
High Vulnerability found after install FOSJsRoutingBundle #485

Open
M-Arthur opened this issue Jul 4, 2024 · 1 comment
M-Arthur commented Jul 4, 2024

Description

I followed the official docs below to install the FOSJsRoutingBundle with Symfony Webpack Encore.
https://github.com/FriendsOfSymfony/FOSJsRoutingBundle/blob/master/Resources/doc/installation.rst#step-5-if-you-are-using-webpack-install-the-npm-package-locally

However, I received the following vulnerability warning in npm audit and docker scanning.

Could you please help me have a look and let me know how to resolve the issue? Thanks.

NPM Audit Report

# npm audit report
braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/braces
  chokidar  1.3.0 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of readdirp
  node_modules/chokidar
    glob-watcher  5.0.0 - 5.0.5
    Depends on vulnerable versions of anymatch
    Depends on vulnerable versions of chokidar
    node_modules/glob-watcher
      gulp  4.0.0 - 4.0.2
      Depends on vulnerable versions of glob-watcher
      Depends on vulnerable versions of gulp-cli
      node_modules/gulp
  micromatch  0.2.0 - 3.1.10
  Depends on vulnerable versions of braces
  node_modules/micromatch
    anymatch  1.2.0 - 2.0.0
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
    findup-sync  0.4.0 - 3.0.0
    Depends on vulnerable versions of micromatch
    node_modules/findup-sync
    node_modules/matchdep/node_modules/findup-sync
      liftoff  2.2.3 - 3.1.0
      Depends on vulnerable versions of findup-sync
      node_modules/liftoff
        gulp-cli  1.3.0 - 2.3.0
        Depends on vulnerable versions of liftoff
        Depends on vulnerable versions of matchdep
        node_modules/gulp-cli
      matchdep  >=1.0.1
      Depends on vulnerable versions of findup-sync
      Depends on vulnerable versions of micromatch
      node_modules/matchdep
    readdirp  2.2.0 - 2.2.1
    Depends on vulnerable versions of micromatch
    node_modules/readdirp

11 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

NPM Why

[email protected] dev
node_modules/braces
  braces@"^2.3.2" from [email protected]
  node_modules/chokidar
    chokidar@"^2.0.0" from [email protected]
    node_modules/glob-watcher
      glob-watcher@"^5.0.3" from [email protected]
      node_modules/gulp
        dev gulp@"^4.0.2" from [email protected]
        vendor/friendsofsymfony/jsrouting-bundle/Resources
          [email protected]
          node_modules/fos-router
            dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
  braces@"^2.3.1" from [email protected]
  node_modules/micromatch
    micromatch@"^3.1.4" from [email protected]
    node_modules/anymatch
      anymatch@"^2.0.0" from [email protected]
      node_modules/chokidar
        chokidar@"^2.0.0" from [email protected]
        node_modules/glob-watcher
          glob-watcher@"^5.0.3" from [email protected]
          node_modules/gulp
            dev gulp@"^4.0.2" from [email protected]
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              [email protected]
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
      anymatch@"^2.0.0" from [email protected]
      node_modules/glob-watcher
        glob-watcher@"^5.0.3" from [email protected]
        node_modules/gulp
          dev gulp@"^4.0.2" from [email protected]
          vendor/friendsofsymfony/jsrouting-bundle/Resources
            [email protected]
            node_modules/fos-router
              dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from [email protected]
    node_modules/findup-sync
      findup-sync@"^3.0.0" from [email protected]
      node_modules/liftoff
        liftoff@"^3.1.0" from [email protected]
        node_modules/gulp-cli
          gulp-cli@"^2.2.0" from [email protected]
          node_modules/gulp
            dev gulp@"^4.0.2" from [email protected]
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              [email protected]
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from [email protected]
    node_modules/matchdep
      matchdep@"^2.0.0" from [email protected]
      node_modules/gulp-cli
        gulp-cli@"^2.2.0" from [email protected]
        node_modules/gulp
          dev gulp@"^4.0.2" from [email protected]
          vendor/friendsofsymfony/jsrouting-bundle/Resources
            [email protected]
            node_modules/fos-router
              dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.0.4" from [email protected]
    node_modules/matchdep/node_modules/findup-sync
      findup-sync@"^2.0.0" from [email protected]
      node_modules/matchdep
        matchdep@"^2.0.0" from [email protected]
        node_modules/gulp-cli
          gulp-cli@"^2.2.0" from [email protected]
          node_modules/gulp
            dev gulp@"^4.0.2" from [email protected]
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              [email protected]
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
    micromatch@"^3.1.10" from [email protected]
    node_modules/readdirp
      readdirp@"^2.2.1" from [email protected]
      node_modules/chokidar
        chokidar@"^2.0.0" from [email protected]
        node_modules/glob-watcher
          glob-watcher@"^5.0.3" from [email protected]
          node_modules/gulp
            dev gulp@"^4.0.2" from [email protected]
            vendor/friendsofsymfony/jsrouting-bundle/Resources
              [email protected]
              node_modules/fos-router
                dev fos-router@"file:vendor/friendsofsymfony/jsrouting-bundle/Resources" from the root project
RobertWesner commented Oct 11, 2024

I was able to fix this by adding the following overrides:

{
    "dependencies": {
        ...
    },
    "overrides": {
        "gulp": "5.0.1",
        "braces": "latest",
        "micromatch": "latest"
    }
}

You may want to add specific versions rather than "latest".
This solves the fixed dependencies causing these vulnerabilities until they are updated.
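A way to reproduce the reasoning in this thread offline, as an added example that is not code from the issue or from the FOSJsRoutingBundle project: it walks an `npm ls --all --json`-shaped dependency tree to find every chain from the project root down to a package inside an advisory's vulnerable range (the chain `npm why` prints above), and it lints a package.json `overrides` block for specs such as `"latest"` that are not exact pins. The tree, the advisory entry (`braces` fixed in 3.0.3, as `npm audit` reports) and all version numbers in the sample data are constructed for the demo; the `3.0.0` for fos-router and `4.0.8` for micromatch are assumptions, not values from the page.

```javascript
// Added example, not code from the issue or from FOSJsRoutingBundle.
// Models the thread: a transitive dependency (braces) pulled in through
// fos-router -> gulp -> glob-watcher -> chokidar, reported by npm audit, and an
// "overrides" block in package.json used to force a patched version.
// Input shape follows `npm ls --all --json` (version + dependencies per node);
// the concrete version numbers below are constructed for the demo.

// Compare dotted numeric versions ("2.3.2" vs "3.0.3"): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// An advisory in the form npm audit prints it ("braces <3.0.3"): the installed
// version is vulnerable when it is below fixedIn.
function isVulnerable(name, version, advisories) {
  return advisories.some(
    (adv) => adv.name === name && compareVersions(version, adv.fixedIn) < 0
  );
}

// Depth-first walk of the tree; returns every chain from the project root down
// to an installed package that matches an advisory (what `npm why` shows).
function findVulnerablePaths(tree, advisories, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = [...path, `${name}@${node.version}`];
    if (isVulnerable(name, node.version, advisories)) out.push(chain.join(' > '));
    findVulnerablePaths(node, advisories, chain, out);
  }
  return out;
}

// Overrides that are not exact versions ("latest", ranges) make installs
// non-reproducible, which is why the comment suggests pinning them.
function lintOverrides(pkg) {
  return Object.entries(pkg.overrides || {})
    .filter(([, spec]) => !/^\d+\.\d+\.\d+$/.test(spec))
    .map(([name, spec]) => `${name}: "${spec}" is not an exact version`);
}

// --- constructed sample data (all versions are assumptions for the demo) ---
const ADVISORIES = [{ name: 'braces', fixedIn: '3.0.3' }];

// Build the chain from the issue with a chosen braces version at the bottom.
function chainTo(bracesVersion) {
  return {
    name: 'root', version: '1.0.0',
    dependencies: {
      'fos-router': { version: '3.0.0', dependencies: {
        gulp: { version: '4.0.2', dependencies: {
          'glob-watcher': { version: '5.0.5', dependencies: {
            chokidar: { version: '2.1.8', dependencies: {
              braces: { version: bracesVersion },
            } },
          } },
        } },
      } },
    },
  };
}

const TREE_BEFORE = chainTo('2.3.2'); // what npm audit complained about
const TREE_AFTER = chainTo('3.0.3');  // after an override forces a patched braces

// The overrides block from the comment above, and a fully pinned variant.
const PKG_FROM_COMMENT = { overrides: { gulp: '5.0.1', braces: 'latest', micromatch: 'latest' } };
const PKG_PINNED = { overrides: { gulp: '5.0.1', braces: '3.0.3', micromatch: '4.0.8' } };

// Combine both checks into one report object.
function report(tree, pkg) {
  return {
    vulnerablePaths: findVulnerablePaths(tree, ADVISORIES),
    overrideWarnings: lintOverrides(pkg),
  };
}

console.log(JSON.stringify(report(TREE_BEFORE, PKG_FROM_COMMENT), null, 2));
console.log(JSON.stringify(report(TREE_AFTER, PKG_PINNED), null, 2));
```

Run it with `node` to see the vulnerable chain and the two unpinned-override warnings for the first report, and an empty report for the pinned, patched tree. Against a real project, feed it the output of `npm ls --all --json` and the package list from `npm audit --json` instead of the constructed objects; the walk itself is the same.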
