
[BUG] unable to audit fix

Open NB071 opened this issue 2 years ago • 3 comments

Describe the bug

I recently created a vite boilerplate and while starting the project I saw there are some outdated packages :

up to date, audited 863 packages in 2s

167 packages are looking for funding
  run `npm fund` for details

# npm audit report

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios
  @ory/client  *
  Depends on vulnerable versions of axios
  node_modules/@ory/client
    @refinedev/devtools-server  *
    Depends on vulnerable versions of @ory/client
    Depends on vulnerable versions of @refinedev/devtools-ui
    node_modules/@refinedev/devtools-server
      @refinedev/cli  >=2.16.2
      Depends on vulnerable versions of @refinedev/devtools-server
      Depends on vulnerable versions of semver
      node_modules/@refinedev/cli
    @refinedev/devtools-ui  *
    Depends on vulnerable versions of @ory/client
    node_modules/@refinedev/devtools-ui

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@refinedev/cli/node_modules/semver

6 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

I attempted to run npm audit fix. It fixed some deprecated packages, but it didn't resolve the issue of vulnerabilities. Consequently, I added the --force option; however, this wasn't effective either.

Again, I attempted to delete node_modules and package-lock.json and run npm i. Yet again the issue persisted. I believe some of these packages are being used internally by refine.

Steps To Reproduce

Stated fully above

Expected behavior

expected vulnerabilities to be fixed

Screenshot


Desktop

No response

Mobile

No response

Additional Context

No response

NB071 avatar Jan 18 '24 03:01 NB071

Hey @NB071, thank you for reporting! Looks like all the warnings are coming from packages with development purposes. It should be fine and not related to any production builds, since both @refinedev/cli and @refinedev/devtools-server are not included in the bundles. To address the warnings, I think there should be changes made to the packages rather than trying to solve it per project. We can update @ory/client and semver if there are versions released with the related fixes.

aliemir avatar Jan 18 '24 05:01 aliemir

Awesome! Thank you very much for considering it.

NB071 avatar Jan 18 '24 05:01 NB071

Hey @NB071, on @ory/client side, there is an unresolved issue. https://github.com/ory/sdk/issues/289#issuecomment-1898596626

We'll update @ory/client once they release a new version.

BatuhanW avatar Jan 23 '24 08:01 BatuhanW