# fix security issues #450

**Open** · JaderDias wants to merge 1 commit into `eduardoboucas:master` from `JaderDias:master`
```
$ npm audit fix
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/tar
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/ini
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN audit fix [email protected] node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/fsevents
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the fsevents package.
npm WARN deprecated [email protected]: Please upgrade to kleur@3 or migrate to 'ansi-colors' if you prefer the old syntax. Visit <https://github.com/lukeed/kleur/releases/tag/v3.0.0\> for migration path(s).
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: use String.prototype.padStart()
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated [email protected]: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated [email protected]: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: request has been deprecated, see request/request#3142
npm WARN deprecated [email protected]: request-promise-native has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated [email protected]: request-promise has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated [email protected]: The gitlab package has found a new home in the @gitbeaker organization. For the latest gitlab node library, check out @gitbeaker/node. A full list of the features can be found here: https://github.com/jdalrymple/gitbeaker#readme
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated @octokit/[email protected]: '@octokit/app' will be repurposed in future. Use '@octokit/auth-app' instead
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1021 packages, and audited 1022 packages in 28s

39 packages are looking for funding
  run `npm fund` for details

ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix`
node_modules/table/node_modules/ajv
table 3.7.10 - 4.0.2
Depends on vulnerable versions of ajv
node_modules/table

braces <=2.3.0
Regular Expression Denial of Service (ReDoS) in braces - GHSA-cwfw-4gq5-mrqx
Regular Expression Denial of Service in braces - GHSA-g95f-p29q-9xw4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jest-cli/node_modules/braces
node_modules/jest-config/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-config/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
jest-cli 0.10.2 - 24.8.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-environment-jsdom
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-resolve-dependencies
Depends on vulnerable versions of jest-runner
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-config 12.1.1-alpha.2935e14d - 25.5.4
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-environment-jsdom
Depends on vulnerable versions of jest-environment-node
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
node_modules/jest-config
jest-runner 21.0.0-alpha.1 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-util
node_modules/jest-runner
jest-runtime 14.1.0 - 24.8.0
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
expect 21.0.0-beta.1 - 22.4.3 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-message-util
node_modules/expect
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
node_modules/jest-jasmine2
jest-snapshot 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-snapshot
jest-resolve-dependencies 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of jsdom
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest

convict <=6.2.2
Severity: critical
Prototype Pollution in convict - GHSA-jjf5-wx3j-3fv7
Prototype Pollution in convict - GHSA-x2w5-725j-gf2g
Depends on vulnerable versions of moment
Depends on vulnerable versions of validator
Depends on vulnerable versions of yargs-parser
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/convict

express-brute *
Severity: high
Rate Limiting Bypass in express-brute - GHSA-984p-xq9m-4rjw
Depends on vulnerable versions of underscore
No fix available
node_modules/express-brute

glob-parent <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of update-notifier
node_modules/nodemon
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier

ini <1.3.6
Severity: high
Prototype Pollution - GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini

jsdom <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - GHSA-f4c9-cqv8-9v98
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsdom

merge <2.1.1
Severity: high
Prototype Pollution in merge - GHSA-7wpw-2hjm-89gp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.2
Depends on vulnerable versions of exec-sh
Depends on vulnerable versions of watch
node_modules/sane
watch >=0.14.0
Depends on vulnerable versions of exec-sh
node_modules/watch

minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
node_modules/rc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp

moment <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Inefficient Regular Expression Complexity in moment - GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/convict/node_modules/moment

netmask <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - GHSA-4c7m-wxvm-r7gc
netmask npm package vulnerable to octal input data - GHSA-pch5-whg9-qr2r
