xnox commented on PR #9479: URL: https://github.com/apache/nifi/pull/9479#issuecomment-2453046415
This PR is green omitting dev dependencies:

```
$ for i in $(find . -name package-lock.json); do pushd $(dirname $i); npm audit --omit dev; popd; done
~/upstream/nifi/nifi-frontend/src/main/frontend ~/upstream/nifi ~/upstream/nifi
found 0 vulnerabilities
~/upstream/nifi ~/upstream/nifi
~/upstream/nifi/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main ~/upstream/nifi ~/upstream/nifi
found 0 vulnerabilities
~/upstream/nifi ~/upstream/nifi
~/upstream/nifi/nifi-extension-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/src/main/frontend ~/upstream/nifi ~/upstream/nifi
found 0 vulnerabilities
~/upstream/nifi ~/upstream/nifi
```

However, with dev dependencies there are still out-of-date packages; please consider upgrading them too:

```
$ for i in $(find . -name package-lock.json); do pushd $(dirname $i); npm audit; popd; done
~/upstream/nifi/nifi-frontend/src/main/frontend ~/upstream/nifi ~/upstream/nifi
found 0 vulnerabilities
~/upstream/nifi ~/upstream/nifi
~/upstream/nifi/nifi-registry/nifi-registry-core/nifi-registry-web-ui/src/main ~/upstream/nifi ~/upstream/nifi
# npm audit report

babel-traverse  *
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/babel-traverse
  babel-template  *
  Depends on vulnerable versions of babel-traverse
  node_modules/babel-template
  istanbul-lib-instrument  <=1.10.2
  Depends on vulnerable versions of babel-template
  Depends on vulnerable versions of babel-traverse
  node_modules/istanbul-instrumenter-loader/node_modules/istanbul-lib-instrument
  istanbul-instrumenter-loader  >=0.2.0
  Depends on vulnerable versions of istanbul-lib-instrument
  Depends on vulnerable versions of loader-utils
  node_modules/istanbul-instrumenter-loader

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/braces
node_modules/watchpack-chokidar2/node_modules/braces
node_modules/webpack/node_modules/braces
  chokidar  1.3.0 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of readdirp
  node_modules/watchpack-chokidar2/node_modules/chokidar
  watchpack-chokidar2  *
  Depends on vulnerable versions of chokidar
  node_modules/watchpack-chokidar2
  watchpack  1.7.2 - 1.7.5
  Depends on vulnerable versions of watchpack-chokidar2
  node_modules/watchpack
  webpack  4.0.0-alpha.0 - 5.0.0-rc.6
  Depends on vulnerable versions of micromatch
  Depends on vulnerable versions of terser-webpack-plugin
  Depends on vulnerable versions of watchpack
  node_modules/webpack
  cache-loader  >=2.0.0
  Depends on vulnerable versions of webpack
  node_modules/cache-loader
  file-loader  3.0.0 - 4.3.0
  Depends on vulnerable versions of webpack
  node_modules/file-loader
  null-loader  1.0.0 - 3.0.0
  Depends on vulnerable versions of webpack
  node_modules/null-loader
  optimize-css-assets-webpack-plugin  >=4.0.1
  Depends on vulnerable versions of webpack
  node_modules/optimize-css-assets-webpack-plugin
  terser-webpack-plugin  <=2.2.1
  Depends on vulnerable versions of webpack
  node_modules/terser-webpack-plugin
  micromatch  <=4.0.7
  Depends on vulnerable versions of braces
  node_modules/micromatch
  node_modules/watchpack-chokidar2/node_modules/micromatch
  node_modules/webpack/node_modules/micromatch
  anymatch  1.2.0 - 2.0.0
  Depends on vulnerable versions of micromatch
  node_modules/watchpack-chokidar2/node_modules/anymatch
  readdirp  2.2.0 - 2.2.1
  Depends on vulnerable versions of micromatch
  node_modules/watchpack-chokidar2/node_modules/readdirp

elliptic  <6.6.0
Valid ECDSA signatures erroneously rejected in Elliptic - https://github.com/advisories/GHSA-fc9h-whq2-v747
fix available via `npm audit fix`
node_modules/elliptic

html-minifier  *
Severity: high
kangax html-minifier REDoS vulnerability - https://github.com/advisories/GHSA-pfq8-rq6v-vf5m
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/html-minifier
  html-loader  <=0.5.5
  Depends on vulnerable versions of html-minifier
  node_modules/html-loader
  html-webpack-plugin  1.4.0 - 4.0.0-beta.14
  Depends on vulnerable versions of html-minifier
  Depends on vulnerable versions of loader-utils
  node_modules/html-webpack-plugin

http-proxy-middleware  <2.0.7
Severity: high
Denial of service in http-proxy-middleware - https://github.com/advisories/GHSA-c7qv-q95q-8v27
fix available via `npm audit fix`
node_modules/http-proxy-middleware

ip  *
Severity: high
ip SSRF improper categorization in isPublic - https://github.com/advisories/GHSA-2p57-rm9w-gvfp
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/ip
  dns-packet  <=5.2.4
  Depends on vulnerable versions of ip
  node_modules/dns-packet
  multicast-dns  6.0.0 - 7.2.2
  Depends on vulnerable versions of dns-packet
  node_modules/multicast-dns
  bonjour  >=3.3.1
  Depends on vulnerable versions of multicast-dns
  node_modules/bonjour
  webpack-dev-server  2.5.0 - 4.7.4
  Depends on vulnerable versions of bonjour
  node_modules/webpack-dev-server

json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/html-webpack-plugin/node_modules/json5
node_modules/istanbul-instrumenter-loader/node_modules/json5
  loader-utils  <=1.4.0
  Depends on vulnerable versions of json5
  node_modules/html-webpack-plugin/node_modules/loader-utils
  node_modules/istanbul-instrumenter-loader/node_modules/loader-utils

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix`
node_modules/ws
  socket.io-adapter  2.5.2 - 2.5.4
  Depends on vulnerable versions of ws
  node_modules/socket.io-adapter

31 vulnerabilities (1 low, 7 moderate, 17 high, 6 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
~/upstream/nifi ~/upstream/nifi
~/upstream/nifi/nifi-extension-bundles/nifi-update-attribute-bundle/nifi-update-attribute-ui/src/main/frontend ~/upstream/nifi ~/upstream/nifi
found 0 vulnerabilities
~/upstream/nifi ~/upstream/nifi
```

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
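The comment above gets its prod/dev split by running `npm audit` twice per lockfile, once with `--omit dev`. The script below is an added example (not code from the NiFi project or from xnox's comment) that does the same triage in one pass from `npm audit --json` output: it joins each finding's install paths (`nodes`) against the `"dev": true` flags in `package-lock.json`, walks `via` chains back to the root advisories, and applies an assumed merge policy that is stricter for production-reaching findings than for dev-only ones. `SAMPLE_LOCK` and `SAMPLE_AUDIT` are constructed fragments in the npm 7+ formats; the package versions in them and the thresholds in `gate()` are assumptions, while the advisory titles and URLs are the ones printed in the audit above.

```python
"""Triage `npm audit --json` output against package-lock.json.

Added example, not code from the apache/nifi PR or from xnox's comment.
A finding whose every install path is flagged "dev": true in the lockfile
only runs on build hosts; a finding with any other path ships in the product.
SAMPLE_LOCK / SAMPLE_AUDIT are constructed fragments (lockfileVersion 3,
auditReportVersion 2); versions and the gate() policy are assumptions.
"""
import json
import sys

SEVERITY_RANK = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed lockfile fragment: only the fields the triage reads.
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": {"ws": "^8.0.0", "json5": "^1.0.0"},
         "devDependencies": {"webpack": "^4.0.0", "html-webpack-plugin": "^3.0.0"}},
    "node_modules/ws": {"version": "8.10.0"},
    "node_modules/json5": {"version": "1.0.1"},
    "node_modules/webpack": {"version": "4.46.0", "dev": True},
    "node_modules/webpack/node_modules/braces": {"version": "2.3.2", "dev": True},
    "node_modules/html-webpack-plugin": {"version": "3.2.0", "dev": True},
    "node_modules/html-webpack-plugin/node_modules/json5": {"version": "0.5.1", "dev": True},
}}

# Constructed audit report; advisory titles/URLs are those quoted in the comment above.
SAMPLE_AUDIT = {"auditReportVersion": 2, "vulnerabilities": {
    "ws": {"severity": "high", "nodes": ["node_modules/ws"], "fixAvailable": True,
           "via": [{"title": "ws affected by a DoS when handling a request with many HTTP headers",
                    "url": "https://github.com/advisories/GHSA-3h5v-q93c-6h6q", "range": "8.0.0 - 8.17.0"}]},
    "json5": {"severity": "high",
              "nodes": ["node_modules/json5", "node_modules/html-webpack-plugin/node_modules/json5"],
              "via": [{"title": "Prototype Pollution in JSON5 via Parse Method",
                       "url": "https://github.com/advisories/GHSA-9c47-m6qq-7p4h", "range": "<1.0.2"}],
              "fixAvailable": {"name": "json5", "version": "1.0.2", "isSemVerMajor": False}},
    "braces": {"severity": "high", "nodes": ["node_modules/webpack/node_modules/braces"],
               "via": [{"title": "Uncontrolled resource consumption in braces",
                        "url": "https://github.com/advisories/GHSA-grv7-fg5c-xmjg", "range": "<3.0.3"}],
               "fixAvailable": {"name": "webpack", "version": "5.0.0", "isSemVerMajor": True}},
    "webpack": {"severity": "high", "nodes": ["node_modules/webpack"],
                "via": ["braces"],  # a bare name: vulnerable only through that dependency
                "fixAvailable": {"name": "webpack", "version": "5.0.0", "isSemVerMajor": True}},
}}


def dev_only_paths(lock):
    """Install paths the lockfile flags "dev": true (reachable only via devDependencies)."""
    return {p for p, meta in lock.get("packages", {}).items() if p and meta.get("dev") is True}


def root_advisories(audit, name, seen=None):
    """Follow `via` chains down to the advisory dicts that actually cause a finding."""
    seen = set() if seen is None else seen
    if name in seen:  # guard against cyclic dependency graphs
        return []
    seen.add(name)
    found = []
    for via in audit["vulnerabilities"].get(name, {}).get("via", []):
        found += [via] if isinstance(via, dict) else root_advisories(audit, via, seen)
    return found


def triage(audit, lock):
    """Split findings into production-reaching and dev-only, most severe first."""
    dev = dev_only_paths(lock)
    out = {"prod": [], "dev_only": []}
    for name, vuln in audit.get("vulnerabilities", {}).items():
        nodes = vuln.get("nodes", [])
        prod_nodes = [n for n in nodes if n not in dev]  # any non-dev copy means it ships
        fix = vuln.get("fixAvailable")
        entry = {"name": name, "severity": vuln.get("severity", "info"),
                 "advisories": sorted({a.get("url", "") for a in root_advisories(audit, name)}),
                 "nodes": nodes, "prod_nodes": prod_nodes,
                 "fix": "none" if not fix else
                        "breaking" if isinstance(fix, dict) and fix.get("isSemVerMajor") else "available"}
        out["prod" if prod_nodes else "dev_only"].append(entry)
    for bucket in out.values():
        bucket.sort(key=lambda e: -SEVERITY_RANK.get(e["severity"], 0))
    return out


def gate(report, min_prod="moderate", min_dev="critical"):
    """Findings that block a merge under an assumed policy: production findings at or
    above min_prod, dev-only findings only at or above min_dev (build hosts, not product)."""
    return ([e for e in report["prod"] if SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[min_prod]]
            + [e for e in report["dev_only"] if SEVERITY_RANK[e["severity"]] >= SEVERITY_RANK[min_dev]])


if __name__ == "__main__":
    # Usage: python triage_audit.py audit.json package-lock.json
    # (audit.json from `npm audit --json > audit.json` in the lockfile's directory; no args = samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report = triage(json.load(f), json.load(g))
    else:
        report = triage(SAMPLE_AUDIT, SAMPLE_LOCK)
    for bucket, entries in report.items():
        for e in entries:
            print(f"{bucket:8} {e['severity']:8} {e['name']:24} fix={e['fix']:9} {' '.join(e['advisories'])}")
    sys.exit(1 if gate(report) else 0)
```

On the sample data the run exits non-zero because of `ws` and `json5`: `json5` counts as production even though one of its two copies sits under `html-webpack-plugin`, since the top-level `node_modules/json5` copy has no `dev` flag. `braces` and `webpack` land in the dev-only bucket and, under the assumed thresholds, only warn; raising `min_dev` to `high` would block on them too, which is the stricter reading of the comment's request to upgrade the dev dependencies as well.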
