
Fix vulnerabilities reported by npm audit #1247

Merged: ewertons merged 2 commits into main from ewertons/fix-vulnerabilities on Mar 31, 2026

Conversation

@ewertons (Contributor)

Checklist

  • I have read the contribution guidelines.
  • I added or modified the existing tests to cover the change (we do not allow our test coverage to go down).
  • If this is a modification that impacts the behavior of a public API
    • I edited the corresponding document in the devdoc folder and added or modified requirements.

Reference/Link to the issue solved with this PR (if any)

Description of the problem

npm audit reported critical vulnerabilities. See output below.

Description of the solution

Updated the package versions.

> npm audit
# npm audit report

@octokit/plugin-paginate-rest  <=9.2.1
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install lerna@9.0.7, which is a breaking change
node_modules/@octokit/plugin-paginate-rest
  @octokit/rest  16.39.0 - 20.0.1
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  node_modules/@octokit/rest
    @lerna/github-client  >=4.0.0
    Depends on vulnerable versions of @octokit/rest
    node_modules/@lerna/github-client
      @lerna/version  4.0.0 - 6.4.2-beta.0
      Depends on vulnerable versions of @lerna/github-client
      Depends on vulnerable versions of @lerna/run-lifecycle
      Depends on vulnerable versions of @nrwl/devkit
      node_modules/@lerna/version
        @lerna/publish  3.7.0 - 6.4.2-beta.0
        Depends on vulnerable versions of @lerna/npm-dist-tag
        Depends on vulnerable versions of @lerna/npm-publish
        Depends on vulnerable versions of @lerna/pack-directory
        Depends on vulnerable versions of @lerna/run-lifecycle
        Depends on vulnerable versions of @lerna/version
        Depends on vulnerable versions of libnpmaccess
        Depends on vulnerable versions of npm-registry-fetch
        Depends on vulnerable versions of pacote
        node_modules/@lerna/publish
        lerna  3.11.0 - 3.14.2 || 4.0.0 - 8.2.4
        Depends on vulnerable versions of @lerna/add
        Depends on vulnerable versions of @lerna/bootstrap
        Depends on vulnerable versions of @lerna/create
        Depends on vulnerable versions of @lerna/publish
        Depends on vulnerable versions of @lerna/version
        Depends on vulnerable versions of @nrwl/devkit
        Depends on vulnerable versions of nx
        node_modules/lerna

@octokit/request  <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install lerna@9.0.7, which is a breaking change
node_modules/@octokit/request
  @octokit/core  <=5.0.0-beta.5
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  Depends on vulnerable versions of @octokit/request-error
  node_modules/@octokit/core
  @octokit/graphql  <=2.1.3 || 3.0.0 - 6.0.1
  Depends on vulnerable versions of @octokit/request
  node_modules/@octokit/graphql

@octokit/request-error  <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install lerna@9.0.7, which is a breaking change
node_modules/@octokit/request-error

@tootallnate/once  <3.0.1
@tootallnate/once vulnerable to Incorrect Control Flow Scoping - https://github.com/advisories/GHSA-vpq2-c234-7xj6
fix available via `npm audit fix --force`
Will install node-gyp@12.2.0, which is a breaking change
node_modules/@tootallnate/once
  http-proxy-agent  4.0.1 - 5.0.0
  Depends on vulnerable versions of @tootallnate/once
  node_modules/@npmcli/run-script/node_modules/http-proxy-agent
  node_modules/npm-registry-fetch/node_modules/http-proxy-agent
    make-fetch-happen  7.1.1 - 14.0.0
    Depends on vulnerable versions of cacache
    Depends on vulnerable versions of http-proxy-agent
    node_modules/@npmcli/run-script/node_modules/make-fetch-happen
    node_modules/make-fetch-happen
    node_modules/npm-registry-fetch/node_modules/make-fetch-happen
      node-gyp  <=10.3.1
      Depends on vulnerable versions of make-fetch-happen
      Depends on vulnerable versions of make-fetch-happen
      Depends on vulnerable versions of tar
      node_modules/@npmcli/run-script/node_modules/node-gyp
      node_modules/node-gyp
        @npmcli/run-script  1.1.1 - 9.0.1
        Depends on vulnerable versions of node-gyp
        node_modules/@npmcli/run-script
          @lerna/run-lifecycle  >=5.0.0-alpha.0
          Depends on vulnerable versions of @npmcli/run-script
          node_modules/@lerna/run-lifecycle
            @lerna/bootstrap  5.0.0-alpha.0 - 6.4.2-beta.0
            Depends on vulnerable versions of @lerna/run-lifecycle
            Depends on vulnerable versions of @npmcli/arborist
            node_modules/@lerna/bootstrap
              @lerna/add  3.1.1 - 3.5.0 || 3.11.0 - 3.14.2 || 4.0.0 - 6.4.2-beta.0
              Depends on vulnerable versions of @lerna/bootstrap
              Depends on vulnerable versions of pacote
              node_modules/@lerna/add
            @lerna/npm-publish  >=4.0.0
            Depends on vulnerable versions of @lerna/run-lifecycle
            Depends on vulnerable versions of libnpmpublish
            node_modules/@lerna/npm-publish
            @lerna/pack-directory  *
            Depends on vulnerable versions of @lerna/get-packed
            Depends on vulnerable versions of @lerna/run-lifecycle
            Depends on vulnerable versions of tar
            node_modules/@lerna/pack-directory
          pacote  5.0.0 - 19.0.1 || 20.0.0 || 21.0.0
          Depends on vulnerable versions of @npmcli/run-script
          Depends on vulnerable versions of cacache
          Depends on vulnerable versions of npm-registry-fetch
          Depends on vulnerable versions of tar
          node_modules/pacote
            @lerna/create  3.11.0 - 3.14.2 || 4.0.0 - 8.2.4
            Depends on vulnerable versions of pacote
            node_modules/@lerna/create
            @npmcli/arborist  <=7.5.4
            Depends on vulnerable versions of @npmcli/metavuln-calculator
            Depends on vulnerable versions of @npmcli/run-script
            Depends on vulnerable versions of cacache
            Depends on vulnerable versions of npm-registry-fetch
            Depends on vulnerable versions of pacote
            node_modules/@npmcli/arborist
            @npmcli/metavuln-calculator  <=7.1.1
            Depends on vulnerable versions of cacache
            Depends on vulnerable versions of pacote
            node_modules/@npmcli/metavuln-calculator
      npm-registry-fetch  7.0.1 - 14.0.5
      Depends on vulnerable versions of make-fetch-happen
      node_modules/npm-registry-fetch
        @lerna/npm-dist-tag  >=4.0.0
        Depends on vulnerable versions of npm-registry-fetch
        node_modules/@lerna/npm-dist-tag
        libnpmaccess  4.0.0 - 7.0.3
        Depends on vulnerable versions of npm-registry-fetch
        node_modules/libnpmaccess
        libnpmpublish  3.0.0 - 8.0.0
        Depends on vulnerable versions of npm-registry-fetch
        node_modules/libnpmpublish

js-yaml  4.0.0 - 4.1.0
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix --force`
Will install lerna@9.0.7, which is a breaking change
node_modules/nx/node_modules/js-yaml
  nx  13.10.0-beta.1 - 19.0.7 || 19.1.0-beta.0 - 19.1.0-canary.20240524-12c6a73 || 19.8.15
  Depends on vulnerable versions of @nrwl/cli
  Depends on vulnerable versions of @nrwl/tao
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimatch
  node_modules/nx
    @nrwl/cli  13.10.0-beta.1 - 15.9.7
    Depends on vulnerable versions of nx
    node_modules/@nrwl/cli
    @nrwl/devkit  13.10.0-beta.1 - 16.0.0-rc.1
    Depends on vulnerable versions of nx
    node_modules/@nrwl/devkit
    @nrwl/tao  13.10.0-beta.1 - 17.3.0-rc.1
    Depends on vulnerable versions of nx
    node_modules/@nrwl/tao

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install lerna@9.0.7, which is a breaking change
node_modules/nx/node_modules/minimatch

serialize-javascript  <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - https://github.com/advisories/GHSA-qj8w-gfj5-8c6v
fix available via `npm audit fix --force`
Will install mocha@7.2.0, which is a breaking change
node_modules/serialize-javascript
  mocha  8.0.0 - 12.0.0-beta-2
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

tar  <=7.5.10
Severity: high
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
fix available via `npm audit fix --force`
Will install node-gyp@12.2.0, which is a breaking change
node_modules/tar
  @lerna/get-packed  *
  Depends on vulnerable versions of tar
  node_modules/@lerna/get-packed
  cacache  14.0.0 - 18.0.4
  Depends on vulnerable versions of tar
  node_modules/cacache
  node_modules/make-fetch-happen/node_modules/cacache

39 vulnerabilities (6 low, 8 moderate, 25 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@ewertons ewertons self-assigned this Mar 31, 2026
Vulnerability Fix Summary (39 → 16 remaining)

Fixed (23 vulnerabilities eliminated), listed as fix (packages resolved):

  • lerna ^5.6.2 → ^9.0.7 + npm workspaces (@octokit/*, js-yaml, minimatch (in nx), nx, @nrwl/*)
  • node-gyp ^10 → ^12.2.0 (@tootallnate/once, tar, cacache, make-fetch-happen, etc.)
  • azure-iothub 1.15.1 → 1.16.6 (es5-ext (in iothub deps), @azure/core-http (in iothub))
  • es5-ext 0.10.53 → ^0.10.64 - 10 packages (es5-ext ReDoS)
  • @azure/identity ^2 → ^4.2.1 (Elevation of Privilege)
  • Overrides: serialize-javascript, xml2js, axios (RCE, prototype pollution, CSRF/SSRF/DoS)

Remaining 16 (unfixable without breaking changes):

  • 4 false positives — local workspace package names matching npm malware advisories
  • 8 moderate from deprecated request@2.88.2 (used by @azure/event-hubs@1.x, ms-rest, azure-storage)
  • 2 high from jshint → old minimatch
  • 2 moderate from ms-rest → old ajv

Infrastructure changes:

  • Added workspaces to root package.json (replaces lerna bootstrap --hoist)
  • Updated lerna.json version to 9.0.7
  • Updated CI YAMLs: node-nightly-windows.yaml, node-nightly-linux.yaml, node-nightly-df.yaml
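The audit output in the PR description and the summary above are doing the same triage by hand: which findings plain `npm audit fix` clears, which ones `--force` would only "fix" by installing a different major of a top-level package (lerna@9.0.7, mocha@7.2.0, node-gyp@12.2.0), which have no upstream fix at all (the deprecated `request`), and which are advisories that merely matched the name of a package checked out in the repo's own workspaces. The script below does that split mechanically over the machine-readable form, `npm audit --json` (auditReportVersion 2). It is an added example, not code from this PR or from the azure-iot-sdk-node project. The embedded report is constructed to mirror the shape of the quoted output: the entries for minimatch, serialize-javascript, mocha and request follow the page, while `example-workspace-pkg`, `some-transitive-dep` and the `GHSA-xxxx-xxxx-xxxx` URLs are invented placeholders. The "node path outside node_modules means a local workspace package" rule is this example's heuristic, not something npm defines.

```javascript
// Triage of an `npm audit --json` (auditReportVersion 2) report into: plain
// `npm audit fix`, needs a manual major bump, no upstream fix, or advisory that
// matched a repo-local workspace package by name. Added example; the report is
// CONSTRUCTED (example-workspace-pkg, some-transitive-dep, GHSA-xxxx are invented).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    minimatch: {
      name: 'minimatch', severity: 'high', isDirect: false, range: '<=3.1.3', effects: ['nx'],
      via: [{ name: 'minimatch', severity: 'high', title: 'ReDoS', url: 'https://github.com/advisories/GHSA-3ppc-4f35-3m26' }],
      nodes: ['node_modules/nx/node_modules/minimatch'], fixAvailable: { name: 'lerna', version: '9.0.7', isSemVerMajor: true },
    },
    'serialize-javascript': {
      name: 'serialize-javascript', severity: 'high', isDirect: false, range: '<=7.0.4', effects: ['mocha'],
      via: [{ name: 'serialize-javascript', severity: 'high', title: 'RCE', url: 'https://github.com/advisories/GHSA-5c6j-r48x-rmvq' }],
      nodes: ['node_modules/serialize-javascript'], fixAvailable: { name: 'mocha', version: '7.2.0', isSemVerMajor: true },
    },
    mocha: { // `via` is a string: mocha is vulnerable only through serialize-javascript
      name: 'mocha', severity: 'high', isDirect: true, range: '8.0.0 - 12.0.0-beta-2', effects: [],
      via: ['serialize-javascript'],
      nodes: ['node_modules/mocha'], fixAvailable: { name: 'mocha', version: '7.2.0', isSemVerMajor: true },
    },
    request: { // deprecated upstream, so no patched release exists
      name: 'request', severity: 'moderate', isDirect: false, range: '*', effects: ['ms-rest'],
      via: [{ name: 'request', severity: 'moderate', title: 'constructed advisory', url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx' }],
      nodes: ['node_modules/request'], fixAvailable: false,
    },
    'example-workspace-pkg': { // invented: repo-local package whose name collides with a malware advisory
      name: 'example-workspace-pkg', severity: 'critical', isDirect: true, range: '*', effects: [],
      via: [{ name: 'example-workspace-pkg', severity: 'critical', title: 'constructed malware advisory', url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx' }],
      nodes: ['packages/example-workspace-pkg'], fixAvailable: false,
    },
    'some-transitive-dep': { // invented: a patched release exists within the current semver range
      name: 'some-transitive-dep', severity: 'low', isDirect: false, range: '<1.2.3', effects: [],
      via: [{ name: 'some-transitive-dep', severity: 'low', title: 'constructed advisory', url: 'https://github.com/advisories/GHSA-xxxx-xxxx-xxxx' }],
      nodes: ['node_modules/some-transitive-dep'], fixAvailable: true,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 1, high: 3, critical: 1, total: 6 } },
};

// Heuristic (an assumption of this example, not an npm rule): every node path
// outside a node_modules directory is a package checked out in this repo, so the
// advisory matched only its name, not code fetched from the registry.
function isWorkspaceOnly(vuln) {
  return vuln.nodes.length > 0 && vuln.nodes.every(n => !/(^|\/)node_modules\//.test(n));
}

// Only object entries in `via` are advisories; a string entry names another
// vulnerable package, whose own entry carries the advisory.
function advisoryUrls(vuln) {
  return vuln.via.filter(v => typeof v === 'object').map(v => v.url);
}

function classify(vuln) {
  if (isWorkspaceOnly(vuln)) return 'falsePositive';
  if (vuln.fixAvailable === true) return 'fixable';                            // plain `npm audit fix`
  if (vuln.fixAvailable && vuln.fixAvailable.isSemVerMajor) return 'breaking'; // --force or a manual bump
  if (vuln.fixAvailable) return 'fixable';                                     // top-level bump, same major
  return 'unfixable';                                                          // nothing patched upstream
}

// Bucket vulnerability names by class, skipping anything below minSeverity.
function triage(report, minSeverity = 'info') {
  const groups = { fixable: [], breaking: [], unfixable: [], falsePositive: [] };
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (SEVERITY_RANK[vuln.severity] < SEVERITY_RANK[minSeverity]) continue;
    groups[classify(vuln)].push(vuln.name);
  }
  for (const k of Object.keys(groups)) groups[k].sort();
  return groups;
}

// Group breaking fixes by the top-level package `npm audit fix --force` would
// install: that is the list to bump by hand and re-test rather than let --force do it.
function breakingTargets(report) {
  const out = {};
  for (const vuln of Object.values(report.vulnerabilities)) {
    if (classify(vuln) !== 'breaking') continue;
    const key = `${vuln.fixAvailable.name}@${vuln.fixAvailable.version}`;
    (out[key] = out[key] || []).push(vuln.name);
  }
  for (const k of Object.keys(out)) out[k].sort();
  return out;
}

// Usage: `npm audit --json > audit.json && node triage.js audit.json` (no argument: the sample).
if (typeof module !== 'undefined' && require.main === module) {
  const report = process.argv[2] ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8')) : sampleReport;
  console.log(JSON.stringify({ ...triage(report), breakingTargets: breakingTargets(report) }, null, 2));
}
```

Two things the grouping makes visible that the flat text does not: the `breakingTargets` keys are exactly the packages the quoted output says `--force` "will install", so a reviewer can decide per target whether to take the major (as this PR did with lerna) or pin an `overrides` entry instead; and a finding whose only node path is a workspace directory is worth confirming against the advisory text before spending time on it, since the registry package it describes was never installed.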
@ewertons ewertons requested a review from avishekpant March 31, 2026 20:04
@ewertons ewertons merged commit 761708f into main Mar 31, 2026
9 checks passed
@ewertons ewertons deleted the ewertons/fix-vulnerabilities branch March 31, 2026 20:15