fix security issues #450

Open
wants to merge 1 commit into
base: master
from

Conversation

JaderDias

$ npm audit fix
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile
npm WARN audit fix tar@4.4.8 node_modules/fsevents/node_modules/tar
npm WARN audit fix tar@4.4.8 is a bundled dependency of
npm WARN audit fix tar@4.4.8 fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix tar@4.4.8 It cannot be fixed automatically.
npm WARN audit fix tar@4.4.8 Check for updates to the fsevents package.
npm WARN audit fix minimist@1.2.0 node_modules/fsevents/node_modules/rc/node_modules/minimist
npm WARN audit fix minimist@1.2.0 is a bundled dependency of
npm WARN audit fix minimist@1.2.0 fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix minimist@1.2.0 It cannot be fixed automatically.
npm WARN audit fix minimist@1.2.0 Check for updates to the fsevents package.
npm WARN audit fix minimist@0.0.8 node_modules/fsevents/node_modules/minimist
npm WARN audit fix minimist@0.0.8 is a bundled dependency of
npm WARN audit fix minimist@0.0.8 fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix minimist@0.0.8 It cannot be fixed automatically.
npm WARN audit fix minimist@0.0.8 Check for updates to the fsevents package.
npm WARN audit fix ini@1.3.5 node_modules/fsevents/node_modules/ini
npm WARN audit fix ini@1.3.5 is a bundled dependency of
npm WARN audit fix ini@1.3.5 fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix ini@1.3.5 It cannot be fixed automatically.
npm WARN audit fix ini@1.3.5 Check for updates to the fsevents package.
npm WARN audit fix mkdirp@0.5.1 node_modules/fsevents/node_modules/mkdirp
npm WARN audit fix mkdirp@0.5.1 is a bundled dependency of
npm WARN audit fix mkdirp@0.5.1 fsevents@1.2.9 at node_modules/fsevents
npm WARN audit fix mkdirp@0.5.1 It cannot be fixed automatically.
npm WARN audit fix mkdirp@0.5.1 Check for updates to the fsevents package.
npm WARN deprecated kleur@2.0.2: Please upgrade to kleur@3 or migrate to 'ansi-colors' if you prefer the old syntax. Visit https://github.com/lukeed/kleur/releases/tag/v3.0.0\ for migration path(s).
npm WARN deprecated har-validator@5.1.3: this library is no longer supported
npm WARN deprecated left-pad@1.3.0: use String.prototype.padStart()
npm WARN deprecated circular-json@0.3.3: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@3.2.6: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated sane@2.5.2: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated chokidar@2.1.8: Chokidar 2 does not receive security updates since 2019. Upgrade to chokidar 3 with 15x fewer dependencies
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated debug@4.1.1: Debug versions >=3.2.0 <3.2.7 || >=4 <4.3.1 have a low-severity ReDos regression when used in a Node.js environment. It is recommended you upgrade to 3.2.7 or 4.3.1. (debug-js/debug#797)
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated source-map-resolve@0.5.2: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated request@2.88.0: request has been deprecated, see request/request#3142
npm WARN deprecated request-promise-native@1.0.8: request-promise-native has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated request-promise@4.2.5: request-promise has been deprecated because it extends the now deprecated request package, see request/request#3142
npm WARN deprecated uuid@3.3.3: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated mailgun-js@0.22.0: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated gitlab@3.11.4: The gitlab package has found a new home in the @gitbeaker organization. For the latest gitlab node library, check out @gitbeaker/node. A full list of the features can be found here: https://github.com/jdalrymple/gitbeaker#readme
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated @octokit/app@4.1.0: '@octokit/app' will be repurposed in future. Use '@octokit/auth-app' instead
npm WARN deprecated source-map-url@0.4.0: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated core-js@2.6.10: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

added 1021 packages, and audited 1022 packages in 28s

39 packages are looking for funding
run npm fund for details

ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - GHSA-v88g-cgmw-v5xw
fix available via npm audit fix
node_modules/table/node_modules/ajv
table 3.7.10 - 4.0.2
Depends on vulnerable versions of ajv
node_modules/table

