
Deprecated dependencies and an outdated version of npm in the package.json file are causing compatibility issues. #4156

Open
4 tasks done
apsinghdev opened this issue Dec 18, 2024 · 0 comments · May be fixed by #4157

Comments

@apsinghdev
Member

Current Behavior

We are using many deprecated dependencies in Music Blocks.

[Screenshot 2024-12-18 at 9:14:59 PM]

ISSUE: 1 - Deprecated dependencies

Project Security Audit

Overview

Our project's security audit reveals several vulnerabilities that require attention. This document outlines the current security status of our dependencies.

Running Audit

To check for vulnerabilities, run the following command:

npm audit

Detailed Vulnerability Report

Vulnerability Summary

  • Total Vulnerabilities: 14
  • Severity Breakdown:
    • Low: 2
    • Moderate: 1
    • High: 9
    • Critical: 2

Identified Vulnerabilities

High Severity Vulnerabilities

  1. ansi-regex (4.0.0 - 4.1.0 || 5.0.0)

    • Issue: Inefficient Regular Expression Complexity
    • Location: node_modules/eslint/node_modules/ansi-regex, node_modules/table/node_modules/ansi-regex
    • Advisory: GHSA-93q8-gq69-wqmw
    • Fix: Available via npm audit fix
  2. cross-spawn (7.0.0 - 7.0.4)

    • Issue: Regular Expression Denial of Service (ReDoS)
    • Location: node_modules/eslint/node_modules/cross-spawn
    • Advisory: GHSA-3xgq-45jj-v275
    • Fix: Available via npm audit fix
  3. decode-uri-component (<0.2.1)

    • Issue: Denial of Service (DoS)
    • Location: node_modules/decode-uri-component
    • Advisory: GHSA-w573-4hg7-7wgq
    • Fix: Available via npm audit fix

Critical Severity Vulnerabilities

  1. minimist (<=0.2.3)

Unresolved Vulnerabilities

Some vulnerabilities currently have no available fix:

  1. clean-css (<4.1.11)

    • Issue: Regular Expression Denial of Service
    • Location: node_modules/gulp-minify-css/node_modules/clean-css
    • No fix available
  2. lodash.template

    • Issue: Command Injection
    • Location: node_modules/gulp-util/node_modules/lodash.template
    • No fix available
  3. node-static

    • Issue: Denial of Service and Directory Traversal
    • Location: node_modules/node-static
    • No fix available

Recommended Actions

  1. Run npm audit fix to address fixable vulnerabilities
  2. Manually review and potentially update or replace packages with unresolvable issues
  3. Regularly update dependencies to ensure security
  4. Consider alternative packages for those with known vulnerabilities

ISSUE: 2 - The package-lock.json file was created with an old version of npm

[Screenshot 2024-12-18 at 9:27:42 PM]

Checklist

  • I have read and followed the project's code of conduct.
  • I have searched for similar issues before creating this one.
  • I have provided all the necessary information to understand and reproduce the issue.
  • I am willing to contribute to the resolution of this issue.

Thank you for contributing to our project! We appreciate your help in improving it.

📚 See contributing instructions.

🙋🏾🙋🏼 Questions: Community Matrix Server.
