[Task] Review and fix security vulnerabilities #16

@PhuongHoang

Description

Task Description:
There are some dependencies in the project that have vulnerabilities that should be addressed. The list can be found by running `npm audit`.

Deliverable(s):
I would like to see two things accomplished:

  • Dependencies with security vulnerabilities are fixed, i.e. upgraded or removed (if not needed)
  • For dependencies with security vulnerabilities that cannot be fixed, an explanation and a potential plan to address them in the future.

Additional Context:
When running npm audit, it reports security vulnerabilities that should be looked into. Here is the output when I ran the command.

# npm audit report

body-parser  <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via `npm audit fix`
node_modules/body-parser
  express  <=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3
  Depends on vulnerable versions of body-parser
  Depends on vulnerable versions of path-to-regexp
  Depends on vulnerable versions of send
  Depends on vulnerable versions of serve-static
  node_modules/express


path-to-regexp  <0.1.10
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
fix available via `npm audit fix`
node_modules/path-to-regexp

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

send  <0.19.0
Severity: moderate
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix`
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

7 vulnerabilities (4 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Reminders:

  • Assign task to a project (required)
  • Assign task to a sprint (required)
  • Assign task to a developer (optional)
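An added triage helper (not code from this project) that turns `npm audit --json` output into the two deliverables above: what `npm audit fix` resolves, and which direct dependencies need a written explanation and plan because no fix exists. The report object is constructed to mirror the advisories quoted in this issue; the field names follow npm's auditReportVersion 2 JSON shape.

```javascript
// Added triage helper for `npm audit --json` (auditReportVersion 2 shape, npm 7+).
// SAMPLE_REPORT is CONSTRUCTED to mirror the advisories quoted in this issue;
// fixAvailable is true, false, or {name, version, isSemVerMajor} in real output.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "body-parser": { name: "body-parser", severity: "high", isDirect: false,
      via: [{ title: "body-parser vulnerable to denial of service when url encoding is enabled",
              url: "https://github.com/advisories/GHSA-qwcr-r2fm-qrc7", range: "<1.20.3" }],
      effects: ["express"], range: "<1.20.3", fixAvailable: true },
    express: { name: "express", severity: "high", isDirect: true,
      via: ["body-parser", "path-to-regexp", "send", "serve-static"],
      effects: [], range: "<=4.19.2 || 5.0.0-alpha.1 - 5.0.0-beta.3", fixAvailable: true },
    request: { name: "request", severity: "moderate", isDirect: true,
      via: [{ title: "Server-Side Request Forgery in Request",
              url: "https://github.com/advisories/GHSA-p8p7-x288-28g6", range: "*" },
            "tough-cookie"],
      effects: [], range: "*", fixAvailable: false },
    "tough-cookie": { name: "tough-cookie", severity: "moderate", isDirect: false,
      via: [{ title: "tough-cookie Prototype Pollution vulnerability",
              url: "https://github.com/advisories/GHSA-72xf-g2v4-qvf3", range: "<4.1.3" }],
      effects: ["request"], range: "<4.1.3", fixAvailable: false },
  },
};

// Split findings by how they can be resolved: `npm audit fix` handles autoFix,
// majorBump needs a reviewed upgrade, noFix needs the explanation-and-plan deliverable.
function triageAudit(report) {
  const out = { autoFix: [], majorBump: [], noFix: [] };
  for (const v of Object.values(report.vulnerabilities || {})) {
    const entry = {
      name: v.name, severity: v.severity, direct: Boolean(v.isDirect),
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      viaDeps: v.via.filter((x) => typeof x === "string"),
    };
    if (v.fixAvailable === false) out.noFix.push(entry);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) out.majorBump.push({ ...entry, fix: v.fixAvailable });
    else out.autoFix.push(entry);
  }
  return out;
}
// Direct dependencies with no fix: the packages a replacement plan is written for,
// since transitive ones (tough-cookie here) disappear when the direct one is replaced.
function directNoFix(triage) {
  return triage.noFix.filter((e) => e.direct).map((e) => e.name).sort();
}
const triaged = triageAudit(SAMPLE_REPORT);
console.log("npm audit fix resolves:", triaged.autoFix.map((e) => e.name).join(", "));
console.log("needs plan (direct, no fix):", directNoFix(triaged).join(", "));
```

For a live run, replace SAMPLE_REPORT with `JSON.parse` of the captured `npm audit --json` output; the grouping logic is unchanged.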
