Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

vulnerabilities in eg gateway create #1065

Open
yogeshgadge opened this issue Jun 9, 2023 · 3 comments
Open

vulnerabilities in eg gateway create #1065

yogeshgadge opened this issue Jun 9, 2023 · 3 comments

Comments

@yogeshgadge
Copy link

yogeshgadge commented Jun 9, 2023

19 vulnerabilities (5 moderate, 9 high, 5 critical) - Fri June 9th 2023

As of Fri June 9th 2023 npm is reporting 5 critical and 9 high vulnerabilities.

$ eg --version

Configuring yargs through package.json is deprecated and will be removed in a future major release, please use the JS API instead.
1.16.11

$ npm audit

# npm audit report

degenerator  <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/degenerator
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        express-gateway  >=0.0.3
        Depends on vulnerable versions of ejs
        Depends on vulnerable versions of jsonwebtoken
        Depends on vulnerable versions of passport
        Depends on vulnerable versions of proxy-agent
        Depends on vulnerable versions of yeoman-generator
        node_modules/express-gateway

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ejs
  mem-fs-editor  2.0.0 - 6.0.0 || 7.0.1 - 7.1.0
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of globby
  node_modules/mem-fs-editor
  node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/mem-fs-editor
  node_modules/yeoman-generator/node_modules/mem-fs-editor
    yeoman-environment  2.1.0 - 2.10.3
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of mem-fs-editor
    node_modules/yeoman-environment
      yeoman-generator  0.20.0 - 4.13.0
      Depends on vulnerable versions of github-username
      Depends on vulnerable versions of mem-fs-editor
      Depends on vulnerable versions of mem-fs-editor
      Depends on vulnerable versions of yeoman-environment
      node_modules/yeoman-environment/node_modules/yeoman-generator
      node_modules/yeoman-generator

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/fast-glob/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
    node_modules/mem-fs-editor/node_modules/globby
    node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/globby

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
node_modules/yeoman-environment/node_modules/got
  gh-got  <=9.0.0
  Depends on vulnerable versions of got
  node_modules/gh-got
  node_modules/yeoman-environment/node_modules/gh-got
    github-username  2.0.0 - 5.0.1
    Depends on vulnerable versions of gh-got
    node_modules/github-username
    node_modules/yeoman-environment/node_modules/github-username

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonwebtoken


passport  <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/passport

redis  2.6.0 - 3.1.0
Severity: high
Node-Redis potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix`
node_modules/redis
  rate-limit-redis  1.7.0
  Depends on vulnerable versions of redis
  node_modules/rate-limit-redis

19 vulnerabilities (5 moderate, 9 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

@yogeshgadge
Copy link
Author

npm audit fix fixes nothing and npm audit fix --force I am afraid my getting started might break.

@yogeshgadge
Copy link
Author

yogeshgadge commented Jun 9, 2023

I thought this was caused by dependency produced by eg gateway create

"express-gateway": "^0.0.1"

but after updating 1.16.11 I still have

19 vulnerabilities (5 moderate, 9 high, 5 critical)

@l3ernardo
Copy link

@yogeshgadge did you find an answer to your question? I'm also having the same problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants