Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix npm dependency issues #851

Open
jackc94 opened this issue Aug 23, 2022 · 1 comment
Open

Fix npm dependency issues #851

jackc94 opened this issue Aug 23, 2022 · 1 comment

Comments

@jackc94
Copy link

jackc94 commented Aug 23, 2022

There are currently 8 npm dependency issues that can't be resolved without breaking your project... please could you explore and remedy these as one is DoS.

npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '[email protected]',
npm WARN EBADENGINE   required: { node: '>=4.0.0', npm: '^2.0.0' },
npm WARN EBADENGINE   current: { node: 'v12.22.12', npm: '7.5.2' }
npm WARN EBADENGINE }

up to date, audited 311 packages in 13s

38 packages are looking for funding
  run `npm fund` for details

# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ajv
  eslint  2.5.0 - 2.5.2 || 4.2.0 - 5.0.0-rc.0
  Depends on vulnerable versions of ajv
  Depends on vulnerable versions of table
  node_modules/eslint
  table  3.7.10 - 4.0.2
  Depends on vulnerable versions of ajv
  node_modules/table

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request-promise/node_modules/lodash
  request-promise  0.2.4 - 2.0.0
  Depends on vulnerable versions of lodash
  node_modules/request-promise

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/minimist
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist

node-static  *
Severity: moderate
Denial of Service in node-static - https://github.com/advisories/GHSA-8r4g-cg4m-x23c
No fix available
node_modules/node-static

8 vulnerabilities (6 moderate, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

@jackc94 jackc94 changed the title Fix nom dependency issues Fix npm dependency issues Aug 23, 2022
@jsiegenthaler
Copy link
Contributor

I've found that you can update the dependencies as below, and the plugin still works.
It doesn't resolve everything, but it resolves a lot.
I've written a script to update everything to the highest working versions.
Here's my working dependencies:

"dependencies": {
"anesidora": "^1.2.0",
"aws-sdk": "^2.1295.0",
"basic-auth": "^2.0.1",
"fuse.js": "^6.6.2",
"html-entities": "^1.4.0",
"json5": "^2.2.3",
"mime": "^3.0.0",
"music-metadata": "^7.13.3",
"node-static": "^0.7.11",
"request-promise": "^4.2.6",
"sonos-discovery": "https://github.com/jishi/node-sonos-discovery/archive/v1.7.3.tar.gz",
"wav-file-info": "0.0.10"
},
"engines": {
"node": "^18.12.1",
"npm": "^9.2.0"
},

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants