Is this report about vulnerabilities normal?
Unsolved
Technical Support
-
I got this result today. Is it OK, or do I need to upgrade something manually?
Ubuntu: v18.04
Npm: v8.19.4
Node: v16.20.0
NodeBB: latest (develop)

```
root@host:/var/www/nodebb# npm update

added 5 packages, removed 5 packages, changed 70 packages, and audited 1450 packages in 2m

189 packages are looking for funding
  run `npm fund` for details

34 vulnerabilities (30 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
root@host:/var/www/nodebb#
```
npm audit fix
```
root@host:/var/www/nodebb# npm audit fix

changed 2 packages, and audited 1450 packages in 13s

189 packages are looking for funding
  run `npm fund` for details

# npm audit report

dicer  *
Severity: high
Crash in HeaderParser in dicer - https://github.com/advisories/GHSA-wm7h-9275-46v2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dicer
  busboy  <=0.3.1
  Depends on vulnerable versions of dicer
  node_modules/busboy
    multer  <=2.0.0-rc.3
    Depends on vulnerable versions of busboy
    node_modules/multer
      nodebb-plugin-emoji  >=2.0.0
      Depends on vulnerable versions of multer
      node_modules/nodebb-plugin-emoji

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
  akismet  >=1.0.0
  Depends on vulnerable versions of request
  node_modules/akismet
    nodebb-plugin-spam-be-gone  >=0.4.5
    Depends on vulnerable versions of akismet
    node_modules/nodebb-plugin-spam-be-gone
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/caching-transform/node_modules/semver
node_modules/eslint-config-airbnb-base/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/find-cache-dir/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/istanbul-lib-report/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/nyc/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/spawn-wrap/node_modules/semver
  @babel/core  *
  Depends on vulnerable versions of @babel/helper-compilation-targets
  Depends on vulnerable versions of semver
  node_modules/@babel/core
    istanbul-lib-instrument  >=1.2.0
    Depends on vulnerable versions of @babel/core
    Depends on vulnerable versions of semver
    node_modules/istanbul-lib-instrument
      nyc  >=7.0.0-alpha.1
      Depends on vulnerable versions of caching-transform
      Depends on vulnerable versions of find-cache-dir
      Depends on vulnerable versions of istanbul-lib-instrument
      Depends on vulnerable versions of istanbul-lib-report
      Depends on vulnerable versions of istanbul-reports
      Depends on vulnerable versions of make-dir
      Depends on vulnerable versions of spawn-wrap
      node_modules/nyc
  @babel/helper-compilation-targets  >=7.8.1
  Depends on vulnerable versions of semver
  node_modules/@babel/helper-compilation-targets
  @commitlint/is-ignored  *
  Depends on vulnerable versions of semver
  node_modules/@commitlint/is-ignored
    @commitlint/lint  *
    Depends on vulnerable versions of @commitlint/is-ignored
    Depends on vulnerable versions of @commitlint/parse
    node_modules/@commitlint/lint
      @commitlint/cli  >=6.1.2
      Depends on vulnerable versions of @commitlint/lint
      Depends on vulnerable versions of @commitlint/read
      node_modules/@commitlint/cli
  eslint-config-airbnb-base  >=15.0.0
  Depends on vulnerable versions of semver
  node_modules/eslint-config-airbnb-base
    eslint-config-nodebb  >=0.1.0
    Depends on vulnerable versions of eslint-config-airbnb-base
    node_modules/eslint-config-nodebb
  eslint-plugin-import  >=2.27.4
  Depends on vulnerable versions of semver
  node_modules/eslint-plugin-import
  make-dir  >=2.0.0
  Depends on vulnerable versions of semver
  node_modules/caching-transform/node_modules/make-dir
  node_modules/find-cache-dir/node_modules/make-dir
  node_modules/istanbul-lib-report/node_modules/make-dir
  node_modules/make-dir
  node_modules/nyc/node_modules/make-dir
  node_modules/spawn-wrap/node_modules/make-dir
    caching-transform  >=3.0.2
    Depends on vulnerable versions of make-dir
    node_modules/caching-transform
    find-cache-dir  2.1.0 - 3.3.2
    Depends on vulnerable versions of make-dir
    node_modules/find-cache-dir
    istanbul-lib-report  >=2.0.5
    Depends on vulnerable versions of make-dir
    node_modules/istanbul-lib-report
      istanbul-reports  >=3.0.0-alpha.0
      Depends on vulnerable versions of istanbul-lib-report
      node_modules/istanbul-reports
    less  >=3.11.2
    Depends on vulnerable versions of make-dir
    node_modules/less
    spawn-wrap  >=2.0.0-beta.0
    Depends on vulnerable versions of make-dir
    node_modules/spawn-wrap
  normalize-package-data  <=2.5.0
  Depends on vulnerable versions of semver
  node_modules/read-pkg/node_modules/normalize-package-data
    read-pkg  <=5.2.0
    Depends on vulnerable versions of normalize-package-data
    node_modules/read-pkg
      read-pkg-up  <=7.0.1
      Depends on vulnerable versions of read-pkg
      node_modules/read-pkg-up
        meow  3.4.0 - 9.0.0
        Depends on vulnerable versions of read-pkg-up
        node_modules/meow
          conventional-commits-parser  >=2.1.5
          Depends on vulnerable versions of meow
          node_modules/conventional-commits-parser
            @commitlint/parse  >=8.3.0
            Depends on vulnerable versions of conventional-commits-parser
            node_modules/@commitlint/parse
          git-raw-commits  >=1.3.4
          Depends on vulnerable versions of meow
          node_modules/git-raw-commits
            @commitlint/read  >=8.3.0
            Depends on vulnerable versions of git-raw-commits
            node_modules/@commitlint/read

34 vulnerabilities (30 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.
```
-
Hey, did you find any resolution to this? I am facing a similar issue, particularly with the `semver` vulnerability. I have tried all kinds of things. My concern is that I possibly have to wait for various package owners to update their packages. I can usually resolve this by changing version numbers, but this time I am in a deadlock.