
Dependencies have high severity security issues

Open bghgary opened this issue 3 years ago • 0 comments

From a fresh repo using this template, run npm install and then npm audit:

# npm audit report

shelljs  <0.8.5
Severity: high
Improper Privilege Management in shelljs - https://github.com/advisories/GHSA-4rq4-32rv-6wp6
No fix available
node_modules/shelljs
  recursive-install  *
  Depends on vulnerable versions of shelljs
  Depends on vulnerable versions of yargs
  node_modules/recursive-install

yargs-parser  <=5.0.0
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/recursive-install/node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 7.0.0-alpha.3 || 7.1.1
  Depends on vulnerable versions of yargs-parser
  node_modules/recursive-install/node_modules/yargs
    recursive-install  *
    Depends on vulnerable versions of shelljs
    Depends on vulnerable versions of yargs
    node_modules/recursive-install

4 vulnerabilities (2 moderate, 2 high)

Some issues need review, and may require choosing
a different dependency.

It does not appear recursive-install has been updated for 4 years.

bghgary, Apr 16 '22 18:04
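One way to turn a report like the one above into a CI gate, as an added example that is not code from the issue or the template project: it reads the JSON form of `npm audit` (assumed npm v7+ layout, `auditReportVersion` 2), keeps only root-cause advisories rather than the "depends on vulnerable versions of" entries, and singles out those with no fix available. The sample report is constructed to mirror the shelljs and yargs-parser findings in the issue.

```javascript
// Added example, not code from the issue or the template: a CI gate that reads
// `npm audit --json` (npm v7+, auditReportVersion 2) and fails on high or
// critical root-cause advisories, flagging those with no fix available.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// In the audit JSON, `via` holds advisory objects for root causes and plain
// strings ("depends on vulnerable versions of ...") for transitive effects.
function rootAdvisories(entry) {
  return (entry.via || []).filter((v) => typeof v === 'object' && v !== null);
}
// Return root-cause findings at or above minSeverity, the subset with no fix,
// and whether CI should fail.
function triageAudit(report, minSeverity = 'high') {
  const threshold = SEVERITY_RANK[minSeverity];
  const findings = [];
  for (const [name, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const adv of rootAdvisories(entry)) {
      if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
      findings.push({
        package: name, severity: adv.severity, range: adv.range, url: adv.url,
        fixAvailable: entry.fixAvailable !== false, // false | true | upgrade object
        effects: entry.effects || [],               // dependents pulling it in
      });
    }
  }
  const unfixable = findings.filter((f) => !f.fixAvailable);
  return { findings, unfixable, shouldFail: findings.length > 0 };
}
// Constructed sample mirroring the report in the issue (trimmed to fields used).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    shelljs: { severity: 'high', fixAvailable: false, effects: ['recursive-install'],
      via: [{ name: 'shelljs', severity: 'high', range: '<0.8.5',
              url: 'https://github.com/advisories/GHSA-4rq4-32rv-6wp6' }] },
    'yargs-parser': { severity: 'moderate', fixAvailable: false, effects: ['yargs'],
      via: [{ name: 'yargs-parser', severity: 'moderate', range: '<=5.0.0',
              url: 'https://github.com/advisories/GHSA-p9pc-299p-vxgp' }] },
    'recursive-install': { severity: 'high', fixAvailable: false, effects: [],
      via: ['shelljs', 'yargs'] },
  },
};

// In CI: replace SAMPLE_REPORT with JSON.parse(fs.readFileSync('audit.json'))
// and process.exit(1) when result.shouldFail is true.
const result = triageAudit(SAMPLE_REPORT, 'high');
for (const f of result.unfixable) {
  console.error(`${f.package} ${f.range} (${f.severity}) no fix available: ${f.url}`);
}
```

Lowering the threshold to `'moderate'` also surfaces the yargs-parser prototype-pollution advisory, while recursive-install itself is never listed because its only `via` entries are transitive.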