klaudiosinani/taskbook

unsafe dependencies

Open

#194 opened on Jan 17, 2022

4 comments, 0 reactions, 0 assignees
Repository language: JavaScript (8,851 stars, 408 forks)
Labels: batch import, good first issue

Description

Describe the bug
I wanted to install taskbook and try it out, but npm tells me it has unsafe dependencies.

To Reproduce
Update npm, install taskbook via npm.

Expected behavior
The dependencies should be up to date, if possible.

Technical Info (please complete the following information)

  • OS: Linux
  • Node.js Version: 12.16.3
  • Taskbook Version: 0.3.0

Additional context
Command-line outputs:

$ npm install taskbook

added 129 packages, and audited 130 packages in 4s

5 packages are looking for funding
  run `npm fund` for details

9 vulnerabilities (6 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
$ npm audit fix

up to date, audited 130 packages in 1s

5 packages are looking for funding
  run `npm fund` for details

# npm audit report

ansi-regex  >2.1.1 <5.0.1
Severity: moderate
 Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/ansi-regex
  strip-ansi  4.0.0 - 5.2.0
  Depends on vulnerable versions of ansi-regex
  node_modules/strip-ansi
    string-width  2.1.0 - 4.1.0
    Depends on vulnerable versions of strip-ansi
    node_modules/string-width
      widest-line  2.0.0 - 2.0.1
      Depends on vulnerable versions of string-width
      node_modules/widest-line
        boxen  1.3.0 - 3.2.0
        Depends on vulnerable versions of widest-line
        node_modules/boxen

trim-newlines  <3.0.1
Severity: high
Regular Expression Denial of Service in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
No fix available
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    taskbook  *
    Depends on vulnerable versions of meow
    node_modules/taskbook

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
Prototype Pollution in yargs-parser - https://github.com/advisories/GHSA-p9pc-299p-vxgp
No fix available
node_modules/yargs-parser
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    taskbook  *
    Depends on vulnerable versions of meow
    node_modules/taskbook

9 vulnerabilities (6 moderate, 3 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
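The audit output above shows the usual shape of this problem: the advisories sit in deep transitive packages, and `npm audit fix` can only resolve the ones whose fix stays inside the dependent's declared range. The ansi-regex chain is fixable; trim-newlines and yargs-parser are not, because both reach the project only through meow, and taskbook's meow range does not admit a patched meow. A practitioner triaging a report like this wants the chain from each advisory to the root package that has to change its dependency. The script below is an added example, not code from the issue or from the taskbook project. It works on the JSON form of the report (`npm audit --json`, auditReportVersion 2, where each entry's `via` holds advisory objects or upstream package names and `effects` lists the affected dependents); those field names follow npm's format as I know it, and the sample report is constructed by hand to mirror the three advisories and nine entries in the issue, not captured from a real run.

```javascript
"use strict";

// One entry of the `vulnerabilities` map in `npm audit --json` (auditReportVersion 2).
// `via`: advisory objects for the package carrying the advisory, or package names for
// packages only affected through a dependency. `effects`: dependents affected in turn.
// Field names follow npm's report format; all values below are constructed for this example.
function entry(name, severity, range, via, effects, fixAvailable, isDirect = false) {
  return { name, severity, isDirect, via, effects, range,
           nodes: [`node_modules/${name}`], fixAvailable };
}

function advisory(title, ghsa, severity, range) {
  return { title, url: `https://github.com/advisories/${ghsa}`, severity, range };
}

// Constructed sample mirroring the issue's audit output (6 moderate, 3 high).
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "ansi-regex": entry("ansi-regex", "moderate", ">2.1.1 <5.0.1",
      [advisory("Inefficient Regular Expression Complexity in chalk/ansi-regex",
                "GHSA-93q8-gq69-wqmw", "moderate", ">2.1.1 <5.0.1")], ["strip-ansi"], true),
    "strip-ansi":   entry("strip-ansi",   "moderate", "4.0.0 - 5.2.0", ["ansi-regex"],   ["string-width"], true),
    "string-width": entry("string-width", "moderate", "2.1.0 - 4.1.0", ["strip-ansi"],   ["widest-line"],  true),
    "widest-line":  entry("widest-line",  "moderate", "2.0.0 - 2.0.1", ["string-width"], ["boxen"],        true),
    "boxen":        entry("boxen",        "moderate", "1.3.0 - 3.2.0", ["widest-line"],  [],               true),
    "trim-newlines": entry("trim-newlines", "high", "<3.0.1",
      [advisory("Regular Expression Denial of Service in trim-newlines",
                "GHSA-7p7h-4mm5-852v", "high", "<3.0.1")], ["meow"], false),
    "yargs-parser": entry("yargs-parser", "moderate", "6.0.0 - 13.1.1",
      [advisory("Prototype Pollution in yargs-parser",
                "GHSA-p9pc-299p-vxgp", "moderate", "6.0.0 - 13.1.1")], ["meow"], false),
    "meow":     entry("meow",     "high", "3.4.0 - 5.0.0", ["trim-newlines", "yargs-parser"], ["taskbook"], false),
    "taskbook": entry("taskbook", "high", "*", ["meow"], [], false, true),
  },
};

// Follow `effects` edges from a package up to the packages nothing else in the
// report depends on. Returns every chain as an array of names, e.g.
// ["trim-newlines", "meow", "taskbook"]. `seen` guards against cycles.
function chainsToRoot(vulns, name, seen = new Set()) {
  const node = vulns[name];
  if (!node || seen.has(name)) return [[name]];
  const effects = (node.effects || []).filter((e) => vulns[e]);
  if (effects.length === 0) return [[name]];
  const next = new Set(seen).add(name);
  return effects.flatMap((e) => chainsToRoot(vulns, e, next).map((c) => [name, ...c]));
}

// One row per package that carries an advisory (an object in `via`): GHSA links,
// chains to the root, and whether `npm audit fix` can resolve it on its own.
function triage(report) {
  const vulns = report.vulnerabilities;
  return Object.values(vulns)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => {
      const chains = chainsToRoot(vulns, v.name);
      return {
        package: v.name,
        severity: v.severity,
        advisories: v.via.filter((x) => typeof x === "object").map((a) => a.url),
        chains,
        roots: [...new Set(chains.map((c) => c[c.length - 1]))],
        fixAvailable: v.fixAvailable !== false,
      };
    });
}

// Advisories `npm audit fix` cannot resolve, grouped by the root package whose
// dependency choice has to change (here: taskbook's dependency on meow).
function unfixableByRoot(report) {
  const out = {};
  for (const row of triage(report)) {
    if (row.fixAvailable) continue;
    for (const root of row.roots) (out[root] = out[root] || []).push(row.package);
  }
  return out;
}

// Severity counts, as in the summary line "9 vulnerabilities (6 moderate, 3 high)".
function severityCounts(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  return counts;
}

// To use on a real project: `npm audit --json > audit.json` and pass the path here.
function loadReport(path) {
  return JSON.parse(require("fs").readFileSync(path, "utf8"));
}

for (const row of triage(SAMPLE_REPORT)) {
  console.log(`${row.severity.padEnd(8)} ${row.package}  fix: ${row.fixAvailable ? "npm audit fix" : "needs review"}`);
  for (const c of row.chains) console.log(`  ${c.join(" -> ")}`);
}
console.log("needs review, by root package:", unfixableByRoot(SAMPLE_REPORT), severityCounts(SAMPLE_REPORT));
```

The grouping by root is the useful output: it names the package (taskbook) whose dependency choice has to change, rather than the two leaf packages the audit report lists, which is what the report's "may require choosing a different dependency" line is pointing at. `loadReport` reads a real `npm audit --json` file; the top-level run uses the constructed sample so the script works offline.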
