Comments (5)
from linguist.
hamir@hamir-desktop:~/linguist (master)$ npm install
npm WARN deprecated @npmcli/[email protected]: This functionality has been moved to @npmcli/fs
npm WARN deprecated [email protected]: Modern JS already guarantees Array#sort() is a stable sort, so this library is deprecated. See the compatibility table on MDN: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/sort#browser_compatibility
npm WARN deprecated @stylelint/[email protected]: Use the original unforked package instead: postcss-markdown
npm WARN deprecated [email protected]: this library is no longer supported
npm WARN deprecated [email protected]: Please use @jridgewell/sourcemap-codec instead
npm WARN deprecated @stylelint/[email protected]: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This SVGO version is no longer supported. Upgrade to v2.x.x.
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
> [email protected] prepare
> husky install
husky - Git hooks installed
added 1949 packages, and audited 1950 packages in 10s
262 packages are looking for funding
run `npm fund` for details
55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)
from linguist.
What is the problem here? Which packages exactly are vulnerable, and how may they be exploited?
from linguist.
There are a lot of details, but you should be able to see all of them when running npm audit.
from linguist.
Output of npm audit on main branch:
~/linguist (master)$ npm audit
# npm audit report
@babel/traverse <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse
axios 0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
node_modules/google-tts-api/node_modules/axios
@translate-tools/core >=0.0.11
Depends on vulnerable versions of axios
node_modules/@translate-tools/core
google-tts-api >=2.0.0
Depends on vulnerable versions of axios
node_modules/google-tts-api
color-string <1.5.5
Severity: moderate
Regular Expression Denial of Service (ReDOS) - https://github.com/advisories/GHSA-257v-vj4p-3w2h
fix available via `npm audit fix`
node_modules/color-string
color <=0.11.4
Depends on vulnerable versions of color-string
node_modules/color
css-color-function *
Depends on vulnerable versions of color
node_modules/css-color-function
@yandex/themekit <=1.6.8
Depends on vulnerable versions of css-color-function
Depends on vulnerable versions of json5
node_modules/@yandex/themekit
express <=4.19.1 || 5.0.0-alpha.1 - 5.0.0-beta.1
Severity: high
Express.js Open Redirect in malformed URLs - https://github.com/advisories/GHSA-rv95-896h-c2vc
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/express
addons-scanner-utils *
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of download
Depends on vulnerable versions of express
node_modules/addons-scanner-utils
addons-linter *
Depends on vulnerable versions of addons-scanner-utils
Depends on vulnerable versions of ajv-merge-patch
Depends on vulnerable versions of postcss
Depends on vulnerable versions of semver
node_modules/addons-linter
web-ext 1.0.0 - 7.6.2
Depends on vulnerable versions of @devicefarmer/adbkit
Depends on vulnerable versions of addons-linter
Depends on vulnerable versions of firefox-profile
Depends on vulnerable versions of sign-addon
Depends on vulnerable versions of update-notifier
node_modules/web-ext
fast-json-patch <3.1.1
Severity: high
Starcounter-Jack JSON-Patch Prototype Pollution vulnerability - https://github.com/advisories/GHSA-8gh8-hqwg-xf34
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/fast-json-patch
ajv-merge-patch *
Depends on vulnerable versions of fast-json-patch
node_modules/ajv-merge-patch
follow-redirects <=1.15.5
Severity: moderate
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
fix available via `npm audit fix`
node_modules/follow-redirects
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
node_modules/package-json/node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/download
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-rc47-6667-2j5j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/cacheable-request
json5 2.0.0 - 2.2.1
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix`
node_modules/@yandex/themekit/node_modules/json5
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken
sign-addon *
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of request
node_modules/sign-addon
node-forge <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-forge
@devicefarmer/adbkit <=3.2.1
Depends on vulnerable versions of node-forge
node_modules/@devicefarmer/adbkit
nth-check <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install @svgr/[email protected], which is a breaking change
node_modules/nth-check
css-select <=3.1.0
Depends on vulnerable versions of nth-check
node_modules/css-select
svgo 1.0.0 - 1.3.2
Depends on vulnerable versions of css-select
node_modules/svgo
@svgr/plugin-svgo <=5.5.0
Depends on vulnerable versions of svgo
node_modules/@svgr/plugin-svgo
@svgr/webpack 4.0.0 - 5.5.0
Depends on vulnerable versions of @svgr/plugin-svgo
node_modules/@svgr/webpack
postcss <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/addons-linter/node_modules/postcss
node_modules/autoprefixer/node_modules/postcss
node_modules/postcss
node_modules/postcss-less/node_modules/postcss
node_modules/postcss-rem-to-pixel/node_modules/postcss
node_modules/postcss-safe-parser/node_modules/postcss
node_modules/postcss-sass/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
node_modules/stylelint/node_modules/postcss
node_modules/sugarss/node_modules/postcss
autoprefixer 1.0.20131222 - 9.8.8
Depends on vulnerable versions of postcss
node_modules/autoprefixer
stylelint 0.1.0 - 13.13.1
Depends on vulnerable versions of autoprefixer
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-less
Depends on vulnerable versions of postcss-safe-parser
Depends on vulnerable versions of postcss-sass
Depends on vulnerable versions of postcss-scss
Depends on vulnerable versions of sugarss
node_modules/stylelint
stylelint-config-recommended <=2.2.0 || 4.0.0 - 5.0.0
Depends on vulnerable versions of stylelint
node_modules/stylelint-config-recommended
stylelint-config-standard 4.0.1 - 18.3.0 || 21.0.0 - 22.0.0
Depends on vulnerable versions of stylelint
Depends on vulnerable versions of stylelint-config-recommended
node_modules/stylelint-config-standard
postcss-less <=3.1.4
Depends on vulnerable versions of postcss
node_modules/postcss-less
postcss-rem-to-pixel *
Depends on vulnerable versions of postcss
node_modules/postcss-rem-to-pixel
postcss-safe-parser <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-safe-parser
postcss-sass <=0.4.4
Depends on vulnerable versions of postcss
node_modules/postcss-sass
postcss-scss <=2.1.1
Depends on vulnerable versions of postcss
node_modules/postcss-scss
sugarss <=2.0.0
Depends on vulnerable versions of postcss
node_modules/sugarss
qs 6.9.0 - 6.9.6
Severity: high
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/qs
body-parser 1.19.1 || 2.0.0-beta.1
Depends on vulnerable versions of qs
node_modules/body-parser
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@commitlint/is-ignored/node_modules/semver
node_modules/@npmcli/fs/node_modules/semver
node_modules/@oclif/command/node_modules/semver
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/addons-linter/node_modules/semver
node_modules/conf/node_modules/semver
node_modules/css-loader/node_modules/semver
node_modules/download/node_modules/semver
node_modules/jest-snapshot/node_modules/semver
node_modules/jsonwebtoken/node_modules/semver
node_modules/node-abi/node_modules/semver
node_modules/node-notifier/node_modules/semver
node_modules/normalize-package-data/node_modules/semver
node_modules/postcss-loader/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver
node_modules/sharp/node_modules/semver
node_modules/ts-jest/node_modules/semver
node_modules/ts-loader/node_modules/semver
node_modules/update-notifier/node_modules/semver
@commitlint/is-ignored 9.0.0 - 17.6.5
Depends on vulnerable versions of semver
node_modules/@commitlint/is-ignored
@commitlint/lint 9.0.0 - 16.2.4
Depends on vulnerable versions of @commitlint/is-ignored
node_modules/@commitlint/lint
@commitlint/cli 9.0.0 - 16.3.0
Depends on vulnerable versions of @commitlint/lint
node_modules/@commitlint/cli
sharp <0.32.6
Severity: high
sharp vulnerability in libwebp dependency CVE-2023-4863 - https://github.com/advisories/GHSA-54xq-cgqr-rpm3
fix available via `npm audit fix`
node_modules/sharp
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie
word-wrap <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xml2js
firefox-profile <=4.2.2
Depends on vulnerable versions of xml2js
node_modules/firefox-profile
55 vulnerabilities (1 low, 34 moderate, 19 high, 1 critical)