
@thomasjammet thomasjammet commented Feb 16, 2024

Current version of videojs/standard has critical npm vulnerabilities:

# npm audit report

ansi-regex  5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

semver  <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/conventional-changelog-writer/node_modules/semver
node_modules/git-semver-tags/node_modules/semver
node_modules/meow/node_modules/semver
node_modules/not-prerelease/node_modules/semver
node_modules/npm-run-all/node_modules/semver
node_modules/read-pkg/node_modules/semver
node_modules/semver

underscore  1.3.2 - 1.12.0
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
fix available via `npm audit fix`
node_modules/underscore
  nomnom  >=1.6.0
  Depends on vulnerable versions of underscore
  node_modules/nomnom

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

6 vulnerabilities (2 moderate, 2 high, 2 critical)

This PR fixes all the vulnerabilities but first needs the following PR to be merged:
videojs/eslint-config-videojs#50

This would be a major version change I guess.

@thomasjammet (Author)

Actually `npm run test` will not work; this should wait for the following PR:

videojs/eslint-config-videojs#50
