@Arique1104
Created December 13, 2023 21:00

Worklog 12-2-23

  • npm audit report 12/2/23 12:06pm
@cypress/request  <=2.88.12
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install cypress@13.6.0, which is a breaking change
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

apollo-server-core  <=2.26.0
Severity: moderate
Introspection in schema validation in Apollo Server - https://github.com/advisories/GHSA-w42g-7vfc-xf37
Prevent logging invalid header values - https://github.com/advisories/GHSA-j5g3-5c8r-7qfx
fix available via `npm audit fix --force`
Will install apollo-server-express@3.13.0, which is a breaking change
node_modules/apollo-server-core
  apollo-server-express  <=2.14.1
  Depends on vulnerable versions of apollo-server-core
  node_modules/apollo-server-express


axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @bandwidth/messaging@4.1.3, which is a breaking change
node_modules/axios
node_modules/twilio/node_modules/axios
  @bandwidth/messaging  3.0.0 - 4.1.2
  Depends on vulnerable versions of axios
  node_modules/@bandwidth/messaging
  twilio  2.6.0 - 4.19.0 || >=5.0.0-rc16
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of jsonwebtoken
  node_modules/twilio

cli  <=0.11.3
Arbitrary File Write in cli - https://github.com/advisories/GHSA-6cpc-mj5c-m9rq
Node CLI Allows Arbitrary File Overwrite - https://github.com/advisories/GHSA-3mrp-qhcj-mwv5
No fix available
node_modules/cli
  color-difference  *
  Depends on vulnerable versions of cli
  node_modules/color-difference

debug  4.0.0 - 4.3.0
Severity: moderate
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/rethink-knex-adapter/node_modules/debug
  knex  <=2.3.0
  Depends on vulnerable versions of debug
  node_modules/rethink-knex-adapter/node_modules/knex
    rethink-knex-adapter  *
    Depends on vulnerable versions of knex
    Depends on vulnerable versions of thinky
    node_modules/rethink-knex-adapter

degenerator  <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/degenerator
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install json2csv@6.0.0-alpha.2, which is a breaking change
node_modules/flat
  json2csv  3.1.0 - 4.0.0-alpha.2
  Depends on vulnerable versions of flat
  node_modules/json2csv

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.15.1, which is a breaking change
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://github.com/advisories/GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install googleapis@129.0.0, which is a breaking change
node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis-common
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/nexmo/node_modules/jsonwebtoken
node_modules/twilio/node_modules/jsonwebtoken
  nexmo  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/nexmo


netmask  <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - https://github.com/advisories/GHSA-4c7m-wxvm-r7gc
netmask npm package mishandles octal input data - https://github.com/advisories/GHSA-pch5-whg9-qr2r
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install isomorphic-fetch@3.0.0, which is a breaking change
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/recompose/node_modules/fbjs
      recompose  >=0.18.0
      Depends on vulnerable versions of fbjs
      node_modules/recompose

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.15.1, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts


passport  <0.6.0
Severity: moderate
Passport vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
fix available via `npm audit fix --force`
Will install passport@0.7.0, which is a breaking change
node_modules/passport

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/request
  passport-auth0  <=1.4.0
  Depends on vulnerable versions of request
  node_modules/passport-auth0
  wait-on  <=4.0.2
  Depends on vulnerable versions of request
  node_modules/wait-on

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier
    nodemon  2.0.19 - 2.0.22
    Depends on vulnerable versions of simple-update-notifier
    node_modules/nodemon

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
No fix available
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    us-area-codes  *
    Depends on vulnerable versions of meow
    node_modules/us-area-codes

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix --force`
Will install thinky@1.15.1, which is a breaking change
node_modules/validator
  thinky  >=1.15.2
  Depends on vulnerable versions of validator
  node_modules/thinky

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
No fix available
node_modules/xml2js
  @bandwidth/numbers  *
  Depends on vulnerable versions of xml2js
  node_modules/@bandwidth/numbers
  selenium-webdriver  2.43.1 - 4.0.0-rc-2
  Depends on vulnerable versions of xml2js
  node_modules/selenium-webdriver

62 vulnerabilities (5 low, 25 moderate, 27 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Okay, I've removed some error messages. Now it's time to see if this turns on.

  • Haven't tried turning it on yet, but finally got rid of the error that kept coming up.
  • This is the npm audit report
@cypress/request  <=2.88.12
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
fix available via `npm audit fix --force`
Will install cypress@13.6.0, which is a breaking change
node_modules/@cypress/request
  cypress  4.3.0 - 12.17.4
  Depends on vulnerable versions of @cypress/request
  node_modules/cypress

apollo-server-core  <=2.26.0
Severity: moderate
Introspection in schema validation in Apollo Server - https://github.com/advisories/GHSA-w42g-7vfc-xf37
Prevent logging invalid header values - https://github.com/advisories/GHSA-j5g3-5c8r-7qfx
fix available via `npm audit fix --force`
Will install apollo-server-express@3.13.0, which is a breaking change
node_modules/apollo-server-core
  apollo-server-express  <=2.14.1
  Depends on vulnerable versions of apollo-server-core
  node_modules/apollo-server-express


axios  0.8.1 - 1.5.1
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @bandwidth/messaging@4.1.3, which is a breaking change
node_modules/axios
node_modules/twilio/node_modules/axios
  @bandwidth/messaging  3.0.0 - 4.1.2
  Depends on vulnerable versions of axios
  node_modules/@bandwidth/messaging
  twilio  2.6.0 - 4.19.0 || >=5.0.0-rc16
  Depends on vulnerable versions of axios
  Depends on vulnerable versions of jsonwebtoken
  node_modules/twilio

cli  <=0.11.3
Arbitrary File Write in cli - https://github.com/advisories/GHSA-6cpc-mj5c-m9rq
Node CLI Allows Arbitrary File Overwrite - https://github.com/advisories/GHSA-3mrp-qhcj-mwv5
No fix available
node_modules/cli
  color-difference  *
  Depends on vulnerable versions of cli
  node_modules/color-difference

debug  4.0.0 - 4.3.0
Severity: moderate
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
No fix available
node_modules/rethink-knex-adapter/node_modules/debug
  knex  <=2.3.0
  Depends on vulnerable versions of debug
  node_modules/rethink-knex-adapter/node_modules/knex
    rethink-knex-adapter  *
    Depends on vulnerable versions of knex
    Depends on vulnerable versions of thinky
    node_modules/rethink-knex-adapter

degenerator  <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/degenerator
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  Depends on vulnerable versions of netmask
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        mailgun-js  >=0.6.8
        Depends on vulnerable versions of proxy-agent
        node_modules/mailgun-js

flat  <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
fix available via `npm audit fix --force`
Will install json2csv@6.0.0-alpha.2, which is a breaking change
node_modules/flat
  json2csv  3.1.0 - 4.0.0-alpha.2
  Depends on vulnerable versions of flat
  node_modules/json2csv

glob-parent  <5.1.2
Severity: high
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.15.1, which is a breaking change
node_modules/webpack-dev-server/node_modules/glob-parent
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/webpack-dev-server/node_modules/chokidar
    webpack-dev-server  2.0.0-beta - 4.7.2
    Depends on vulnerable versions of chokidar
    Depends on vulnerable versions of selfsigned
    node_modules/webpack-dev-server

json-bigint  <1.0.0
Severity: high
Uncontrolled Resource Consumption in json-bigint - https://github.com/advisories/GHSA-wgfq-7857-4jcc
fix available via `npm audit fix --force`
Will install googleapis@129.0.0, which is a breaking change
node_modules/json-bigint
  gcp-metadata  0.8.0 - 4.1.0
  Depends on vulnerable versions of json-bigint
  node_modules/gcp-metadata
    google-auth-library  0.9.4 - 5.10.1
    Depends on vulnerable versions of gcp-metadata
    Depends on vulnerable versions of gtoken
    node_modules/google-auth-library
      googleapis  37.0.0-webpack - 48.0.0
      Depends on vulnerable versions of google-auth-library
      Depends on vulnerable versions of googleapis-common
      node_modules/googleapis
      googleapis-common  0.5.0-webpack - 0.5.0-webpack3 || 0.6.0-webpack - 3.2.2
      Depends on vulnerable versions of google-auth-library
      node_modules/googleapis-common

