Personal Library - Boilerplate Dependencies Contain Critical Vulnerabilities

Good morning. Hope you’re having a good day.

I am about to start the Personal Library project. Upon installing the boilerplate’s dependencies, NPM has notified me of several critical-severity vulnerabilities among those dependencies. I could not find a place on the boilerplate’s GitHub repo to post an issue on this, so I’m posting it here.

The output of npm audit, after running npm audit fix and npm update:

# npm audit report

debug  <2.6.9
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install mocha@10.0.0, which is a breaking change
node_modules/mocha/node_modules/debug
  mocha  0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of diff
  Depends on vulnerable versions of growl
  Depends on vulnerable versions of mkdirp
  node_modules/mocha

diff  <3.5.0
Severity: high
Regular Expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-h6ch-v84p-w6p9
fix available via `npm audit fix --force`
Will install mocha@10.0.0, which is a breaking change
node_modules/diff

eventsource  <2.0.2
Severity: critical
Exposure of Sensitive Information in eventsource - https://github.com/advisories/GHSA-6h5x-7c5m-7cr7
fix available via `npm audit fix --force`
Will install zombie@6.1.4, which is a breaking change
node_modules/eventsource
  zombie  >=0.13.0
  Depends on vulnerable versions of eventsource
  Depends on vulnerable versions of lodash
  node_modules/zombie

growl  <1.10.0
Severity: critical
Command Injection in growl - https://github.com/advisories/GHSA-qh2h-chj9-jffq
fix available via `npm audit fix --force`
Will install mocha@10.0.0, which is a breaking change
node_modules/growl

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
Prototype Pollution in lodash - https://github.com/advisories/GHSA-4xc9-xhrj-v574
Prototype Pollution in lodash - https://github.com/advisories/GHSA-fvqr-27wr-82fm
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm
Prototype Pollution in lodash - https://github.com/advisories/GHSA-p6mc-m468-83gw
fix available via `npm audit fix --force`
Will install zombie@6.1.4, which is a breaking change
node_modules/lodash

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install mocha@10.0.0, which is a breaking change
node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

9 vulnerabilities (1 low, 1 moderate, 1 high, 6 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

Even running npm audit fix --force does not fix all of the critical vulnerabilities. What do you make of this? Much thanks.
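A triage pass over a report like the one above, as an added example that is not part of the original post or of the boilerplate. It assumes the `npm audit --json` report shape of npm 7 and later as I understand it (`auditReportVersion` 2, one entry per package with `via`, `effects`, `isDirect`, `range` and `fixAvailable`), and the sample report and dependency set below are constructed by hand from the advisories quoted in the post, not captured from a real run. The severities for `debug` and `mkdirp`, which the quoted output does not show, are assumed. It separates packages that carry their own advisory (`debug`, `diff`, `growl`, `eventsource`, `lodash`, `minimist`) from packages that are only flagged because they depend on one (`mocha`, `mkdirp`, `zombie`), walks `effects` up to the direct dependency each finding is reached through, and turns the reported vulnerable range into a candidate `overrides` entry:

```javascript
// Triage for `npm audit --json` output (npm 7+ report format, assumed).
// SAMPLE_AUDIT is constructed from the advisories in the post; not a captured report.
const SAMPLE_DEV_DEPENDENCIES = new Set(["mocha", "zombie"]); // assumption: test-only deps

function adv(name, url, severity, range) {
  return { source: 0, name, dependency: name, title: "", url, severity, range };
}
function vuln(name, severity, range, via, effects, isDirect, fixAvailable) {
  return { name, severity, range, via, effects, isDirect, fixAvailable };
}
const mochaFix = { name: "mocha", version: "10.0.0", isSemVerMajor: true };
const zombieFix = { name: "zombie", version: "6.1.4", isSemVerMajor: true };
const GH = "https://github.com/advisories/";

const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    debug: vuln("debug", "low" /* assumed */, "<2.6.9",
      [adv("debug", GH + "GHSA-gxpj-cx7g-858c", "low", "<2.6.9")], ["mocha"], false, mochaFix),
    diff: vuln("diff", "high", "<3.5.0",
      [adv("diff", GH + "GHSA-h6ch-v84p-w6p9", "high", "<3.5.0")], ["mocha"], false, mochaFix),
    growl: vuln("growl", "critical", "<1.10.0",
      [adv("growl", GH + "GHSA-qh2h-chj9-jffq", "critical", "<1.10.0")], ["mocha"], false, mochaFix),
    minimist: vuln("minimist", "critical", "<=1.2.5",
      [adv("minimist", GH + "GHSA-xvch-5gv4-984h", "critical", "<=1.2.5"),
       adv("minimist", GH + "GHSA-vh95-rmgr-6w4m", "critical", "<=1.2.5")], ["mkdirp"], false, mochaFix),
    mkdirp: vuln("mkdirp", "moderate" /* assumed */, "0.4.1 - 0.5.1", ["minimist"], ["mocha"], false, mochaFix),
    mocha: vuln("mocha", "critical", "0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0",
      ["debug", "diff", "growl", "mkdirp"], [], true, mochaFix),
    eventsource: vuln("eventsource", "critical", "<2.0.2",
      [adv("eventsource", GH + "GHSA-6h5x-7c5m-7cr7", "critical", "<2.0.2")], ["zombie"], false, zombieFix),
    lodash: vuln("lodash", "critical", "<=4.17.20",
      [adv("lodash", GH + "GHSA-jf85-cpcp-j695", "critical", "<=4.17.20"),
       adv("lodash", GH + "GHSA-35jh-r3h4-6jhm", "critical", "<=4.17.20")], ["zombie"], false, zombieFix),
    zombie: vuln("zombie", "critical", ">=0.13.0", ["eventsource", "lodash"], [], true, zombieFix),
  },
};

// Follow `effects` upward until we reach packages the project depends on directly.
function rootDependents(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect) return [name];
  return v.effects.flatMap((e) => rootDependents(report, e, seen));
}

// Lowest version outside the vulnerable range npm reported. Only the two
// range shapes seen in the post are handled; anything else returns null
// so a human decides.
function firstSafeVersion(range) {
  let m = /^<(\d+\.\d+\.\d+)$/.exec(range);
  if (m) return ">=" + m[1];
  m = /^<=(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (m) return `>=${m[1]}.${m[2]}.${Number(m[3]) + 1}`;
  return null;
}

// One row per package that carries an advisory of its own (entries whose
// `via` is only package names are dependents, not the vulnerable code).
function triage(report, devDependencies) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => {
      const roots = rootDependents(report, v.name);
      return {
        name: v.name,
        severity: v.severity,
        reachedVia: roots,
        devOnly: roots.length > 0 && roots.every((r) => devDependencies.has(r)),
        breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
        override: firstSafeVersion(v.range),
        advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      };
    });
}

// Candidate package.json "overrides" for the transitive packages whose range
// we could translate; a stop-gap until the direct dependency is upgraded.
function overridesFor(report, devDependencies) {
  const out = {};
  for (const t of triage(report, devDependencies)) {
    if (!report.vulnerabilities[t.name].isDirect && t.override) out[t.name] = t.override;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(triage(SAMPLE_AUDIT, SAMPLE_DEV_DEPENDENCIES));
  console.log(JSON.stringify({ overrides: overridesFor(SAMPLE_AUDIT, SAMPLE_DEV_DEPENDENCIES) }, null, 2));
}
```

Two things the triage makes visible that the plain `npm audit` listing does not: every finding in this report is reached only through `mocha` and `zombie`, so if those really are test-only dependencies the vulnerable code is never shipped to the application's users (check with `npm audit --omit=dev`), and every offered fix is a semver-major bump of one of those two packages, which is why `npm audit fix` without `--force` changes nothing. An `overrides` block pins the transitive packages without upgrading `mocha` or `zombie`, but it must be verified by running the test suite, because the dependent may not have been written against the newer version.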
