Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerabilities #205

Open
tonai opened this issue Apr 24, 2024 · 0 comments
Open

Vulnerabilities #205

tonai opened this issue Apr 24, 2024 · 0 comments

Comments

@tonai
Copy link

tonai commented Apr 24, 2024

After installing codesandbox package I have some vulnerabilites on my project.
Here is npm audit report:

# npm audit report

axios  <=0.27.2
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
  codesandbox  >=1.0.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of pacote
  Depends on vulnerable versions of update-notifier
  node_modules/codesandbox

follow-redirects  <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios/node_modules/follow-redirects

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/codesandbox/node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/codesandbox/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/codesandbox/node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/codesandbox/node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix`
node_modules/make-fetch-happen/node_modules/http-cache-semantics
  make-fetch-happen  2.1.0 - 6.1.0
  Depends on vulnerable versions of http-cache-semantics
  node_modules/make-fetch-happen
    pacote  2.0.0 - 9.5.12
    Depends on vulnerable versions of cacache
    Depends on vulnerable versions of make-fetch-happen
    Depends on vulnerable versions of ssri
    node_modules/pacote

ssri  <=6.0.1
Severity: high
Regular Expression Denial of Service in ssri - https://github.com/advisories/GHSA-325j-24f4-qv5x
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-vx3p-948g-6vhq
fix available via `npm audit fix`
node_modules/make-fetch-happen/node_modules/ssri
node_modules/ssri
  cacache  10.0.4 - 11.0.0 || 7.0.0 - 9.3.0
  Depends on vulnerable versions of ssri
  Depends on vulnerable versions of ssri
  node_modules/cacache
  node_modules/make-fetch-happen/node_modules/cacache

12 vulnerabilities (5 moderate, 7 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Is it possible to update vulnerable packages ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant