
Shows 3 high severity vulnerabilities when installing npm packages. #216

Closed
xayanide opened this issue Apr 17, 2022 · 2 comments · Fixed by #301
Labels

  - priority:p0 (Issues and PRs: Critical priority)
  - released on @next
  - status:wontfix (Issues and PRs: Won't be fixed, or won't be merged)
  - type:enhancement (Issues and PRs: Related to adding or improving something)

Comments

@xayanide (Member) commented Apr 17, 2022

Describe the bug
What isn't working as intended, and what does it affect?
data-store
Affects vulnerability

Affected versions
What versions are affected by this bug? (e.g. >=3.0.1, 2.5.1-2.6.3, >=1.2.0)
3.0.0-next.4^

Steps to reproduce
Steps to reproduce the behavior. (e.g. click on a button, enter a value, etc. and see error)

  1. Type and enter `npm i` in the CLI or terminal.

Expected behavior
What is expected to happen?
Show no vulnerability.

Actual behavior
What actually happens? Attach or add errors or screenshots here as well.

Shows 3 high severity vulnerabilities that are related to the data-store dependency.

```console
PS C:\Users\Ava\Documents\GitHub\Quaver> npm i

> quaver@3.4.0-next.53 postinstall
> patch-package

patch-package 6.4.7
Applying patches...
@lavaclient/queue@2.0.6 

up to date, audited 195 packages in 6s

21 packages are looking for funding
  run `npm fund` for details

3 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
PS C:\Users\Ava\Documents\GitHub\Quaver> npm audit
# npm audit report

node-fetch  <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix`
node_modules/node-fetch

set-value  3.0.0 - 4.0.0
Severity: high
Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr
fix available via `npm audit fix --force`
Will install data-store@3.1.0, which is a breaking change
node_modules/set-value
  data-store  >=4.0.0
  Depends on vulnerable versions of set-value
  node_modules/data-store

3 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
@xayanide xayanide added type:enhancement Issues and PRs: Related to adding or improving something priority:p0 Issues and PRs: Critical priority labels Apr 17, 2022
@xayanide xayanide changed the title 3 high severity vulnerabilities when installing npm packages. 3 high severity vulnerabilities is shown when installing npm packages. Apr 17, 2022
@xayanide xayanide changed the title 3 high severity vulnerabilities is shown when installing npm packages. Shows 3 high severity vulnerabilities when installing npm packages. Apr 17, 2022
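The set-value finding in the audit output above is a prototype-pollution report: a helper that writes a value at a caller-supplied dotted path will, if it follows a `__proto__` segment, arrive at `Object.prototype` and add the property to every object in the process. The block below is an added illustration and is not code from set-value, data-store or this repository; `setByPathUnsafe`, `setByPathSafe` and `demo` are hypothetical helpers written for this example, and the `__proto__.isAdmin` path is a constructed malicious input.

```javascript
// Added example (not set-value's, data-store's or Quaver's code): a minimal
// "set a value at a dotted path" helper in the vulnerable shape that the
// GHSA-4jqc-8m5r-9rpr class of bugs describes, next to a hardened version.
// setByPathUnsafe, setByPathSafe and demo are hypothetical names for this demo.

// Vulnerable pattern: every path segment is followed blindly, so the segment
// "__proto__" resolves to Object.prototype and the final write lands there.
function setByPathUnsafe(target, path, value) {
  const keys = path.split('.');
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (obj[k] === null || typeof obj[k] !== 'object') obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Hardened pattern: reject the segments that reach the prototype chain up
// front, and only descend into properties the current object itself owns.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function setByPathSafe(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_SEGMENTS.has(k)) {
      throw new Error('refusing unsafe path segment: ' + k);
    }
  }
  let obj = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(obj, k);
    if (!own || obj[k] === null || typeof obj[k] !== 'object') obj[k] = {};
    obj = obj[k];
  }
  obj[keys[keys.length - 1]] = value;
  return target;
}

// Runs both helpers on a constructed attacker-controlled path and reports
// what an unrelated, freshly created object sees after each call.
function demo() {
  const attackPath = '__proto__.isAdmin'; // constructed malicious input
  const result = {};

  // The hardened helper throws and leaves Object.prototype untouched.
  try {
    setByPathSafe({}, attackPath, true);
    result.safeRejected = false;
  } catch (e) {
    result.safeRejected = true;
  }
  result.cleanAfterSafe = ({}).isAdmin === undefined;

  // The vulnerable helper pollutes Object.prototype: every object now has isAdmin.
  setByPathUnsafe({}, attackPath, true);
  result.pollutedAfterUnsafe = ({}).isAdmin === true;

  // Undo the pollution so nothing else in this process inherits it.
  delete Object.prototype.isAdmin;
  result.cleanAfterCleanup = ({}).isAdmin === undefined;
  return result;
}

// Stand-alone run: prints the report and a benign use of the safe helper.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(JSON.stringify(setByPathSafe({}, 'a.b.c', 1)));
}
```

Run it with `node`. The hardened variant refuses the three segments that reach the prototype chain and only traverses own properties; a quick regression check for any path-setting helper in a dependency tree is to pass it `__proto__.x` and confirm that `({}).x` is still `undefined` afterwards. Upgrading past the vulnerable range, as `npm audit fix --force` proposes here, is the fix for the library itself; the check above is how to confirm the behaviour rather than trust the version number.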
@zapteryx (Member)

@zapteryx zapteryx added the status:wontfix Issues and PRs: Won't be fixed, or won't be merged label Apr 17, 2022
@zapteryx zapteryx pinned this issue Apr 17, 2022
@zapteryx zapteryx linked a pull request Jul 10, 2022 that will close this issue
@github-actions (Contributor)

🎉 This issue has been resolved in version 4.0.0-next.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@zapteryx zapteryx unpinned this issue Jul 12, 2022