Vulnerable NPM Dependencies

Base Metric    Score    Severity
overall        2.5      low

Type: Weakness

Status: fixed

Reporting Date: 2023.04.04

Due to outdated packages in the frontend, the application is at risk of vulnerabilities in these dependencies.

Description

Compilation of the project shows outdated packages.

The output of npm audit shows:

# npm audit report

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @storybook/react@7.0.2, which is a breaking change
node_modules/cpy/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/@storybook/builder-webpack4/node_modules/watchpack
      node_modules/@storybook/core-common/node_modules/watchpack
      node_modules/@storybook/core-server/node_modules/webpack/node_modules/watchpack
      node_modules/@storybook/manager-webpack4/node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/@storybook/builder-webpack4/node_modules/webpack
        node_modules/@storybook/core-common/node_modules/webpack
        node_modules/@storybook/core-server/node_modules/webpack
        node_modules/@storybook/manager-webpack4/node_modules/webpack
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/cpy/node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/cpy/node_modules/globby
      cpy  7.0.0 - 8.1.2
      Depends on vulnerable versions of globby
      node_modules/cpy
        @storybook/core-server  <=7.0.0-rc.11
        Depends on vulnerable versions of @storybook/csf-tools
        Depends on vulnerable versions of cpy
        node_modules/@storybook/core-server
          @storybook/core  >=6.2.0-alpha.0
          Depends on vulnerable versions of @storybook/core-server
          node_modules/@storybook/core
            @storybook/react  6.2.0-alpha.0 - 6.5.17-alpha.0
            Depends on vulnerable versions of @storybook/core
            node_modules/@storybook/react

highlight.js  9.0.0 - 10.4.0
Severity: moderate
ReDOS vulnerabities: multiple grammars - https://github.com/advisories/GHSA-7wwv-vh3v-89cq
fix available via `npm audit fix --force`
Will install @types/remarkable@1.7.5, which is a breaking change
node_modules/@types/remarkable/node_modules/highlight.js
  @types/remarkable  >=1.7.6
  Depends on vulnerable versions of highlight.js
  node_modules/@types/remarkable

trim  <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install @storybook/builder-vite@0.1.37, which is a breaking change
node_modules/trim
  remark-parse  <=8.0.3
  Depends on vulnerable versions of trim
  node_modules/remark-parse
    @mdx-js/mdx  <=1.6.22
    Depends on vulnerable versions of remark-mdx
    Depends on vulnerable versions of remark-parse
    node_modules/@mdx-js/mdx
      @storybook/mdx1-csf  *
      Depends on vulnerable versions of @mdx-js/mdx
      node_modules/@storybook/builder-vite/node_modules/@storybook/mdx1-csf
      node_modules/@storybook/mdx1-csf
        @storybook/addon-docs  >=6.5.0-alpha.1
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/addon-docs
          @storybook/addon-essentials  >=6.5.0-alpha.1
          Depends on vulnerable versions of @storybook/addon-docs
          node_modules/@storybook/addon-essentials
        @storybook/builder-vite  >=0.1.38
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/builder-vite
        @storybook/csf-tools  6.5.0-alpha.1 - 6.5.17-alpha.0
        Depends on vulnerable versions of @storybook/mdx1-csf
        node_modules/@storybook/csf-tools
    remark-mdx  <=1.6.22
    Depends on vulnerable versions of remark-parse
    node_modules/remark-mdx

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow

24 vulnerabilities (2 moderate, 22 high)

Impact

24 vulnerabilities (2 moderate, 22 high) were found.

These issues are all Denial of Service vulnerabilities, and the project does not appear to be directly affected. The most impactful issue could theoretically make the application unresponsive when a malicious repository is opened. The general impact is therefore low.

Recommendation

  • Keep packages up to date
  • Fix outdated vulnerable packages manually or with npm audit fix
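As an added example (not part of this report or the audited project), the following Node script triages an `npm audit --json` report (npm v7+ format) the way a CI gate would: it counts findings per severity, fails when anything at or above a threshold is present, and separates fixes that `npm audit fix` applies cleanly from those that need `--force` and a semver-major upgrade, as the glob-parent and highlight.js entries above do. The embedded report is a constructed, shortened sample mirroring this finding; `example-direct-dep` is a constructed placeholder package.

```javascript
// Constructed sample of `npm audit --json` (auditReportVersion 2), shortened from the
// finding above. `fixAvailable` is `true` (clean fix), an object with isSemVerMajor
// (fix needs `npm audit fix --force`), or `false` (no fix published).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "glob-parent": {
      name: "glob-parent", severity: "high", isDirect: false, range: "<5.1.2",
      effects: ["chokidar", "fast-glob"],
      fixAvailable: { name: "@storybook/react", version: "7.0.2", isSemVerMajor: true },
    },
    "highlight.js": {
      name: "highlight.js", severity: "moderate", isDirect: false, range: "9.0.0 - 10.4.0",
      effects: ["@types/remarkable"],
      fixAvailable: { name: "@types/remarkable", version: "1.7.5", isSemVerMajor: true },
    },
    "trim-newlines": {
      name: "trim-newlines", severity: "high", isDirect: false, range: "<3.0.1",
      effects: ["meow"], fixAvailable: true,
    },
    // Constructed placeholder: a direct dependency with no published fix.
    "example-direct-dep": {
      name: "example-direct-dep", severity: "low", isDirect: true, range: "*",
      effects: [], fixAvailable: false,
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Summarise the report; `threshold` is the lowest severity that fails the gate.
function triageAudit(report, threshold = "high") {
  const vulns = Object.values(report.vulnerabilities || {});
  const counts = { info: 0, low: 0, moderate: 0, high: 0, critical: 0 };
  const breaking = [];   // fixes that require `npm audit fix --force` (semver-major)
  const unfixable = [];  // no fix published: needs manual mitigation or replacement
  const direct = [];     // direct dependencies, which the project controls itself
  for (const v of vulns) {
    if (v.severity in counts) counts[v.severity] += 1;
    if (v.isDirect) direct.push(v.name);
    if (v.fixAvailable === false) unfixable.push(v.name);
    else if (typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor)
      breaking.push(`${v.name} -> ${v.fixAvailable.name}@${v.fixAvailable.version}`);
  }
  const failing = vulns
    .filter((v) => SEVERITY_RANK[v.severity] >= SEVERITY_RANK[threshold])
    .map((v) => v.name).sort();
  return { counts, breaking, unfixable, direct, failing, gateFailed: failing.length > 0 };
}

console.log(JSON.stringify(triageAudit(SAMPLE_AUDIT, "high"), null, 2));
```

In a pipeline, replace `SAMPLE_AUDIT` with `JSON.parse` of the captured `npm audit --json` output and exit non-zero when `gateFailed` is true.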