
Conversation

@BentiGorlich
Member

previous npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express


path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


5 vulnerabilities (2 moderate, 3 high)

current npm audit report

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
No fix available
node_modules/serve-static/node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static
    express  4.0.0-rc1 - 5.0.0-beta.3
    Depends on vulnerable versions of serve-static
    node_modules/express
      webpack-dev-server  >=1.3.0
      Depends on vulnerable versions of express
      node_modules/webpack-dev-server
        @symfony/webpack-encore  *
        Depends on vulnerable versions of webpack-dev-server
        node_modules/@symfony/webpack-encore

5 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

@BentiGorlich BentiGorlich added the labels dependencies (Pull requests that update a dependency file) and frontend (Visual issues, improvements, bugs or other aspects relating mostly to the front end) Sep 11, 2024
@BentiGorlich BentiGorlich self-assigned this Sep 11, 2024
@melroy89
Member

melroy89 commented Sep 11, 2024

Yeah. We don't use express as backend or for the frontend. So I doubt how much impact it has for us?

@BentiGorlich
Member Author

Yeah, I think it's mostly the symfony dev server
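One way to check that claim mechanically, as an added example that is neither this PR's code nor the project's: the script below post-processes `npm audit --json` output, walks each finding's `effects` chain (the packages that depend on the vulnerable one) up to the direct dependencies, and looks those up in package.json to separate findings reachable only through devDependencies from findings that reach production. It assumes npm's auditReportVersion 2 layout (`vulnerabilities` keyed by package, with `severity`, `isDirect`, `effects` and `fixAvailable` fields); the embedded report and package.json are constructed to mirror the tree in the PR description, and the `blockingFindings` gate is an assumed policy (anything not proven dev-only counts as blocking), not something the project uses.

```javascript
// Added example, not code from this PR or its project. Classifies the findings
// of an `npm audit --json` report by whether they are reachable only through
// devDependencies. Assumes npm's auditReportVersion 2 JSON layout.

// Constructed report mirroring the "current" audit tree in the PR description:
// send -> serve-static -> express -> webpack-dev-server -> @symfony/webpack-encore.
const AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    send: {
      name: "send", severity: "moderate", isDirect: false,
      via: [{ name: "send", title: "send vulnerable to template injection that can lead to XSS",
              url: "https://github.com/advisories/GHSA-m6fv-jmcg-4jfg", severity: "moderate", range: "<0.19.0" }],
      effects: ["serve-static"], range: "<0.19.0",
      nodes: ["node_modules/serve-static/node_modules/send"], fixAvailable: false,
    },
    "serve-static": { name: "serve-static", severity: "moderate", isDirect: false, via: ["send"],
      effects: ["express"], range: "<=1.16.0", nodes: ["node_modules/serve-static"], fixAvailable: false },
    express: { name: "express", severity: "moderate", isDirect: false, via: ["serve-static"],
      effects: ["webpack-dev-server"], range: "4.0.0-rc1 - 5.0.0-beta.3", nodes: ["node_modules/express"], fixAvailable: false },
    "webpack-dev-server": { name: "webpack-dev-server", severity: "moderate", isDirect: false, via: ["express"],
      effects: ["@symfony/webpack-encore"], range: ">=1.3.0", nodes: ["node_modules/webpack-dev-server"], fixAvailable: false },
    "@symfony/webpack-encore": { name: "@symfony/webpack-encore", severity: "moderate", isDirect: true,
      via: ["webpack-dev-server"], effects: [], range: "*", nodes: ["node_modules/@symfony/webpack-encore"], fixAvailable: false },
  },
};

// Constructed package.json: Encore is a build-time tool, so it lives in devDependencies.
const PACKAGE_JSON = { dependencies: {}, devDependencies: { "@symfony/webpack-encore": "*" } };

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` upward from `name` until reaching direct dependencies.
// Returns the sorted list of direct roots through which `name` is installed.
function directRoots(audit, name) {
  const roots = new Set();
  const seen = new Set();
  const stack = [name];
  while (stack.length > 0) {
    const cur = stack.pop();
    if (seen.has(cur)) continue; // guards against cycles in `effects`
    seen.add(cur);
    const entry = audit.vulnerabilities[cur];
    if (!entry) { roots.add(cur); continue; } // dependent missing from the report: keep it visible as a root
    if (entry.isDirect) roots.add(cur);
    for (const dependent of entry.effects || []) stack.push(dependent);
  }
  return [...roots].sort();
}

// "production" if any direct root is a runtime dependency, "dev-only" if every
// root is a devDependency, otherwise "unknown" (root not found in package.json).
function classifyAudit(audit, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const dev = new Set(Object.keys(pkg.devDependencies || {}));
  const result = {};
  for (const [name, entry] of Object.entries(audit.vulnerabilities)) {
    const roots = directRoots(audit, name);
    let scope = "unknown";
    if (roots.some((r) => prod.has(r))) scope = "production";
    else if (roots.length > 0 && roots.every((r) => dev.has(r))) scope = "dev-only";
    result[name] = {
      severity: entry.severity,
      scope,
      roots,
      // npm reports fixAvailable as true/false or as an object describing a semver-major fix
      fixAvailable: entry.fixAvailable !== false,
    };
  }
  return result;
}

// Assumed CI policy: block on findings at or above `minSeverity` unless they
// are proven dev-only. "unknown" is treated as blocking on purpose.
function blockingFindings(classified, minSeverity = "high") {
  const min = SEVERITY_RANK[minSeverity];
  return Object.entries(classified)
    .filter(([, f]) => f.scope !== "dev-only" && SEVERITY_RANK[f.severity] >= min)
    .map(([name]) => name)
    .sort();
}

const classified = classifyAudit(AUDIT, PACKAGE_JSON);
for (const [name, f] of Object.entries(classified)) {
  console.log(`${name.padEnd(24)} ${f.severity.padEnd(9)} ${f.scope.padEnd(11)} via ${f.roots.join(", ")}`);
}
const blocking = blockingFindings(classified, "moderate");
console.log(blocking.length ? `BLOCKING: ${blocking.join(", ")}` : "no production-reachable findings");
```

Run it with `node` against the embedded sample, or replace `AUDIT` and `PACKAGE_JSON` with `JSON.parse` of a real `npm audit --json` run and the repository's package.json. For a quicker manual check, recent npm versions also accept `npm audit --omit=dev`, which audits only the production dependency tree.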

@melroy89
Member

If everything still keeps working, feel free to merge it.

@BentiGorlich BentiGorlich merged commit a78998c into main Sep 11, 2024
@BentiGorlich BentiGorlich deleted the fix/npm-security-warnings branch September 11, 2024 14:20