fix: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high #108

jsnbuchanan · 2024-03-22T15:42:58Z

jsnbuchanan commented

2024-03-22 15:42:58 +00:00

Previously an npm audit revealed 14 vulnerabilities (1 low, 12 moderate, 1 high)

I ran npm audit fix to resolve 5 vulnerabilities (1 low, 3 moderate, 1 high).

There are still 9 moderate severity vulnerabilities, but I will work on those independentally because they may involve updating to library version that have breaking changes.

Fixed

Severity: moderate (follow-redirects <=1.15.5)
follow-redirects' Proxy-Authorization header kept across hosts
see https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
Severity: moderate (ip <1.1.9)
NPM IP package incorrectly identifies some private IP addresses as public
see https://github.com/advisories/GHSA-78xj-cgh5-2h22
Severity: moderate (jose 3.0.0 - 4.15.4)
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
see https://github.com/advisories/GHSA-hhhv-q57g-882q
Severity: low (undici <=5.28.2)
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
see https://github.com/advisories/GHSA-3787-6prv-h9w3
Severity: high (webpack-dev-middleware <=5.3.3)
Path traversal in webpack-dev-middleware
see https://github.com/advisories/GHSA-wr3j-pwj9-hqq6

Previously an `npm audit` revealed `14 vulnerabilities (1 low, 12 moderate, 1 high)` I ran `npm audit fix` to resolve `5 vulnerabilities (1 low, 3 moderate, 1 high)`. There are still `9 moderate severity vulnerabilities`, but I will work on those independentally because they may involve updating to library version that have breaking changes. # Fixed - **Severity: moderate** *(follow-redirects <=1.15.5)* follow-redirects' Proxy-Authorization header kept across hosts see https://github.com/advisories/GHSA-cxjh-pqwp-8mfp - **Severity: moderate** *(ip <1.1.9)* NPM IP package incorrectly identifies some private IP addresses as public see https://github.com/advisories/GHSA-78xj-cgh5-2h22 - **Severity: moderate** *(jose 3.0.0 - 4.15.4)* jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext see https://github.com/advisories/GHSA-hhhv-q57g-882q - **Severity: low** *(undici <=5.28.2)* Undici proxy-authorization header not cleared on cross-origin redirect in fetch see https://github.com/advisories/GHSA-3787-6prv-h9w3 - **Severity: high** *(webpack-dev-middleware <=5.3.3)* Path traversal in webpack-dev-middleware see https://github.com/advisories/GHSA-wr3j-pwj9-hqq6

jsnbuchanan added 1 commit 2024-03-22 15:42:59 +00:00

deps: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high 7ce00b86e8

There are still 9 moderate severity vulnerabilities, but I will work on those independentally because they may involve updating to library version that have breaking changes.

jsnbuchanan requested review from trentlarson 2024-03-22 15:44:35 +00:00

trentlarson merged commit cc6d0958dc into master

2024-03-22 16:01:21 +00:00

trentlarson referenced this issue from a commit

2024-03-22 16:01:21 +00:00

Merge pull request 'fix: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high' (#108) from jsnbuchanan/crowd-funder-for-time-pwa:master into master

anomalist referenced this issue from a commit

2025-01-08 02:46:06 +00:00

Merge pull request 'fix: npm audit fix to resolve vulnerabilities 1 low, 3 moderate, 1 high' (#108) from jsnbuchanan/crowd-funder-for-time-pwa:master into master

Sign in to join this conversation.