You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
npm audit reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:
# npm audit report
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request-promise-native/node_modules/tough-cookie
node_modules/request/node_modules/tough-cookie
xmldom *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/xmldom
dom-compare >=0.2.0
Depends on vulnerable versions of xmldom
node_modules/dom-compare
6 vulnerabilities (5 moderate, 1 critical)
Describe the improvement you'd like
To summarize the above logs, we need to:
replace request and request-promise-native with a more modern alternative because they're both deprecated. Most alternatives proposed are either ESM-only, unstable, or not production ready
replace dom-compare. It's not longer maintained and uses a vulnerable version of xmldom. We could fork it and use the more recent version of xmldom, inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.
Dependencies that cannot be updated until we migrate to ESM:
chai
chai-as-promised
chai-exclude
open
Dependencies that need a higher version of Node.js:
semantic-release
PouchDB-related dependencies should probably be updated along with cht-core's.
Additionally, xpath has a new minor version available but no changelog is provided.
The text was updated successfully, but these errors were encountered:
Describe the issue
Follow-up from #621
npm audit
reports 6 vulnerabilities (5 moderate, 1 critical) that we can't address yet:Describe the improvement you'd like
To summarize the above logs, we need to:
request
andrequest-promise-native
with a more modern alternative because they're both deprecated. Most alternatives proposed are either ESM-only, unstable, or not production readydom-compare
. It's not longer maintained and uses a vulnerable version ofxmldom
. We could fork it and use the more recent version of xmldom, inline the dom comparison logic in cht-conf, or find a maintained alternative. TBD.Dependencies that cannot be updated until we migrate to ESM:
chai
chai-as-promised
chai-exclude
open
Dependencies that need a higher version of Node.js:
semantic-release
PouchDB-related dependencies should probably be updated along with cht-core's.
Additionally,
xpath
has a new minor version available but no changelog is provided.The text was updated successfully, but these errors were encountered: