Security warnings #16

Open
risharde opened this issue May 16, 2022 · 1 comment

@shakty I'm seeing the following and I was wondering if this is normal. Concerned about security here if there are perhaps alternate libraries that can be used to avoid vulnerabilities. Seems like it's an NDDB dependency to use uglify?

```
uglify-js <=2.5.0
Severity: critical
Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js - GHSA-34r7-q49f-h37c
Regular Expression Denial of Service in uglify-js - GHSA-c9f4-xj24-8jqx
fix available via npm audit fix --force
Will install NDDB@0.4.2, which is a breaking change
node_modules/uglify-js
smoosh >=0.4.0
Depends on vulnerable versions of uglify-js
node_modules/smoosh
JSUS >=0.6.3
Depends on vulnerable versions of smoosh
node_modules/JSUS
NDDB >=0.4.3
Depends on vulnerable versions of JSUS
Depends on vulnerable versions of smoosh
node_modules/NDDB
shelf.js >=0.3.7
Depends on vulnerable versions of smoosh
node_modules/shelf.js

5 critical severity vulnerabilities
```

Member

shakty commented May 17, 2022

Hi,

Thanks for posting this. uglify-js is no longer used in the minified build of nodegame; we use terser-js for that. It should be removed as a dependency and the build script should be updated.
