Running npm i --save-dev checkly installs the dependency ip at version 2.0.0 and tar at version 6.2.0. This introduces npm audit and Dependabot alerts:
GHSA-78xj-cgh5-2h22
GHSA-f5x3-32g6-xq36
Steps to reproduce, on a clean repo without any dependencies or dev dependencies:
npm i --save-dev checkly
npm WARN deprecated @oclif/screen@3.0.8: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
added 304 packages, and audited 531 packages in 13s
85 packages are looking for funding
run `npm fund` for details
5 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
Here is the npm audit report
npm audit
# npm audit report
ip 2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/npm/node_modules/ip
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install checkly@4.5.2, which is a breaking change
node_modules/npm/node_modules/tar
npm <=10.5.0
Depends on vulnerable versions of tar
node_modules/npm
@oclif/plugin-plugins >=3.0.1
Depends on vulnerable versions of npm
node_modules/@oclif/plugin-plugins
checkly <=0.0.0-pr.944.98770dd || >=4.6.0-prerelease
Depends on vulnerable versions of @oclif/plugin-plugins
node_modules/checkly
5 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Running npm audit fix results in the same audit errors.
npm audit fix
npm WARN audit fix ip@2.0.0 node_modules/npm/node_modules/ip
npm WARN audit fix ip@2.0.0 is a bundled dependency of
npm WARN audit fix ip@2.0.0 npm@10.2.3 at node_modules/npm
npm WARN audit fix ip@2.0.0 It cannot be fixed automatically.
npm WARN audit fix ip@2.0.0 Check for updates to the npm package.
npm WARN audit fix tar@6.2.0 node_modules/npm/node_modules/tar
npm WARN audit fix tar@6.2.0 is a bundled dependency of
npm WARN audit fix tar@6.2.0 npm@10.2.3 at node_modules/npm
npm WARN audit fix tar@6.2.0 It cannot be fixed automatically.
npm WARN audit fix tar@6.2.0 Check for updates to the npm package.
up to date, audited 531 packages in 2s
85 packages are looking for funding
run `npm fund` for details
# npm audit report
ip 2.0.0
Severity: moderate
NPM IP package incorrectly identifies some private IP addresses as public - https://github.com/advisories/GHSA-78xj-cgh5-2h22
fix available via `npm audit fix`
node_modules/npm/node_modules/ip
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install checkly@4.5.2, which is a breaking change
node_modules/npm/node_modules/tar
npm <=10.5.0
Depends on vulnerable versions of tar
node_modules/npm
@oclif/plugin-plugins >=3.0.1
Depends on vulnerable versions of npm
node_modules/@oclif/plugin-plugins
checkly <=0.0.0-pr.944.98770dd || >=4.6.0-prerelease
Depends on vulnerable versions of @oclif/plugin-plugins
node_modules/checkly
5 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Thanks!
What is expected?
The ip and tar dependency versions would match the patched versions that are safe to use.
What is actually happening?
The ip and tar dependency versions are not the patched versions.
Any additional comments?
No response
Node.js version: 20.12.1
NPM version: 10.5.0
@checkly/cli version: 4.6.3