Force resolve packages beyond npm audit reports#341

Merged: jdalton merged 2 commits into main from okayaudit on Feb 28, 2025
Conversation

@pvdz pvdz commented Feb 28, 2025

This will fix our npm audit warnings when doing npm i.

  • The xml2js bump basically forced Object.create(null). This is a transitive dep of blessed-contrib. I checked socket analytics and that seems to still work.
  • The vite bump was to get beyond an esbuild dep, transitive to vitest. If vitest breaks we'll know why (:
  • The undici bump was from 6.12.0 to 6.12.1, the last in the 6.x.x branch (and a backport). It fixes how the number is generated, which I don't expect to actually break anything, as the result before and after is a perceived random value of the same structure.

Before:

added 1 package, removed 8 packages, and audited 1248 packages in 2s

235 packages are looking for funding
  run `npm fund` for details

6 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
$ npm audit
# npm audit report

esbuild  <=0.24.2
Severity: moderate
esbuild enables any website to send any requests to the development server and read the response - https://github.com/advisories/GHSA-67mh-4wv8-2f99
fix available via `npm audit fix`
node_modules/esbuild
  vite  0.11.0 - 6.1.1
  Depends on vulnerable versions of esbuild
  node_modules/vite

undici  6.0.0 - 6.21.0
Severity: moderate
Use of Insufficiently Random Values in undici - https://github.com/advisories/GHSA-c76h-2ccp-4975
fix available via `npm audit fix`
node_modules/undici

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install blessed-contrib@1.0.11, which is a breaking change
node_modules/xml2js
  map-canvas  >=0.0.5
  Depends on vulnerable versions of xml2js
  node_modules/map-canvas
    blessed-contrib  >=1.0.12
    Depends on vulnerable versions of map-canvas
    node_modules/blessed-contrib

6 moderate severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

After:

up to date, audited 1248 packages in 1s

235 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm audit
found 0 vulnerabilities
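
The reports above flag three advisories whose vulnerable packages sit behind other dependencies, which is why they are forced via overrides rather than a plain dependency bump. As an added example (not code from this PR or the project), the script below reads `npm audit --json`-shaped data mirroring the report quoted above and a hypothetical package.json `overrides` map, walks each advisory's `effects` up to the direct dependency that pulls it in, and says whether an override already covers it; the override version values are assumptions, since the PR does not show its package.json diff.

```javascript
// Added example, not the PR's own code. The audit object is constructed to mirror the
// `npm audit` report quoted in the PR; the overrides map and its versions are hypothetical.
const auditReport = {
  vulnerabilities: {
    esbuild: { severity: 'moderate', isDirect: false, range: '<=0.24.2', effects: ['vite'],
      via: [{ url: 'https://github.com/advisories/GHSA-67mh-4wv8-2f99' }] },
    vite: { severity: 'moderate', isDirect: false, range: '0.11.0 - 6.1.1', effects: [], via: ['esbuild'] },
    undici: { severity: 'moderate', isDirect: false, range: '6.0.0 - 6.21.0', effects: [],
      via: [{ url: 'https://github.com/advisories/GHSA-c76h-2ccp-4975' }] },
    xml2js: { severity: 'moderate', isDirect: false, range: '<0.5.0', effects: ['map-canvas'],
      via: [{ url: 'https://github.com/advisories/GHSA-776f-qx25-q3cc' }] },
    'map-canvas': { severity: 'moderate', isDirect: false, range: '>=0.0.5', effects: ['blessed-contrib'], via: ['xml2js'] },
    'blessed-contrib': { severity: 'moderate', isDirect: true, range: '>=1.0.12', effects: [], via: ['map-canvas'] },
  },
};
// Hypothetical package.json "overrides" block: undici is deliberately left out to show the gap report.
const overrides = { xml2js: '^0.5.0', esbuild: '>=0.25.0' };
// An entry is its own advisory when `via` holds an advisory object; entries whose `via`
// only names another package are merely flagged for depending on a vulnerable range.
function ownAdvisories(report) {
  return Object.entries(report.vulnerabilities)
    .filter(([, v]) => v.via.some((x) => typeof x === 'object' && x !== null))
    .map(([name]) => name);
}
// Follow `effects` upward until a direct dependency (or a package nothing else in the
// report depends on) is reached; each chain is [vulnerable, ..., root].
function dependentChains(report, name) {
  const vulns = report.vulnerabilities;
  const chains = [];
  const walk = (pkg, path) => {
    const node = vulns[pkg];
    const here = [...path, pkg];
    if (!node || node.isDirect || node.effects.length === 0) { chains.push(here); return; }
    for (const next of node.effects) walk(next, here);
  };
  walk(name, []);
  return chains;
}
// Per advisory: the direct dependencies that drag it in, and whether it needs an override.
function overrideStatus(report, ov) {
  return ownAdvisories(report).map((name) => {
    const v = report.vulnerabilities[name];
    const roots = dependentChains(report, name).map((c) => c[c.length - 1]);
    const advice = v.isDirect ? 'bump in dependencies'
      : (name in ov ? 'override present' : 'add overrides entry');
    return { name, severity: v.severity, range: v.range, roots, override: ov[name] ?? null, advice };
  });
}
console.table(overrideStatus(auditReport, overrides));
```

Running it prints one row per advisory; on a real project, replace `auditReport` with `JSON.parse` of `npm audit --json` output and `overrides` with the block from package.json.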

@pvdz pvdz requested a review from jdalton February 28, 2025 11:21
@jdalton jdalton left a comment

I ❤️ this!

@jdalton jdalton merged commit 07166a5 into main Feb 28, 2025
15 checks passed
@jdalton jdalton deleted the okayaudit branch February 28, 2025 12:43