Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

npm audit has been reporting vulnerabilities since at least October 2020, please can we update dependencies?

See original GitHub issue

Here’s the latest from today, this library alone is bringing 10 high security vulnerabilities into my project. It seems to be very last of the google libraries to update dependencies since their discovery, by a long long way.

C’mon, don’t leave our projects vulnerable for so long.

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/actions-on-google/node_modules/axios
node_modules/gcp-metadata/node_modules/axios
  gcp-metadata  0.5.0 - 4.1.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
  node_modules/googleapis-common/node_modules/gcp-metadata
  node_modules/googleapis/node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/actions-on-google/node_modules/google-auth-library
    node_modules/googleapis-common/node_modules/google-auth-library
    node_modules/googleapis/node_modules/google-auth-library
      actions-on-google  >=1.8.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis
      node_modules/actions-on-google
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://npmjs.com/advisories/1690
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/json-bigint
  gcp-metadata  0.5.0 - 4.1.0
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
  node_modules/googleapis-common/node_modules/gcp-metadata
  node_modules/googleapis/node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of axios
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/actions-on-google/node_modules/google-auth-library
    node_modules/googleapis-common/node_modules/google-auth-library
    node_modules/googleapis/node_modules/google-auth-library
      actions-on-google  >=1.8.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis
      node_modules/actions-on-google
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

node-forge  <=0.9.2
Severity: high
Prototype Pollution in node-forge - https://npmjs.com/advisories/1561
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.0.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
      google-auth-library  0.9.4 - 5.10.1
      Depends on vulnerable versions of axios
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gcp-metadata
      Depends on vulnerable versions of gtoken
      node_modules/actions-on-google/node_modules/google-auth-library
      node_modules/googleapis-common/node_modules/google-auth-library
      node_modules/googleapis/node_modules/google-auth-library
        actions-on-google  >=1.8.0
        Depends on vulnerable versions of google-auth-library
        Depends on vulnerable versions of googleapis
        node_modules/actions-on-google
        googleapis  37.0.0-webpack - 48.0.0
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis
        googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
        Depends on vulnerable versions of google-auth-library
        node_modules/googleapis-common

10 high severity vulnerabilities