Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Security vulnerabilities in v9.0.0 dependencies

See original GitHub issue

👋 @spencermountain, thanks for this library! I got from how to I parse wikitext templates? to problem solved! in less than 30 mins – great stuff 💯

After pushing my code to GitHub I noticed two security advisories and decided to open this issue. Here’s what I see:

yarn why wtf_wikipedia

yarn why v1.22.10
[1/4] 🤔  Why do we have the module "wtf_wikipedia"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "wtf_wikipedia@9.0.0"
info Has been hoisted to "wtf_wikipedia"
info This module exists because it's specified in "dependencies".
info Disk size without dependencies: "2.27MB"
info Disk size with unique dependencies: "2.86MB"
info Disk size with transitive dependencies: "7.25MB"
info Number of shared dependencies: 52

yarn audit

yarn audit v1.22.10
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wtf_wikipedia                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wtf_wikipedia > recursive-install > yargs > yargs-parser     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1500                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trim-newlines                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.1 <4.0.0 || >=4.0.1                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ wtf_wikipedia                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ wtf_wikipedia > path-exists-cli > meow > trim-newlines       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1753                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
2 vulnerabilities found - Packages audited: 1354
Severity: 1 Low | 1 High

Would you accept a PR that upgrades or removes vulnerable dependencies? 🙂 Thanks for the lib again! 🙌

Issue Analytics

State:
Created 2 years ago
Comments:6 (5 by maintainers)

Top GitHub Comments

1reaction

spencermountaincommented, Nov 29, 2021

fixed in 9.0.2 cheers

0reactions

spencermountaincommented, Nov 8, 2021

thank you wouter

Top Results From Across the Web

Fixing security vulnerabilities in npm dependencies in less ...

In my case mocha(7.1.0) -> mkdirp(0.5.1) -> minimist(0.0.8) — the vulnerable version. Resolutions key. 3) And finally the fix was: 3.1) First npm...

How to fix Security Vulnerabilities in NPM Dependencies in 3 ...

1) -> minimist(0.0.8) — the vulnerable version. Resolutions key. 3) And finally the fix was: 3.1) First npm install the non- ...

Apache Tomcat 9 vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 9.x. Each vulnerability is given a security impact rating by...

github - Proper way to fix potential security vulnerability in a ...

We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security ...

Karma Dependencies Security Vulnerabilities (NPM Audit)

NPM 6 introduced a security vulnerability audit feature, and karma's dependencies are being flagged with a variety of levels of issues.