modules/lint-staged/node_modules/micromatch
  node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
        jest-haste-map  24.0.0-alpha.0 - 26.6.2
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          @jest/core  <=26.6.3
          Depends on vulnerable versions of jest-config
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-snapshot
          node_modules/@jest/core
            jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-cli
            node_modules/jest
            jest-cli  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-config
            node_modules/jest/node_modules/jest-cli
          @jest/reporters  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/reporters
          @jest/test-sequencer  <=26.6.3
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/test-sequencer
            jest-config  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/test-sequencer
            Depends on vulnerable versions of babel-jest
            Depends on vulnerable versions of jest-jasmine2
            node_modules/jest-config
              jest-runner  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-jasmine2
              node_modules/jest-runner
              jest-runtime  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of @jest/transform
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-runtime
                jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of jest-runtime
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-jasmine2
          @jest/transform  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/transform
            babel-jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            node_modules/babel-jest
          jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/jest-snapshot
            jest-resolve-dependencies  26.1.0 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sentry/[email protected], which is a breaking change
node_modules/@sentry/node/node_modules/cookie
node_modules/cookie
  @sentry/node  4.0.0-beta.0 - 7.74.2-alpha.1
  Depends on vulnerable versions of cookie
  node_modules/@sentry/node
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  node_modules/express

express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
Severity: high
express vulnerable to XSS via response.redirect() - https://github.com/advisories/GHSA-qw6h-vgh9-j6wx
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of cookie
Depends on vulnerable versions of path-to-regexp
Depends on vulnerable versions of send
fix available via `npm audit fix`
node_modules/express

micromatch  <=4.0.7
Severity: high
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
Depends on vulnerable versions of braces
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@jest/core/node_modules/micromatch
node_modules/@jest/transform/node_modules/micromatch
node_modules/fast-glob/node_modules/micromatch
node_modules/find-yarn-workspace-root/node_modules/micromatch
node_modules/jest-config/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-util/node_modules/micromatch
node_modules/lint-staged/node_modules/micromatch
node_modules/micromatch
  anymatch  1.2.0 - 2.0.0
  Depends on vulnerable versions of micromatch
  node_modules/anymatch
    sane  1.5.0 - 4.1.0
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of micromatch
    node_modules/sane
      jest-haste-map  24.0.0-alpha.0 - 26.6.2
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
        @jest/core  <=26.6.3
        Depends on vulnerable versions of jest-config
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-snapshot
        node_modules/@jest/core
          jest  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-cli
          node_modules/jest
          jest-cli  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-config
          node_modules/jest/node_modules/jest-cli
        @jest/reporters  <=26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/reporters
        @jest/test-sequencer  <=26.6.3
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/test-sequencer
          jest-config  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/test-sequencer
          Depends on vulnerable versions of babel-jest
          Depends on vulnerable versions of jest-jasmine2
          node_modules/jest-config
            jest-runner  24.0.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of jest-config
            Depends on vulnerable versions of jest-haste-map
            Depends on vulnerable versions of jest-jasmine2
            node_modules/jest-runner
            jest-runtime  24.0.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            Depends on vulnerable versions of jest-config
            Depends on vulnerable versions of jest-haste-map
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-runtime
              jest-jasmine2  24.2.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-runtime
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-jasmine2
        @jest/transform  <=26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/transform
          babel-jest  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/transform
          node_modules/babel-jest
        jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/jest-snapshot
          jest-resolve-dependencies  26.1.0 - 26.6.3
          Depends on vulnerable versions of jest-snapshot
          node_modules/jest-resolve-dependencies

next  0.9.9 - 14.2.6
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Denial of Service condition in Next.js image optimization - https://github.com/advisories/GHSA-g77x-44xx-532m
Depends on vulnerable versions of postcss
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/next

path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  node_modules/express

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  next  0.9.9 - 14.2.6
  Depends on vulnerable versions of postcss
  node_modules/next

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  express  <=4.21.0 || 5.0.0-alpha.1 - 5.0.0
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of cookie
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  node_modules/express
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static

serve-static  <=1.16.0
Severity: moderate
serve-static vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-cm22-4g7w-348p
Depends on vulnerable versions of send
fix available via `npm audit fix`
node_modules/serve-static

29 vulnerabilities (2 low, 21 moderate, 6 high)

After
# npm audit report

@sentry/browser  <7.119.1
Severity: moderate
Sentry SDK Prototype Pollution gadget in JavaScript SDKs - https://github.com/advisories/GHSA-593m-55hh-j8gv
fix available via `npm audit fix --force`
Will install @sentry/[email protected], which is a breaking change
node_modules/@sentry/browser

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/sane/node_modules/braces
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/sane/node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/sane/node_modules/anymatch
      sane  1.5.0 - 4.1.0
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of micromatch
      node_modules/sane
        jest-haste-map  24.0.0-alpha.0 - 26.6.2
        Depends on vulnerable versions of sane
        node_modules/jest-haste-map
          @jest/core  <=26.6.3
          Depends on vulnerable versions of jest-config
          Depends on vulnerable versions of jest-haste-map
          Depends on vulnerable versions of jest-snapshot
          node_modules/@jest/core
            jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-cli
            node_modules/jest
            jest-cli  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/core
            Depends on vulnerable versions of jest-config
            node_modules/jest-cli
          @jest/reporters  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/reporters
          @jest/test-sequencer  <=26.6.3
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/test-sequencer
            jest-config  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/test-sequencer
            Depends on vulnerable versions of babel-jest
            node_modules/@jest/core/node_modules/jest-config
            node_modules/jest-cli/node_modules/jest-config
            node_modules/jest-runner/node_modules/jest-config
            node_modules/jest-runtime/node_modules/jest-config
              jest-runner  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              node_modules/jest-runner
              jest-runtime  24.0.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of @jest/transform
              Depends on vulnerable versions of jest-config
              Depends on vulnerable versions of jest-haste-map
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-runtime
                jest-jasmine2  24.2.0-alpha.0 - 26.6.3
                Depends on vulnerable versions of jest-runtime
                Depends on vulnerable versions of jest-snapshot
                node_modules/jest-jasmine2
          @jest/transform  <=26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/@jest/transform
            babel-jest  24.2.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            node_modules/babel-jest
          jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
          Depends on vulnerable versions of jest-haste-map
          node_modules/jest-snapshot
            jest-resolve-dependencies  26.1.0 - 26.6.3
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-resolve-dependencies

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via `npm audit fix --force`
Will install @sentry/[email protected], which is a breaking change
node_modules/cookie
  @sentry/node  4.0.0-beta.0 - 7.74.2-alpha.1
  Depends on vulnerable versions of cookie
  node_modules/@sentry/node

micromatch  <=4.0.7
Severity: high
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
Depends on vulnerable versions of braces
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/sane/node_modules/micromatch
  anymatch  1.2.0 - 2.0.0
  Depends on vulnerable versions of micromatch
  node_modules/sane/node_modules/anymatch
    sane  1.5.0 - 4.1.0
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of micromatch
    node_modules/sane
      jest-haste-map  24.0.0-alpha.0 - 26.6.2
      Depends on vulnerable versions of sane
      node_modules/jest-haste-map
        @jest/core  <=26.6.3
        Depends on vulnerable versions of jest-config
        Depends on vulnerable versions of jest-haste-map
        Depends on vulnerable versions of jest-snapshot
        node_modules/@jest/core
          jest  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-cli
          node_modules/jest
          jest-cli  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/core
          Depends on vulnerable versions of jest-config
          node_modules/jest-cli
        @jest/reporters  <=26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/reporters
        @jest/test-sequencer  <=26.6.3
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/test-sequencer
          jest-config  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/test-sequencer
          Depends on vulnerable versions of babel-jest
          node_modules/@jest/core/node_modules/jest-config
          node_modules/jest-cli/node_modules/jest-config
          node_modules/jest-runner/node_modules/jest-config
          node_modules/jest-runtime/node_modules/jest-config
            jest-runner  24.0.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of jest-config
            Depends on vulnerable versions of jest-haste-map
            node_modules/jest-runner
            jest-runtime  24.0.0-alpha.0 - 26.6.3
            Depends on vulnerable versions of @jest/transform
            Depends on vulnerable versions of jest-config
            Depends on vulnerable versions of jest-haste-map
            Depends on vulnerable versions of jest-snapshot
            node_modules/jest-runtime
              jest-jasmine2  24.2.0-alpha.0 - 26.6.3
              Depends on vulnerable versions of jest-runtime
              Depends on vulnerable versions of jest-snapshot
              node_modules/jest-jasmine2
        @jest/transform  <=26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/@jest/transform
          babel-jest  24.2.0-alpha.0 - 26.6.3
          Depends on vulnerable versions of @jest/transform
          node_modules/babel-jest
        jest-snapshot  24.2.0-alpha.0 - 24.5.0 || 26.1.0 - 26.6.2
        Depends on vulnerable versions of jest-haste-map
        node_modules/jest-snapshot
          jest-resolve-dependencies  26.1.0 - 26.6.3
          Depends on vulnerable versions of jest-snapshot
          node_modules/jest-resolve-dependencies

next  0.9.9 - 14.2.6
Severity: moderate
Next.js missing cache-control header may lead to CDN caching empty reply - https://github.com/advisories/GHSA-c59h-r6p8-q9wc
Denial of Service condition in Next.js image optimization - https://github.com/advisories/GHSA-g77x-44xx-532m
Depends on vulnerable versions of postcss
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/next

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/postcss
  next  0.9.9 - 14.2.6
  Depends on vulnerable versions of postcss
  node_modules/next

23 vulnerabilities (2 low, 19 moderate, 2 high)

Type of change

  • Bug fix (fixes an issue)
  • New feature (adds functionality)

Related issues

Fix #1

Checklists

Development

  • Lint rules pass locally
  • Application changes have been tested thoroughly
  • Automated tests covering modified code pass

Security

  • Security impact of change has been considered
  • Code follows company security practices and guidelines

Code review

  • Pull request has a descriptive title and it follows conventional commit format and breaking change indicator if required (You can use the Angular convention)
  • Screenshots or screencasts are attached as necessary
  • "Ready for review" label attached and reviewers assigned
  • Changes have been reviewed by at least one other contributor
  • Pull request linked to task tracker where applicable
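
As an added example, not code from this PR or its repository: a small Node script that classifies the entries of an `npm audit --json` report (npm 7+ schema) by whether a plain `npm audit fix` can resolve them or a breaking `--force` upgrade is required, diffs two reports the way the Before/After listings above do, and exposes a CI gate that fails only when a non-breaking fix was left unapplied. The two sample reports are constructed from five of the advisories shown above; the upgrade target versions that `fixAvailable` objects normally carry are omitted because the PR text does not show them.

```javascript
'use strict';
// Added example (not from the PR or its repository): work with `npm audit --json`
// output. Schema assumed is the npm 7+ one: report.vulnerabilities[name] holds
// { name, severity, isDirect, via, effects, range, nodes, fixAvailable }.

// `fixAvailable` tells how npm can resolve a finding:
//   true                                   -> plain `npm audit fix` (semver-compatible bump)
//   { name, version, isSemVerMajor: true } -> only `npm audit fix --force` (breaking upgrade)
//   { name, version, isSemVerMajor: false }-> plain `npm audit fix` via a bump of that ancestor
//   false                                  -> no fixed version published
function fixClass(entry) {
  const fa = entry.fixAvailable;
  if (fa === true) return 'fix';
  if (!fa) return 'none';
  return fa.isSemVerMajor ? 'force' : 'fix';
}

// Bucket every finding by fix class and count findings per severity.
function summarizeAudit(report) {
  const summary = { fix: [], force: [], none: [], bySeverity: {} };
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    summary[fixClass(entry)].push(name);
    const sev = entry.severity || 'unknown';
    summary.bySeverity[sev] = (summary.bySeverity[sev] || 0) + 1;
  }
  for (const key of ['fix', 'force', 'none']) summary[key].sort();
  return summary;
}

// Compare two reports by package name: what a fix run resolved, what it left,
// and what it newly pulled in (a forced upgrade can introduce new findings).
function diffAudits(before, after) {
  const b = Object.keys(before.vulnerabilities || {});
  const a = Object.keys(after.vulnerabilities || {});
  return {
    resolved: b.filter((n) => !a.includes(n)).sort(),
    remaining: a.filter((n) => b.includes(n)).sort(),
    introduced: a.filter((n) => !b.includes(n)).sort(),
  };
}

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// CI gate: findings at or above `minSeverity` that a plain `npm audit fix` would
// resolve. A non-empty result means a non-breaking fix exists but was not applied.
function unappliedFixes(report, minSeverity = 'high') {
  const floor = SEVERITY_RANK[minSeverity];
  return Object.entries(report.vulnerabilities || {})
    .filter(([, e]) => fixClass(e) === 'fix' && (SEVERITY_RANK[e.severity] ?? -1) >= floor)
    .map(([name]) => name)
    .sort();
}

// CONSTRUCTED sample reports, trimmed to five of the advisories in the PR text.
// Real `fixAvailable` objects also carry the target `version`; it is left out here
// because the PR description does not show those versions.
const BEFORE = {
  vulnerabilities: {
    axios: { name: 'axios', severity: 'high', isDirect: true, range: '1.3.2 - 1.7.3', fixAvailable: true },
    'body-parser': { name: 'body-parser', severity: 'high', isDirect: false, range: '<1.20.3', fixAvailable: true },
    express: { name: 'express', severity: 'high', isDirect: true, range: '<=4.21.0 || 5.0.0-alpha.1 - 5.0.0', fixAvailable: true },
    braces: { name: 'braces', severity: 'high', isDirect: false, range: '<3.0.3', fixAvailable: { name: 'jest', isSemVerMajor: true } },
    postcss: { name: 'postcss', severity: 'moderate', isDirect: false, range: '<8.4.31', fixAvailable: { name: 'next', isSemVerMajor: true } },
  },
};
// After a non-forced `npm audit fix`: only the findings needing `--force` remain.
const AFTER = {
  vulnerabilities: {
    braces: BEFORE.vulnerabilities.braces,
    postcss: BEFORE.vulnerabilities.postcss,
  },
};

console.log(JSON.stringify(summarizeAudit(BEFORE), null, 2));
console.log(JSON.stringify(diffAudits(BEFORE, AFTER), null, 2));
const gate = unappliedFixes(AFTER);
if (gate.length > 0) {
  console.error(`unapplied non-breaking fixes: ${gate.join(', ')}`);
  process.exitCode = 1;
}
```

In practice the two inputs come from `npm audit --json > before.json`, the fix run, and a second `npm audit --json`. The gate deliberately ignores `--force` findings, since those are a dependency-upgrade decision rather than something to block a hygiene PR on; to scope it to what ships, run the audit with `--omit=dev`, which matters here because both remaining high findings sit under the sane/jest-haste-map chain, typically a dev dependency.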

@melsener melsener merged commit 5aedbfd into main Nov 11, 2024
1 check passed
@melsener melsener deleted the fix/npm-audit-2024-11 branch November 11, 2024 14:17