braces <=2.3.0
Regular Expression Denial of Service (ReDoS) in braces - GHSA-cwfw-4gq5-mrqx
Regular Expression Denial of Service in braces - GHSA-g95f-p29q-9xw4
fix available via npm audit fix --force
Will install jest@28.1.3, which is a breaking change
node_modules/jest-cli/node_modules/braces
node_modules/jest-config/node_modules/braces
node_modules/jest-haste-map/node_modules/braces
node_modules/jest-message-util/node_modules/braces
node_modules/jest-runtime/node_modules/braces
node_modules/test-exclude/node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/jest-cli/node_modules/micromatch
node_modules/jest-config/node_modules/micromatch
node_modules/jest-haste-map/node_modules/micromatch
node_modules/jest-message-util/node_modules/micromatch
node_modules/jest-runtime/node_modules/micromatch
node_modules/test-exclude/node_modules/micromatch
jest-cli 0.10.2 - 24.8.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-environment-jsdom
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-resolve-dependencies
Depends on vulnerable versions of jest-runner
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of node-notifier
Depends on vulnerable versions of yargs
node_modules/jest-cli
jest 13.3.0-alpha.4eb0c908 - 23.6.0
Depends on vulnerable versions of jest-cli
node_modules/jest
jest-config 12.1.1-alpha.2935e14d - 25.5.4
Depends on vulnerable versions of babel-jest
Depends on vulnerable versions of jest-environment-jsdom
Depends on vulnerable versions of jest-environment-node
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
node_modules/jest-config
jest-runner 21.0.0-alpha.1 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-jasmine2
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-runtime
Depends on vulnerable versions of jest-util
node_modules/jest-runner
jest-runtime 14.1.0 - 24.8.0
Depends on vulnerable versions of babel-plugin-istanbul
Depends on vulnerable versions of jest-config
Depends on vulnerable versions of jest-haste-map
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of yargs
node_modules/jest-runtime
jest-haste-map 16.1.0-alpha.691b0e22 - 24.0.0
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of sane
node_modules/jest-haste-map
jest-message-util 18.5.0-alpha.7da3df39 - 23.1.0 || 23.4.0 - 24.0.0-alpha.16
Depends on vulnerable versions of micromatch
node_modules/jest-message-util
expect 21.0.0-beta.1 - 22.4.3 || 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-message-util
node_modules/expect
jest-jasmine2 18.5.0-alpha.7da3df39 - 22.4.4 || 23.4.0 - 23.6.0
Depends on vulnerable versions of expect
Depends on vulnerable versions of jest-message-util
Depends on vulnerable versions of jest-snapshot
Depends on vulnerable versions of jest-util
node_modules/jest-jasmine2
jest-snapshot 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-snapshot
jest-resolve-dependencies 23.4.0 - 23.6.0
Depends on vulnerable versions of jest-snapshot
node_modules/jest-resolve-dependencies
jest-util 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-message-util
node_modules/jest-util
jest-environment-jsdom 10.0.2 - 25.5.0
Depends on vulnerable versions of jest-util
Depends on vulnerable versions of jsdom
node_modules/jest-environment-jsdom
jest-environment-node 18.5.0-alpha.7da3df39 - 22.4.3 || 23.4.0
Depends on vulnerable versions of jest-util
node_modules/jest-environment-node
test-exclude <=4.2.3
Depends on vulnerable versions of micromatch
node_modules/test-exclude
babel-plugin-istanbul <=5.0.0
Depends on vulnerable versions of test-exclude
node_modules/babel-plugin-istanbul
babel-jest 14.2.0-alpha.ca8bfb6e - 24.0.0-alpha.16
Depends on vulnerable versions of babel-plugin-istanbul
node_modules/babel-jest

