
Current dependency (critical) vulnerabilities

Open ralphneeleman opened this issue 3 years ago • 2 comments

Hi,

First of all thanks for your work on this library.

Currently, the version used of react-native-svg has 2 critical vulnerabilities.

I tried fixing the dependencies in this repo myself but I couldn't install them without errors or vulnerable versions.

Could you (or another contributor) please take a look at it?

Thanks in advance.

ralphneeleman avatar Aug 10 '22 12:08 ralphneeleman

@ralphneeleman could you please provide any logs?

rosskhanas avatar Aug 10 '22 12:08 rosskhanas

Personal project

NPM returns this audit report after using either npm i, npm i react-qr-code@latest or npm audit (fix). npm audit fix (--force) doesn't change anything.

npm audit report

hermes-engine  <=0.9.0
Severity: critical
Access of Resource Using Incompatible Type in Hermes - https://github.com/advisories/GHSA-7mhc-prgv-r3q4
fix available via npm audit fix
node_modules/hermes-engine
  react-native  <=0.0.0-ffdfbbec0 || 0.61.0-rc.0 - 0.67.4
  Depends on vulnerable versions of hermes-engine
  node_modules/react-native

2 critical severity vulnerabilities

To address all issues, run: npm audit fix

react-qr-code repo

after using npm i

npm resolution error report

2022-08-10T12:54:20.431Z

While resolving: [email protected]
Found: [email protected]
node_modules/react
  dev react@"^17.0.1" from the root project

Could not resolve dependency:
peer react@"^16.0.0-0" from [email protected]
node_modules/enzyme-adapter-react-16
  dev enzyme-adapter-react-16@"^1.15.6" from the root project

Fix the upstream dependency conflict, or retry this command with --force, or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.

Raw JSON explanation object:

{
  "code": "ERESOLVE",
  "current": {
    "name": "react",
    "version": "17.0.2",
    "whileInstalling": {
      "name": "react-qr-code",
      "version": "2.0.7",
      "path": "/Users/ralphneeleman/Documents/Projecten/Appkwekerij/react-qr-code"
    },
    "location": "node_modules/react",
    "isWorkspace": false,
    "dependents": [
      {
        "type": "dev",
        "name": "react",
        "spec": "^17.0.1",
        "from": {
          "location": "/Users/ralphneeleman/Documents/Projecten/Appkwekerij/react-qr-code"
        }
      }
    ]
  },
  "currentEdge": {
    "type": "dev",
    "name": "react",
    "spec": "^17.0.1",
    "from": {
      "location": "/Users/ralphneeleman/Documents/Projecten/Appkwekerij/react-qr-code"
    }
  },
  "edge": {
    "type": "peer",
    "name": "react",
    "spec": "^16.0.0-0",
    "error": "INVALID",
    "from": {
      "name": "enzyme-adapter-react-16",
      "version": "1.15.6",
      "whileInstalling": {
        "name": "react-qr-code",
        "version": "2.0.7",
        "path": "/Users/ralphneeleman/Documents/Projecten/Appkwekerij/react-qr-code"
      },
      "location": "node_modules/enzyme-adapter-react-16",
      "isWorkspace": false,
      "dependents": [
        {
          "type": "dev",
          "name": "enzyme-adapter-react-16",
          "spec": "^1.15.6",
          "from": {
            "location": "/Users/ralphneeleman/Documents/Projecten/Appkwekerij/react-qr-code"
          }
        }
      ]
    }
  },
  "strictPeerDeps": false,
  "force": false
}

After using npm i --force, this does install (with loads of warnings) but still has 8 vulnerabilities.

warnings:

npm WARN using --force Recommended protections disabled.
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN   dev react@"^17.0.1" from the root project
npm WARN   3 more (react-dom, react-native-svg, react-test-renderer)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^16.0.0-0" from [email protected]
npm WARN node_modules/enzyme-adapter-react-16
npm WARN   dev enzyme-adapter-react-16@"^1.15.6" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react-dom
npm WARN   dev react-dom@"^17.0.1" from the root project
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react-dom@"^16.0.0-0" from [email protected]
npm WARN node_modules/enzyme-adapter-react-16
npm WARN   dev enzyme-adapter-react-16@"^1.15.6" from the root project
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN   dev react@"^17.0.1" from the root project
npm WARN   3 more (react-dom, react-native-svg, react-test-renderer)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"0.13.x || 0.14.x || ^15.0.0-0 || ^16.0.0-0" from [email protected]
npm WARN node_modules/enzyme-adapter-utils
npm WARN   enzyme-adapter-utils@"^1.14.0" from [email protected]
npm WARN   node_modules/enzyme-adapter-react-16
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN   dev react@"^17.0.1" from the root project
npm WARN   3 more (react-dom, react-native-svg, react-test-renderer)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^0.14 || ^15.0.0 || ^16.0.0-alpha" from [email protected]
npm WARN node_modules/airbnb-prop-types
npm WARN   airbnb-prop-types@"^2.16.0" from [email protected]
npm WARN   node_modules/enzyme-adapter-utils
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN   dev react@"^17.0.1" from the root project
npm WARN   3 more (react-dom, react-native-svg, react-test-renderer)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"18.0.0" from [email protected]
npm WARN node_modules/react-native
npm WARN   peer react-native@">=0.50.0" from [email protected]
npm WARN   node_modules/react-native-svg
npm WARN   1 more (@react-native-community/cli)
npm WARN ERESOLVE overriding peer dependency
npm WARN While resolving: [email protected]
npm WARN Found: [email protected]
npm WARN node_modules/react
npm WARN   dev react@"^17.0.1" from the root project
npm WARN   3 more (react-dom, react-native-svg, react-test-renderer)
npm WARN
npm WARN Could not resolve dependency:
npm WARN peer react@"^16.14.0" from [email protected]
npm WARN node_modules/enzyme-adapter-react-16/node_modules/react-test-renderer
npm WARN   react-test-renderer@"^16.0.0-0" from [email protected]
npm WARN   node_modules/enzyme-adapter-react-16
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-url#deprecated
npm WARN deprecated [email protected]: 🙌 Thanks for using Babel: we recommend using babel-preset-env now: please read https://babeljs.io/env to update!
npm WARN deprecated [email protected]: In 6.x, the babel package has been deprecated in favor of babel-cli. Check https://opencollective.com/babel to support the Babel maintainers
npm WARN deprecated [email protected]: See https://github.com/lydell/source-map-resolve#deprecated
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.
npm WARN deprecated [email protected]: babel-eslint is now @babel/eslint-parser. This package will no longer receive updates.
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: support for ECMAScript is superseded by uglify-js as of v3.13.0
npm WARN deprecated [email protected]: core-js@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js.
npm WARN deprecated [email protected]: core-js-pure@<3.23.3 is no longer maintained and not recommended for usage due to the number of issues. Because of the V8 engine whims, feature detection in old core-js versions could cause a slowdown up to 100x even if nothing is polyfilled. Some versions have web compatibility issues. Please, upgrade your dependencies to the actual version of core-js-pure.

And finally, running npm audit (fix) after npm i --force:

npm audit report

braces  <2.3.1
Regular Expression Denial of Service (ReDoS) in braces - https://github.com/advisories/GHSA-cwfw-4gq5-mrqx
No fix available
node_modules/braces
  micromatch  0.2.0 - 2.3.11
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of parse-glob
  node_modules/micromatch
    anymatch  1.2.0 - 1.3.2
    Depends on vulnerable versions of micromatch
    node_modules/anymatch
      chokidar  1.0.0-rc1 - 2.1.8
      Depends on vulnerable versions of anymatch
      Depends on vulnerable versions of glob-parent
      node_modules/chokidar
        babel-cli  *
        Depends on vulnerable versions of chokidar
        node_modules/babel-cli

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of glob-parent
  node_modules/chokidar
    babel-cli  *
    Depends on vulnerable versions of chokidar
    node_modules/babel-cli
  glob-base  *
  Depends on vulnerable versions of glob-parent
  node_modules/glob-base
    parse-glob  >=2.1.0
    Depends on vulnerable versions of glob-base
    node_modules/parse-glob
      micromatch  0.2.0 - 2.3.11
      Depends on vulnerable versions of braces
      Depends on vulnerable versions of parse-glob
      node_modules/micromatch
        anymatch  1.2.0 - 1.3.2
        Depends on vulnerable versions of micromatch
        node_modules/anymatch

8 vulnerabilities (2 low, 6 high)

Some issues need review, and may require choosing a different dependency.

ralphneeleman avatar Aug 10 '22 13:08 ralphneeleman
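The audit reports quoted above mix root-cause advisories (hermes-engine, braces, glob-parent) with packages that are only flagged because they depend on one, and several entries say "No fix available", which `npm audit fix` will never resolve. The script below is an added example, written for this page and not code from the react-qr-code project or from anyone in this thread. It reads the JSON form of the same report (`npm audit --json`, the `auditReportVersion: 2` shape emitted by npm 7 and later, in which `via` holds advisory objects for a root cause and package names for its dependents, and `fixAvailable` is `true`, `false` or `{ name, version, isSemVerMajor }`), separates root causes from the packages they pull in, and acts as a CI gate on a chosen severity. The embedded sample report is constructed to mirror the findings in the issue (the GHSA URLs are the ones quoted above; the `source` ids and the `AUDIT_FAIL_ON` variable name are this example's own).

```javascript
// Added example: triage an `npm audit --json` (auditReportVersion 2) report.
// Not from react-qr-code; the sample report is constructed, not captured output.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm 7+ shape. `source` ids are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'hermes-engine': {
      name: 'hermes-engine', severity: 'critical', isDirect: false,
      via: [{ source: 1001, name: 'hermes-engine', severity: 'critical', range: '<=0.9.0',
              title: 'Access of Resource Using Incompatible Type in Hermes',
              url: 'https://github.com/advisories/GHSA-7mhc-prgv-r3q4' }],
      effects: ['react-native'], range: '<=0.9.0',
      nodes: ['node_modules/hermes-engine'], fixAvailable: true,
    },
    'react-native': {
      name: 'react-native', severity: 'critical', isDirect: false,
      via: ['hermes-engine'], effects: ['react-native-svg'],
      range: '<=0.0.0-ffdfbbec0 || 0.61.0-rc.0 - 0.67.4',
      nodes: ['node_modules/react-native'], fixAvailable: true,
    },
    braces: {
      name: 'braces', severity: 'high', isDirect: false,
      via: [{ source: 1002, name: 'braces', severity: 'high', range: '<2.3.1',
              title: 'Regular Expression Denial of Service (ReDoS) in braces',
              url: 'https://github.com/advisories/GHSA-cwfw-4gq5-mrqx' }],
      effects: ['micromatch'], range: '<2.3.1',
      nodes: ['node_modules/braces'], fixAvailable: false,
    },
    micromatch: {
      name: 'micromatch', severity: 'high', isDirect: false,
      via: ['braces'], effects: ['anymatch'], range: '0.2.0 - 2.3.11',
      nodes: ['node_modules/micromatch'], fixAvailable: false,
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 2, total: 4 } },
};

// Follow `effects` edges from one package to every package it makes vulnerable.
// Packages outside the report (here react-native-svg) terminate the walk.
function reachableEffects(report, name, seen = new Set()) {
  for (const dep of (report.vulnerabilities[name] && report.vulnerabilities[name].effects) || []) {
    if (!seen.has(dep)) {
      seen.add(dep);
      reachableEffects(report, dep, seen);
    }
  }
  return [...seen].sort();
}

// A root cause is an entry whose `via` contains at least one advisory object;
// entries whose `via` is only package names are just downstream of one.
function rootCauses(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((entry) => typeof entry === 'object'))
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      range: v.range,
      advisories: v.via.filter((e) => typeof e === 'object').map((e) => e.url),
      fixAvailable: v.fixAvailable !== false,
      semverMajorFix: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
      affects: reachableEffects(report, v.name),
    }));
}

// CI gate: true when any root cause is at or above `threshold`.
function shouldFail(report, threshold = 'high') {
  const min = SEVERITY_RANK[threshold];
  return rootCauses(report).some((r) => SEVERITY_RANK[r.severity] >= min);
}

// One line per root cause, most severe first, with its blast radius and fix status.
function formatTriage(report) {
  return rootCauses(report)
    .sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity])
    .map((r) => {
      const fix = !r.fixAvailable ? 'NO FIX AVAILABLE'
        : r.semverMajorFix ? 'fix needs a semver-major bump' : 'fix available';
      return `${r.severity.toUpperCase().padEnd(8)} ${r.name} ${r.range} [${fix}]` +
        ` pulls in: ${r.affects.join(', ') || '(none)'}\n  ${r.advisories.join('\n  ')}`;
    });
}

// CLI: `node audit-triage.js audit.json`; with no file the constructed sample is shown
// and the exit code is left untouched. AUDIT_FAIL_ON is this example's own variable.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const report = file && file.endsWith('.json')
    ? JSON.parse(require('fs').readFileSync(file, 'utf8'))
    : SAMPLE_REPORT;
  console.log(formatTriage(report).join('\n'));
  const threshold = process.env.AUDIT_FAIL_ON || 'high';
  if (file && shouldFail(report, threshold)) {
    console.error(`audit gate: root-cause advisory at or above "${threshold}"`);
    process.exitCode = 1;
  }
}
```

Run it as `npm audit --json > audit.json; node audit-triage.js audit.json` (a `;` rather than `&&`, because `npm audit` itself exits non-zero when it finds anything). On the report in this issue it would list hermes-engine as fixable and braces and glob-parent as root causes with no upstream fix, which is exactly the case where the only remedies are replacing the dependency that pulls them in (here the babel-cli/chokidar chain) or accepting the finding with a documented justification.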