Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:
npm audit report
diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix`
node_modules/diff
tap-mocha-reporter 0.0.4 - 5.0.0
Depends on vulnerable versions of diff
node_modules/tap-mocha-reporter
tap 5.1.0 - 5.1.1 || 6.3.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
Depends on vulnerable versions of nyc
Depends on vulnerable versions of tap-mocha-reporter
node_modules/tap
handlebars <=4.7.6
Severity: critical
Prototype Pollution - https://npmjs.com/advisories/1164
Denial of Service - https://npmjs.com/advisories/1300
Arbitrary Code Execution - https://npmjs.com/advisories/1316
Arbitrary Code Execution - https://npmjs.com/advisories/1324
Remote code execution when compiling templates - https://npmjs.com/advisories/1670
Prototype Pollution - https://npmjs.com/advisories/755
Depends on vulnerable versions of optimist
fix available via `npm audit fix`
node_modules/nyc/node_modules/handlebars
hosted-git-info <2.8.9 || >=3.0.0 <3.0.8
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/1677
fix available via `npm audit fix`
node_modules/nyc/node_modules/hosted-git-info
js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via `npm audit fix`
node_modules/js-yaml
kind-of 6.0.0 - 6.0.2
Validation Bypass - https://npmjs.com/advisories/1490
fix available via `npm audit fix`
node_modules/nyc/node_modules/base/node_modules/kind-of
node_modules/nyc/node_modules/define-property/node_modules/kind-of
node_modules/nyc/node_modules/extglob/node_modules/kind-of
node_modules/nyc/node_modules/micromatch/node_modules/kind-of
node_modules/nyc/node_modules/nanomatch/node_modules/kind-of
node_modules/nyc/node_modules/snapdragon-node/node_modules/kind-of
node_modules/nyc/node_modules/test-exclude/node_modules/kind-of
node_modules/nyc/node_modules/use/node_modules/kind-of
lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix`
node_modules/nyc/node_modules/lodash
mem <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix`
node_modules/nyc/node_modules/mem
os-locale 2.0.0 - 3.0.0
Depends on vulnerable versions of mem
node_modules/nyc/node_modules/os-locale
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/nyc/node_modules/yargs
nyc 6.0.0 - 13.3.0
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-parser
node_modules/nyc
tap 5.1.0 - 5.1.1 || 6.3.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
Depends on vulnerable versions of nyc
Depends on vulnerable versions of tap-mocha-reporter
node_modules/tap
minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/minimatch
eslint 0.7.1 - 1.8.0
Depends on vulnerable versions of minimatch
node_modules/eslint
minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix`
node_modules/coveralls/node_modules/minimist
node_modules/minimist
node_modules/nyc/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mkdirp
node_modules/nyc/node_modules/mkdirp
nyc 6.0.0 - 13.3.0
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-parser
node_modules/nyc
tap 5.1.0 - 5.1.1 || 6.3.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
Depends on vulnerable versions of nyc
Depends on vulnerable versions of tap-mocha-reporter
node_modules/tap
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/nyc/node_modules/optimist
handlebars <=4.7.6
Depends on vulnerable versions of optimist
node_modules/nyc/node_modules/handlebars
mixin-deep <=1.3.1 || 2.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1013
fix available via `npm audit fix`
node_modules/nyc/node_modules/mixin-deep
set-value <=2.0.0 || 3.0.0
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1012
fix available via `npm audit fix`
node_modules/nyc/node_modules/set-value
node_modules/nyc/node_modules/union-value/node_modules/set-value
union-value <=1.0.0 || 2.0.0
Depends on vulnerable versions of set-value
node_modules/nyc/node_modules/union-value
y18n <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via `npm audit fix`
node_modules/nyc/node_modules/y18n
yargs-parser <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix`
node_modules/nyc/node_modules/yargs-parser
node_modules/nyc/node_modules/yargs/node_modules/yargs-parser
nyc 6.0.0 - 13.3.0
Depends on vulnerable versions of mkdirp
Depends on vulnerable versions of yargs
Depends on vulnerable versions of yargs-parser
node_modules/nyc
tap 5.1.0 - 5.1.1 || 6.3.0 - 14.6.7 || 14.10.2-totally-bundled - 14.10.2-unbundled
Depends on vulnerable versions of nyc
Depends on vulnerable versions of tap-mocha-reporter
node_modules/tap
yargs 4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
Depends on vulnerable versions of os-locale
Depends on vulnerable versions of yargs-parser
node_modules/nyc/node_modules/yargs
22 vulnerabilities (9 low, 1 moderate, 11 high, 1 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:
Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
Do you have any additional comments? (If so, please write them down):
For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.
Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].
Steps to reproduce:
Go to the root folder of the project where the package.json file is located
Execute “npm audit”
Look at the list of vulnerabilities reported
Suggested Solution: npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.
References:
[1] 2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/
[2] 2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit
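Added example (editor's code, not part of the issue above or of the audited project): before accepting the "run `npm audit fix --force`" advice, it is worth triaging the report. Every install path in the report above sits under tap, nyc, eslint or coveralls, which are test, coverage and lint tools, so most of these findings never reach production code; what matters is which advisories touch a runtime path and which fixes cross a semver-major boundary. The script below reads the JSON form of the report (`npm audit --json`; `npm audit --production`, or `--omit=dev` on npm 7+, drops devDependency paths at the source) and answers both questions. It assumes the npm 7+ report shape (auditReportVersion 2, with `via`, `effects`, `nodes`, `isDirect` and `fixAvailable` per entry). The sample report embedded in it is constructed from four entries of the issue's output, the eslint fix version in it is a placeholder, and the devDependencies set is inferred from the report's install paths; none of that is real `npm audit` output.

```javascript
// Triage an `npm audit --json` (auditReportVersion 2) report, instead of running
// `npm audit fix --force` blindly. Editor's example; assumptions are marked.

// Constructed sample modelled on four entries of the issue's report. The eslint
// fix version is a placeholder; npm prints the real one.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    diff: {
      name: "diff", severity: "high", isDirect: false, range: "<3.5.0",
      via: [{ source: 1631, name: "diff", title: "Regular Expression Denial of Service",
              url: "https://npmjs.com/advisories/1631", severity: "high", range: "<3.5.0" }],
      effects: ["tap-mocha-reporter"], nodes: ["node_modules/diff"], fixAvailable: true,
    },
    "tap-mocha-reporter": {
      name: "tap-mocha-reporter", severity: "high", isDirect: false, range: "0.0.4 - 5.0.0",
      via: ["diff"], effects: ["tap"], nodes: ["node_modules/tap-mocha-reporter"], fixAvailable: true,
    },
    tap: {
      name: "tap", severity: "high", isDirect: true, range: "6.3.0 - 14.6.7",
      via: ["tap-mocha-reporter"], effects: [], nodes: ["node_modules/tap"], fixAvailable: true,
    },
    handlebars: {
      name: "handlebars", severity: "critical", isDirect: false, range: "<=4.7.6",
      via: [{ source: 1316, name: "handlebars", title: "Arbitrary Code Execution",
              url: "https://npmjs.com/advisories/1316", severity: "critical", range: "<=4.7.6" }],
      effects: [], nodes: ["node_modules/nyc/node_modules/handlebars"], fixAvailable: true,
    },
    minimatch: {
      name: "minimatch", severity: "high", isDirect: false, range: "<=3.0.1",
      via: [{ source: 118, name: "minimatch", title: "Regular Expression Denial of Service",
              url: "https://npmjs.com/advisories/118", severity: "high", range: "<=3.0.1" }],
      effects: ["eslint"], nodes: ["node_modules/minimatch"],
      fixAvailable: { name: "eslint", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
    eslint: {
      name: "eslint", severity: "high", isDirect: true, range: "0.7.1 - 1.8.0",
      via: ["minimatch"], effects: [], nodes: ["node_modules/eslint"],
      fixAvailable: { name: "eslint", version: "0.0.0-placeholder", isSemVerMajor: true },
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Walk `effects` up to the direct dependencies that pull a package in. Hoisting
// hides the real parent in the install path, so the path is only a fallback.
function directRoots(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return [];
  seen.add(name);
  if (v.isDirect) return [name];
  const viaEffects = v.effects.flatMap((e) => directRoots(report, e, seen));
  if (viaEffects.length > 0) return viaEffects;
  return v.nodes.map((n) => n.split("/")[1]); // node_modules/<top>/...
}

// One row per root advisory (a `via` entry that is an object, not a package name).
// `devOnly` means every direct dependency on the path is a devDependency, i.e.
// the vulnerable code never ships; `breaking` means the fix needs `--force`.
function triage(report, devDeps) {
  const rows = [];
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== "object") continue;
      const roots = [...new Set(directRoots(report, v.name))];
      rows.push({
        pkg: v.name, title: via.title, url: via.url, severity: via.severity, roots,
        devOnly: roots.length > 0 && roots.every((r) => devDeps.has(r)),
        fixable: v.fixAvailable !== false,
        breaking: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
      });
    }
  }
  return rows.sort((a, b) => SEVERITY_RANK[b.severity] - SEVERITY_RANK[a.severity]);
}

// Split the report into what `npm audit fix` handles safely, what needs a
// deliberate major bump, and what actually touches the runtime attack surface.
function summarize(report, devDeps) {
  const rows = triage(report, devDeps);
  return {
    total: rows.length,
    devOnly: rows.filter((r) => r.devOnly).map((r) => r.pkg),
    runtime: rows.filter((r) => !r.devOnly).map((r) => r.pkg),
    safeFix: rows.filter((r) => r.fixable && !r.breaking).map((r) => r.pkg),
    needsForce: rows.filter((r) => r.breaking).map((r) => r.pkg),
  };
}

// Assumed devDependencies, taken from the top-level packages in the issue's paths.
// For a real project read them from package.json and feed `npm audit --json` output.
const DEV_DEPS = new Set(["tap", "nyc", "eslint", "coveralls"]);
console.log(summarize(SAMPLE_REPORT, DEV_DEPS));
```

On the sample, all three root advisories come out as devOnly, handlebars and diff are fixable without a breaking change, and minimatch is the only one that needs the `--force` path because its fix is a major bump of eslint; drop nyc from the devDependencies set and the critical handlebars finding immediately moves to the runtime list, which is the signal worth acting on first.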