Comments (3)
Unable to reproduce the issue as [email protected]. Tried on the environment as mentioned.
I have tried with the lodash and micromatch packages and the audited JSON output is looking good for the via field data structure.
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "lodash": {
      "name": "lodash",
      "severity": "high",
      "isDirect": true,
      "via": [
        {
          "source": 1094500,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Regular Expression Denial of Service (ReDoS) in lodash",
          "url": "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
          "severity": "moderate",
          "cwe": [
            "CWE-400",
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.17.21"
        },
        {
          "source": 1096305,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Prototype Pollution in lodash",
          "url": "https://github.com/advisories/GHSA-p6mc-m468-83gw",
          "severity": "high",
          "cwe": [
            "CWE-770",
            "CWE-1321"
          ],
          "cvss": {
            "score": 7.4,
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"
          },
          "range": ">=3.7.0 <4.17.19"
        },
        {
          "source": 1096996,
          "name": "lodash",
          "dependency": "lodash",
          "title": "Command Injection in lodash",
          "url": "https://github.com/advisories/GHSA-35jh-r3h4-6jhm",
          "severity": "high",
          "cwe": [
            "CWE-77",
            "CWE-94"
          ],
          "cvss": {
            "score": 7.2,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
          },
          "range": "<4.17.21"
        }
      ],
      "effects": [],
      "range": "<=4.17.20",
      "nodes": [
        "node_modules/lodash"
      ],
      "fixAvailable": true
    },
    "micromatch": {
      "name": "micromatch",
      "severity": "moderate",
      "isDirect": true,
      "via": [
        {
          "source": 1098681,
          "name": "micromatch",
          "dependency": "micromatch",
          "title": "Regular Expression Denial of Service (ReDoS) in micromatch",
          "url": "https://github.com/advisories/GHSA-952p-6rrq-rcjv",
          "severity": "moderate",
          "cwe": [
            "CWE-1333"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<4.0.8"
        }
      ],
      "effects": [],
      "range": "<4.0.8",
      "nodes": [
        "node_modules/micromatch"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 1,
      "critical": 0,
      "total": 2
    },
    "dependencies": {
      "prod": 97,
      "dev": 0,
      "optional": 0,
      "peer": 66,
      "peerOptional": 0,
      "total": 162
    }
  }
}
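One way to consume the `via` field shown in that report, as an added example that is not npm's own code and not part of the comment above. In an `npm audit --json` v2 report each `via` element is either an advisory object (as for lodash and micromatch above) or a string naming the package through which a transitive vulnerability is reached; the code below splits the two forms, computes the highest advisory severity per package, and follows string references back to the root advisories. The sample report is constructed from the two first lodash advisories quoted above plus a made-up transitive package, `example-consumer`, that exists only to exercise the string form.

```javascript
// Added example (not npm's code): summarise `vulnerabilities[*].via` in an
// `npm audit --json` v2 report. Assumes the documented shape: object entries
// are advisories, string entries name the dependency the finding comes through.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample: two lodash advisories from the quoted report plus a
// hypothetical "example-consumer" that is vulnerable only through lodash.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: "lodash", severity: "high", isDirect: true,
      via: [
        { source: 1094500, name: "lodash", dependency: "lodash",
          title: "Regular Expression Denial of Service (ReDoS) in lodash",
          url: "https://github.com/advisories/GHSA-29mw-wpgm-hmr9",
          severity: "moderate", cwe: ["CWE-400", "CWE-1333"],
          cvss: { score: 5.3, vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" },
          range: "<4.17.21" },
        { source: 1096305, name: "lodash", dependency: "lodash",
          title: "Prototype Pollution in lodash",
          url: "https://github.com/advisories/GHSA-p6mc-m468-83gw",
          severity: "high", cwe: ["CWE-770", "CWE-1321"],
          cvss: { score: 7.4, vectorString: "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H" },
          range: ">=3.7.0 <4.17.19" },
      ],
      effects: [], range: "<=4.17.20", nodes: ["node_modules/lodash"], fixAvailable: true,
    },
    "example-consumer": { // constructed, transitive: `via` holds a package name
      name: "example-consumer", severity: "high", isDirect: false,
      via: ["lodash"], effects: [], range: "*",
      nodes: ["node_modules/example-consumer"], fixAvailable: true,
    },
  },
};

// Separate advisory objects from string references; reject anything else so a
// format change is noticed instead of silently dropped.
function splitVia(pkg) {
  const advisories = [];
  const reachedVia = [];
  for (const entry of pkg.via ?? []) {
    if (typeof entry === "string") reachedVia.push(entry);
    else if (entry && typeof entry === "object" && typeof entry.url === "string") advisories.push(entry);
    else throw new TypeError(`unexpected via entry for ${pkg.name}: ${JSON.stringify(entry)}`);
  }
  return { advisories, reachedVia };
}

// Highest severity among the advisories, or null when there are none.
function maxSeverity(advisories) {
  let best = null;
  for (const a of advisories) {
    if (best === null || (SEVERITY_RANK[a.severity] ?? -1) > SEVERITY_RANK[best]) best = a.severity;
  }
  return best;
}

// Per-package summary keyed by package name.
function summarizeVia(report) {
  if (report.auditReportVersion !== 2) throw new Error("expected auditReportVersion 2");
  const out = {};
  for (const [name, pkg] of Object.entries(report.vulnerabilities)) {
    const { advisories, reachedVia } = splitVia(pkg);
    out[name] = {
      isDirect: pkg.isDirect,
      reportedSeverity: pkg.severity,
      advisorySeverity: maxSeverity(advisories),
      advisories: advisories.map(a => ({ id: a.source, title: a.title, severity: a.severity, url: a.url, range: a.range })),
      reachedVia,
    };
  }
  return out;
}

// Follow string references until advisory objects are found; `seen` guards
// against cycles in the dependency graph.
function rootAdvisories(report, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const pkg = report.vulnerabilities[name];
  if (!pkg) return [];
  const { advisories, reachedVia } = splitVia(pkg);
  return advisories.concat(...reachedVia.map(dep => rootAdvisories(report, dep, seen)));
}

function rootAdvisoryUrls(report, name) {
  return [...new Set(rootAdvisories(report, name).map(a => a.url))];
}

console.log(JSON.stringify(summarizeVia(SAMPLE_REPORT), null, 2));
console.log(rootAdvisoryUrls(SAMPLE_REPORT, "example-consumer"));
```

Run it under Node with `node via-summary.js`; to use a real report, replace `SAMPLE_REPORT` with `JSON.parse(fs.readFileSync("audit.json"))`. The `TypeError` in `splitVia` is deliberate: a tool that silently skips an unrecognised `via` shape would under-report findings, which is exactly the kind of regression a structural change to this field would cause.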