Security issues from outdated packages in node-ninja and nw-gyp #326

Open
segevfiner opened this issue May 7, 2024 · 0 comments

❯ npm audit
# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix`
node_modules/request

semver  <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install prebuild@7.2.2, which is a breaking change
node_modules/nw-gyp/node_modules/semver
  nw-gyp  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/nw-gyp
    prebuild  >=4.0.0
    Depends on vulnerable versions of node-ninja
    Depends on vulnerable versions of nw-gyp
    node_modules/prebuild

tar  <=6.2.0
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install prebuild@7.2.2, which is a breaking change
node_modules/node-ninja/node_modules/tar
node_modules/nw-gyp/node_modules/tar
  node-ninja  *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of tar
  node_modules/node-ninja

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/tough-cookie

7 vulnerabilities (3 moderate, 4 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

It would be nice to resolve these somehow... They are causing noise in Dependabot and others.