convict <=6.2.2
Severity: critical
Prototype Pollution in convict - GHSA-jjf5-wx3j-3fv7
Prototype Pollution in convict - GHSA-x2w5-725j-gf2g
Depends on vulnerable versions of moment
Depends on vulnerable versions of validator
Depends on vulnerable versions of yargs-parser
fix available via npm audit fix --force
Will install convict@6.2.3, which is a breaking change
node_modules/convict

express-brute *
Severity: high
Rate Limiting Bypass in express-brute - GHSA-984p-xq9m-4rjw
Depends on vulnerable versions of underscore
No fix available
node_modules/express-brute

glob-parent <=5.1.1
Severity: high
Regular expression denial of service in glob-parent - GHSA-ww39-953v-wcq6
glob-parent before 6.0.1 and 5.1.2 vulnerable to Regular Expression Denial of Service (ReDoS) - GHSA-cj88-88mr-972w
fix available via npm audit fix --force
Will install nodemon@2.0.19, which is a breaking change
node_modules/glob-base/node_modules/glob-parent
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/chokidar
nodemon 1.3.5 - 2.0.16 || 2.0.18
Depends on vulnerable versions of chokidar
Depends on vulnerable versions of update-notifier
node_modules/nodemon
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob

got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install nodemon@2.0.19, which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier

ini <1.3.6
Severity: high
Prototype Pollution - GHSA-qqgx-2p2h-9c37
fix available via npm audit fix
node_modules/ini

jsdom <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - GHSA-f4c9-cqv8-9v98
fix available via npm audit fix --force
Will install jest@28.1.3, which is a breaking change
node_modules/jsdom

merge <2.1.1
Severity: high
Prototype Pollution in merge - GHSA-7wpw-2hjm-89gp
fix available via npm audit fix --force
Will install jest@28.1.3, which is a breaking change
node_modules/merge
exec-sh <=0.3.1
Depends on vulnerable versions of merge
node_modules/exec-sh
sane 1.0.4 - 4.0.2
Depends on vulnerable versions of exec-sh
Depends on vulnerable versions of watch
node_modules/sane
watch >=0.14.0
Depends on vulnerable versions of exec-sh
node_modules/watch

minimist <=1.2.5
Severity: critical
Prototype Pollution in minimist - GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via npm audit fix
node_modules/minimist
node_modules/rc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp

moment <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Inefficient Regular Expression Complexity in moment - GHSA-wc69-rhjr-hc9g
fix available via npm audit fix --force
Will install convict@6.2.3, which is a breaking change
node_modules/convict/node_modules/moment

netmask <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - GHSA-4c7m-wxvm-r7gc
netmask npm package vulnerable to octal input data - GHSA-pch5-whg9-qr2r
fix available via npm audit fix --force
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask
pac-resolver <=4.2.0
Depends on vulnerable versions of netmask
node_modules/pac-resolver
pac-proxy-agent <=4.1.0
Depends on vulnerable versions of pac-resolver
node_modules/pac-proxy-agent
proxy-agent 1.1.0 - 4.0.1
Depends on vulnerable versions of pac-proxy-agent
node_modules/proxy-agent
mailgun-js >=0.6.8
Depends on vulnerable versions of proxy-agent
node_modules/mailgun-js

node-notifier <8.0.1
Severity: moderate
OS Command Injection in node-notifier - GHSA-5fw9-fq32-wv5p
fix available via npm audit fix --force
Will install jest@28.1.3, which is a breaking change
node_modules/node-notifier

parse-link-header <2.0.0
Severity: high
Uncontrolled Resource Consumption in parse-link-header - GHSA-q674-xm3x-2926
fix available via npm audit fix --force
Will install gitlab@14.2.2, which is a breaking change
node_modules/parse-link-header
gitlab 3.0.0 - 4.5.1
Depends on vulnerable versions of parse-link-header
node_modules/gitlab

