
NPM package vulnerabilities in 8.1.4 #7367


scott7106 created
  • ABP Framework version: v8.1.4
  • UI Type: Angular
  • Database System: EF Core
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

After upgrading to ABP 8.1.4, I ran an npm audit command on the *.HttpApi.Host project where the abp/account and lepton-x theme packages are defined. The output shows 19 high vulnerabilities. Do you have a plan to address these vulnerabilities?

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
No fix available
node_modules/braces
node_modules/micromatch/node_modules/braces
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of braces
  Depends on vulnerable versions of glob-parent
  Depends on vulnerable versions of readdirp
  node_modules/chokidar
  glob-watcher  5.0.0 - 5.0.5
  Depends on vulnerable versions of anymatch
  Depends on vulnerable versions of chokidar
  node_modules/glob-watcher
  gulp  4.0.0 - 4.0.2
  Depends on vulnerable versions of glob-watcher
  Depends on vulnerable versions of gulp-cli
  Depends on vulnerable versions of vinyl-fs
  node_modules/gulp
  @abp/aspnetcore.mvc.ui  0.6.3 - 8.1.4
  Depends on vulnerable versions of gulp
  node_modules/@abp/aspnetcore.mvc.ui
  @abp/aspnetcore.mvc.ui.theme.shared  0.6.3 - 8.1.4
  Depends on vulnerable versions of @abp/aspnetcore.mvc.ui
  node_modules/@abp/aspnetcore.mvc.ui.theme.shared
  @volo/abp.aspnetcore.mvc.ui.theme.commercial  <=8.1.4
  Depends on vulnerable versions of @abp/aspnetcore.mvc.ui.theme.shared
  node_modules/@volo/abp.aspnetcore.mvc.ui.theme.commercial
  @volo/abp.aspnetcore.mvc.ui.theme.leptonx  <=3.1.4
  Depends on vulnerable versions of @volo/abp.aspnetcore.mvc.ui.theme.commercial
  node_modules/@volo/abp.aspnetcore.mvc.ui.theme.leptonx
  @volo/account  <=8.1.4
  Depends on vulnerable versions of @volo/abp.aspnetcore.mvc.ui.theme.commercial
  node_modules/@volo/account
  micromatch  0.2.0 - 3.1.10
  Depends on vulnerable versions of braces
  node_modules/anymatch/node_modules/micromatch
  node_modules/findup-sync/node_modules/micromatch
  node_modules/matchdep/node_modules/micromatch
  node_modules/readdirp/node_modules/micromatch
  anymatch  1.2.0 - 2.0.0
  Depends on vulnerable versions of micromatch
  node_modules/anymatch
  findup-sync  0.4.0 - 3.0.0
  Depends on vulnerable versions of micromatch
  node_modules/findup-sync
  node_modules/matchdep/node_modules/findup-sync
  liftoff  2.2.3 - 3.1.0
  Depends on vulnerable versions of findup-sync
  node_modules/liftoff
  gulp-cli  1.3.0 - 2.3.0
  Depends on vulnerable versions of liftoff
  Depends on vulnerable versions of matchdep
  node_modules/gulp-cli
  matchdep  >=1.0.1
  Depends on vulnerable versions of findup-sync
  Depends on vulnerable versions of micromatch
  node_modules/matchdep
  readdirp  2.2.0 - 2.2.1
  Depends on vulnerable versions of micromatch
  node_modules/readdirp

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
No fix available
node_modules/glob-parent
  glob-stream  5.3.0 - 6.1.0
  Depends on vulnerable versions of glob-parent
  node_modules/glob-stream
  vinyl-fs  2.4.2 - 3.0.3
  Depends on vulnerable versions of glob-stream
  node_modules/vinyl-fs

sweetalert2  >=11.6.14
sweetalert2 v11.6.14 and above contains potentially undesirable behavior - https://github.com/advisories/GHSA-mrr8-v49w-3333
fix available via `npm audit fix`
node_modules/sweetalert2

20 vulnerabilities (1 low, 19 high)
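Triage of a report like the one above, as an added example that is not from the original post or from ABP: it takes `npm audit --json` output (auditReportVersion 2), walks each root-cause advisory through `effects` up to the direct dependencies that pull it in, and flags whether npm reports a fix. The report embedded below is constructed to mirror the braces and glob-parent chains quoted above; on a real project, feed it the parsed output of `npm audit --json` instead.

```javascript
// Added example, not ABP's code: follow each advisory in an `npm audit --json` report
// up its "effects" chain to the direct dependencies (package.json entries) that pull it in.
// Minimal report entry (CONSTRUCTED). `via` holds advisory objects (root cause) or names of
// other vulnerable packages this one depends on; `effects` lists packages depending on it.
const entry = (name, via, effects, opts = {}) =>
  ({ name, severity: 'high', isDirect: false, via, effects, fixAvailable: false, ...opts });
const bracesAdvisory = { name: 'braces', severity: 'high', range: '<3.0.3',
  url: 'https://github.com/advisories/GHSA-grv7-fg5c-xmjg' };
const globParentAdvisory = { name: 'glob-parent', severity: 'high', range: '<5.1.2',
  url: 'https://github.com/advisories/GHSA-ww39-953v-wcq6' };
// Constructed sample mirroring the chains in the post; "No fix available" => fixAvailable: false.
const sampleReport = { auditReportVersion: 2, vulnerabilities: {
  'braces':       entry('braces', [bracesAdvisory], ['micromatch']),
  'micromatch':   entry('micromatch', ['braces'], ['anymatch']),
  'anymatch':     entry('anymatch', ['micromatch'], ['chokidar']),
  'chokidar':     entry('chokidar', ['anymatch'], ['glob-watcher']),
  'glob-watcher': entry('glob-watcher', ['chokidar'], ['gulp']),
  'glob-parent':  entry('glob-parent', [globParentAdvisory], ['glob-stream']),
  'glob-stream':  entry('glob-stream', ['glob-parent'], ['vinyl-fs']),
  'vinyl-fs':     entry('vinyl-fs', ['glob-stream'], ['gulp']),
  'gulp':         entry('gulp', ['glob-watcher', 'vinyl-fs'], ['@abp/aspnetcore.mvc.ui']),
  '@abp/aspnetcore.mvc.ui': entry('@abp/aspnetcore.mvc.ui', ['gulp'], ['@volo/account']),
  '@volo/account': entry('@volo/account', ['@abp/aspnetcore.mvc.ui'], [], { isDirect: true }),
} };
// One row per root-cause advisory: the direct dependencies it reaches and whether npm
// reports a fix (fixAvailable is false, true, or an object describing the fix).
function triage(report) {
  const vulns = report.vulnerabilities;
  const directsReachedFrom = (start) => {
    const seen = new Set(), directs = new Set(), stack = [start];
    while (stack.length) {
      const n = stack.pop();
      if (seen.has(n) || !vulns[n]) continue;   // unknown names and cycles are skipped
      seen.add(n); if (vulns[n].isDirect) directs.add(n);
      stack.push(...vulns[n].effects);
    }
    return [...directs].sort();
  };
  const rows = [];
  for (const v of Object.values(vulns)) {
    for (const adv of v.via) {
      if (typeof adv !== 'object') continue;    // a string means transitive, not a root cause
      rows.push({ package: v.name, severity: adv.severity, advisory: adv.url,
                  fixAvailable: v.fixAvailable !== false, directs: directsReachedFrom(v.name) });
    }
  }
  return rows;
}
console.table(triage(sampleReport));
```

The `directs` column is what matters for remediation here: both advisories land in @volo/account only through gulp, so the fix has to come from the package that pins gulp, not from the application's own package.json.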


2 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    Hi

    We will upgrade all packages as much as possible in the next version.

    Your ticket has been refunded.

    Thanks

  • maliming created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/issues/20069

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11