google / gts

☂️ TypeScript style guide, formatter, and linter.

Home Page: https://github.com/google/gts


gts 3.1.0 has 13 vulnerabilities - npm audit fix --force loop 3.1.0 => 4.0.0 => 2.0.2 => 4.0.0

Timothy-Dement opened this issue · comments

Overview

The 3.1.0 and 4.0.0 versions of gts each have a set of moderate vulnerabilities, and running npm audit fix --force causes an upgrade loop.

Versions

  • node.js v16.16.0
  • npm 8.14.0
  • gts 3.1.0

Details

The 3.1.0 version of gts has 13 moderate vulnerabilities:

3.1.0 audit details

Will install gts@4.0.0, which is a breaking change

# npm audit report

glob-parent  <6.0.1
Severity: moderate
glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install gts@4.0.0, which is a breaking change
node_modules/glob-parent
  eslint  6.0.0-alpha.0 - 7.32.0
  Depends on vulnerable versions of glob-parent
  node_modules/eslint
    gts  *
    Depends on vulnerable versions of @typescript-eslint/eslint-plugin
    Depends on vulnerable versions of @typescript-eslint/parser
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of update-notifier
    node_modules/gts
  fast-glob  *
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  >=8.0.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @typescript-eslint/typescript-estree  >=3.10.2-alpha.0
      Depends on vulnerable versions of globby
      node_modules/@typescript-eslint/typescript-estree
        @typescript-eslint/experimental-utils  3.10.2-alpha.0 - 5.9.1
        Depends on vulnerable versions of @typescript-eslint/typescript-estree
        node_modules/@typescript-eslint/experimental-utils
          @typescript-eslint/eslint-plugin  >=3.10.2-alpha.0
          Depends on vulnerable versions of @typescript-eslint/experimental-utils
          Depends on vulnerable versions of @typescript-eslint/parser
          node_modules/@typescript-eslint/eslint-plugin
        @typescript-eslint/parser  >=3.10.2-alpha.0
        Depends on vulnerable versions of @typescript-eslint/typescript-estree
        node_modules/@typescript-eslint/parser

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install gts@4.0.0, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

13 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Running npm audit fix --force upgrades to the 4.0.0 version of gts which still has 9 moderate vulnerabilities:

4.0.0 audit details

Will install gts@2.0.2, which is a breaking change

# npm audit report

glob-parent  <6.0.1
Severity: moderate
glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install gts@2.0.2, which is a breaking change
node_modules/fast-glob/node_modules/glob-parent
  fast-glob  *
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  >=8.0.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @typescript-eslint/typescript-estree  >=3.10.2-alpha.0
      Depends on vulnerable versions of globby
      node_modules/@typescript-eslint/typescript-estree
        @typescript-eslint/parser  >=3.10.2-alpha.0
        Depends on vulnerable versions of @typescript-eslint/typescript-estree
        node_modules/@typescript-eslint/parser
          @typescript-eslint/eslint-plugin  >=4.0.1-alpha.0
          Depends on vulnerable versions of @typescript-eslint/parser
          Depends on vulnerable versions of @typescript-eslint/type-utils
          Depends on vulnerable versions of @typescript-eslint/utils
          node_modules/@typescript-eslint/eslint-plugin
          gts  >=3.0.0-alpha.1
          Depends on vulnerable versions of @typescript-eslint/eslint-plugin
          Depends on vulnerable versions of @typescript-eslint/parser
          node_modules/gts
        @typescript-eslint/utils  *
        Depends on vulnerable versions of @typescript-eslint/typescript-estree
        node_modules/@typescript-eslint/utils
          @typescript-eslint/type-utils  >=5.9.2-alpha.0
          Depends on vulnerable versions of @typescript-eslint/utils
          node_modules/@typescript-eslint/type-utils

9 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Running npm audit fix --force once more improperly downgrades to the 2.0.0 version of gts, which introduces a loop:

2.0.2 audit details

Will install gts@4.0.0, which is a breaking change

# npm audit report

glob-parent  <6.0.1
Severity: moderate
glob-parent before 6.0.1 vulnerable to Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install gts@4.0.0, which is a breaking change
node_modules/glob-parent
  eslint  6.0.0-alpha.0 - 7.32.0
  Depends on vulnerable versions of glob-parent
  node_modules/eslint
    gts  <=3.1.0
    Depends on vulnerable versions of eslint
    Depends on vulnerable versions of update-notifier
    node_modules/gts

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install gts@4.0.0, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

7 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
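An added example (not code from gts or from the issue author) showing how to spot the loop described above before applying it: walk the `fixAvailable` targets that `npm audit --json` reports at each version and stop when a version recurs. It assumes the npm 7+ JSON report shape (auditReportVersion 2, where each vulnerability carries a `fixAvailable` object with `name`, `version` and `isSemVerMajor`); the three reports are constructed to mirror the figures in this issue (3.1.0 => 4.0.0 => 2.0.2 => 4.0.0), not captured from a live run. The helper names (`make_report`, `forced_fix_target`, `advisory_urls`, `walk_fix_chain`) are this example's own.

```python
"""Detect an `npm audit fix --force` upgrade loop from audit JSON reports.

Added example; assumes the auditReportVersion-2 format of `npm audit --json`
(npm 7 and later). The sample reports are constructed from the issue text.
"""
import json
from typing import Optional


def make_report(fix_version: str, advisories: dict[str, tuple[str, str]]) -> str:
    """Build a minimal auditReportVersion-2 document (constructed sample data)."""
    vulns = {}
    for name, (rng, url) in advisories.items():
        vulns[name] = {
            "name": name,
            "severity": "moderate",
            "isDirect": False,
            "via": [{"name": name, "title": "...", "url": url,
                     "severity": "moderate", "range": rng}],
            "range": rng,
            "nodes": [f"node_modules/{name}"],
            # the breaking fix npm would apply with --force
            "fixAvailable": {"name": "gts", "version": fix_version, "isSemVerMajor": True},
        }
    return json.dumps({"auditReportVersion": 2, "vulnerabilities": vulns})


GLOB_PARENT = ("<6.0.1", "https://github.com/advisories/GHSA-cj88-88mr-972w")
GOT = ("<11.8.5", "https://github.com/advisories/GHSA-pfrx-2q88-qq97")

# Constructed: what `npm audit --json` would say with gts pinned at each version,
# mirroring the three audit reports in the issue.
REPORTS = {
    "3.1.0": make_report("4.0.0", {"glob-parent": GLOB_PARENT, "got": GOT}),
    "4.0.0": make_report("2.0.2", {"glob-parent": GLOB_PARENT}),
    "2.0.2": make_report("4.0.0", {"glob-parent": GLOB_PARENT, "got": GOT}),
}


def forced_fix_target(report_json: str, package: str) -> Optional[str]:
    """Version that `npm audit fix --force` would install for `package`,
    or None if no vulnerability names that package as its breaking fix."""
    report = json.loads(report_json)
    for vuln in report.get("vulnerabilities", {}).values():
        fix = vuln.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("name") == package:
            return fix["version"]
    return None


def advisory_urls(report_json: str) -> set[str]:
    """Distinct advisory URLs in a report, for manual triage of the findings."""
    report = json.loads(report_json)
    urls: set[str] = set()
    for vuln in report.get("vulnerabilities", {}).values():
        for via in vuln.get("via", []):
            if isinstance(via, dict) and "url" in via:
                urls.add(via["url"])
    return urls


def walk_fix_chain(reports: dict[str, str], package: str, start: str,
                   max_steps: int = 10) -> tuple[list[str], Optional[str]]:
    """Follow forced-fix targets from `start`.

    Returns (path, cycle_at): `path` is the sequence of versions npm would
    install; `cycle_at` is the version that recurred, or None if the chain
    terminates (no report for the version, or no breaking fix suggested)."""
    path = [start]
    current = start
    for _ in range(max_steps):
        report = reports.get(current)
        if report is None:
            return path, None
        nxt = forced_fix_target(report, package)
        if nxt is None:
            return path, None
        path.append(nxt)
        if nxt in path[:-1]:
            return path, nxt
        current = nxt
    return path, None


if __name__ == "__main__":
    chain, loop_at = walk_fix_chain(REPORTS, "gts", "3.1.0")
    print(" => ".join(chain))
    if loop_at:
        print(f"--force would loop back to {loop_at}; hold the upgrade and review:")
        for url in sorted(advisory_urls(REPORTS[chain[-1]])):
            print("  ", url)
```

In a real check the three report strings would come from running `npm audit --json` with the package pinned at each candidate version; the rest of the logic is unchanged.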

The alert is false, report this to GitHub: github/advisory-database#531

Ah thank you @paulmillr - closing here 👍