`1 critical` vulnerability when running `npm install`
hamirmahal opened this issue
```
hamir@hamir-desktop:~/linguist (master)$ npm install
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @stylelint/postcss-markdown@0.36.2: Use the original unforked package instead: postcss-markdown
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated sourcemap-codec@1.4.8: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @stylelint/postcss-css-in-js@0.37.3: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.21.0: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> browser-addon@5.0.7 prepare
> husky install

husky - Git hooks installed

added 1949 packages, and audited 1950 packages in 10s

262 packages are looking for funding
  run `npm fund` for details

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)
```
What is the problem here? Which packages exactly are vulnerable, and how may they be exploited?
There are a lot of details, but you should be able to see all of them when running `npm audit`.

Output of `npm audit` on the main branch:
```
~/linguist (master)$ npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install google-tts-api@0.0.6, which is a breaking change
node_modules/axios
node_modules/google-tts-api/node_modules/axios
  @translate-tools/core  >=0.0.11
  Depends on vulnerable versions of axios
  node_modules/@translate-tools/core
  google-tts-api  >=2.0.0
  Depends on vulnerable versions of axios
  node_modules/google-tts-api

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
  color  <=0.11.4
  Depends on vulnerable versions of color-string
  node_modules/color
    css-color-function  *
    Depends on vulnerable versions of color
    node_modules/css-color-function
      @yandex/themekit  <=1.6.8
      Depends on vulnerable versions of css-color-function
      Depends on vulnerable versions of json5
      node_modules/@yandex/themekit

express  <=4.19.1 || 5.0.0-alpha.1 - 5.0.0-beta.1
Severity: high
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of download
  Depends on vulnerable versions of express
  node_modules/addons-scanner-utils
    addons-linter  *
    Depends on vulnerable versions of addons-scanner-utils
    Depends on vulnerable versions of ajv-merge-patch
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of semver
    node_modules/addons-linter
      web-ext  1.0.0 - 7.6.2
      Depends on vulnerable versions of @devicefarmer/adbkit
      Depends on vulnerable versions of addons-linter
      Depends on vulnerable versions of firefox-profile
      Depends on vulnerable versions of sign-addon
      Depends on vulnerable versions of update-notifier
      node_modules/web-ext

fast-json-patch  <3.1.1
Severity: high
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - https://github.com/advisories/GHSA-8gh8-hqwg-xf34
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/fast-json-patch
  ajv-merge-patch  *
  Depends on vulnerable versions of fast-json-patch
  node_modules/ajv-merge-patch

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@yandex/themekit/node_modules/json5

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/jsonwebtoken
  sign-addon  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/sign-addon

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/node-forge
  @devicefarmer/adbkit  <=3.2.1
  Depends on vulnerable versions of node-forge
  node_modules/@devicefarmer/adbkit

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/webpack@8.1.0, which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

postcss  <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install stylelint@16.3.1, which is a breaking change
node_modules/addons-linter/node_modules/postcss
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/postcss-less/node_modules/postcss
node_modules/postcss-rem-to-pixel/node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/postcss-sass/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
node_modules/stylelint/node_modules/postcss
node_modules/sugarss/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    stylelint  0.1.0 - 13.13.1
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of sugarss
    node_modules/stylelint
      stylelint-config-recommended  <=2.2.0 || 4.0.0 - 5.0.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-config-recommended
      stylelint-config-standard  4.0.1 - 18.3.0 || 21.0.0 - 22.0.0
      Depends on vulnerable versions of stylelint
      Depends on vulnerable versions of stylelint-config-recommended
      node_modules/stylelint-config-standard
  postcss-less  <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-rem-to-pixel  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-rem-to-pixel
  postcss-safe-parser  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass  <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss  <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

qs  6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/qs
  body-parser  1.19.1 || 2.0.0-beta.1
  Depends on vulnerable versions of qs
  node_modules/body-parser

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/request

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/@oclif/command/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/addons-linter/node_modules/semver
node_modules/conf/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/download/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/jsonwebtoken/node_modules/semver
node_modules/node-abi/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/postcss-loader/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/sharp/node_modules/semver
node_modules/ts-jest/node_modules/semver
node_modules/ts-loader/node_modules/semver
node_modules/update-notifier/node_modules/semver
  @commitlint/is-ignored  9.0.0 - 17.6.5
  Depends on vulnerable versions of semver
  node_modules/@commitlint/is-ignored
    @commitlint/lint  9.0.0 - 16.2.4
    Depends on vulnerable versions of @commitlint/is-ignored
    node_modules/@commitlint/lint
      @commitlint/cli  9.0.0 - 16.3.0
      Depends on vulnerable versions of @commitlint/lint
      node_modules/@commitlint/cli

sharp  <0.32.6
Severity: high
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via `npm audit fix`
node_modules/sharp

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install web-ext@7.11.0, which is a breaking change
node_modules/xml2js
  firefox-profile  <=4.2.2
  Depends on vulnerable versions of xml2js
  node_modules/firefox-profile

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)
```