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/nexmo/node_modules/jsonwebtoken
node_modules/twilio/node_modules/jsonwebtoken
  nexmo  *
  Depends on vulnerable versions of jsonwebtoken
  Depends on vulnerable versions of request
  node_modules/nexmo


netmask  <=2.0.0
Severity: critical
Improper parsing of octal bytes in netmask - https://github.com/advisories/GHSA-4c7m-wxvm-r7gc
netmask npm package mishandles octal input data - https://github.com/advisories/GHSA-pch5-whg9-qr2r
fix available via `npm audit fix --force`
Will install mailgun-js@0.6.7, which is a breaking change
node_modules/netmask

node-fetch  <=2.6.6
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch forwards secure headers to untrusted sites - https://github.com/advisories/GHSA-r683-j2x4-v87g
fix available via `npm audit fix --force`
Will install isomorphic-fetch@3.0.0, which is a breaking change
node_modules/isomorphic-fetch/node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/recompose/node_modules/fbjs
      recompose  >=0.18.0
      Depends on vulnerable versions of fbjs
      node_modules/recompose

node-forge  <=1.2.1
Severity: high
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
fix available via `npm audit fix --force`
Will install webpack-dev-server@4.15.1, which is a breaking change
node_modules/node-forge
  google-p12-pem  <=3.1.2
  Depends on vulnerable versions of node-forge
  node_modules/google-p12-pem
    gtoken  <=5.0.0
    Depends on vulnerable versions of google-p12-pem
    node_modules/gtoken
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/svgo/node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/svgo/node_modules/css-select
    svgo  1.0.0 - 1.3.2
    Depends on vulnerable versions of css-select
    node_modules/svgo
      @svgr/plugin-svgo  <=5.5.0
      Depends on vulnerable versions of svgo
      node_modules/@svgr/plugin-svgo
        @svgr/webpack  4.0.0 - 5.5.0
        Depends on vulnerable versions of @svgr/plugin-svgo
        node_modules/@svgr/webpack
          react-scripts  >=2.1.4
          Depends on vulnerable versions of @svgr/webpack
          Depends on vulnerable versions of resolve-url-loader
          node_modules/react-scripts


passport  <0.6.0
Severity: moderate
Passport vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
fix available via `npm audit fix --force`
Will install passport@0.7.0, which is a breaking change
node_modules/passport

postcss  <8.4.31
Severity: moderate
PostCSS line return parsing error - https://github.com/advisories/GHSA-7fh5-64p2-3v2j
fix available via `npm audit fix --force`
Will install react-scripts@3.0.1, which is a breaking change
node_modules/resolve-url-loader/node_modules/postcss
  resolve-url-loader  0.0.1-experiment-postcss || 3.0.0-alpha.1 - 4.0.0
  Depends on vulnerable versions of postcss
  node_modules/resolve-url-loader

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/request
  passport-auth0  <=1.4.0
  Depends on vulnerable versions of request
  node_modules/passport-auth0
  wait-on  <=4.0.2
  Depends on vulnerable versions of request
  node_modules/wait-on

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/simple-update-notifier/node_modules/semver
  simple-update-notifier  1.0.7 - 1.1.0
  Depends on vulnerable versions of semver
  node_modules/simple-update-notifier
    nodemon  2.0.19 - 2.0.22
    Depends on vulnerable versions of simple-update-notifier
    node_modules/nodemon

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install nexmo@0.0.7, which is a breaking change
node_modules/tough-cookie

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
No fix available
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    us-area-codes  *
    Depends on vulnerable versions of meow
    node_modules/us-area-codes

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via `npm audit fix --force`
Will install thinky@1.15.1, which is a breaking change
node_modules/validator
  thinky  >=1.15.2
  Depends on vulnerable versions of validator
  node_modules/thinky

xml2js  <0.5.0
Severity: moderate
xml2js is vulnerable to prototype pollution - https://github.com/advisories/GHSA-776f-qx25-q3cc
fix available via `npm audit fix --force`
Will install selenium-webdriver@4.15.0, which is a breaking change
node_modules/xml2js
  @bandwidth/numbers  *
  Depends on vulnerable versions of xml2js
  node_modules/@bandwidth/numbers
  selenium-webdriver  2.43.1 - 4.0.0-rc-2
  Depends on vulnerable versions of xml2js
  node_modules/selenium-webdriver

62 vulnerabilities (5 low, 25 moderate, 27 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Okay, I have a successful product - thus far!

