
vulnerabilities on install #3

Open
rowemoore opened this issue Sep 21, 2023 · 1 comment

Comments

@rowemoore

Windows 10. `audit fix` and `audit fix --force` are not working.

```
# npm audit report

file-type 17.0.0 - 17.1.2
Severity: high
file-type vulnerable to Infinite Loop via malformed MKV file - GHSA-mhxj-85r3-2x55
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/astro-imagetools/node_modules/file-type
astro-imagetools *
Depends on vulnerable versions of file-type
Depends on vulnerable versions of imagetools-core
Depends on vulnerable versions of potrace
node_modules/astro-imagetools

sharp <0.30.5
Severity: moderate
sharp vulnerable to Command Injection in post-installation over build environment - GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/imagetools-core/node_modules/sharp
imagetools-core <=3.0.2
Depends on vulnerable versions of sharp
node_modules/imagetools-core

xml2js <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - GHSA-776f-qx25-q3cc
fix available via npm audit fix
node_modules/xml2js
parse-bmfont-xml *
Depends on vulnerable versions of xml2js
node_modules/parse-bmfont-xml
load-bmfont >=1.1.0
Depends on vulnerable versions of parse-bmfont-xml
node_modules/load-bmfont
@jimp/core <=0.17.1 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
Depends on vulnerable versions of load-bmfont
node_modules/potrace/node_modules/@jimp/core
@jimp/custom <=0.17.0--canary.1131.af3cb94.0 || 0.17.3--canary.1136.7f5f5d8.0 || 0.18.0--canary.1133.54bf269.0 - 0.18.0--canary.1135.911ed04.0
Depends on vulnerable versions of @jimp/core
node_modules/potrace/node_modules/@jimp/custom
jimp >=0.3.6-alpha.5
Depends on vulnerable versions of @jimp/custom
Depends on vulnerable versions of @jimp/plugins
node_modules/potrace/node_modules/jimp
potrace >=2.1.2
Depends on vulnerable versions of jimp
node_modules/potrace
@jimp/plugin-print *
Depends on vulnerable versions of load-bmfont
node_modules/@jimp/plugin-print
@jimp/plugins *
Depends on vulnerable versions of @jimp/plugin-print
node_modules/@jimp/plugins

13 vulnerabilities (11 moderate, 2 high)
```

@preetamslot
Contributor

Hi @rowemoore,
I think this is related to astro-imagetools. The latest version is 0.9, so I can't imagine that a fix would be to downgrade.

I could be wrong, but the site is built with SSG, so the vulnerabilities are not exposed on the live site. Can you let me know how someone could exploit this?

Thanks for the report.
I will investigate whether I can find a fix for this.
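A triage helper, added here as an example and not code from the issue or the astro-imagetools project, that approaches the reply's exposure question from the manifest side: it reads an `npm audit --json`-style report (the `auditReportVersion: 2` layout npm 7 and later emit), walks each advisory's `effects` chain up to the direct dependency that pulls the package in, records whether that root is declared in `dependencies` or `devDependencies`, notes whether only a semver-major (breaking) fix is offered, and flags advisories whose title describes the install step, because the sharp advisory above ("Command Injection in post-installation over build environment") executes wherever `npm install` runs, on a build machine as much as on a server, whatever the live site exposes. The manifest, the report, the shortened dependency chains and the `<fixed-version>` placeholder are constructed to mirror the pasted output; `rootsOf`, `scopeOf`, `triage` and the `/install/i` heuristic are this example's own names.

```javascript
"use strict";
// Triage helper for `npm audit --json` output (auditReportVersion 2, npm 7+).
// Added example for this thread; not code from the issue or the project. The
// manifest and report below are CONSTRUCTED to mirror the advisories pasted
// above, with the dependency chains shortened and the fix version left as a
// placeholder because the pasted output obscures it.

const PKG = {
  dependencies: { "astro-imagetools": "^0.9.0" }, // constructed manifest
  devDependencies: {},
};

function advisory(title, ghsa, severity, range) {
  return { title, url: `https://github.com/advisories/${ghsa}`, severity, range };
}

// The only fix npm offers is a semver-major change of the direct dependency.
const FIX = { name: "astro-imagetools", version: "<fixed-version>", isSemVerMajor: true };

const AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "file-type": {
      name: "file-type", severity: "high", isDirect: false, range: "17.0.0 - 17.1.2",
      via: [advisory("file-type vulnerable to Infinite Loop via malformed MKV file",
        "GHSA-mhxj-85r3-2x55", "high", "17.0.0 - 17.1.2")],
      effects: ["astro-imagetools"], fixAvailable: FIX,
    },
    sharp: {
      name: "sharp", severity: "moderate", isDirect: false, range: "<0.30.5",
      via: [advisory("sharp vulnerable to Command Injection in post-installation over build environment",
        "GHSA-gp95-ppv5-3jc5", "moderate", "<0.30.5")],
      effects: ["imagetools-core"], fixAvailable: FIX,
    },
    "imagetools-core": { // vulnerable only through sharp: `via` holds a package name, not an advisory
      name: "imagetools-core", severity: "moderate", isDirect: false, range: "<=3.0.2",
      via: ["sharp"], effects: ["astro-imagetools"], fixAvailable: FIX,
    },
    xml2js: {
      name: "xml2js", severity: "moderate", isDirect: false, range: "<0.5.0",
      via: [advisory("xml2js is vulnerable to prototype pollution", "GHSA-776f-qx25-q3cc",
        "moderate", "<0.5.0")],
      effects: ["astro-imagetools"], fixAvailable: true, // non-breaking fix exists (chain shortened)
    },
    "astro-imagetools": {
      name: "astro-imagetools", severity: "high", isDirect: true, range: "*",
      via: ["file-type", "imagetools-core", "xml2js"], effects: [], fixAvailable: FIX,
    },
  },
};

// Follow `effects` upward until a direct dependency (or the top of the chain).
function rootsOf(name, vulns, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const v = vulns[name];
  if (!v || v.isDirect || v.effects.length === 0) return [name];
  return [...new Set(v.effects.flatMap((e) => rootsOf(e, vulns, seen)))];
}

// Which manifest section declares the root: `devDependencies` never ship with
// the app; `dependencies` may (for a statically generated site they still only
// run during the build, which is the point the reply makes).
function scopeOf(root, pkg) {
  if (pkg.dependencies && root in pkg.dependencies) return "dependencies";
  if (pkg.devDependencies && root in pkg.devDependencies) return "devDependencies";
  return "undeclared";
}

// Heuristic: an advisory about the install step executes on whatever machine
// runs `npm install`, i.e. on every build, regardless of runtime exposure.
const INSTALL_TIME = /install/i;
const RANK = { critical: 0, high: 1, moderate: 2, low: 3, info: 4 };

function triage(audit, pkg) {
  const vulns = audit.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === "object")) // packages with their own advisory
    .map((v) => {
      const adv = v.via.filter((x) => typeof x === "object");
      const roots = rootsOf(v.name, vulns);
      return {
        name: v.name,
        severity: v.severity,
        ghsa: adv.map((a) => a.url.split("/").pop()),
        roots,
        scopes: roots.map((r) => scopeOf(r, pkg)),
        installTime: adv.some((a) => INSTALL_TIME.test(a.title)),
        breakingFixOnly: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
      };
    })
    .sort((a, b) => (RANK[a.severity] ?? 9) - (RANK[b.severity] ?? 9));
}

console.table(triage(AUDIT, PKG).map((r) => ({
  ...r, ghsa: r.ghsa.join(","), roots: r.roots.join(","), scopes: r.scopes.join(","),
})));
```

On a real project, feed it `npm audit --json` and the project's package.json instead of the constructed objects. Rows with `installTime` true deserve attention even when the root is a build-only dependency, because the install scripts run on the CI or developer machine. For a transitive package whose fix is non-breaking (xml2js here, where the report says plain `npm audit fix` suffices), or where a newer transitive version is known to be compatible, npm's `overrides` field in package.json (npm 8.3 and later) pins that single package without the forced downgrade of the direct dependency that `--force` proposes.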
