install of surge results in deprecations and vulnerabilities #504

Open
johndeighan opened this issue Apr 30, 2023 · 2 comments

Comments

@johndeighan

$ cd test

johnd@RazerBlade MINGW64 ~/test
$ npm install surge
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 112 packages in 10s

4 packages are looking for funding
  run `npm fund` for details

johnd@RazerBlade MINGW64 ~/test
$ npm audit
# npm audit report

minimist  1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/minimist
  surge  >=0.1.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/surge

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install surge@0.9.0, which is a breaking change
node_modules/request

3 vulnerabilities (1 moderate, 2 critical)

To address all issues (including breaking changes), run:
  npm audit fix --force

However, even using npm audit fix --force did not clear up the critical vulnerabilities.
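What the "Prototype Pollution in minimist" finding in the audit output above means for a program that parses untrusted argv, shown with an added example that is not surge's or minimist's code: a toy argv parser with minimist-style dotted keys (`--a.b=value`), once in the naive form that walks every path segment and once hardened, plus a probe that checks whether parsing a payload leaves a property on every object in the process. The parser, the `polluted` property name and the two payloads are constructed for this illustration; which argv spelling reaches the prototype in a given minimist release depends on that release, and the advisory linked in the audit output (GHSA-xvch-5gv4-984h) is the reference for that.

```javascript
// Added example (not minimist's code): a toy argv parser with dotted keys, in a
// vulnerable and a hardened form, to show what prototype pollution through an
// argument parser looks like and how a probe can detect it.

// Vulnerable: walks every path segment, so "__proto__" or "constructor.prototype"
// leads straight to Object.prototype and the final assignment lands there.
function setKeyVulnerable(obj, path, value) {
  const keys = path.split('.');
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    if (o[k] === undefined) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Hardened: refuse the segments that can reach a prototype, and only descend into
// plain objects the current node owns, so inherited members are never walked into.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);
function setKeySafe(obj, path, value) {
  const keys = path.split('.');
  if (keys.some((k) => FORBIDDEN_SEGMENTS.has(k))) return false; // drop the whole key
  let o = obj;
  for (const k of keys.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(o, k);
    if (!own || typeof o[k] !== 'object' || o[k] === null) o[k] = {};
    o = o[k];
  }
  o[keys[keys.length - 1]] = value;
  return true;
}

// Parse "--a.b=value" arguments with the supplied setter.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    const m = /^--([^=]+)=(.*)$/.exec(arg);
    if (m) setKey(out, m[1], m[2]);
  }
  return out;
}

// Probe: does parsing this argv with this setter leave a "polluted" property on
// every object in the process? Cleans up afterwards so later code is unaffected.
function pollutesPrototype(setKey, argv) {
  const before = 'polluted' in {};
  parseArgs(argv, setKey);
  const after = 'polluted' in {};
  delete Object.prototype.polluted;
  return !before && after;
}

// Constructed payloads: two spellings that reach Object.prototype through a naive walk.
const PAYLOADS = [
  ['--__proto__.polluted=yes', '--server.port=8080'],
  ['--constructor.prototype.polluted=yes', '--server.port=8080'],
];

// Run the probe for each payload against both setters.
function runProbes() {
  return PAYLOADS.map((argv) => ({
    argv: argv[0],
    vulnerable: pollutesPrototype(setKeyVulnerable, argv),
    hardened: pollutesPrototype(setKeySafe, argv),
  }));
}

console.table(runProbes());
```

The same probe can be pointed at an installed copy by passing `require('minimist')` in place of the toy parser, which is a quicker check than reading the advisory diff when deciding whether a transitive dependency is actually reachable from your own argv handling. When the only `npm audit fix` path is a breaking upgrade of the direct dependency, the `overrides` field in package.json (npm 8.3 and later) can pin the transitive `minimist` to a patched release so the lockfile, and therefore `npm audit`, stops carrying the vulnerable version.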

@balupton

I use surge to deploy the documentation for the @bevry packages, this has caused all the bevry packages to be marked as insecure.

@balupton

dupe of #472

balupton added a commit to bevry-actions/surge that referenced this issue Nov 27, 2023