I am using vite-plugin-imagemin in my project and noticed that it has some dependencies with known security vulnerabilities. Specifically, the following packages are affected:
got (via download)
http-cache-semantics (via cacheable-request)
semver-regex (via bin-version-check)
trim-newlines (via meow)
Here is the dependency tree:
And this is the npm audit report; it recommends the safer version:
got <=11.8.3
Severity: high
Got allows a redirect to a UNIX socket - GHSA-pfrx-2q88-qq97
Depends on vulnerable versions of cacheable-request
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/bin-wrapper/node_modules/got
node_modules/got
download >=4.0.0
Depends on vulnerable versions of got
node_modules/bin-wrapper/node_modules/download
node_modules/download
bin-build >=2.1.2
Depends on vulnerable versions of download
node_modules/bin-build
cwebp-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/cwebp-bin
imagemin-webp >=4.1.0
Depends on vulnerable versions of cwebp-bin
node_modules/imagemin-webp
gifsicle >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/gifsicle
node_modules/vite-plugin-imagemin/node_modules/gifsicle
imagemin-gifsicle >=6.0.0
Depends on vulnerable versions of gifsicle
node_modules/imagemin-gifsicle
vite-plugin-imagemin >=0.2.0
Depends on vulnerable versions of gifsicle
Depends on vulnerable versions of imagemin-gifsicle
Depends on vulnerable versions of imagemin-jpegtran
Depends on vulnerable versions of imagemin-mozjpeg
Depends on vulnerable versions of imagemin-optipng
Depends on vulnerable versions of imagemin-pngquant
Depends on vulnerable versions of imagemin-webp
Depends on vulnerable versions of jpegtran-bin
node_modules/vite-plugin-imagemin
jpegtran-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/jpegtran-bin
node_modules/vite-plugin-imagemin/node_modules/jpegtran-bin
imagemin-jpegtran >=6.0.0
Depends on vulnerable versions of jpegtran-bin
node_modules/imagemin-jpegtran
mozjpeg >=4.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/mozjpeg
imagemin-mozjpeg >=7.0.0
Depends on vulnerable versions of mozjpeg
node_modules/imagemin-mozjpeg
optipng-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/optipng-bin
imagemin-optipng >=6.0.0
Depends on vulnerable versions of optipng-bin
node_modules/imagemin-optipng
pngquant-bin >=3.0.0
Depends on vulnerable versions of bin-build
Depends on vulnerable versions of bin-wrapper
node_modules/pngquant-bin
imagemin-pngquant >=5.1.0
Depends on vulnerable versions of pngquant-bin
node_modules/imagemin-pngquant
bin-wrapper >=0.4.0
Depends on vulnerable versions of bin-version-check
Depends on vulnerable versions of download
node_modules/bin-wrapper
http-cache-semantics <4.1.1
Severity: high
http-cache-semantics vulnerable to Regular Expression Denial of Service - GHSA-rc47-6667-2j5j
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/bin-wrapper/node_modules/http-cache-semantics
cacheable-request 0.1.0 - 2.1.4
Depends on vulnerable versions of http-cache-semantics
node_modules/bin-wrapper/node_modules/cacheable-request
semver-regex <=3.1.3
Severity: high
semver-regex Regular Expression Denial of Service (ReDOS) - GHSA-44c6-4v22-4mhx
Regular expression denial of service in semver-regex - GHSA-4x5v-gmq8-25ch
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/semver-regex
find-versions <=3.2.0
Depends on vulnerable versions of semver-regex
node_modules/find-versions
bin-version <=4.0.0
Depends on vulnerable versions of find-versions
node_modules/bin-version
bin-version-check <=4.0.0
Depends on vulnerable versions of bin-version
node_modules/bin-version-check
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - GHSA-7p7h-4mm5-852v
fix available via npm audit fix
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
Could you please update these dependencies to their latest secure versions?