Description
The balena-cli, when installed via npm, currently includes 39 vulnerabilities, including 2 critical ones, which are non-patchable. Some of these come from a sub-dependency that was last published 10 years ago (optimist). Could some of these vulnerabilities be assessed and looked at?
Expected Behavior
In the ideal world, 0 vulnerabilities when the package is installed with NPM
Actual Behavior
39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical) and many deprecated packages
Steps to Reproduce the Problem
npm init with just defaults
npm install balena-cli
The below output
❯ npm install balena-cli
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/unbzip2-stream.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/resin-io-modules/multicast-dns.git
npm WARN skipping integrity check for git dependency ssh://git@github.com/balena-io-modules/bonjour.git
npm WARN deprecated @types/nock@11.1.0: This is a stub types definition. nock provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/is-root@2.1.2: This is a stub types definition. is-root provides its own type definitions, so you do not need this installed.
npm WARN deprecated @types/cli-truncate@2.0.0: This is a stub types definition. cli-truncate provides its own type definitions, so you do not need this installed.
npm WARN deprecated readdir-scoped-modules@1.1.0: This functionality has been moved to @npmcli/fs
npm WARN deprecated debuglog@1.0.1: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated @npmcli/move-file@1.1.2: This functionality has been moved to @npmcli/fs
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated stable@0.1.8: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @npmcli/move-file@2.0.1: This functionality has been moved to @npmcli/fs
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated request-promise@4.2.6: request-promise has been deprecated because it extends the now deprecated request package, see https://github.com/request/request/issues/3142
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated formidable@1.2.6: Please upgrade to latest, formidable@v2 or formidable@v3! Check these notes: https://bit.ly/2ZEqIau
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated superagent@5.3.1: Please upgrade to v7.0.2+ of superagent. We have fixed numerous issues with streams, form-data, attach(), filesystem errors not bubbling up (ENOENT on attach()), and all tests are now passing. See the releases tab for more information at <https://github.com/visionmedia/superagent/releases>.
npm WARN deprecated svgo@1.3.2: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated core-js@3.20.1: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
added 2139 packages, and audited 2140 packages in 15s
104 packages are looking for funding
run `npm fund` for details
39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
Output of npm audit is
# npm audit report
bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/ghauth/node_modules/bl
ghauth <=3.2.1
Depends on vulnerable versions of bl
node_modules/balena-cli/node_modules/ghauth
express <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/express
follow-redirects <=1.15.5
Severity: moderate
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/follow-redirects
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/package-json/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/balena-cli/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/balena-cli/node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/balena-cli/node_modules/update-notifier
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/jsonwebtoken
lodash <=4.17.20
Severity: critical
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer/node_modules/lodash
inquirer <=0.11.4
Depends on vulnerable versions of lodash
node_modules/balena-cli/node_modules/publish-release/node_modules/inquirer
lodash.template *
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/lodash.template
@oclif/plugin-warn-if-update-available 1.7.0 || 2.0.0 || 2.1.0 - 3.0.16
Depends on vulnerable versions of lodash.template
node_modules/balena-cli/node_modules/@oclif/plugin-warn-if-update-available
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/minimatch
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of nanoid
node_modules/balena-cli/node_modules/mocha
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
No fix available
node_modules/balena-cli/node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/balena-cli/node_modules/optimist
dbus-native *
Depends on vulnerable versions of optimist
Depends on vulnerable versions of put
Depends on vulnerable versions of xml2js
node_modules/balena-cli/node_modules/dbus-native
resin-discoverable-services >=2.0.0
Depends on vulnerable versions of dbus-native
node_modules/balena-cli/node_modules/resin-discoverable-services
balena-cli *
Depends on vulnerable versions of @balena/compose
Depends on vulnerable versions of balena-preload
Depends on vulnerable versions of request
Depends on vulnerable versions of resin-discoverable-services
Depends on vulnerable versions of update-notifier
node_modules/balena-cli
nanoid 3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nanoid
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/balena-cli/node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/balena-cli/node_modules/svgo
inline-source 6.1.0 - 7.2.0
Depends on vulnerable versions of svgo
node_modules/balena-cli/node_modules/inline-source
inline-source-cli >=2.0.0
Depends on vulnerable versions of inline-source
node_modules/balena-cli/node_modules/inline-source-cli
put *
Sensitive Data Exposure in put - https://github.com/advisories/GHSA-v6gv-fg46-h89j
No fix available
node_modules/balena-cli/node_modules/put
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/balena-cli/node_modules/request
@balena/compose *
Depends on vulnerable versions of pinejs-client-request
Depends on vulnerable versions of request
node_modules/balena-cli/node_modules/@balena/compose
balena-preload >=10.3.2-233-sh-truncate-exc-feff27b0a0cd5e8ce93564e8a8a25727bd7acffa
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise
node_modules/balena-cli/node_modules/balena-preload
pinejs-client-request *
Depends on vulnerable versions of request
node_modules/balena-cli/node_modules/pinejs-client-request
publish-release *
Depends on vulnerable versions of ghauth
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of request
node_modules/balena-cli/node_modules/publish-release
request-promise >=0.0.2
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/balena-cli/node_modules/request-promise
request-promise-core *
Depends on vulnerable versions of request
node_modules/balena-cli/node_modules/request-promise-core
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/tar
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/balena-cli/node_modules/tough-cookie
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/balena-cli/node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/balena-cli/node_modules/meow
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/balena-cli/node_modules/dbus-native/node_modules/xml2js
39 vulnerabilities (1 low, 23 moderate, 13 high, 2 critical)
To address issues that do not require attention, run:
npm audit fix
Some issues need review, and may require choosing
a different dependency.