Describe the bug
# npm audit report
ajv <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/json-schema-migrate/node_modules/ajv
node_modules/webapi-parser/node_modules/ajv
json-schema-migrate 0.1.0 - 0.2.0
Depends on vulnerable versions of ajv
node_modules/json-schema-migrate
webapi-parser *
Depends on vulnerable versions of ajv
node_modules/webapi-parser
@asyncapi/parser 2.0.0-next-major.2 - 3.3.0
Depends on vulnerable versions of jsonpath-plus
Depends on vulnerable versions of ramldt2jsonschema
Depends on vulnerable versions of webapi-parser
node_modules/@asyncapi/parser
node_modules/parserv2
@asyncapi/generator 1.2.0 - 1.16.0
Depends on vulnerable versions of @asyncapi/parser
Depends on vulnerable versions of @npmcli/arborist
node_modules/@asyncapi/generator
nestjs-asyncapi >=0.2.11
Depends on vulnerable versions of @asyncapi/generator
Depends on vulnerable versions of @asyncapi/html-template
node_modules/nestjs-asyncapi
@smoya/multi-parser >=3.0.0
Depends on vulnerable versions of @asyncapi/parser
Depends on vulnerable versions of @asyncapi/raml-dt-schema-parser
node_modules/@smoya/multi-parser
@asyncapi/raml-dt-schema-parser *
Depends on vulnerable versions of ramldt2jsonschema
Depends on vulnerable versions of webapi-parser
node_modules/@asyncapi/raml-dt-schema-parser
ramldt2jsonschema >=1.0.0
Depends on vulnerable versions of json-schema-migrate
Depends on vulnerable versions of webapi-parser
node_modules/ramldt2jsonschema
dompurify <3.2.4
Severity: moderate
DOMPurify allows Cross-site Scripting (XSS) - https://github.com/advisories/GHSA-vhxf-7vqr-mrjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dompurify
isomorphic-dompurify <=0.27.0
Depends on vulnerable versions of dompurify
node_modules/isomorphic-dompurify
@asyncapi/react-component 0.21.0-next.1 || 1.0.0-next.1 - 2.0.4
Depends on vulnerable versions of isomorphic-dompurify
node_modules/@asyncapi/react-component
@asyncapi/html-template 0.21.0 - 3.2.0
Depends on vulnerable versions of @asyncapi/react-component
Depends on vulnerable versions of puppeteer
node_modules/@asyncapi/html-template
form-data <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/form-data
request *
Depends on vulnerable versions of form-data
Depends on vulnerable versions of tough-cookie
node_modules/request
node-gyp <=7.1.2
Depends on vulnerable versions of request
node_modules/node-gyp
@npmcli/run-script 1.1.1 - 1.8.6
Depends on vulnerable versions of node-gyp
node_modules/@npmcli/run-script
@npmcli/arborist <=2.10.0
Depends on vulnerable versions of @npmcli/metavuln-calculator
Depends on vulnerable versions of @npmcli/run-script
Depends on vulnerable versions of pacote
node_modules/@npmcli/arborist
pacote 11.1.5 - 11.3.5
Depends on vulnerable versions of @npmcli/run-script
node_modules/pacote
@npmcli/metavuln-calculator <=1.1.1
Depends on vulnerable versions of pacote
node_modules/@npmcli/metavuln-calculator
jsonpath-plus <=10.2.0
Severity: critical
JSONPath Plus Remote Code Execution (RCE) Vulnerability - https://github.com/advisories/GHSA-pppg-cpfq-h7wr
JSONPath Plus allows Remote Code Execution - https://github.com/advisories/GHSA-hw8r-x6gr-5gjp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/jsonpath-plus
tar-fs 2.0.0 - 2.1.2
Severity: high
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File - https://github.com/advisories/GHSA-pq67-2wwv-3xjx
tar-fs can extract outside the specified dir with a specific tarball - https://github.com/advisories/GHSA-8cj5-5rvv-wf4v
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tar-fs
puppeteer 10.0.0 - 18.1.0
Depends on vulnerable versions of tar-fs
Depends on vulnerable versions of ws
node_modules/puppeteer
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/tough-cookie
ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/puppeteer/node_modules/ws
25 vulnerabilities (14 moderate, 4 high, 7 critical)
All of which are peer deps of nestjs-asyncapi
To Reproduce
Steps to reproduce the behavior:
- Add package to your repo
- Run npm audit
Expected behavior
0 Vulnerabilities found
Like running npm uninstall nestjs-asyncapi results in an immediate fix :/
removed 690 packages, and audited 959 packages in 6s
178 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
Environment
Nest version: 11.0.1