shelljs <=0.8.4
Severity: high
Improper Privilege Management in shelljs - GHSA-4rq4-32rv-6wp6
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via npm audit fix --force
Will install standard@17.0.0, which is a breaking change
node_modules/shelljs
eslint 1.4.0 - 4.0.0-rc.0
Depends on vulnerable versions of shelljs
node_modules/eslint
eslint-plugin-import 1.0.0-beta.0 - 2.5.0
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-import
standard 3.3.0 || 4.1.0 - 4.3.3 || 6.0.0 - 10.0.3
Depends on vulnerable versions of eslint
Depends on vulnerable versions of eslint-plugin-import
Depends on vulnerable versions of eslint-plugin-react
node_modules/standard
eslint-plugin-react 6.0.0-alpha.1 - 7.0.1
Depends on vulnerable versions of eslint
node_modules/eslint-plugin-react

tar <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via npm audit fix
node_modules/tar

underscore 1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore

validator <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - GHSA-qgmg-gppg-76g5
fix available via npm audit fix
node_modules/validator

yargs-parser 6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install convict@6.2.3, which is a breaking change
node_modules/yargs-parser
node_modules/yargs/node_modules/yargs-parser
yargs 8.0.0-candidate.0 - 12.0.5
Depends on vulnerable versions of yargs-parser
node_modules/yargs

59 vulnerabilities (12 low, 22 moderate, 21 high, 4 critical)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

moment  <=2.29.3
Severity: high
Path Traversal: 'dir/../../filename' in moment.locale - GHSA-8hfj-j24r-96c4
Inefficient Regular Expression Complexity in moment - GHSA-wc69-rhjr-hc9g
fix available via `npm audit fix --force`
Will install convict@6.2.3, which is a breaking change
node_modules/convict/node_modules/moment

netmask  <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - GHSA-4c7m-wxvm-r7gc
netmask npm package vulnerable to octal input data - GHSA-pch5-whg9-qr2r
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js

node-notifier  <8.0.1
Severity: moderate
OS Command Injection in node-notifier - GHSA-5fw9-fq32-wv5p
fix available via `npm audit fix --force`
Will install jest@28.1.3, which is a breaking change
node_modules/node-notifier

parse-link-header  <2.0.0
Severity: high
Uncontrolled Resource Consumption in parse-link-header - GHSA-q674-xm3x-2926
fix available via `npm audit fix --force`
Will install gitlab@14.2.2, which is a breaking change
node_modules/parse-link-header
  gitlab  3.0.0 - 4.5.1
  Depends on vulnerable versions of parse-link-header
  node_modules/gitlab

shelljs  <=0.8.4
Severity: high
Improper Privilege Management in shelljs - GHSA-4rq4-32rv-6wp6
Improper Privilege Management in shelljs - GHSA-64g7-mvw6-v9qj
fix available via `npm audit fix --force`
Will install standard@17.0.0, which is a breaking change
node_modules/shelljs
  eslint  1.4.0 - 4.0.0-rc.0
  Depends on vulnerable versions of shelljs
  node_modules/eslint
    eslint-plugin-import  1.0.0-beta.0 - 2.5.0
    Depends on vulnerable versions of eslint
    node_modules/eslint-plugin-import
      standard  3.3.0 || 4.1.0 - 4.3.3 || 6.0.0 - 10.0.3
      Depends on vulnerable versions of eslint
      Depends on vulnerable versions of eslint-plugin-import
      Depends on vulnerable versions of eslint-plugin-react
      node_modules/standard
    eslint-plugin-react  6.0.0-alpha.1 - 7.0.1
    Depends on vulnerable versions of eslint
    node_modules/eslint-plugin-react

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/tar

underscore  1.3.2 - 1.12.0
Severity: high
Arbitrary Code Execution in underscore - GHSA-cf4h-3jhx-xvhq
No fix available
node_modules/underscore

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - GHSA-qgmg-gppg-76g5
fix available via `npm audit fix`
node_modules/validator

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - GHSA-p9pc-299p-vxgp
fix available via `npm audit fix --force`
Will install convict@6.2.3, which is a breaking change
node_modules/yargs-parser
node_modules/yargs/node_modules/yargs-parser
  yargs  8.0.0-candidate.0 - 12.0.5
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs

59 vulnerabilities (12 low, 22 moderate, 21 high, 4 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.