Update vulnerable package

Created on 20 December 2024, 7 months ago

Hello,

As in the parent issue, there is one vulnerable package used in package-lock.json: nanoid.
There is a CVE (https://avd.aquasec.com/nvd/cve-2024-55565) with medium severity for version 3.3.7.
Is it possible to update it to 3.3.8?

Thank you !

📌 Task
Status: Active
Component: Code
Created by: amaloisel (France)


Comments & Activities

  • Issue created by @amaloisel
  • amaloisel (France)

    Hi,

    I did a patch to update the postcss package, as nanoid is a dependency of this package.
    From the 4.0.x branch.

  • eduardo morales alberti (Spain)

    There are more vulnerable packages: https://www.drupal.org/project/gin/issues/3529722 (🐛 Update Vulnerable npm Packages)

    + ddev exec COLUMNS=200 cd web/themes/contrib/gin; npm audit
    
    Failed to execute command `COLUMNS=200 cd web/themes/contrib/gin; npm audit`: exit status 1
    # npm audit report
    
    @babel/helpers  <7.26.10
    Severity: moderate
    Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
    fix available via `npm audit fix`
    node_modules/@babel/helpers
    
    @babel/runtime  <7.26.10
    Severity: moderate
    Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
    fix available via `npm audit fix`
    node_modules/@babel/runtime
    
    brace-expansion  2.0.1 - 4.0.0
    brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
    fix available via `npm audit fix`
    node_modules/svg-spritemap-webpack-plugin/node_modules/brace-expansion
      minimatch  5.0.0 - 9.0.5 || >=10.0.1
      Depends on vulnerable versions of brace-expansion
      node_modules/svg-spritemap-webpack-plugin/node_modules/minimatch
        glob  8.0.1 - 10.4.5
        Depends on vulnerable versions of minimatch
        node_modules/svg-spritemap-webpack-plugin/node_modules/glob
          svg-spritemap-webpack-plugin  >=4.4.1
          Depends on vulnerable versions of glob
          node_modules/svg-spritemap-webpack-plugin
    
    cross-spawn  <6.0.6 || >=7.0.0 <7.0.5
    Severity: high
    Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
    Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
    fix available via `npm audit fix`
    node_modules/cross-spawn
    node_modules/webpack-cli/node_modules/cross-spawn
    
    elliptic  <=6.6.0
    Severity: critical
    Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
    Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) - https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
    fix available via `npm audit fix`
    node_modules/elliptic
    
    nanoid  <3.3.8
    Severity: moderate
    Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
    fix available via `npm audit fix`
    node_modules/nanoid
    
    postcss  <=8.4.30
    Severity: moderate
    Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
    PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
    No fix available
    node_modules/postcss-perfectionist/node_modules/postcss
    node_modules/postcss-scss/node_modules/postcss
      postcss-perfectionist  *
      Depends on vulnerable versions of postcss
      Depends on vulnerable versions of postcss-scss
      node_modules/postcss-perfectionist
      postcss-scss  <=1.0.6
      Depends on vulnerable versions of postcss
      node_modules/postcss-scss
    
    12 vulnerabilities (4 low, 6 moderate, 1 high, 1 critical)
    
    To address issues that do not require attention, run:
      npm audit fix
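
Two things in the audit output above matter for anyone picking this up. First, `npm audit` exits with status 1 whenever it finds vulnerabilities at or above the audit level, so the ddev "Failed to execute command ... exit status 1" line is the expected result of a non-empty report, not a broken toolchain. Second, `npm audit fix` only resolves what the lockfile's semver ranges allow: nanoid (the package the issue asks to bump to 3.3.8) is listed as fixable, while the postcss copies nested under postcss-perfectionist and postcss-scss are "No fix available", which is where npm's `overrides` field in package.json (npm 8.3 and later) comes in. The script below is an added example, not Gin project code: it triages a report in the shape of `npm audit --json` (auditReportVersion 2) into auto-fixable, semver-major and no-fix buckets, and turns caller-supplied version pins into an `overrides` block. SAMPLE_REPORT is constructed by hand from the packages and advisories shown above; the pin `nanoid: '3.3.8'` is the version the issue requests, and the `applyOverrides`/`buildOverrides`/`triage` names are this example's own.

```javascript
// Added example (not Gin project code): triage an `npm audit --json` report and
// turn "no fix available" transitive entries into a package.json `overrides`
// block. SAMPLE_REPORT is constructed by hand in the shape of npm's
// auditReportVersion 2 output, using only packages/advisories from the audit above.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample of `npm audit --json`. Each entry's `via` holds advisory
// objects for the vulnerable package itself, or plain package names for packages
// that are only affected through a dependency (e.g. postcss-perfectionist).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    nanoid: {
      name: 'nanoid', severity: 'moderate', isDirect: false,
      via: [{ name: 'nanoid', severity: 'moderate', range: '<3.3.8',
              title: 'Predictable results in nanoid generation when given non-integer values',
              url: 'https://github.com/advisories/GHSA-mwcw-c2x4-8c55' }],
      effects: [], range: '<3.3.8', nodes: ['node_modules/nanoid'], fixAvailable: true,
    },
    elliptic: {
      name: 'elliptic', severity: 'critical', isDirect: false,
      via: [{ name: 'elliptic', severity: 'critical', range: '<=6.6.0',
              title: 'Valid ECDSA signatures erroneously rejected in Elliptic',
              url: 'https://github.com/advisories/GHSA-fc9h-whq2-v747' }],
      effects: [], range: '<=6.6.0', nodes: ['node_modules/elliptic'], fixAvailable: true,
    },
    postcss: {
      name: 'postcss', severity: 'moderate', isDirect: false,
      via: [{ name: 'postcss', severity: 'moderate', range: '<=8.4.30',
              title: 'Regular Expression Denial of Service in postcss',
              url: 'https://github.com/advisories/GHSA-566m-qj78-rww5' }],
      effects: ['postcss-scss', 'postcss-perfectionist'], range: '<=8.4.30',
      nodes: ['node_modules/postcss-perfectionist/node_modules/postcss',
              'node_modules/postcss-scss/node_modules/postcss'],
      fixAvailable: false,
    },
    'postcss-perfectionist': {
      name: 'postcss-perfectionist', severity: 'moderate', isDirect: true,
      via: ['postcss', 'postcss-scss'], effects: [], range: '*',
      nodes: ['node_modules/postcss-perfectionist'], fixAvailable: false,
    },
  },
};

// Sort vulnerable packages at or above `minSeverity` into three buckets:
//   autoFix     - `npm audit fix` resolves it without a semver-major change
//   breakingFix - only fixable with a semver-major bump (`npm audit fix --force`)
//   noFix       - nothing in the registry satisfies the dependent; needs an
//                 `overrides` pin or a replacement of the dependent package
// Entries whose `via` is all strings are dependents, not the vulnerable code, so
// they are skipped here and surface through the root package's `effects`.
function triage(report, minSeverity = 'moderate') {
  const min = SEVERITY_RANK[minSeverity];
  const buckets = { autoFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities)) {
    if (SEVERITY_RANK[v.severity] < min) continue;
    if (!v.via.some((x) => typeof x === 'object')) continue;
    const fix = v.fixAvailable;
    if (fix === true || (fix && !fix.isSemVerMajor)) buckets.autoFix.push(v.name);
    else if (fix && fix.isSemVerMajor) buckets.breakingFix.push(v.name);
    else buckets.noFix.push(v.name);
  }
  return buckets;
}

// Build the `overrides` block from a caller-supplied map of package -> fixed
// version. npm's report states the vulnerable range, not the fixed version, so
// the pins must come from the advisory. Packages with no fix and no pin are
// returned as `unresolved` so a CI run can fail loudly instead of silently.
function buildOverrides(report, pins, minSeverity = 'moderate') {
  const t = triage(report, minSeverity);
  const overrides = {};
  const unresolved = [];
  for (const name of [...t.autoFix, ...t.breakingFix, ...t.noFix]) {
    if (pins[name]) overrides[name] = pins[name];
    else if (t.noFix.includes(name)) unresolved.push(name);
  }
  return { overrides, unresolved };
}

// Merge the overrides into a parsed package.json without clobbering existing ones.
function applyOverrides(pkg, overrides) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), ...overrides } };
}

// Demo: pin nanoid as the issue requests. postcss stays unresolved because the
// version that postcss-perfectionist would tolerate is not known from the report.
const plan = buildOverrides(SAMPLE_REPORT, { nanoid: '3.3.8' });
console.log(JSON.stringify(applyOverrides({ name: 'gin', version: '0.0.0' }, plan.overrides), null, 2));
console.log('unresolved:', plan.unresolved);
```

After writing the `overrides` block into package.json, run `npm install` so the lockfile is regenerated, confirm with `npm ls nanoid` that only one copy remains and that it is 3.3.8, then rerun `npm audit`. An override forces every copy of the package in the tree to the pinned version, so check that the dependent still works with it before committing: the postcss copies nested under postcss-perfectionist and postcss-scss are there precisely because those packages declare an older postcss range, and pinning them to a current 8.x may not be API-compatible.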
    