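When we ran `npm audit --json` on our project, which has html-pdf-node as one of its dependencies, we got the following advisories.
Please note that the severity is critical (each of the two advisory entries in the JSON output is itself marked "high", with CVSS scores of 7.5 and 8.8).
Any help would be appreciated.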
{
"1070415": {
"findings": [
{
"version": "1.0.2",
"paths": [
"html-pdf-node>inline-css>cheerio>css-select>nth-check",
"html-pdf-node>inline-css>extract-css>list-stylesheets>cheerio>css-select>nth-check"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.0.1",
"module_name": "nth-check",
"severity": "high",
"github_advisory_id": "GHSA-rp65-9cf3-cjxr",
"cves": [
"CVE-2021-3803"
],
"access": "public",
"patched_versions": ">=2.0.1",
"cvss": {
"score": 7.5,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
},
"updated": "2022-05-26T19:57:03.000Z",
"recommendation": "Upgrade to version 2.0.1 or later",
"cwe": [
"CWE-1333"
],
"found_by": null,
"deleted": null,
"id": 1070415,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2021-3803\n- https://github.com/fb55/nth-check/commit/9894c1d2010870c351f66c6f6efcf656e26bb726\n- https://huntr.dev/bounties/8cf8cc06-d2cf-4b4e-b42c-99fafb0b04d0\n- https://github.com/advisories/GHSA-rp65-9cf3-cjxr",
"created": "2021-09-20T20:47:31.000Z",
"reported_by": null,
"title": "Inefficient Regular Expression Complexity in nth-check",
"npm_advisory_id": null,
"overview": "nth-check is vulnerable to Inefficient Regular Expression Complexity",
"url": "https://github.com/advisories/GHSA-rp65-9cf3-cjxr"
},
"1084495": {
"findings": [
{
"version": "2.6.1",
"paths": [
"html-pdf-node>puppeteer>node-fetch"
]
}
],
"metadata": null,
"vulnerable_versions": "<2.6.7",
"module_name": "node-fetch",
"severity": "high",
"github_advisory_id": "GHSA-r683-j2x4-v87g",
"cves": [
"CVE-2022-0235"
],
"access": "public",
"patched_versions": ">=2.6.7",
"cvss": {
"score": 8.8,
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
},
"updated": "2022-09-19T22:12:10.000Z",
"recommendation": "Upgrade to version 2.6.7 or later",
"cwe": [
"CWE-173",
"CWE-200",
"CWE-601"
],
"found_by": null,
"deleted": null,
"id": 1084495,
"references": "- https://nvd.nist.gov/vuln/detail/CVE-2022-0235\n- https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10\n- https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7\n- https://github.com/node-fetch/node-fetch/pull/1453\n- https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60\n- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf\n- https://github.com/advisories/GHSA-r683-j2x4-v87g",
"created": "2022-01-21T23:55:52.000Z",
"reported_by": null,
"title": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
"npm_advisory_id": null,
"overview": "node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",
"url": "https://github.com/advisories/GHSA-r683-j2x4-v87g"
}
}
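When we ran `npm audit --json` on our project, which has html-pdf-node as one of its dependencies, we got the following advisories.
Please note that the severity is critical (each of the two advisory entries in the JSON output is itself marked "high", with CVSS scores of 7.5 and 8.8).
Any help would be appreciated.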