unfolding-io / nebulix

Nebulix, a Fast & Green Theme Based on Astro + Static CMS + Snipcart

Home Page:https://nebulix.unfolding.io/


vulnerabilities on install

rowemoore opened this issue · comments

Windows 10. `audit fix` and `audit fix --force` are not working.

```
# npm audit report

file-type 17.0.0 - 17.1.2
Severity: high
file-type vulnerable to Infinite Loop via malformed MKV file - GHSA-mhxj-85r3-2x55
fix available via npm audit fix --force
Will install astro-imagetools@0.2.7, which is a breaking change
node_modules/astro-imagetools/node_modules/file-type
  astro-imagetools *
  Depends on vulnerable versions of file-type
  Depends on vulnerable versions of imagetools-core
  Depends on vulnerable versions of potrace
  node_modules/astro-imagetools

sharp <0.30.5
Severity: moderate
sharp vulnerable to Command Injection in post-installation over build environment - GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install astro-imagetools@0.2.7, which is a breaking change
node_modules/imagetools-core/node_modules/sharp
  imagetools-core <=3.0.2
  Depends on vulnerable versions of sharp
  node_modules/imagetools-core

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - GHSA-776f-qx25-q3cc
fix available via npm audit fix
node_modules/xml2js
  parse-bmfont-xml *
  Depends on vulnerable versions of xml2js
  node_modules/parse-bmfont-xml
    load-bmfont >=1.1.0
    Depends on vulnerable versions of parse-bmfont-xml
    node_modules/load-bmfont
      @jimp/core <=0.17.1 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
      Depends on vulnerable versions of load-bmfont
      node_modules/potrace/node_modules/@jimp/core
        @jimp/custom <=0.17.0--canary.1131.af3cb94.0 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
        Depends on vulnerable versions of @jimp/core
        node_modules/potrace/node_modules/@jimp/custom
          jimp >=0.3.6-alpha.5
          Depends on vulnerable versions of @jimp/custom
          Depends on vulnerable versions of @jimp/plugins
          node_modules/potrace/node_modules/jimp
            potrace >=2.1.2
            Depends on vulnerable versions of jimp
            node_modules/potrace
      @jimp/plugin-print *
      Depends on vulnerable versions of load-bmfont
      node_modules/@jimp/plugin-print
        @jimp/plugins *
        Depends on vulnerable versions of @jimp/plugin-print
        node_modules/@jimp/plugins

13 vulnerabilities (11 moderate, 2 high)
```

Hi @rowemoore,
I think this is related to astro-imagetools. The latest version is 0.9, so I can't imagine that a fix would be to downgrade.

I could be wrong, but the site is built in SSG, so the vulnerabilities are not exposed on the live site. Can you let me know how someone could exploit this?

Thanks for the report.
I will investigate whether I can find a fix for this.
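The audit output above shows why `npm audit fix` refuses and `--force` offers only a downgrade: the three actual advisories (file-type, sharp, xml2js) sit several levels below `astro-imagetools`, and the only version of that direct dependency whose lock-tree avoids them is 0.2.7, a semver-major step backwards. The usual way out is to decide per advisory whether the build pipeline is exposed, then pin the patched transitive versions with an `overrides` stanza in `package.json` (npm 8.3 or later) instead of downgrading the direct dependency. The triage script below is an added example written for this page; it is not code from the nebulix repository or from npm. It works on the JSON form of the same report (`npm audit --json`, `auditReportVersion` 2), which is assumed to have the shape sketched in `SAMPLE_REPORT`; that sample is constructed to mirror the text report in the issue, with the jimp chain collapsed to keep it short and placeholder advisory `source` numbers. The version floors it derives ("first version outside the reported range") are a heuristic and must be confirmed against each GHSA before use. Note also what the advisory titles say about exposure: sharp's issue is in the post-install step "over build environment", and file-type's infinite loop is triggered by a malformed input file, so the threat model to reason about is the machine or CI job that runs the build, not the static HTML it emits.

```javascript
// Added example, not part of the nebulix project: triage an `npm audit --json`
// (auditReportVersion 2) report and draft an `overrides` stanza for it.
// Every value below is constructed to mirror the text report in the issue.
const FIX = { name: "astro-imagetools", version: "0.2.7", isSemVerMajor: true };

// An advisory object as npm places it inside a vulnerability's `via` array.
// `source: 0` is a placeholder for npm's numeric advisory ID.
const advisory = (name, severity, range, title, ghsa) => ({
  source: 0, name, dependency: name, title, severity, range,
  url: "https://github.com/advisories/" + ghsa,
});

// A vulnerability entry; `via` holds advisory objects (package itself is
// vulnerable) or package names (vulnerable only through a dependency).
const entry = (name, severity, via, effects, range, extra = {}) => ({
  name, severity, isDirect: false, via, effects, range,
  nodes: ["node_modules/" + name], fixAvailable: FIX, ...extra,
});

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "file-type": entry("file-type", "high",
      [advisory("file-type", "high", "17.0.0 - 17.1.2",
        "file-type vulnerable to Infinite Loop via malformed MKV file", "GHSA-mhxj-85r3-2x55")],
      ["astro-imagetools"], "17.0.0 - 17.1.2"),
    sharp: entry("sharp", "moderate",
      [advisory("sharp", "moderate", "<0.30.5",
        "sharp vulnerable to Command Injection in post-installation over build environment",
        "GHSA-gp95-ppv5-3jc5")],
      ["imagetools-core"], "<0.30.5"),
    "imagetools-core": entry("imagetools-core", "moderate", ["sharp"], ["astro-imagetools"], "<=3.0.2"),
    xml2js: entry("xml2js", "moderate",
      [advisory("xml2js", "moderate", "<0.5.0",
        "xml2js is vulnerable to prototype pollution", "GHSA-776f-qx25-q3cc")],
      ["parse-bmfont-xml"], "<0.5.0", { fixAvailable: true }),
    "parse-bmfont-xml": entry("parse-bmfont-xml", "moderate", ["xml2js"], ["load-bmfont"], "*", { fixAvailable: true }),
    // The @jimp/* hops from the real report are collapsed into jimp here.
    "load-bmfont": entry("load-bmfont", "moderate", ["parse-bmfont-xml"], ["jimp"], ">=1.1.0"),
    jimp: entry("jimp", "moderate", ["load-bmfont"], ["potrace"], ">=0.3.6-alpha.5"),
    potrace: entry("potrace", "moderate", ["jimp"], ["astro-imagetools"], ">=2.1.2"),
    "astro-imagetools": entry("astro-imagetools", "high",
      ["file-type", "imagetools-core", "potrace"], [], "*", { isDirect: true }),
  },
};

// The advisories themselves: entries whose `via` contains an advisory object.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .flatMap((v) => v.via.filter((x) => typeof x === "object"))
    .map((a) => ({ name: a.name, severity: a.severity, range: a.range,
                   ghsa: a.url.split("/").pop(), title: a.title }));
}

// Follow `effects` upward to the direct dependencies that pull `name` in.
function directDependents(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect) return [name];
  return [...new Set(v.effects.flatMap((e) => directDependents(report, e, seen)))];
}

// Heuristic floor for an override: the first version outside the reported
// range. Confirm against the advisory; the actual patched release may be later.
function minSafeVersion(range) {
  let m = range.match(/^<(\d+\.\d+\.\d+)$/);
  if (m) return m[1];                                   // "<0.30.5" -> 0.30.5
  m = range.match(/^(?:\d+\.\d+\.\d+ - |<=)(\d+)\.(\d+)\.(\d+)$/);
  if (m) return `${m[1]}.${m[2]}.${Number(m[3]) + 1}`;  // "17.0.0 - 17.1.2" -> 17.1.3
  return null;                                          // "*", ">=x": nothing to pin
}

// Direct dependencies that `npm audit fix --force` would move across a major.
function breakingFixes(report) {
  return [...new Set(Object.values(report.vulnerabilities)
    .filter((v) => typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor)
    .map((v) => `${v.fixAvailable.name}@${v.fixAvailable.version}`))];
}

// Draft `overrides` for package.json, keyed by the vulnerable package itself.
function suggestOverrides(report) {
  const out = {};
  for (const a of rootAdvisories(report)) {
    const v = minSafeVersion(a.range);
    if (v) out[a.name] = ">=" + v;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const a of rootAdvisories(SAMPLE_REPORT)) {
    console.log(`${a.severity.padEnd(8)} ${a.name} ${a.range} (${a.ghsa}) reached via ${directDependents(SAMPLE_REPORT, a.name).join(", ")}`);
  }
  console.log("audit fix --force would install:", breakingFixes(SAMPLE_REPORT).join(", "));
  console.log(JSON.stringify({ overrides: suggestOverrides(SAMPLE_REPORT) }, null, 2));
}
```

Run it with `node triage.js`; against a real project, replace `SAMPLE_REPORT` with `JSON.parse` of the `npm audit --json` output. After adding the `overrides` block, delete `package-lock.json`, reinstall, re-run `npm audit`, and then build the site once: an override forces a version that `astro-imagetools`, `imagetools-core` and `potrace` were never tested against, so the image pipeline is the thing to exercise before trusting the clean audit.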