
unsafe dependencies #194

Open · SarahLucke opened this issue Jan 17, 2022 · 4 comments
Labels: good first issue (Good for newcomers)

Comments

@SarahLucke

Describe the bug
I wanted to install taskbook and try it out, but npm tells me it has unsafe dependencies.

To Reproduce
Update npm, then install taskbook via npm.

Expected behavior
The dependencies should be up to date, if possible.

Technical Info (please complete the following information)

  • OS: Linux
  • Node.js Version: 12.16.3
  • Taskbook Version: 0.3.0

Additional context
Commandline outputs:

$ npm install taskbook

added 129 packages, and audited 130 packages in 4s

5 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (6 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
$ npm audit fix

up to date, audited 130 packages in 1s

5 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width
      widest-line  2.0.0 - 2.0.1
      Depends on vulnerable versions of string-width
      node_modules/widest-line
        boxen  1.3.0 - 3.2.0
        Depends on vulnerable versions of widest-line
        node_modules/boxen

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
No fix available
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    taskbook  *
    Depends on vulnerable versions of meow
    node_modules/taskbook

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    taskbook  *
    Depends on vulnerable versions of meow
    node_modules/taskbook

9 vulnerabilities (6 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
@klaudiosinani klaudiosinani added the good first issue Good for newcomers label Apr 7, 2022
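The audit output above mixes two kinds of findings: the ansi-regex chain, which `npm audit fix` can resolve, and trim-newlines / yargs-parser, which reach taskbook through meow and have no fix available, so they need a dependency change by a maintainer rather than a command. The following is an added example, not code from the taskbook project or from anyone in this thread, that reads the JSON form of the same report (`npm audit --json`) and separates the two classes so a CI job can report them and trace each finding back to the top-level package that pulls it in. The `SAMPLE_REPORT` object is constructed by hand to mirror the advisories listed above (a subset of the chain, to keep it short); its shape follows npm's `auditReportVersion: 2` output as I understand it, and `SEVERITY_RANK`, the function names and the `"high"` fail threshold are my own choices.

```javascript
// Added example: triage an `npm audit --json` report (auditReportVersion 2).
// Not part of taskbook. SAMPLE_REPORT is CONSTRUCTED by hand from the advisories
// quoted in the issue; in practice you would JSON.parse the output of `npm audit --json`.
function advisory(name, title, url, severity, range) {
  return { name, title, url, severity, range };
}

const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "ansi-regex": {
      name: "ansi-regex", severity: "moderate", isDirect: false,
      via: [advisory("ansi-regex", "Inefficient Regular Expression Complexity in chalk/ansi-regex",
        "https://github.com/advisories/GHSA-93q8-gq69-wqmw", "moderate", ">2.1.1 <5.0.1")],
      effects: ["strip-ansi"], range: ">2.1.1 <5.0.1", nodes: ["node_modules/ansi-regex"], fixAvailable: true,
    },
    "strip-ansi": {
      name: "strip-ansi", severity: "moderate", isDirect: false, via: ["ansi-regex"],
      effects: ["string-width"], range: "4.0.0 - 5.2.0", nodes: ["node_modules/strip-ansi"], fixAvailable: true,
    },
    "trim-newlines": {
      name: "trim-newlines", severity: "high", isDirect: false,
      via: [advisory("trim-newlines", "Regular Expression Denial of Service in trim-newlines",
        "https://github.com/advisories/GHSA-7p7h-4mm5-852v", "high", "<3.0.1")],
      effects: ["meow"], range: "<3.0.1", nodes: ["node_modules/trim-newlines"], fixAvailable: false,
    },
    "yargs-parser": {
      name: "yargs-parser", severity: "moderate", isDirect: false,
      via: [advisory("yargs-parser", "Prototype Pollution in yargs-parser",
        "https://github.com/advisories/GHSA-p9pc-299p-vxgp", "moderate", "6.0.0 - 13.1.1")],
      effects: ["meow"], range: "6.0.0 - 13.1.1", nodes: ["node_modules/yargs-parser"], fixAvailable: false,
    },
    "meow": {
      name: "meow", severity: "high", isDirect: false, via: ["trim-newlines", "yargs-parser"],
      effects: ["taskbook"], range: "3.4.0 - 5.0.0", nodes: ["node_modules/meow"], fixAvailable: false,
    },
    "taskbook": {
      name: "taskbook", severity: "high", isDirect: true, via: ["meow"],
      effects: [], range: "*", nodes: ["node_modules/taskbook"], fixAvailable: false,
    },
  },
};

// Ordering used for the CI threshold (my own choice; npm prints these severity names).
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Root-cause findings are the `via` entries that are advisory objects; string entries
// only say "depends on a vulnerable version of X". Deduplicate by advisory URL.
function advisories(report) {
  const byUrl = new Map();
  for (const vuln of Object.values(report.vulnerabilities)) {
    for (const v of vuln.via) {
      if (typeof v === "object" && v.url && !byUrl.has(v.url)) {
        byUrl.set(v.url, {
          pkg: vuln.name, title: v.title, url: v.url, severity: v.severity,
          fixAvailable: vuln.fixAvailable !== false, // false means "No fix available"
        });
      }
    }
  }
  return [...byUrl.values()];
}

// Follow `via` links from a package (e.g. the top-level "taskbook") down to the
// packages that actually carry an advisory, so the report can name the real culprits.
function rootCauses(report, pkgName, seen = new Set()) {
  const vuln = report.vulnerabilities[pkgName];
  if (!vuln || seen.has(pkgName)) return [];
  seen.add(pkgName);
  const roots = [];
  for (const v of vuln.via) {
    if (typeof v === "string") roots.push(...rootCauses(report, v, seen));
    else roots.push(pkgName);
  }
  return [...new Set(roots)];
}

// Split findings into what `npm audit fix` resolves and what needs a maintainer decision.
function triage(report) {
  const fixable = [], needsReview = [];
  for (const a of advisories(report)) (a.fixAvailable ? fixable : needsReview).push(a);
  return { fixable, needsReview };
}

// CI gate: true when any root-cause finding is at or above the threshold severity.
function shouldFailBuild(report, threshold = "high") {
  return advisories(report).some(a => SEVERITY_RANK[a.severity] >= SEVERITY_RANK[threshold]);
}

// Stand-alone run: print the triage of the constructed report.
const result = triage(SAMPLE_REPORT);
console.log("fixable via `npm audit fix`:", result.fixable.map(a => `${a.pkg} (${a.severity})`));
console.log("needs review:", result.needsReview.map(a => `${a.pkg} (${a.severity}) ${a.url}`));
console.log("root causes behind taskbook:", rootCauses(SAMPLE_REPORT, "taskbook"));
console.log("fail build at >= high:", shouldFailBuild(SAMPLE_REPORT, "high"));
```

On the constructed report this reports ansi-regex as fixable, trim-newlines and yargs-parser as needing review, and traces both of the latter to taskbook through meow, which is the same conclusion the text output above states in prose ("Some issues need review, and may require choosing a different dependency"). Pointing the script at a real `npm audit --json` run is a matter of replacing `SAMPLE_REPORT` with `JSON.parse` of that output.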
@adrianvalenz

I got the same thing today. I just discovered this and it looks like a really great project. Maybe forking it and taking on new maintenance would be the way to go?

@adrianvalenz

I tried it with the yarn command and it works fine!

@adrianvalenz

None of those unsafe dependency warnings.

@klaudiosinani
Owner

@adrianvalenz @SarahLucke Feel free to create a PR and I will take a look to review it : )
