npm reports vulnerabilities

[canoine]

Hello all,

As I don't know if this should be considered as a bug or not, I'm asking here.

When building commafeed, I can read this :

[INFO] --- frontend:1.15.0:npm (npm install) @ commafeed-client ---
[INFO] Running 'npm ci' in /var/local/commabuild/src/commafeed/commafeed-client
[INFO] 
[INFO] added 966 packages, and audited 967 packages in 1m
[INFO] 
[INFO] 181 packages are looking for funding
[INFO]   run `npm fund` for details
[INFO] 
[INFO] 6 vulnerabilities (4 moderate, 1 high, 1 critical)
[INFO] 
[INFO] To address all issues, run:
[INFO]   npm audit fix
[INFO] 
[INFO] Run `npm audit` for details.

npm audit says :

# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix`
node_modules/axios

get-func-name  <2.0.1
Severity: high
Chaijs/get-func-name vulnerable to ReDoS - https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
fix available via `npm audit fix`
node_modules/get-func-name

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix`
node_modules/postcss

semver  6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/@typescript-eslint/eslint-plugin/node_modules/semver
node_modules/@typescript-eslint/parser/node_modules/semver
node_modules/@typescript-eslint/type-utils/node_modules/semver
node_modules/@typescript-eslint/typescript-estree/node_modules/semver
node_modules/@typescript-eslint/utils/node_modules/semver
node_modules/concordance/node_modules/semver
node_modules/semver

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

6 vulnerabilities (4 moderate, 1 high, 1 critical)

To address all issues, run:
  npm audit fix

So, if I understand well, the currently used versions of some dependencies are known to be vulnerable. But, is it safe to run 'npm audit fix', as recommended ? Are there regressions or incompatibilities, which force to keep old versions for these dependencies ?

[Athou]

Those are probably minor since npm dependencies are only used in the frontend. I'll run npm audit fix and see if it breaks anything :)

[canoine]

Updating...

[INFO] --- frontend:1.15.0:npm (npm install) @ commafeed-client ---
[INFO] Running 'npm ci' in /var/local/commabuild/src/commafeed/commafeed-client
[INFO] 
[INFO] added 973 packages, and audited 974 packages in 1m
[INFO] 
[INFO] 181 packages are looking for funding
[INFO]   run `npm fund` for details
[INFO] 
[INFO] found 0 vulnerabilities

:)