7 critical vulnerabilities in npm audit report #1239

@sequba

Description

# npm audit report
ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/serve/node_modules/ajv
  serve  7.0.0 - 14.0.1
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of serve-handler
  node_modules/serve
glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@vuepress/core/node_modules/glob-parent
node_modules/copy-webpack-plugin/node_modules/glob-parent
node_modules/fast-glob/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/@vuepress/core/node_modules/chokidar
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server
  copy-webpack-plugin  5.0.1 - 5.1.2
  Depends on vulnerable versions of glob-parent
  node_modules/copy-webpack-plugin
    @vuepress/core  <=1.9.9
    Depends on vulnerable versions of @vuepress/markdown
    Depends on vulnerable versions of @vuepress/markdown-loader
    Depends on vulnerable versions of @vuepress/plugin-register-components
    Depends on vulnerable versions of @vuepress/shared-utils
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of optimize-css-assets-webpack-plugin
    Depends on vulnerable versions of vuepress-html-webpack-plugin
    Depends on vulnerable versions of webpack-dev-server
    node_modules/@vuepress/core
      vuepress  1.0.0-alpha.0 - 1.9.9
      Depends on vulnerable versions of @vuepress/core
      Depends on vulnerable versions of update-notifier
      node_modules/vuepress
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
      @vuepress/shared-utils  *
      Depends on vulnerable versions of globby
      node_modules/@vuepress/shared-utils
        @vuepress/plugin-register-components  <=1.9.9
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/@vuepress/plugin-register-components
        vuepress-plugin-container  >=2.1.5
        Depends on vulnerable versions of @vuepress/shared-utils
        node_modules/vuepress-plugin-container
got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier
highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
fix available via `npm audit fix`
node_modules/highlight.js
  @types/markdown-it  10.0.3
  Depends on vulnerable versions of highlight.js
  node_modules/@types/markdown-it
json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
No fix available
node_modules/css-loader/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/string-replace-webpack-plugin/node_modules/json5
node_modules/style-loader/node_modules/json5
node_modules/vuepress-html-webpack-plugin/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/css-loader/node_modules/loader-utils
  node_modules/file-loader/node_modules/loader-utils
  node_modules/string-replace-webpack-plugin/node_modules/loader-utils
  node_modules/style-loader/node_modules/loader-utils
  node_modules/vuepress-html-webpack-plugin/node_modules/loader-utils
    css-loader  0.6.0 - 0.26.1
    Depends on vulnerable versions of loader-utils
    node_modules/css-loader
    file-loader  0.5.0 - 0.10.0
    Depends on vulnerable versions of loader-utils
    node_modules/file-loader
    string-replace-webpack-plugin  *
    Depends on vulnerable versions of css-loader
    Depends on vulnerable versions of file-loader
    Depends on vulnerable versions of loader-utils
    Depends on vulnerable versions of style-loader
    node_modules/string-replace-webpack-plugin
    style-loader  0.8.2 - 0.13.1
    Depends on vulnerable versions of loader-utils
    node_modules/style-loader
    vuepress-html-webpack-plugin  *
    Depends on vulnerable versions of loader-utils
    node_modules/vuepress-html-webpack-plugin
karma  <=6.3.15
Severity: high
Open redirect in karma - https://github.com/advisories/GHSA-rc3x-jf5g-xvc5
Cross-site Scripting in karma - https://github.com/advisories/GHSA-7x7c-qm48-pq9c
Depends on vulnerable versions of ua-parser-js
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/karma
markdown-it  <12.3.2
Severity: moderate
Uncontrolled Resource Consumption in markdown-it - https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
fix available via `npm audit fix`
node_modules/markdown-it
  @vuepress/markdown  <=1.9.9
  Depends on vulnerable versions of @vuepress/shared-utils
  Depends on vulnerable versions of markdown-it
  node_modules/@vuepress/markdown
    @vuepress/markdown-loader  *
    Depends on vulnerable versions of @vuepress/markdown
    node_modules/@vuepress/markdown-loader
marked  <=4.0.9
Severity: high
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-5v2h-r2cx-5xgj
Inefficient Regular Expression Complexity in marked - https://github.com/advisories/GHSA-rrrm-qjm4-v8hf
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/marked
  typedoc  <=0.21.9 || 0.22.0-beta.0 - 0.22.10 || >=1.0.0-dev.1
  Depends on vulnerable versions of marked
  node_modules/typedoc
minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/serve-handler/node_modules/minimatch
  serve-handler  1.1.0 - 6.1.3
  Depends on vulnerable versions of minimatch
  node_modules/serve-handler
node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned
nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      postcss-svgo  4.0.0-nightly.2020.1.9 - 5.0.0-rc.2
      Depends on vulnerable versions of svgo
      node_modules/postcss-svgo
        cssnano-preset-default  <=4.0.8
        Depends on vulnerable versions of postcss-svgo
        node_modules/cssnano-preset-default
          cssnano  4.0.0-nightly.2020.1.9 - 4.1.11
          Depends on vulnerable versions of cssnano-preset-default
          node_modules/cssnano
            optimize-css-assets-webpack-plugin  3.2.1 || 5.0.0 - 5.0.8
            Depends on vulnerable versions of cssnano
            node_modules/optimize-css-assets-webpack-plugin
request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix`
node_modules/request
  docsearch.js  2.6.0 - 2.6.3
  Depends on vulnerable versions of request
  node_modules/docsearch.js
ua-parser-js  <=0.7.32
Severity: high
ReDoS Vulnerability in ua-parser-js version  - https://github.com/advisories/GHSA-fhg7-m89q-25r3
ua-parser-js Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-394c-5j6w-4xmx
Regular Expression Denial of Service (ReDoS) in ua-parser-js - https://github.com/advisories/GHSA-78cj-fxph-m83p
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ua-parser-js
49 vulnerabilities (1 low, 11 moderate, 30 high, 7 critical)
To address issues that do not require attention, run:
  npm audit fix
To address all issues possible (including breaking changes), run:
  npm audit fix --force
Some issues need review, and may require choosing
a different dependency.

Steps to reproduce

Run npm audit.
