Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

High severity vulnerabilities

See original GitHub issue

Cloning repository via npm mentions the following:

found 2 high severity vulnerabilities

Running npm audit reveals the following:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > localtunnel > axios                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Server-Side Request Forgery                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.21.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bundlewatch [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ bundlewatch > axios                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1594                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 high severity vulnerabilities in 1425 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

I know that browsersync is used only for development and is not part of dist files. What about bundlewatch? Is it used inside dist files or not?

Reading description of bundlewatch leads me to believe it is used as a dev tool and as such, is not part of the dist files but I’d like to double check to be sure.

Issue Analytics

State:
Created 3 years ago
Comments:15 (6 by maintainers)

Top GitHub Comments

2reactions

REJackcommented, Jan 27, 2021

Now this is fixed 😄 bundlewatch is updated 0.3.1.

1reaction

REJackcommented, Jan 27, 2021

@XhmikosR I’m thinking about to remove the plugins folder and use CDN’s with AdminLTE v4.0.0, this sould help 🤣.

Top Results From Across the Web

when Install the npm, found 12 high severity vulnerabilities

15) has 18 vulnerabilities (6 moderate, 12 high). Upgrading npm to 8.0.0, removing node_modules and package-lock.json and executing npm install ...

Vulnerability Severity Levels - Invicti

A High severity vulnerability means that your website can be hacked and can lead hackers to find other vulnerabilities which have a bigger...

Chromium Docs - Severity Guidelines for Security Issues

High severity vulnerabilities allow an attacker to execute code in the context of, or otherwise impersonate other origins or read cross-origin data.

Update: OpenSSL high severity vulnerabilities - Snyk

OpenSSL has released two high severity vulnerabilities — CVE-2022-3602 and CVE-2022-3786 — related to buffer overrun.

High Severity Vulnerabilities - Acunetix

Vulnerability Name CWE Severity .NET HTTP Remoting publicly exposed CWE‑502 High .NET JSON.NET Deserialization RCE CWE‑502 High ACME mini_httpd arbitrary file read CWE‑23 High