foreversd / forever

A simple CLI tool for ensuring that a given script runs continuously (i.e. forever)

Home Page: http://github.com/foreverjs/forever


Vulnerable dependencies on forever@4.0.1

freedude opened this issue

Snyk report is showing multiple vulnerable dependencies on latest version of this repo.

1 high, 2 medium, 1 low in severity
https://snyk.io/test/npm/forever

Do you have any fix in the pipeline or an ETA on when this will be patched and resolved?

Thanks,

[Screenshot attached: Screen Shot 2022-01-18 at 08 49 17]

Still happening for glob-parent.

This still seems to be an issue. I'm using forever v4.0.3

```
# npm audit report

glob-parent  <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install forever@0.14.2, which is a breaking change
node_modules/chokidar/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    forever-monitor  >=1.6.0
    Depends on vulnerable versions of chokidar
    node_modules/forever-monitor
      forever  >=0.10.11
      Depends on vulnerable versions of flatiron
      Depends on vulnerable versions of forever-monitor
      node_modules/forever

minimist  <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install forever@0.14.2, which is a breaking change
node_modules/optimist/node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    flatiron  >=0.3.9
    Depends on vulnerable versions of optimist
    node_modules/flatiron
      forever  >=0.10.11
      Depends on vulnerable versions of flatiron
      Depends on vulnerable versions of forever-monitor
      node_modules/forever
    nconf  0.6.9 - 0.7.1
    Depends on vulnerable versions of optimist
    node_modules/nconf
      broadway  0.2.9 - 0.3.6
      Depends on vulnerable versions of nconf
      node_modules/broadway

9 vulnerabilities (5 moderate, 4 high)
```

Still an issue.
```
npm WARN deprecated source-map-url@0.4.1: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated source-map-resolve@0.5.3: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies

changed 297 packages, and audited 298 packages in 4s

44 packages are looking for funding
run npm fund for details

13 vulnerabilities (1 moderate, 11 high, 1 critical)
```

audit fix won't solve the problem
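As an added example (not code from the forever project or from anyone in this thread), the Node.js script below reproduces what the two `npm audit` chains quoted earlier and the final comment are about: it walks a dependency tree, reports every path that ends at a package inside an advisory's vulnerable range, and emits the `overrides` stanza (package.json, npm 8.3 and later) that can pin a transitive dependency when the upstream project has not updated and the only fix `npm audit` offers is a breaking downgrade. The tree, the installed versions of the intermediate packages and the fixed ranges in the overrides are constructed assumptions for the example; the advisory names, vulnerable ranges and GHSA ids are the ones printed in the thread.

```javascript
// Added example (not the forever project's own code): walk an installed
// dependency tree, report every path ending at a package whose version falls
// inside an advisory's vulnerable range, and emit the package.json
// "overrides" block (npm >= 8.3) that would pin a fixed version.

// Constructed dependency tree: name -> { version, deps }. The chains mirror
// the audit output in the thread; the intermediate versions are sample values.
const SAMPLE_TREE = {
  'forever':         { version: '4.0.3',  deps: ['forever-monitor', 'flatiron'] },
  'forever-monitor': { version: '3.0.3',  deps: ['chokidar'] },
  'chokidar':        { version: '2.1.8',  deps: ['glob-parent'] },
  'glob-parent':     { version: '3.1.0',  deps: [] },
  'flatiron':        { version: '0.4.3',  deps: ['optimist'] },
  'optimist':        { version: '0.6.1',  deps: ['minimist'] },
  'minimist':        { version: '0.0.10', deps: [] },
};

// Advisory ranges exactly as `npm audit` printed them in the thread.
const ADVISORIES = [
  { name: 'glob-parent', range: '<5.1.2', severity: 'high',     id: 'GHSA-ww39-953v-wcq6' },
  { name: 'minimist',    range: '<0.2.1', severity: 'moderate', id: 'GHSA-vh95-rmgr-6w4m' },
];

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release tag is dropped.
// Enough for the audit ranges shown, not a full semver implementation.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Lexicographic compare of the three numeric components: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Evaluate a space-separated set of comparators such as "<5.1.2" or
// ">=1.0.0 <2.0.0" (all clauses must hold). Caret, tilde and hyphen ranges
// are deliberately not handled here.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || '=') {
      case '<':  return cmp < 0;
      case '<=': return cmp <= 0;
      case '>':  return cmp > 0;
      case '>=': return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Depth-first walk from `root`; every path that ends at a package matching
// an advisory is reported. `path.includes(name)` guards against cycles.
function findVulnerablePaths(tree, root, advisories) {
  const findings = [];
  const walk = (name, path) => {
    const node = tree[name];
    if (!node || path.includes(name)) return;
    const here = [...path, name];
    for (const adv of advisories) {
      if (adv.name === name && satisfies(node.version, adv.range)) {
        findings.push({ name, version: node.version, severity: adv.severity,
                        id: adv.id, path: here.join(' > ') });
      }
    }
    for (const dep of node.deps) walk(dep, here);
  };
  walk(root, []);
  return findings;
}

// Build the package.json "overrides" block that forces each vulnerable
// package to the supplied fixed range. The fixed ranges are assumptions for
// this example; whether the parent package still works with them has to be
// confirmed by the application's own tests.
function buildOverrides(findings, fixedRanges) {
  const overrides = {};
  for (const f of findings) {
    if (fixedRanges[f.name]) overrides[f.name] = fixedRanges[f.name];
  }
  return { overrides };
}

// Stand-alone run: print each vulnerable path, then the overrides stanza.
const findings = findVulnerablePaths(SAMPLE_TREE, 'forever', ADVISORIES);
for (const f of findings) {
  console.log(`${f.severity.padEnd(8)} ${f.id} ${f.name}@${f.version}: ${f.path}`);
}
console.log(JSON.stringify(
  buildOverrides(findings, { 'glob-parent': '>=5.1.2', minimist: '>=0.2.1' }), null, 2));
```

Run it with `node`; for a real project, build the tree from `npm ls --all --json` instead of the constructed one. An override forces a version the parent package may never have been tested against (it can be outside the range that parent declares), so treat the emitted stanza as a starting point, run the application's test suite after applying it, and remember that a clean `npm audit` afterwards only says the installed versions left the advisory ranges, not that the override is compatible.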