I am getting that these are dependencies that I need to configure:

npm WARN deprecated @babel/plugin-proposal-class-properties@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-class-properties instead.
npm WARN deprecated @babel/plugin-proposal-nullish-coalescing-operator@7.18.6: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-nullish-coalescing-operator instead.
npm WARN deprecated @babel/plugin-proposal-optional-chaining@7.21.0: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-optional-chaining instead.

Each of the above dependencies was configured in the package.json and yarn.lock files.

  • Here is a log of all the commands I have used thus far:
10253  gh repo clone StateVoicesNational/Spoke_Hackathon_Fork
10254  ls
10255  cd Spoke_Hackathon_Fork
10256  git checkout -b node20-update-II
10257  node -v
10258  npm -v
10259  npm outdated
10260  npm install
10261  npm outdated
10262  git status
10263  git add .
10264  git commit -m "Ran npm install and got a yarn.lock file update.  Keeping to learning purposes"
10265  npm audit
10266  npm ls
10267  npm outdated --depth
10268  npm install @babel/cli 7.23.4 --save
10269  npm install @babel/cli@7.23.4 --save
10270  git status
10271  git add .
10272  git commit -m "Adds @babel/cli@7.23.4 to dependencies"
10273  npm ls @babel/cli@7.23.4
10274  npm ls @babel/cli@7.23.4 --depth
10275  npm ls @babel/core
10276  npm install @babel/core@7.23.4 --save
10277  git status
10278  git add .
10279  git status"\n"
10280  git status
10281  git add .
10282  git commit -m "Removes web-cli from optional dependencies"
10283  git status
10284  npm ls @babel/traverse
10285  npm install @babel/traverse@7.23.2 --save
10286  git status
10287  git add .
10288  git commit -m "Adds babel/traverse version 7.23.2 to package and yarn lock"
10289  git push origin node20-update-II
10290  npm audit fix
10291  git status
10292  git add .
10293  git commit -m "Ran npm audit fix"
10294  git push origin node20-update-II
10295  npm audit
10296  npm outdated --depth
10297  npm use
10298  npm install
10299  npm un react-dnd@11.1.3
10300  git status
10301  npm uninstall react-dnd@7.7.0
10302  npm install react-dnd@11.1.3 --save
10303  npm install react-dnd@7.7.0
10304  npm install react-dnd@7.7.0 --save
10305  npm install
10306  git add .
10307  git commit -m "Adds react-dnd version 7.7.0 to dependencies"
10308  git push origin node20-update-II
10309  npm outdated
10310  npm ls @babel/core
10311  npm audit
10312* npm ls @cypress/request
10313* npm install @cypress/request@2.88.12 --save
10314  npm ls @cypress/request
10315  npm up @cypress/request
10316  git status
10317  yarn dev
10318  cp .env.example .env
10319  yarn dev
10320  npm install node@20.0.0 --save
10321  npm install npm@9.6.4
10322  git status
10323  git add .
10324  history
10325  git status
10326  yarn dev
10327  npm ls aws-sdk --all
10328  npx aws-sdk-js-codemod -t v2-to-v3 /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/action-handlers/mobilecommons-signup.js
10329  git status
10330  git add .
10331  git commit -m "Updates mobilecommons-signup to remove aws-sdk which is deprecated"
10332  yarn dev
10333  git push origin node20-update-II
10334  npm install @babel/plugin-transform-class-properties
10335  git add .
10336  git commit -m "Adds babel/plugin-transform-class-properties to project dependencies"
10337  yarn dev
10338  git push origin node20-update-II
10339  npm install @babel/plugin-transform-nullish-coalescing-operator --save
10340  git add .
10341  git commit -m "Adds @babel/plugin-transform-nullish-coalescing-operator to project dependencies"
10342  yarn dev
10343  git push origin node20-update-II
10344  npm install @babel/plugin-transform-optional-chaining
10345  git add .
10346  git commit -m "Adds @babel/plugin-transform-optional-chaining into project dependencies"
10347  yarn dev
10348  git push origin node20-update-II
10349  npx aws-sdk-js-codemod -t v2-to-v3 /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/action-handlers/revere-signup.js
10350  git status
10351  git add .
10352  git commit -m "Upgrades revere-signup to aws-sdk to version 3 standards"
10353  yarn dev
  • Okay, so I updated contact loaders csv-s3-upload/index.js and there was no breaking change, but then I upgraded s3-pull/index.js and the app crashed, mysteriously compiled, but then I couldn't log in.

