npm audit reports high/moderate severity vulnerabilities in [email protected] dependencies #2043 (Open)
Description
Which packages are impacted by your issue?
@graphprotocol/graph-cli
Describe the issue
I'm using @graphprotocol/graph-cli version 0.97.1 (installed via npm) and npm audit reports several high and moderate severity vulnerabilities in transitive dependencies. npm audit fix --force suggests downgrading to [email protected] to resolve these, which is not an ideal solution. I've previously built on version 0.73.0, which has a number of vulnerabilities as well, and fixes to 0.97.1
Reproduction
any install utilizing the affected version
Steps to Reproduce the Bug or Issue
- create a new npm project or ensure package.json specifies:

```json
{
  "dependencies": {
    "@graphprotocol/graph-cli": "0.97.1",
    "@graphprotocol/graph-ts": "0.32.0"
  }
}
```

- run a clean install:

```sh
rm -rf node_modules package-lock.json
npm install
```

- run the audit:

```sh
npm audit
```
Actual Results (full npm audit output):

```text
[16:21:00] [jon]:~/xmtp/subgraphs ✗ $ npm list @graphprotocol/graph-cli
[email protected] /home/jon/xmtp/subgraphs
└── @graphprotocol/[email protected]
[16:22:00] [jon]:~/xmtp/subgraphs ✓ $ npm audit
# npm audit report

axios  <=0.29.0
Severity: high
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
fix available via `npm audit fix --force`
Will install @graphprotocol/[email protected], which is a breaking change
node_modules/axios
  apisauce  <=3.0.0
  Depends on vulnerable versions of axios
  node_modules/apisauce
    gluegun  >=0.3.0
    Depends on vulnerable versions of apisauce
    Depends on vulnerable versions of cross-spawn
    Depends on vulnerable versions of ejs
    Depends on vulnerable versions of lodash.trim
    Depends on vulnerable versions of lodash.trimend
    Depends on vulnerable versions of semver
    node_modules/gluegun
      @graphprotocol/graph-cli  >=0.25.2
      Depends on vulnerable versions of gluegun
      node_modules/@graphprotocol/graph-cli

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install @graphprotocol/[email protected], which is a breaking change
node_modules/gluegun/node_modules/cross-spawn

ejs  <3.1.10
Severity: moderate
ejs lacks certain pollution protection - https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
fix available via `npm audit fix --force`
Will install @graphprotocol/[email protected], which is a breaking change
node_modules/gluegun/node_modules/ejs

lodash.trim  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix --force`
Will install @graphprotocol/[email protected], which is a breaking change
node_modules/lodash.trim

lodash.trimend  *
Severity: moderate
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/lodash.trimend

semver  7.0.0 - 7.5.1
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install @graphprotocol/[email protected], which is a breaking change
node_modules/gluegun/node_modules/semver

9 vulnerabilities (3 moderate, 6 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Expected behavior
npm audit reports no vulnerabilities, or offers a viable fix at or above the 0.97.x version line instead of a downgrade.
Platform
- OS: WSL 2 on Windows 11
- NodeJS: 20.19.0
- @graphprotocol/graph-cli version(s): 0.97.1
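As an added example, not code from the issue or from the graph-cli project: the Node.js script below reads an `npm audit --json` report (the auditReportVersion 2 shape that backs the text output above) and collapses the nine per-package findings into the distinct advisories and the direct dependency that pulls each one in, counting which fixes npm marks as semver-major. The sample report is constructed to mirror the output in the issue; the suggested graph-cli fix version is a placeholder because it is not readable on this page.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2), mirroring the
// issue's report. The fix version is a placeholder (the page elides it); lodash.trimend needs no --force.
const FIX = { name: "@graphprotocol/graph-cli", version: "<fix-version-placeholder>", isSemVerMajor: true };
const adv = (id, severity) => ({ url: `https://github.com/advisories/${id}`, severity });
const entry = (name, severity, via, effects, isDirect = false, fixAvailable = FIX) =>
  ({ name, severity, isDirect, via, effects, fixAvailable });
const GLUE = ["gluegun"];
const SAMPLE_AUDIT = { auditReportVersion: 2, vulnerabilities: {
  axios: entry("axios", "high", [adv("GHSA-wf5p-g6vw-rhxx", "high"), adv("GHSA-jr5f-v2jv-69x6", "high")], ["apisauce"]),
  apisauce: entry("apisauce", "high", ["axios"], GLUE),
  gluegun: entry("gluegun", "high", ["apisauce", "cross-spawn", "ejs", "lodash.trim", "lodash.trimend", "semver"],
    ["@graphprotocol/graph-cli"]),
  "@graphprotocol/graph-cli": entry("@graphprotocol/graph-cli", "high", ["gluegun"], [], true),
  "cross-spawn": entry("cross-spawn", "high", [adv("GHSA-3xgq-45jj-v275", "high")], GLUE),
  ejs: entry("ejs", "moderate", [adv("GHSA-ghr5-ch3p-vcr6", "moderate")], GLUE),
  "lodash.trim": entry("lodash.trim", "moderate", [adv("GHSA-29mw-wpgm-hmr9", "moderate")], GLUE),
  "lodash.trimend": entry("lodash.trimend", "moderate", [adv("GHSA-29mw-wpgm-hmr9", "moderate")], GLUE, false, true),
  semver: entry("semver", "high", [adv("GHSA-c2qf-rxjj-qqgw", "high")], GLUE),
} };

// Walk `effects` upward from a package to the project's direct dependencies:
// those are the only packages a package.json pin can actually influence.
function directCulprits(report, pkg, seen = new Set()) {
  const v = report.vulnerabilities[pkg];
  if (!v || seen.has(pkg)) return [];
  seen.add(pkg);
  if (v.isDirect) return [pkg];
  return [...new Set(v.effects.flatMap((e) => directCulprits(report, e, seen)))];
}

// Collapse per-package findings into distinct advisories. In `via`, object entries
// are advisories; string entries only name another vulnerable package in the chain.
function summarize(report) {
  const byUrl = new Map();
  for (const v of Object.values(report.vulnerabilities)) {
    for (const via of v.via) {
      if (typeof via !== "object") continue;
      const row = byUrl.get(via.url) ?? { url: via.url, severity: via.severity, packages: [], directDeps: new Set() };
      row.packages.push(v.name);
      for (const d of directCulprits(report, v.name)) row.directDeps.add(d);
      byUrl.set(via.url, row);
    }
  }
  const breakingFixes = Object.values(report.vulnerabilities).filter((v) => v.fixAvailable?.isSemVerMajor === true).length;
  const advisories = [...byUrl.values()].map((r) => ({ ...r, directDeps: [...r.directDeps] }));
  return { findings: Object.keys(report.vulnerabilities).length, advisories, breakingFixes };
}

const out = summarize(SAMPLE_AUDIT);
console.log(`${out.findings} findings, ${out.advisories.length} distinct advisories, ${out.breakingFixes} need a semver-major fix`);
```

With a real report, replace SAMPLE_AUDIT by `JSON.parse` of the `npm audit --json` output; the same walk then shows that every finding here traces back to the single direct dependency @graphprotocol/graph-cli through gluegun.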