
Comments (5)

hamirmahal avatar hamirmahal commented on July 22, 2024

image

from linguist.

hamirmahal avatar hamirmahal commented on July 22, 2024
hamir@hamir-desktop:~/linguist (master)$  npm install
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @stylelint/[email protected]: Use the original unforked package instead: postcss-markdown
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @stylelint/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated [email protected]: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.

> [email protected] prepare
> husky install

husky - Git hooks installed

added 1949 packages, and audited 1950 packages in 10s

262 packages are looking for funding
  run `npm fund` for details

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)

vitonsky avatar vitonsky commented on July 22, 2024

What is the problem here? Which packages exactly are vulnerable, and how may they be exploited?

hamirmahal avatar hamirmahal commented on July 22, 2024

There are a lot of details, but you should be able to see all of them when running npm audit.

hamirmahal avatar hamirmahal commented on July 22, 2024
output of npm audit on main branch
~/linguist (master)$  npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
node_modules/google-tts-api/node_modules/axios
  @translate-tools/core  >=0.0.11
  Depends on vulnerable versions of axios
  node_modules/@translate-tools/core
  google-tts-api  >=2.0.0
  Depends on vulnerable versions of axios
  node_modules/google-tts-api

color-string  <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
  color  <=0.11.4
  Depends on vulnerable versions of color-string
  node_modules/color
    css-color-function  *
    Depends on vulnerable versions of color
    node_modules/css-color-function
      @yandex/themekit  <=1.6.8
      Depends on vulnerable versions of css-color-function
      Depends on vulnerable versions of json5
      node_modules/@yandex/themekit

express  <=4.19.1 || 5.0.0-alpha.1 - 5.0.0-beta.1
Severity: high
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/express
  addons-scanner-utils  *
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of download
  Depends on vulnerable versions of express
  node_modules/addons-scanner-utils
    addons-linter  *
    Depends on vulnerable versions of addons-scanner-utils
    Depends on vulnerable versions of ajv-merge-patch
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of semver
    node_modules/addons-linter
      web-ext  1.0.0 - 7.6.2
      Depends on vulnerable versions of @devicefarmer/adbkit
      Depends on vulnerable versions of addons-linter
      Depends on vulnerable versions of firefox-profile
      Depends on vulnerable versions of sign-addon
      Depends on vulnerable versions of update-notifier
      node_modules/web-ext

fast-json-patch  <3.1.1
Severity: high
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - https://github.com/advisories/GHSA-8gh8-hqwg-xf34
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/fast-json-patch
  ajv-merge-patch  *
  Depends on vulnerable versions of fast-json-patch
  node_modules/ajv-merge-patch

follow-redirects  <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects

got  <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version
      update-notifier  0.2.0 - 5.1.0
      Depends on vulnerable versions of latest-version
      node_modules/update-notifier

http-cache-semantics  <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/http-cache-semantics
  cacheable-request  0.1.0 - 2.1.4
  Depends on vulnerable versions of http-cache-semantics
  node_modules/cacheable-request

json5  2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@yandex/themekit/node_modules/json5

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken
  sign-addon  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/sign-addon

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
  @devicefarmer/adbkit  <=3.2.1
  Depends on vulnerable versions of node-forge
  node_modules/@devicefarmer/adbkit

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/[email protected], which is a breaking change
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack

postcss  <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/addons-linter/node_modules/postcss
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/postcss-less/node_modules/postcss
node_modules/postcss-rem-to-pixel/node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/postcss-sass/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
node_modules/stylelint/node_modules/postcss
node_modules/sugarss/node_modules/postcss
  autoprefixer  1.0.20131222 - 9.8.8
  Depends on vulnerable versions of postcss
  node_modules/autoprefixer
    stylelint  0.1.0 - 13.13.1
    Depends on vulnerable versions of autoprefixer
    Depends on vulnerable versions of postcss
    Depends on vulnerable versions of postcss-less
    Depends on vulnerable versions of postcss-safe-parser
    Depends on vulnerable versions of postcss-sass
    Depends on vulnerable versions of postcss-scss
    Depends on vulnerable versions of sugarss
    node_modules/stylelint
      stylelint-config-recommended  <=2.2.0 || 4.0.0 - 5.0.0
      Depends on vulnerable versions of stylelint
      node_modules/stylelint-config-recommended
        stylelint-config-standard  4.0.1 - 18.3.0 || 21.0.0 - 22.0.0
        Depends on vulnerable versions of stylelint
        Depends on vulnerable versions of stylelint-config-recommended
        node_modules/stylelint-config-standard
  postcss-less  <=3.1.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-less
  postcss-rem-to-pixel  *
  Depends on vulnerable versions of postcss
  node_modules/postcss-rem-to-pixel
  postcss-safe-parser  <=4.0.2
  Depends on vulnerable versions of postcss
  node_modules/postcss-safe-parser
  postcss-sass  <=0.4.4
  Depends on vulnerable versions of postcss
  node_modules/postcss-sass
  postcss-scss  <=2.1.1
  Depends on vulnerable versions of postcss
  node_modules/postcss-scss
  sugarss  <=2.0.0
  Depends on vulnerable versions of postcss
  node_modules/sugarss

qs  6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/qs
  body-parser  1.19.1 || 2.0.0-beta.1
  Depends on vulnerable versions of qs
  node_modules/body-parser

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/@oclif/command/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/addons-linter/node_modules/semver
node_modules/conf/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/download/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/jsonwebtoken/node_modules/semver
node_modules/node-abi/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/postcss-loader/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/sharp/node_modules/semver
node_modules/ts-jest/node_modules/semver
node_modules/ts-loader/node_modules/semver
node_modules/update-notifier/node_modules/semver
  @commitlint/is-ignored  9.0.0 - 17.6.5
  Depends on vulnerable versions of semver
  node_modules/@commitlint/is-ignored
    @commitlint/lint  9.0.0 - 16.2.4
    Depends on vulnerable versions of @commitlint/is-ignored
    node_modules/@commitlint/lint
      @commitlint/cli  9.0.0 - 16.3.0
      Depends on vulnerable versions of @commitlint/lint
      node_modules/@commitlint/cli

sharp  <0.32.6
Severity: high
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via `npm audit fix`
node_modules/sharp

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
  firefox-profile  <=4.2.2
  Depends on vulnerable versions of xml2js
  node_modules/firefox-profile

55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)

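An added example (not from the thread or from linguist) for the triage question raised above: a Python script that reads `npm audit --json` output and, for each advisory, reports the severity, the direct dependencies that pull the vulnerable package in (the `effects` chain that the text report renders as "Depends on vulnerable versions of ..."), and whether the available fix is a semver-major break. The embedded report is constructed from a few of the entries above; the version inside fixAvailable is a placeholder, not real data.

```python
import json

SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Constructed sample in the shape of `npm audit --json` (auditReportVersion 2).
# Names, severities and ranges follow the thread's report; the version is a placeholder.
SAMPLE_REPORT = json.dumps({"auditReportVersion": 2, "vulnerabilities": {
    "axios": {"severity": "moderate", "isDirect": False, "range": "0.8.1 - 0.27.2",
              "via": [{"title": "Axios Cross-Site Request Forgery Vulnerability",
                       "url": "https://github.com/advisories/GHSA-wf5p-g6vw-rhxx"}],
              "effects": ["@translate-tools/core", "google-tts-api"],
              "fixAvailable": {"name": "@translate-tools/core",
                               "version": "x.y.z-placeholder", "isSemVerMajor": True}},
    # Dependents of axios: their `via` lists package names, not advisory objects.
    "@translate-tools/core": {"severity": "moderate", "isDirect": True, "via": ["axios"],
                              "effects": [], "range": ">=0.0.11", "fixAvailable": True},
    "google-tts-api": {"severity": "moderate", "isDirect": True, "via": ["axios"],
                       "effects": [], "range": ">=2.0.0", "fixAvailable": True},
    "sharp": {"severity": "high", "isDirect": True, "range": "<0.32.6", "effects": [],
              "via": [{"title": "sharp vulnerability in libwebp dependency CVE-2023-4863",
                       "url": "https://github.com/advisories/GHSA-54xq-cgqr-rpm3"}],
              "fixAvailable": True}}})

def root_dependencies(vulns, name, seen=()):
    """Walk `effects` upward to the direct dependencies that pull `name` in."""
    entry, seen = vulns[name], {*seen, name}  # `seen` guards against cycles
    if entry.get("isDirect") or not entry.get("effects"):
        return {name}
    return set().union(*(root_dependencies(vulns, p, seen)
                         for p in entry["effects"] if p not in seen))

def triage(report_json):
    """One row per advisory-bearing package, worst severity first."""
    vulns = json.loads(report_json)["vulnerabilities"]
    rows = []
    for name, entry in vulns.items():
        advisories = [v for v in entry["via"] if isinstance(v, dict)]
        if not advisories:  # a dependent, not the vulnerable package itself
            continue
        fix = entry.get("fixAvailable")
        rows.append({"package": name, "severity": entry["severity"], "range": entry["range"],
                     "advisories": [a["url"] for a in advisories],
                     "roots": sorted(root_dependencies(vulns, name)),
                     "fixable": bool(fix),  # False means npm offers no automatic fix
                     "breaking_fix": isinstance(fix, dict) and fix["isSemVerMajor"]})
    rows.sort(key=lambda r: SEVERITY_ORDER.get(r["severity"], 5))
    return rows
```

Run `npm audit --json > audit.json` in the repository and pass the file contents to `triage()` to get the same view for the full report.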