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netmask
pac-resolver <=4.2.0
Depends on vulnerable versions of netmask
node_modules/pac-resolver
pac-proxy-agent <=4.1.0
Depends on vulnerable versions of pac-resolver
node_modules/pac-proxy-agent
proxy-agent 1.1.0 - 4.0.1
Depends on vulnerable versions of pac-proxy-agent
node_modules/proxy-agent
mailgun-js >=0.6.8
Depends on vulnerable versions of proxy-agent
node_modules/mailgun-js

node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-notifier

parse-link-header <2.0.0
Severity: high
Uncontrolled Resource Consumption in parse-link-header - GHSA-q674-xm3x-2926
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/parse-link-header
gitlab 3.0.0 - 4.5.1
Depends on vulnerable versions of parse-link-header
node_modules/gitlab

shelljs <=0.8.4
Severity: high
Improper Privilege Management in shelljs - GHSA-4rq4-32rv-6wp6
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/shelljs
eslint 1.4.0 - 4.0.0-rc.0
Depends on vulnerable versions of shelljs
node_modules/eslint
eslint-plugin-import 1.0.0-beta.0 - 2.5.0
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-import
standard 3.3.0 || 4.1.0 - 4.3.3 || 6.0.0 - 10.0.3
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of eslint-plugin-react
node_modules/standard
eslint-plugin-react 6.0.0-alpha.1 - 7.0.1
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-react

tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/tar

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore

validator <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

yargs-parser 6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/yargs-parser
node_modules/yargs/node_modules/yargs-parser
yargs 8.0.0-candidate.0 - 12.0.5
Depends on vulnerable versions of yargs-parser
node_modules/yargs

59 vulnerabilities (12 low, 22 moderate, 21 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing a different dependency.
```
node_modules/parse-glob
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
ini <1.3.6
Severity: high
Prototype Pollution - GHSA-qqgx-2p2h-9c37
fix available via
npm audit fix
node_modules/ini
jsdom <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - GHSA-f4c9-cqv8-9v98
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/jsdom
merge <2.1.1
Severity: high
Prototype Pollution in merge - GHSA-7wpw-2hjm-89gp
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.2
Depends on vulnerable versions of exec-sh
Depends on vulnerable versions of watch
node_modules/sane
watch >=0.14.0
Depends on vulnerable versions of exec-sh
node_modules/watch
minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via
npm audit fix
node_modules/minimist
node_modules/rc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
moment <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Inefficient Regular Expression Complexity in moment - GHSA-wc69-rhjr-hc9g
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/convict/node_modules/moment
netmask <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - GHSA-4c7m-wxvm-r7gc
netmask npm package vulnerable to octal input data - GHSA-pch5-whg9-qr2r
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/netmask
pac-resolver <=4.2.0
Depends on vulnerable versions of netmask
node_modules/pac-resolver
pac-proxy-agent <=4.1.0
Depends on vulnerable versions of pac-resolver
node_modules/pac-proxy-agent
proxy-agent 1.1.0 - 4.0.1
Depends on vulnerable versions of pac-proxy-agent
node_modules/proxy-agent
mailgun-js >=0.6.8
Depends on vulnerable versions of proxy-agent
node_modules/mailgun-js
node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - GHSA-5fw9-fq32-wv5p
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/node-notifier
parse-link-header <2.0.0
Severity: high
Uncontrolled Resource Consumption in parse-link-header - GHSA-q674-xm3x-2926
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/parse-link-header
gitlab 3.0.0 - 4.5.1
Depends on vulnerable versions of parse-link-header
node_modules/gitlab
shelljs <=0.8.4
Severity: high
Improper Privilege Management in shelljs - GHSA-4rq4-32rv-6wp6
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/shelljs
eslint 1.4.0 - 4.0.0-rc.0
Depends on vulnerable versions of shelljs
node_modules/eslint
eslint-plugin-import 1.0.0-beta.0 - 2.5.0
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-import
standard 3.3.0 || 4.1.0 - 4.3.3 || 6.0.0 - 10.0.3
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of eslint-plugin-react
node_modules/standard
eslint-plugin-react 6.0.0-alpha.1 - 7.0.1
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-react
tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via
npm audit fix
node_modules/tar
underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore
validator <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - GHSA-qgmg-gppg-76g5
fix available via
npm audit fix
node_modules/validator
yargs-parser 6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via
npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/yargs-parser
node_modules/yargs/node_modules/yargs-parser
yargs 8.0.0-candidate.0 - 12.0.5
Depends on vulnerable versions of yargs-parser
node_modules/yargs
59 vulnerabilities (12 low, 22 moderate, 21 high, 4 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.