Audit vulnerabilities detected in the invariant project on Tag: v2.2.4

[mahirkabir]

Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:

npm audit report

cryptiles <=4.1.1
Severity: high
Insufficient Entropy - https://npmjs.com/advisories/1464
Depends on vulnerable versions of boom
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/cryptiles
hawk 0.0.6 - 6.0.2
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
node_modules/hawk
request 2.16.0 - 2.81.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix
node_modules/diff
tap-mocha-reporter 0.0.4 - 5.0.0
Depends on vulnerable versions of diff
node_modules/tap-mocha-reporter

hoek <=4.2.0 || 5.0.0 - 5.0.2
Severity: moderate
Prototype Pollution - https://npmjs.com/advisories/566
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/hoek
boom <=3.1.2
Depends on vulnerable versions of hoek
node_modules/boom
cryptiles <=4.1.1
Depends on vulnerable versions of boom
node_modules/cryptiles
hawk 0.0.6 - 6.0.2
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
node_modules/hawk
request 2.16.0 - 2.81.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap
sntp 0.0.0 || 0.1.1 - 2.0.0
Depends on vulnerable versions of hoek
node_modules/sntp

js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/coveralls/node_modules/js-yaml
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap

lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/lodash
nyc <=5.0.1 || 6.2.0-alpha - 6.6.1
Depends on vulnerable versions of istanbul
Depends on vulnerable versions of lodash
node_modules/nyc
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap

minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install browserify@17.0.0, which is a breaking change
node_modules/minimatch
fileset 0.1.0 - 0.2.1
Depends on vulnerable versions of minimatch
node_modules/fileset
istanbul <=0.4.4
Depends on vulnerable versions of fileset
node_modules/istanbul
nyc <=5.0.1 || 6.2.0-alpha - 6.6.1
Depends on vulnerable versions of istanbul
Depends on vulnerable versions of lodash
node_modules/nyc
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/glob
browserify 2.3.0 - 11.2.0
Depends on vulnerable versions of glob
Depends on vulnerable versions of shell-quote
node_modules/browserify

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/coveralls/node_modules/minimist
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap

shell-quote <=1.6.0
Severity: critical
Potential Command Injection - https://npmjs.com/advisories/117
fix available via npm audit fix --force
Will install browserify@17.0.0, which is a breaking change
node_modules/shell-quote
browserify 2.3.0 - 11.2.0
Depends on vulnerable versions of glob
Depends on vulnerable versions of shell-quote
node_modules/browserify

tunnel-agent <0.6.0
Severity: moderate
Memory Exposure - https://npmjs.com/advisories/598
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/tunnel-agent
request 2.16.0 - 2.81.0
Depends on vulnerable versions of hawk
Depends on vulnerable versions of tunnel-agent
node_modules/request
coveralls <=2.13.3
Depends on vulnerable versions of js-yaml
Depends on vulnerable versions of minimist
Depends on vulnerable versions of request
node_modules/coveralls
tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
Depends on vulnerable versions of coveralls
Depends on vulnerable versions of nyc
node_modules/tap

21 vulnerabilities (1 low, 6 moderate, 12 high, 2 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues (including breaking changes), run:
npm audit fix --force

Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:

1. Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].

Steps to reproduce:

• Go to the root folder of the project where the package.json file located
• Execute “npm audit”
• Look at the list of vulnerabilities reported

Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.

References:
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.