Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm ci -> 3 vulnerabilities (2 high, 1 critical) #415

Open
mralusw opened this issue Jan 3, 2023 · 1 comment
Open

npm ci -> 3 vulnerabilities (2 high, 1 critical) #415

mralusw opened this issue Jan 3, 2023 · 1 comment

Comments

@mralusw
Copy link

mralusw commented Jan 3, 2023

Same setup as in #414; in addition to the problems there, there was also this message at the end of npm ci: 3 vulnerabilities (2 high, 1 critical).

npm audit reports:

# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@babel/core/node_modules/json5
node_modules/adjust-sourcemap-loader/node_modules/json5
node_modules/file-loader/node_modules/json5
node_modules/json5
node_modules/mini-css-extract-plugin/node_modules/json5
node_modules/posthtml-loader/node_modules/json5
node_modules/resolve-url-loader/node_modules/json5
node_modules/thread-loader/node_modules/json5
node_modules/vue-loader/node_modules/json5
node_modules/yaml-loader/node_modules/json5
  loader-utils  <=1.4.2
  Depends on vulnerable versions of json5
  node_modules/loader-utils


qs  6.5.0 - 6.5.2
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix`
node_modules/request/node_modules/qs

3 vulnerabilities (2 high, 1 critical)

Is this... something to be expected?

@MattIPv4
Copy link
Contributor

MattIPv4 commented Jan 3, 2023

Yes, it's quite common for there to be some vulnerabilities listed for dependencies. Feel free to open a PR to resolve them if you wish.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants