
fix: deps security updates #33

Open. Wants to merge 1 commit into main.
Conversation

seangray-dev
Contributor

This PR addresses several high-severity security vulnerabilities found when running npm install.

List of commands run and their logs:

npm install
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/config-array instead
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated @humanwhocodes/[email protected]: Use @eslint/object-schema instead
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

added 1164 packages, and audited 1165 packages in 13s

331 packages are looking for funding
  run `npm fund` for details

14 vulnerabilities (2 moderate, 12 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating react-email to 1.10.1, which is a SemVer major change.
npm warn audit Updating react-email to 1.10.1, which is a SemVer major change.
npm warn audit Updating @aws-sdk/s3-presigned-post to 3.658.1, which is outside your stated dependency range.
npm warn audit Updating @aws-sdk/s3-presigned-post to 3.658.1, which is outside your stated dependency range.

added 143 packages, removed 134 packages, changed 44 packages, and audited 1174 packages in 13s

331 packages are looking for funding
  run `npm fund` for details

# npm audit report

fast-xml-parser  <4.4.1
Severity: high
fast-xml-parser vulnerable to ReDOS at currency parsing - https://github.com/advisories/GHSA-mpg4-rc92-vx8v
fix available via `npm audit fix --force`
Will install @aws-sdk/[email protected], which is outside the stated dependency range
node_modules/fast-xml-parser
  @aws-sdk/core  3.529.1 - 3.620.1
  Depends on vulnerable versions of fast-xml-parser
  node_modules/@aws-sdk/core
    @aws-sdk/client-s3  3.529.1 - 3.620.1
    Depends on vulnerable versions of @aws-sdk/client-sso-oidc
    Depends on vulnerable versions of @aws-sdk/client-sts
    Depends on vulnerable versions of @aws-sdk/core
    Depends on vulnerable versions of @aws-sdk/credential-provider-node
    node_modules/@aws-sdk/client-s3
    @aws-sdk/client-sso  3.529.1 - 3.620.1
    Depends on vulnerable versions of @aws-sdk/core
    node_modules/@aws-sdk/client-sso
      @aws-sdk/credential-provider-sso  3.529.1 - 3.620.1
      Depends on vulnerable versions of @aws-sdk/client-sso
      node_modules/@aws-sdk/credential-provider-sso
        @aws-sdk/credential-provider-ini  3.529.1 - 3.620.1
        Depends on vulnerable versions of @aws-sdk/credential-provider-sso
        node_modules/@aws-sdk/credential-provider-ini
        @aws-sdk/credential-provider-node  3.529.1 - 3.620.1
        Depends on vulnerable versions of @aws-sdk/credential-provider-ini
        Depends on vulnerable versions of @aws-sdk/credential-provider-sso
        node_modules/@aws-sdk/credential-provider-node
          @aws-sdk/client-sso-oidc  3.529.1 - 3.620.1
          Depends on vulnerable versions of @aws-sdk/client-sts
          Depends on vulnerable versions of @aws-sdk/core
          Depends on vulnerable versions of @aws-sdk/credential-provider-node
          node_modules/@aws-sdk/client-sso-oidc
            @aws-sdk/client-sts  3.529.1 - 3.620.1
            Depends on vulnerable versions of @aws-sdk/client-sso-oidc
            Depends on vulnerable versions of @aws-sdk/core
            Depends on vulnerable versions of @aws-sdk/credential-provider-node
            node_modules/@aws-sdk/client-sts

next  14.0.0 - 14.2.9
Severity: high
Next.js Cache Poisoning - https://github.com/advisories/GHSA-gp8f-8m3g-qvj9
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/next

10 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force
npm audit fix --force
npm warn using --force Recommended protections disabled.
npm warn audit Updating next to 14.2.13, which is outside your stated dependency range.
npm warn audit Updating @aws-sdk/client-s3 to 3.658.1, which is outside your stated dependency range.

added 38 packages, removed 58 packages, changed 38 packages, and audited 1154 packages in 6s

330 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

@webdevcody
Owner

I'm not a fan of downgrading react-email to 1 when it's on version 3. I'll need to look into this.
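As an added example (not code from the PR or from the repository), a small Node script that reads the JSON form of the same `npm audit` report and separates fixes that plain `npm audit fix` can apply from those that `--force` would push through as semver-major bumps or outright downgrades, which is the react-email 3 to 1.10.1 case the owner flags above. The report and installed versions are constructed to mirror the PR log, and `hypothetical-dep` is a placeholder name.

```javascript
// Added example (not part of the PR): triage an `npm audit --json` report
// (npm >= 7, auditReportVersion 2) before reaching for `npm audit fix --force`.
// The sample data below is constructed, not taken from a real lockfile.
// Parse "major.minor.patch" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Return -1, 0 or 1 when a is lower than, equal to, or higher than b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Sort every vulnerability into: safe (plain `npm audit fix`), major (needs
// --force, semver-major bump), downgrade (fix lands on a LOWER version than the
// one installed), unfixable (no fix published).
// `installed` maps package name -> version currently in the lockfile.
function triageAudit(report, installed) {
  const out = { safe: [], major: [], downgrade: [], unfixable: [] };
  for (const [name, vuln] of Object.entries(report.vulnerabilities)) {
    const fix = vuln.fixAvailable;
    const entry = { name, severity: vuln.severity };
    if (fix === false) { out.unfixable.push(entry); continue; }
    if (fix === true) { out.safe.push(entry); continue; }
    // Object form: npm must move `fix.name` to `fix.version` to clear this advisory.
    Object.assign(entry, { fixPackage: fix.name, fixVersion: fix.version });
    const current = installed[fix.name];
    if (current && compareVersions(fix.version, current) < 0) out.downgrade.push(entry);
    else if (fix.isSemVerMajor) out.major.push(entry);
    else out.safe.push(entry);
  }
  return out;
}

// Constructed sample: the fast-xml-parser and next advisories from the PR log,
// plus a hypothetical package whose only published fix is react-email 1.10.1.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "fast-xml-parser": { severity: "high", fixAvailable: { name: "@aws-sdk/client-s3", version: "3.658.1", isSemVerMajor: false } },
    "next": { severity: "high", fixAvailable: { name: "next", version: "14.2.13", isSemVerMajor: false } },
    "hypothetical-dep": { severity: "high", fixAvailable: { name: "react-email", version: "1.10.1", isSemVerMajor: true } },
  },
};
const INSTALLED = { "@aws-sdk/client-s3": "3.600.0", next: "14.2.5", "react-email": "3.0.0" };
console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, INSTALLED), null, 2));
```

Against a real project, feed it `npm audit --json` output and the versions from `package-lock.json`; anything in `downgrade` or `major` deserves a manual look rather than `--force`.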
