
high and moderate security vulns in 0.4.2 via globby and yargs dependencies #54

Open
jmhodges opened this issue Jan 1, 2022 · 0 comments


jmhodges commented Jan 1, 2022

$  npm audit
# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install prettier-tslint@0.2.0, which is a breaking change
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    cliui  4.0.0 - 5.0.0
    Depends on vulnerable versions of strip-ansi
    node_modules/cliui
      yargs  8.0.0-candidate.0 - 15.0.0
      Depends on vulnerable versions of cliui
      Depends on vulnerable versions of yargs-parser
      node_modules/yargs
        prettier-tslint  >=0.3.0
        Depends on vulnerable versions of globby
        Depends on vulnerable versions of yargs
        node_modules/prettier-tslint
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install prettier-tslint@0.2.0, which is a breaking change
node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      prettier-tslint  >=0.3.0
      Depends on vulnerable versions of globby
      Depends on vulnerable versions of yargs
      node_modules/prettier-tslint

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install prettier-tslint@0.2.0, which is a breaking change
node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 15.0.0
  Depends on vulnerable versions of cliui
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    prettier-tslint  >=0.3.0
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of yargs
    node_modules/prettier-tslint

10 vulnerabilities (6 moderate, 4 high)
@jmhodges jmhodges changed the title high security vulns in 0.4.2 via globby and yargs dependencies high and moderate security vulns in 0.4.2 via globby and yargs dependencies Jan 1, 2022
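Triage of a report like the one above, as an added example that is not part of this issue and not prettier-tslint's code. `npm audit --json` emits the same information as the text report in a structured form (the npm 7+ `auditReportVersion: 2` layout: one entry per package, `via` holding either advisory objects or the names of vulnerable dependencies, `effects` pointing at the packages that depend on it, `isDirect` marking your own dependencies, and `fixAvailable` carrying `isSemVerMajor`, which is what produces the "breaking change" line). The script below finds the root-cause advisories, walks `effects` to the direct dependency that pulls each one in, and flags fixes that would need `--force`. The embedded report is constructed by hand to mirror this issue's text output; advisory `source` ids are omitted and `nodes` paths are assumed, so take the shape, not the values, from it. Pass a path to a real `audit.json` as the first argument to run it on your own project.

```javascript
"use strict";

// Added example: triage helpers over an `npm audit --json` report. Not part of
// prettier-tslint. The sample report is constructed to mirror this issue's text
// output; a real report also carries numeric advisory `source` ids.
const FIX = { name: "prettier-tslint", version: "0.2.0", isSemVerMajor: true };
const adv = (name, title, url, severity, range) =>
  ({ name, dependency: name, title, url, severity, range });
const vuln = (name, severity, range, via, effects, isDirect = false) =>
  ({ name, severity, isDirect, via, effects, range, nodes: [`node_modules/${name}`], fixAvailable: FIX });

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "ansi-regex": vuln("ansi-regex", "moderate", ">2.1.1 <5.0.1",
      [adv("ansi-regex", "Inefficient Regular Expression Complexity in chalk/ansi-regex",
        "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "moderate", ">2.1.1 <5.0.1")],
      ["strip-ansi"]),
    "strip-ansi": vuln("strip-ansi", "moderate", "4.0.0 - 5.2.0", ["ansi-regex"], ["cliui", "string-width"]),
    "string-width": vuln("string-width", "moderate", "2.1.0 - 4.1.0", ["strip-ansi"], ["cliui"]),
    "cliui": vuln("cliui", "moderate", "4.0.0 - 5.0.0", ["strip-ansi", "string-width"], ["yargs"]),
    "yargs-parser": vuln("yargs-parser", "moderate", "6.0.0 - 13.1.1",
      [adv("yargs-parser", "Prototype Pollution in yargs-parser",
        "https://github.com/advisories/GHSA-p9pc-299p-vxgp", "moderate", "6.0.0 - 13.1.1")],
      ["yargs"]),
    "yargs": vuln("yargs", "moderate", "8.0.0-candidate.0 - 15.0.0", ["cliui", "yargs-parser"], ["prettier-tslint"]),
    "glob-parent": vuln("glob-parent", "high", "<5.1.2",
      [adv("glob-parent", "Regular expression denial of service",
        "https://github.com/advisories/GHSA-ww39-953v-wcq6", "high", "<5.1.2")],
      ["fast-glob"]),
    "fast-glob": vuln("fast-glob", "high", "<=2.2.7", ["glob-parent"], ["globby"]),
    "globby": vuln("globby", "high", "8.0.0 - 9.2.0", ["fast-glob"], ["prettier-tslint"]),
    "prettier-tslint": vuln("prettier-tslint", "high", ">=0.3.0", ["globby", "yargs"], [], true),
  },
};

// Root causes carry at least one advisory object in `via`; packages that are
// only vulnerable because of what they depend on carry package-name strings.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"));
}

// Every simple path from `name` along `effects` edges up to a direct dependency
// (or a package nothing else depends on). `seen` cuts cycles in the graph.
function pathsToDirect(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || v.isDirect || v.effects.length === 0) return [[name]];
  const onPath = new Set(seen).add(name);
  const out = [];
  for (const next of v.effects) {
    if (onPath.has(next)) continue; // cycle guard
    for (const tail of pathsToDirect(report, next, onPath)) out.push([name, ...tail]);
  }
  return out;
}

// One row per advisory: what it is, which of your direct dependencies reaches
// it, and whether the offered fix is a semver-major change. `npm audit fix`
// applies only non-major fixes; a major one needs --force, and here that means
// moving the direct dependency to another major version (a downgrade in this issue).
function triage(report) {
  return rootCauses(report).map((v) => {
    const paths = pathsToDirect(report, v.name);
    const fix = v.fixAvailable;
    return {
      package: v.name,
      severity: v.severity,
      vulnerableRange: v.range,
      advisories: v.via.filter((x) => typeof x === "object").map((a) => ({ title: a.title, url: a.url })),
      directDependencies: [...new Set(paths.map((p) => p[p.length - 1]))],
      paths,
      fixNeedsForce: typeof fix === "object" && fix.isSemVerMajor === true,
      fixTarget: typeof fix === "object" ? `${fix.name}@${fix.version}` : fix,
    };
  });
}

// Severity histogram, the same numbers as the report's closing summary line.
function countBySeverity(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  return counts;
}

function formatTriage(report) {
  const lines = [];
  for (const row of triage(report)) {
    lines.push(`${row.severity.toUpperCase()} ${row.package} ${row.vulnerableRange}`);
    for (const a of row.advisories) lines.push(`  ${a.title} (${a.url})`);
    for (const p of row.paths) lines.push(`  via ${p.join(" -> ")}`);
    lines.push(row.fixNeedsForce
      ? `  fix: ${row.fixTarget} is semver-major; npm audit fix would need --force`
      : `  fix: ${row.fixTarget}`);
  }
  return lines.join("\n");
}

if (typeof require === "function" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) // e.g. npm audit --json > audit.json
    : SAMPLE_REPORT;
  console.log(formatTriage(report));
  console.log(countBySeverity(report));
}
```

On the sample, all three advisories bottom out in the same direct dependency and the same `--force` target, so the decision is really one question: whether taking prettier-tslint back to 0.2.0 is acceptable, or whether to wait for a release that moves globby and yargs past the affected ranges. The `paths` output is also what to check against how the tool is actually invoked: a ReDoS in a glob or ANSI-stripping library and prototype pollution in an argument parser are only reachable through inputs that flow into those calls, which for a formatter run locally means the file patterns and flags on its own command line.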