massakam opened a new pull request #172:
URL: https://github.com/apache/pulsar-client-node/pull/172


   I ran `npm audit fix --force` to update the library with security vulnerabilities.
   ```sh
   $ npm audit report
   
   # npm audit report
   
   path-parse  <1.0.7
   Severity: moderate
   Regular Expression Denial of Service in path-parse - https://npmjs.com/advisories/1773
   fix available via `npm audit fix`
   node_modules/path-parse
   
   ssri  5.2.2 - 6.0.1 || 7.0.0 - 7.1.0 || 8.0.0
   Severity: moderate
   Regular Expression Denial of Service - https://npmjs.com/advisories/565
   fix available via `npm audit fix`
   node_modules/ssri
     npm-registry-client  >=8.5.1
     Depends on vulnerable versions of ssri
     node_modules/npm-registry-client
   
   tar  <=4.4.17 || 5.0.0 - 5.0.9 || 6.0.0 - 6.1.8
   Severity: high
   Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
   Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
   Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1779
   Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://npmjs.com/advisories/1780
   fix available via `npm audit fix --force`
   Will install dtslint@3.4.2, which is a breaking change
   node_modules/@definitelytyped/utils/node_modules/tar
   node_modules/node-pre-gyp/node_modules/tar
   node_modules/tar
     @definitelytyped/utils  >=0.0.23-next.0
     Depends on vulnerable versions of tar
     node_modules/@definitelytyped/utils
       dtslint  >=3.5.0
       Depends on vulnerable versions of @definitelytyped/utils
       node_modules/dtslint
   
   6 vulnerabilities (3 moderate, 3 high)
   
   To address issues that do not require attention, run:
     npm audit fix
   
   To address all issues (including breaking changes), run:
     npm audit fix --force
   ```

