install(packages): overcome CVEs #89
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 3 commits
July 21, 2022 19:50
Manually installed the four packages according to the versions on the CVE site. Then I ran rpm audit fix, then make build-local, then npm run dev. Packages affected: eventsource <1.1.1 Severity: critical Exposure of Sensitive Information in eventsource - GHSA-6h5x-7c5m-7cr7 fix available via up to date, audited 1756 packages in 6s 58 packages are looking for funding run `npm fund` for details # npm audit report ajv <6.12.3 Severity: moderate Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/istanbul-instrumenter-loader/node_modules/ajv schema-utils <=0.4.3 Depends on vulnerable versions of ajv node_modules/istanbul-instrumenter-loader/node_modules/schema-utils istanbul-instrumenter-loader >=3.0.0-beta.0 Depends on vulnerable versions of schema-utils node_modules/istanbul-instrumenter-loader glob-parent <=5.1.1 Severity: high Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 4.7.2 Depends on vulnerable versions of chokidar Depends on vulnerable versions of selfsigned node_modules/webpack-dev-server copy-webpack-plugin 5.0.1 - 5.1.2 Depends on vulnerable versions of glob-parent node_modules/copy-webpack-plugin json-bigint <1.0.0 Severity: high Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/gcp-metadata/node_modules/json-bigint gcp-metadata 0.8.0 - 4.1.0 Depends on vulnerable versions of json-bigint node_modules/gcp-metadata google-auth-library 0.9.4 - 5.10.1 Depends on vulnerable versions of gcp-metadata Depends on vulnerable versions of gtoken node_modules/google-auth-library karma <=6.3.15 Severity: high Open redirect in karma - GHSA-rc3x-jf5g-xvc5 Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c Depends on vulnerable versions of ua-parser-js fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/karma node-forge <=1.2.1 Severity: high Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5 URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/node-forge google-p12-pem <=3.1.2 Depends on vulnerable versions of node-forge node_modules/google-p12-pem gtoken <=5.0.0 Depends on vulnerable versions of google-p12-pem node_modules/gtoken selfsigned 1.1.1 - 1.10.14 Depends on vulnerable versions of node-forge node_modules/selfsigned pug <3.0.1 Severity: high Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/pug pug-loader >=2.0.0 Depends on vulnerable versions of pug node_modules/pug-loader ua-parser-js <=0.7.23 Severity: high Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/ua-parser-js 21 vulnerabilities (12 moderate, 9 high) To address all issues (including breaking changes), run: npm audit fix --force node_modules/eventsource --- xmlhttprequest-ssl <=1.6.1 Severity: critical Improper Certificate Validation in xmlhttprequest-ssl - GHSA-72mh-269x-7mh5 Arbitrary Code Injection - GHSA-h4j5-c7cj-74xg fix available via up to date, audited 1756 packages in 4s 58 packages are looking for funding run `npm fund` for details # npm audit report ajv <6.12.3 Severity: moderate Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/istanbul-instrumenter-loader/node_modules/ajv schema-utils <=0.4.3 Depends on vulnerable versions of ajv node_modules/istanbul-instrumenter-loader/node_modules/schema-utils istanbul-instrumenter-loader >=3.0.0-beta.0 Depends on vulnerable versions of schema-utils node_modules/istanbul-instrumenter-loader glob-parent <=5.1.1 Severity: high Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 4.7.2 Depends on vulnerable versions of chokidar Depends on vulnerable versions of selfsigned node_modules/webpack-dev-server copy-webpack-plugin 5.0.1 - 5.1.2 Depends on vulnerable versions of glob-parent node_modules/copy-webpack-plugin json-bigint <1.0.0 Severity: high Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/gcp-metadata/node_modules/json-bigint gcp-metadata 0.8.0 - 4.1.0 Depends on vulnerable versions of json-bigint node_modules/gcp-metadata google-auth-library 0.9.4 - 5.10.1 Depends on vulnerable versions of gcp-metadata Depends on vulnerable versions of gtoken node_modules/google-auth-library karma <=6.3.15 Severity: high Open redirect in karma - GHSA-rc3x-jf5g-xvc5 Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c Depends on vulnerable versions of ua-parser-js fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/karma node-forge <=1.2.1 Severity: high Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5 URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/node-forge google-p12-pem <=3.1.2 Depends on vulnerable versions of node-forge node_modules/google-p12-pem gtoken <=5.0.0 Depends on vulnerable versions of google-p12-pem node_modules/gtoken selfsigned 1.1.1 - 1.10.14 Depends on vulnerable versions of node-forge node_modules/selfsigned pug <3.0.1 Severity: high Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/pug pug-loader >=2.0.0 Depends on vulnerable versions of pug node_modules/pug-loader ua-parser-js <=0.7.23 Severity: high Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/ua-parser-js 21 vulnerabilities (12 moderate, 9 high) To address all issues (including breaking changes), run: npm audit fix --force node_modules/xmlhttprequest-ssl --- url-parse <=1.5.8 Severity: critical Incorrect hostname / protocol due to unstripped leading control characters. - GHSA-jf5r-8hm2-f872 Authorization Bypass Through User-Controlled Key in url-parse - GHSA-hgjh-723h-mx2j Authorization bypass in url-parse - GHSA-rqff-837h-mm52 Open redirect in url-parse - GHSA-hh27-ffr2-f2jc Incorrect returned href via an '@' sign but no user info and hostname - GHSA-8v38-pw62-9cw2 Path traversal in url-parse - GHSA-9m6j-fcg5-2442 fix available via up to date, audited 1756 packages in 5s 58 packages are looking for funding run `npm fund` for details # npm audit report ajv <6.12.3 Severity: moderate Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/istanbul-instrumenter-loader/node_modules/ajv schema-utils <=0.4.3 Depends on vulnerable versions of ajv node_modules/istanbul-instrumenter-loader/node_modules/schema-utils istanbul-instrumenter-loader >=3.0.0-beta.0 Depends on vulnerable versions of schema-utils node_modules/istanbul-instrumenter-loader glob-parent <=5.1.1 Severity: high Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 4.7.2 Depends on vulnerable versions of chokidar Depends on vulnerable versions of selfsigned node_modules/webpack-dev-server copy-webpack-plugin 5.0.1 - 5.1.2 Depends on vulnerable versions of glob-parent node_modules/copy-webpack-plugin json-bigint <1.0.0 Severity: high Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/gcp-metadata/node_modules/json-bigint gcp-metadata 0.8.0 - 4.1.0 Depends on vulnerable versions of json-bigint node_modules/gcp-metadata google-auth-library 0.9.4 - 5.10.1 Depends on vulnerable versions of gcp-metadata Depends on vulnerable versions of gtoken node_modules/google-auth-library karma <=6.3.15 Severity: high Open redirect in karma - GHSA-rc3x-jf5g-xvc5 Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c Depends on vulnerable versions of ua-parser-js fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/karma node-forge <=1.2.1 Severity: high Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5 URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/node-forge google-p12-pem <=3.1.2 Depends on vulnerable versions of node-forge node_modules/google-p12-pem gtoken <=5.0.0 Depends on vulnerable versions of google-p12-pem node_modules/gtoken selfsigned 1.1.1 - 1.10.14 Depends on vulnerable versions of node-forge node_modules/selfsigned pug <3.0.1 Severity: high Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/pug pug-loader >=2.0.0 Depends on vulnerable versions of pug node_modules/pug-loader ua-parser-js <=0.7.23 Severity: high Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/ua-parser-js 21 vulnerabilities (12 moderate, 9 high) To address all issues (including breaking changes), run: npm audit fix --force node_modules/url-parse --- minimist <1.2.6 Severity: critical Prototype Pollution in minimist - GHSA-xvch-5gv4-984h