digitalocean / nginxconfig.io

⚙️ NGINX config generator on steroids 💉

Home Page: https://do.co/nginxconfig


npm ci -> 3 vulnerabilities (2 high, 1 critical)

mralusw opened this issue

Same setup as in #414; in addition to the problems there, there was also this message at the end of npm ci: 3 vulnerabilities (2 high, 1 critical).

npm audit reports:

```
# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/json5
node_modules/adjust-sourcemap-loader/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/json5
node_modules/mini-css-extract-plugin/node_modules/json5
node_modules/posthtml-loader/node_modules/json5
node_modules/resolve-url-loader/node_modules/json5
node_modules/thread-loader/node_modules/json5
node_modules/vue-loader/node_modules/json5
node_modules/yaml-loader/node_modules/json5
  loader-utils  <=1.4.2
  Depends on vulnerable versions of json5
  node_modules/loader-utils


qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/request/node_modules/qs

3 vulnerabilities (2 high, 1 critical)
```

Is this... something to be expected?

Yes, it's quite common for there to be some vulnerabilities listed for dependencies. Feel free to open a PR to resolve them if you wish.
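An added example, not part of the original thread or the nginxconfig.io code base: a triage pass over the JSON form of the report above (`npm audit --json`), separating packages that carry their own advisory from packages listed only because they depend on one. The names `sampleReport` and `triage` are hypothetical, and the sample data is constructed from the values quoted in the issue.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// trimmed to the fields read below; json5's install paths are a subset.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    json5: {
      name: "json5", severity: "high", fixAvailable: true,
      via: [{ title: "Prototype Pollution in JSON5 via Parse Method",
              url: "https://github.com/advisories/GHSA-9c47-m6qq-7p4h" }],
      nodes: ["node_modules/json5",
              "node_modules/@babel/core/node_modules/json5",
              "node_modules/vue-loader/node_modules/json5"],
    },
    "loader-utils": {
      name: "loader-utils", fixAvailable: true,
      via: ["json5"], nodes: ["node_modules/loader-utils"], // string = vulnerable dependency
    },
    qs: {
      name: "qs", severity: "high", fixAvailable: true,
      via: [{ title: "qs vulnerable to Prototype Pollution",
              url: "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }],
      nodes: ["node_modules/request/node_modules/qs"],
    },
  },
};
// Split entries into packages that carry an advisory of their own and
// packages listed only because a dependency of theirs is vulnerable.
function triage(report) {
  const roots = [], dependents = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    const advisories = (v.via || []).filter((x) => typeof x === "object");
    const upstream = (v.via || []).filter((x) => typeof x === "string");
    const nodes = v.nodes || [];
    if (advisories.length === 0) {
      dependents.push({ name: v.name, because: upstream });
      continue;
    }
    roots.push({
      name: v.name, severity: v.severity,
      advisories: advisories.map((a) => a.url),
      copies: nodes.length,
      // A nested copy is installed for one parent package, not hoisted.
      nested: nodes.filter((n) => n.lastIndexOf("node_modules/") > 0).length,
      auditFix: v.fixAvailable === true, // true: plain `npm audit fix` applies
    });
  }
  return { roots, dependents };
}
console.log(JSON.stringify(triage(sampleReport), null, 2));
```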