Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

セキュリティ警告の対応として依存パッケージをアップデート("npm audit fixx --force"を実行) #6

Merged
merged 1 commit into from
May 20, 2024
Merged

セキュリティ警告の対応として依存パッケージをアップデート("npm audit fixx --force"を実行) #6

merged 1 commit into from
May 20, 2024

Conversation

KuraZuzu
Copy link
Collaborator

@KuraZuzu KuraZuzu commented May 17, 2024
edited
Loading

What does this implement/fix?

セキュリティ警告の対応として依存パッケージをアップデート("npm audit fixx --force"を実行)する。

依然として、moderateの状態のパッケージがあります。

Does this close any currently open issues?

クローズしません。

How has this been tested?

npm audit fix --forceを実行した後、npm auditを確認します。

npm audit fix --force

stack-chan/firmware$ npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit No fix available for xs-dev@*
npm WARN audit Updating @google-cloud/text-to-speech to 5.2.0, which is a SemVer major change.

added 1 package, removed 1 package, and audited 442 packages in 2s

67 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/apisauce/node_modules/axios
  apisauce  <=3.0.0
  Depends on vulnerable versions of axios
  node_modules/apisauce
    gluegun  >=0.3.0
    Depends on vulnerable versions of apisauce
    Depends on vulnerable versions of ejs
    Depends on vulnerable versions of lodash.trim
    Depends on vulnerable versions of lodash.trimend
    Depends on vulnerable versions of semver
    node_modules/gluegun
      xs-dev  *
      Depends on vulnerable versions of gluegun
      node_modules/xs-dev

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
No fix available
node_modules/ejs

lodash.trim  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
No fix available
node_modules/lodash.trim

lodash.trimend  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash.trimend

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/gluegun/node_modules/semver

8 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

npm audit

stack-chan/firmware$ npm audit
# npm audit report

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
No fix available
node_modules/apisauce/node_modules/axios
  apisauce  <=3.0.0
  Depends on vulnerable versions of axios
  node_modules/apisauce
    gluegun  >=0.3.0
    Depends on vulnerable versions of apisauce
    Depends on vulnerable versions of ejs
    Depends on vulnerable versions of lodash.trim
    Depends on vulnerable versions of lodash.trimend
    Depends on vulnerable versions of semver
    node_modules/gluegun
      xs-dev  *
      Depends on vulnerable versions of gluegun
      node_modules/xs-dev

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
No fix available
node_modules/ejs

lodash.trim  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
No fix available
node_modules/lodash.trim

lodash.trimend  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash.trimend

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
No fix available
node_modules/gluegun/node_modules/semver

8 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Any other comments?

Checklists

@KuraZuzu KuraZuzu mentioned this pull request May 17, 2024
Closed
meganetaaan
meganetaaan approved these changes May 20, 2024
View reviewed changes
Copy link
Contributor

@meganetaaan meganetaaan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTMです!

@KuraZuzu KuraZuzu merged commit 5115ae8 into main May 20, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@meganetaaan meganetaaan meganetaaan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@KuraZuzu @meganetaaan