Skip to content

NPM reported vulnerabilities #31

Description

@steliosrammos

NPM reports vulnerabilities upon running npm install, including 11 rated high. Some are reported as having available fixes.

Output of npm audit report:

# npm audit report

@isaacs/brace-expansion  5.0.0
Severity: high
@isaacs/brace-expansion has Uncontrolled Resource Consumption - https://github.com/advisories/GHSA-7h2j-956f-4vf2
fix available via `npm audit fix`
node_modules/@isaacs/brace-expansion

axios  <=0.30.1
Severity: high
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is vulnerable to DoS attack through lack of data size check - https://github.com/advisories/GHSA-4hjh-wcwx-xvwj
fix available via `npm audit fix`
node_modules/@gelatonetwork/relay-sdk/node_modules/axios
  @gelatonetwork/relay-sdk  <=3.5.0 || 5.0.0 - 5.6.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of ethers
  node_modules/@gelatonetwork/relay-sdk

diff  5.0.0 - 5.2.1 || 6.0.0 - 8.0.2
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix`
node_modules/diff
node_modules/mocha/node_modules/diff

elliptic  *
Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84
fix available via `npm audit fix --force`
Will install undefined@undefined, which is a breaking change
node_modules/elliptic
  @ethersproject/signing-key  <=5.8.0
  Depends on vulnerable versions of elliptic
  node_modules/@ethersproject/signing-key
    @ethersproject/transactions  <=5.8.0
    Depends on vulnerable versions of @ethersproject/signing-key
    node_modules/@ethersproject/transactions
      @ethersproject/abstract-provider  *
      Depends on vulnerable versions of @ethersproject/transactions
      node_modules/@ethersproject/abstract-provider
        @ethersproject/abstract-signer  *
        Depends on vulnerable versions of @ethersproject/abstract-provider
        node_modules/@ethersproject/abstract-signer
          @ethersproject/hash  5.0.6 - 5.8.0
          Depends on vulnerable versions of @ethersproject/abstract-signer
          node_modules/@ethersproject/hash
            @ethersproject/abi  5.0.10 - 5.8.0
            Depends on vulnerable versions of @ethersproject/hash
            node_modules/@ethersproject/abi
              tronweb  5.3.0 - 6.0.0-beta.4
              Depends on vulnerable versions of @ethersproject/abi
              node_modules/tronweb
                @wdk/wallet-tron  
                Depends on vulnerable versions of tronweb
                node_modules/@wdk/wallet-tron
                @wdk/wallet-tron-gasfree  
                Depends on vulnerable versions of @wdk/wallet-tron
                Depends on vulnerable versions of tronweb
                node_modules/@wdk/wallet-tron-gasfree
                  @tetherto/pear-wrk-wdk  *
                  Depends on vulnerable versions of @wdk/wallet-tron
                  Depends on vulnerable versions of @wdk/wallet-tron-gasfree
                  node_modules/@tetherto/pear-wrk-wdk
  browserify-sign  >=2.4.0
  Depends on vulnerable versions of elliptic
  node_modules/browserify-sign
  create-ecdh  *
  Depends on vulnerable versions of elliptic
  node_modules/create-ecdh
    react-native-crypto  *
    Depends on vulnerable versions of browserify-sign
    Depends on vulnerable versions of create-ecdh
    node_modules/react-native-crypto
      @tetherto/wdk-react-native-provider  *
      Depends on vulnerable versions of @tetherto/pear-wrk-wdk
      Depends on vulnerable versions of react-native-crypto
      node_modules/@tetherto/wdk-react-native-provider

fast-xml-parser  4.3.6 - 5.3.3
Severity: high
fast-xml-parser has RangeError DoS Numeric Entities Bug - https://github.com/advisories/GHSA-37qj-frw5-hhjh
fix available via `npm audit fix`
node_modules/fast-xml-parser

glob  10.2.0 - 10.4.5 || 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix --force`
Will install sharp-cli@4.2.0, which is a breaking change
node_modules/glob
node_modules/sharp-cli/node_modules/glob
  sharp-cli  >=5.0.0
  Depends on vulnerable versions of glob
  node_modules/sharp-cli

js-yaml  <3.14.2 || >=4.0.0 <4.1.1
Severity: moderate
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
js-yaml has prototype pollution in merge (<<) - https://github.com/advisories/GHSA-mh29-5h37-fv8m
fix available via `npm audit fix`
node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml
node_modules/cosmiconfig/node_modules/js-yaml
node_modules/js-yaml

lodash  4.0.0 - 4.17.21
Severity: moderate
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
fix available via `npm audit fix`
node_modules/lodash

node-forge  <=1.3.1
Severity: high
node-forge has ASN.1 Unbounded Recursion - https://github.com/advisories/GHSA-554w-wpv2-vw27
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization - https://github.com/advisories/GHSA-5gfm-wpxj-wjgq
node-forge is vulnerable to ASN.1 OID Integer Truncation - https://github.com/advisories/GHSA-65ch-62r8-g69g
fix available via `npm audit fix`
node_modules/node-forge

tar  <=7.5.6
Severity: high
node-tar has a race condition leading to uninitialized memory exposure - https://github.com/advisories/GHSA-29xp-372q-xqph
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
fix available via `npm audit fix`
node_modules/tar

undici  <6.23.0 || >=7.0.0 <7.18.2
Severity: moderate
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix`
node_modules/cheerio/node_modules/undici
node_modules/undici

validator  <=13.15.20
Severity: high
validator.js has a URL validation bypass vulnerability in its isURL function - https://github.com/advisories/GHSA-9965-vmph-33xx
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - https://github.com/advisories/GHSA-vghf-hv5q-vc2g
fix available via `npm audit fix`
node_modules/validator

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/@gelatonetwork/relay-sdk/node_modules/ethers/node_modules/ws
  ethers  6.0.0-beta.1 - 6.13.0
  Depends on vulnerable versions of ws
  node_modules/@gelatonetwork/relay-sdk/node_modules/ethers

30 vulnerabilities (16 low, 3 moderate, 11 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions