- Issue created by @eduardo morales alberti
- 🇨🇭Switzerland saschaeggi Zurich
Closing this as duplicate of 📌 Update vulnerable package Active
Getting several high and critical vulnerability warnings when running npm audit and Dependabot jobs.
List of vulnerabilities:
+ ddev exec COLUMNS=200 cd web/themes/contrib/gin; npm audit
Failed to execute command `COLUMNS=200 cd web/themes/contrib/gin; npm audit`: exit status 1
# npm audit report
@babel/helpers <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/helpers
@babel/runtime <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/runtime
brace-expansion 2.0.1 - 4.0.0
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/svg-spritemap-webpack-plugin/node_modules/brace-expansion
minimatch 5.0.0 - 9.0.5 || >=10.0.1
Depends on vulnerable versions of brace-expansion
node_modules/svg-spritemap-webpack-plugin/node_modules/minimatch
glob 8.0.1 - 10.4.5
Depends on vulnerable versions of minimatch
node_modules/svg-spritemap-webpack-plugin/node_modules/glob
svg-spritemap-webpack-plugin >=4.4.1
Depends on vulnerable versions of glob
node_modules/svg-spritemap-webpack-plugin
cross-spawn <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/cross-spawn
node_modules/webpack-cli/node_modules/cross-spawn
elliptic <=6.6.0
Severity: critical
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) - https://github.com/advisories/GHSA-vjh7-7g9h-fjfh
fix available via `npm audit fix`
node_modules/elliptic
nanoid <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid
postcss <=8.4.30
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
No fix available
node_modules/postcss-perfectionist/node_modules/postcss
node_modules/postcss-scss/node_modules/postcss
postcss-perfectionist *
Depends on vulnerable versions of postcss
Depends on vulnerable versions of postcss-scss
node_modules/postcss-perfectionist
postcss-scss <=1.0.6
Depends on vulnerable versions of postcss
node_modules/postcss-scss
12 vulnerabilities (4 low, 6 moderate, 1 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
Pull the latest code and run `npm audit` after `nvm i`, `nvm use` and `npm i`:
nvm i
nvm use
npm i
npm audit
Allow `npm audit fix` to apply the non-breaking changes. Review the breaking changes afterwards.
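An added example (not code from this issue or the Gin theme) that applies the same triage to the machine-readable form of the report: it takes a parsed `npm audit --json` object, separates findings that `npm audit fix` can apply on its own from semver-major fixes that need review and from findings with no fix at all, and gates a build on severity. `SAMPLE_REPORT` is constructed; `example-plugin` is a hypothetical package added to show the breaking-fix case.

```javascript
// Added example, not code from the issue or the Gin theme: triage a parsed
// `npm audit --json` report (auditReportVersion 2, npm 7+) the way the
// proposed resolution describes, and gate a build on severity. Input is
// `JSON.parse(stdout)` of `npm audit --json`; a constructed sample is below.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split the report's `vulnerabilities` map into the groups a reviewer needs:
// safe to leave to `npm audit fix`, fixable only via a semver-major bump
// (`npm audit fix --force`, so review first), or no upstream fix at all.
function triageAudit(report) {
  const buckets = { autoFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const entry = { name: v.name, severity: v.severity, range: v.range };
    if (v.fixAvailable === false) buckets.noFix.push(entry);
    else if (v.fixAvailable === true) buckets.autoFix.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) buckets.breakingFix.push(entry);
    else buckets.autoFix.push(entry);
  }
  return buckets;
}

// Mirrors `npm audit --audit-level=<level>`: block when any finding is at or
// above the threshold, whether or not a fix exists (postcss above has none).
function shouldBlock(report, level = "high") {
  const min = SEVERITY_RANK[level];
  return Object.values(report.vulnerabilities || {}).some((v) => SEVERITY_RANK[v.severity] >= min);
}

// Constructed sample in the real report shape: elliptic and postcss mirror
// the audit output in the issue; "example-plugin" is hypothetical, included
// only to show the semver-major (breaking) fix case.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    elliptic: { name: "elliptic", severity: "critical", isDirect: false, range: "<=6.6.0", fixAvailable: true },
    postcss: { name: "postcss", severity: "moderate", isDirect: false, range: "<=8.4.30", fixAvailable: false },
    "example-plugin": { name: "example-plugin", severity: "low", isDirect: true, range: "<2.0.0",
      fixAvailable: { name: "example-plugin", version: "2.0.0", isSemVerMajor: true } },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
  console.log("block build at --audit-level=high:", shouldBlock(SAMPLE_REPORT, "high"));
}
```

In a pipeline, feed it the real output with `npm audit --json > audit.json` and fail the job when `shouldBlock` is true or `breakingFix`/`noFix` are non-empty.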
Active
4.0
Code