- ABP Framework version: v8.1.4
- UI Type: Angular
- Database System: EF Core
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace:
- Steps to reproduce the issue:
After upgrading to ABP 8.1.4, I ran an npm audit command on the *.HttpApi.Host project where the abp/account and lepton-x theme packages are defined. The output shows 19 high vulnerabilities. Do you have a plan to address these vulnerabilities?
braces <3.0.3 Severity: high Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg No fix available node_modules/braces node_modules/micromatch/node_modules/braces chokidar 1.0.0-rc1 - 2.1.8 Depends on vulnerable versions of anymatch Depends on vulnerable versions of braces Depends on vulnerable versions of glob-parent Depends on vulnerable versions of readdirp node_modules/chokidar glob-watcher 5.0.0 - 5.0.5 Depends on vulnerable versions of anymatch Depends on vulnerable versions of chokidar node_modules/glob-watcher gulp 4.0.0 - 4.0.2 Depends on vulnerable versions of glob-watcher Depends on vulnerable versions of gulp-cli Depends on vulnerable versions of vinyl-fs node_modules/gulp @abp/aspnetcore.mvc.ui 0.6.3 - 8.1.4 Depends on vulnerable versions of gulp node_modules/@abp/aspnetcore.mvc.ui @abp/aspnetcore.mvc.ui.theme.shared 0.6.3 - 8.1.4 Depends on vulnerable versions of @abp/aspnetcore.mvc.ui node_modules/@abp/aspnetcore.mvc.ui.theme.shared @volo/abp.aspnetcore.mvc.ui.theme.commercial <=8.1.4 Depends on vulnerable versions of @abp/aspnetcore.mvc.ui.theme.shared node_modules/@volo/abp.aspnetcore.mvc.ui.theme.commercial @volo/abp.aspnetcore.mvc.ui.theme.leptonx <=3.1.4 Depends on vulnerable versions of @volo/abp.aspnetcore.mvc.ui.theme.commercial node_modules/@volo/abp.aspnetcore.mvc.ui.theme.leptonx @volo/account <=8.1.4 Depends on vulnerable versions of @volo/abp.aspnetcore.mvc.ui.theme.commercial node_modules/@volo/account micromatch 0.2.0 - 3.1.10 Depends on vulnerable versions of braces node_modules/anymatch/node_modules/micromatch node_modules/findup-sync/node_modules/micromatch node_modules/matchdep/node_modules/micromatch node_modules/readdirp/node_modules/micromatch anymatch 1.2.0 - 2.0.0 Depends on vulnerable versions of micromatch node_modules/anymatch findup-sync 0.4.0 - 3.0.0 Depends on vulnerable versions of micromatch node_modules/findup-sync node_modules/matchdep/node_modules/findup-sync liftoff 2.2.3 - 3.1.0 Depends on vulnerable versions of findup-sync node_modules/liftoff gulp-cli 1.3.0 - 2.3.0 Depends on vulnerable versions of liftoff Depends on vulnerable versions of matchdep node_modules/gulp-cli matchdep >=1.0.1 Depends on vulnerable versions of findup-sync Depends on vulnerable versions of micromatch node_modules/matchdep readdirp 2.2.0 - 2.2.1 Depends on vulnerable versions of micromatch node_modules/readdirp
glob-parent <5.1.2 Severity: high glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6 No fix available node_modules/glob-parent glob-stream 5.3.0 - 6.1.0 Depends on vulnerable versions of glob-parent node_modules/glob-stream vinyl-fs 2.4.2 - 3.0.3 Depends on vulnerable versions of glob-stream node_modules/vinyl-fs
sweetalert2 >=11.6.14
sweetalert2 v11.6.14 and above contains potentially undesirable behavior - https://github.com/advisories/GHSA-mrr8-v49w-3333
fix available via npm audit fix
node_modules/sweetalert2
20 vulnerabilities (1 low, 19 high)