fix available via up to date, audited 1756 packages in 4s 58 packages are looking for funding run `npm fund` for details # npm audit report ajv <6.12.3 Severity: moderate Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/istanbul-instrumenter-loader/node_modules/ajv schema-utils <=0.4.3 Depends on vulnerable versions of ajv node_modules/istanbul-instrumenter-loader/node_modules/schema-utils istanbul-instrumenter-loader >=3.0.0-beta.0 Depends on vulnerable versions of schema-utils node_modules/istanbul-instrumenter-loader glob-parent <=5.1.1 Severity: high Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6 glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/glob-parent chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of glob-parent node_modules/watchpack-chokidar2/node_modules/chokidar node_modules/webpack-dev-server/node_modules/chokidar watchpack-chokidar2 * Depends on vulnerable versions of chokidar node_modules/watchpack-chokidar2 watchpack 1.7.2 - 1.7.5 Depends on vulnerable versions of watchpack-chokidar2 node_modules/watchpack webpack 4.44.0 - 4.46.0 Depends on vulnerable versions of watchpack node_modules/webpack webpack-dev-server 2.0.0-beta - 4.7.2 Depends on vulnerable versions of chokidar Depends on vulnerable versions of selfsigned node_modules/webpack-dev-server copy-webpack-plugin 5.0.1 - 5.1.2 Depends on vulnerable versions of glob-parent node_modules/copy-webpack-plugin json-bigint <1.0.0 Severity: high Uncontrolled Resource Consumption in json-bigint - GHSA-wgfq-7857-4jcc fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/gcp-metadata/node_modules/json-bigint gcp-metadata 0.8.0 - 4.1.0 Depends on vulnerable versions of json-bigint node_modules/gcp-metadata google-auth-library 0.9.4 - 5.10.1 Depends on vulnerable versions of gcp-metadata Depends on vulnerable versions of gtoken node_modules/google-auth-library karma <=6.3.15 Severity: high Open redirect in karma - GHSA-rc3x-jf5g-xvc5 Cross-site Scripting in karma - GHSA-7x7c-qm48-pq9c Depends on vulnerable versions of ua-parser-js fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/karma node-forge <=1.2.1 Severity: high Open Redirect in node-forge - GHSA-8fr3-hfg3-gpgp Prototype Pollution in node-forge debug API. - GHSA-5rrq-pxf6-6jx5 URL parsing in node-forge could lead to undesired behavior. - GHSA-gf8q-jrpm-jvxq Improper Verification of Cryptographic Signature in `node-forge` - GHSA-2r2c-g63r-vccr Improper Verification of Cryptographic Signature in node-forge - GHSA-x4jg-mjrx-434g Improper Verification of Cryptographic Signature in node-forge - GHSA-cfm4-qjh2-4765 fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/node-forge google-p12-pem <=3.1.2 Depends on vulnerable versions of node-forge node_modules/google-p12-pem gtoken <=5.0.0 Depends on vulnerable versions of google-p12-pem node_modules/gtoken selfsigned 1.1.1 - 1.10.14 Depends on vulnerable versions of node-forge node_modules/selfsigned pug <3.0.1 Severity: high Remote code execution via the `pretty` option. - GHSA-p493-635q-r6gr fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/pug pug-loader >=2.0.0 Depends on vulnerable versions of pug node_modules/pug-loader ua-parser-js <=0.7.23 Severity: high Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-394c-5j6w-4xmx Regular Expression Denial of Service (ReDoS) in ua-parser-js - GHSA-78cj-fxph-m83p fix available via `npm audit fix --force` Will install [email protected], which is a breaking change node_modules/ua-parser-js 21 vulnerabilities (12 moderate, 9 high) To address all issues (including breaking changes), run: npm audit fix --force node_modules/@babel/core/node_modules/minimist node_modules/babel-loader/node_modules/minimist node_modules/minimist node_modules/portfinder/node_modules/minimist node_modules/webpack/node_modules/minimist
Closed
7 tasks
|
Duplicate |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Manually installed the four packages according to the versions on the CVE site. Then I ran
npm audit fix, thenmake build-local, thennpm run dev.