fix: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high #108

Merged
trentlarson merged 1 commit from jsnbuchanan/crowd-funder-for-time-pwa:master into master 6 months ago
Owner

Previously an npm audit revealed 14 vulnerabilities (1 low, 12 moderate, 1 high).

I ran npm audit fix to resolve 5 vulnerabilities (1 low, 3 moderate, 1 high).

There are still 9 moderate severity vulnerabilities, but I will work on those independently because they may involve updating to library versions that have breaking changes.

Fixed

- **Severity: moderate** *(follow-redirects <=1.15.5)* follow-redirects' Proxy-Authorization header kept across hosts, see https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
- **Severity: moderate** *(ip <1.1.9)* NPM IP package incorrectly identifies some private IP addresses as public, see https://github.com/advisories/GHSA-78xj-cgh5-2h22
- **Severity: moderate** *(jose 3.0.0 - 4.15.4)* jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext, see https://github.com/advisories/GHSA-hhhv-q57g-882q
- **Severity: low** *(undici <=5.28.2)* Undici proxy-authorization header not cleared on cross-origin redirect in fetch, see https://github.com/advisories/GHSA-3787-6prv-h9w3
- **Severity: high** *(webpack-dev-middleware <=5.3.3)* Path traversal in webpack-dev-middleware, see https://github.com/advisories/GHSA-wr3j-pwj9-hqq6
jsnbuchanan added 1 commit 6 months ago
7ce00b86e8
deps: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high
jsnbuchanan requested review from trentlarson 6 months ago
trentlarson merged commit cc6d0958dc into master 6 months ago
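
Added example, not part of this pull request or the project's code: a small Node.js triage of `npm audit --json` output (npm 7+ report format) that separates advisories `npm audit fix` can resolve within semver range from those that need a breaking (semver-major) upgrade or have no fix, which is the split the description above draws. The report object is constructed for illustration, and `example-lib-a`, `example-lib-b` and `example-parent` are placeholder names.

```javascript
// Constructed sample in the shape of `npm audit --json` (npm 7+).
// It is NOT this project's real audit output.
const SAMPLE_REPORT = {
  vulnerabilities: {
    "follow-redirects": { name: "follow-redirects", severity: "moderate", fixAvailable: true },
    "undici": { name: "undici", severity: "low", fixAvailable: true },
    "webpack-dev-middleware": { name: "webpack-dev-middleware", severity: "high", fixAvailable: true },
    // Placeholder packages (hypothetical names).
    "example-lib-a": {
      name: "example-lib-a", severity: "moderate",
      fixAvailable: { name: "example-parent", version: "2.0.0", isSemVerMajor: true },
    },
    "example-lib-b": { name: "example-lib-b", severity: "moderate", fixAvailable: false },
  },
};

const SEVERITY_ORDER = ["critical", "high", "moderate", "low", "info"];

// Bucket each advisory by what it takes to fix it:
//   safeFix     - fixAvailable is true, or an object without isSemVerMajor
//   breakingFix - fix exists but needs a semver-major upgrade (`npm audit fix --force`)
//   noFix       - fixAvailable is false or missing
function triageAudit(report) {
  const buckets = { safeFix: [], breakingFix: [], noFix: [] };
  for (const vuln of Object.values(report.vulnerabilities || {})) {
    const fix = vuln.fixAvailable;
    const isObj = fix !== null && typeof fix === "object";
    let bucket = "safeFix";
    if (!fix) bucket = "noFix";
    else if (isObj && fix.isSemVerMajor) bucket = "breakingFix";
    buckets[bucket].push({
      name: vuln.name,
      severity: vuln.severity,
      // Package and version npm would install to apply the fix, when reported.
      via: isObj ? `${fix.name}@${fix.version}` : null,
    });
  }
  // Most severe first within each bucket.
  const rank = (s) => SEVERITY_ORDER.indexOf(s);
  for (const list of Object.values(buckets)) {
    list.sort((a, b) => rank(a.severity) - rank(b.severity));
  }
  return buckets;
}

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

To use it on a real project, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json`; entries in `breakingFix` are the ones to schedule separately and test before merging.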