  • As of right now, I am tabling any further updates on s3-pull/index.js

  • updating jobs.js and I have an ingestMethod in this document. So I'm expecting something to break when I run yarn dev.

CONTACT_LOADERS failed to load ingestMethod csv-upload Error: Cannot find module '@aws-sdk/client-lambda'
Require stack:
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/workers/jobs.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/contact-loaders/helpers.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/contact-loaders/csv-upload/index.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/contact-loaders/index.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/server/api/schema.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/server/index.js
3:13:45 PM server.1  |  - /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/dev-tools/babel-run
  • Since I know that the application was working swimmingly before this change, I feel comfortable committing this change and pursuing these required stack documents for proper updates.

  • getting an error that a module is missing.

  • adding @aws-sdk/s3-request-presigner

  • adding @aws-sdk/client-s3

  • adding @aws-sdk/client-sqs

  • END OF BREAKING CHANGES! YAY!

  • I now only have three documents that require the javascript 3 update:

  • /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/lambda.js

    • All that happened here was that const AWS = require("aws-sdk") was removed from the top, and the application runs successfully. Going to check if there are more documents that have the above const.
    • No other documents have this requirement. The aws-sdk error is officially fixed! YAY!
  • /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/server/telemetry.js

    • after installing the two new dependencies, I realized that the application is no longer requesting that I update to javascript s3. But I have one more file to do, the lambda above. Let's see what it requires and how it breaks.
  • /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/job-runners/lambda-async/index.js

    • now using @aws-sdk/client-lambda << might have to install it in dependencies!
    • never mind! it's already installed? Yup! Installed it earlier! Moving on!
  • /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/src/extensions/contact-loaders/s3-pull/index.js (finished with no breaking changes!)

Alright, I got a type error once I started fidgeting around with the application. Going to list it below to get help with it from Daniel.

4:03:25 PM server.1  |    error: TypeError: Field error: value is not an instance of Date
4:03:25 PM server.1  |        at serialize (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql-date/index.js:14:5)
4:03:25 PM server.1  |        at GraphQLScalarType.serialize (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/type/definition.js:418:12)
4:03:25 PM server.1  |        at completeLeafValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:701:37)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:649:12)
4:03:25 PM server.1  |        at completeValueWithLocatedError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:580:21)
4:03:25 PM server.1  |        at completeValueCatchingError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:556:21)
4:03:25 PM server.1  |        at resolveField (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:497:10)
4:03:25 PM server.1  |        at /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:364:18
4:03:25 PM server.1  |        at Array.reduce (<anonymous>)
4:03:25 PM server.1  |        at executeFields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:361:42)
4:03:25 PM server.1  |        at collectAndExecuteSubfields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:772:10)
4:03:25 PM server.1  |        at completeObjectValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:762:10)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:660:12)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:629:21)
4:03:25 PM server.1  |        at completeValueWithLocatedError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:580:21)
4:03:25 PM server.1  |        at completeValueCatchingError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:550:12)
4:03:25 PM server.1  |        at resolveField (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:497:10)
4:03:25 PM server.1  |        at /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:364:18
4:03:25 PM server.1  |        at Array.reduce (<anonymous>)
4:03:25 PM server.1  |        at executeFields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:361:42)
4:03:25 PM server.1  |        at collectAndExecuteSubfields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:772:10)
4:03:25 PM server.1  |        at completeObjectValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:762:10)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:660:12)
4:03:25 PM server.1  |        at completeValueWithLocatedError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:580:21)
4:03:25 PM server.1  |        at completeValueCatchingError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:556:21)
4:03:25 PM server.1  |        at /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:684:25
4:03:25 PM server.1  |        at Array.forEach (<anonymous>)
4:03:25 PM server.1  |        at forEach (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/iterall/index.js:83:25)
4:03:25 PM server.1  |        at completeListValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:680:24)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:643:12)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:629:21)
4:03:25 PM server.1  |        at completeValueWithLocatedError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:580:21)
4:03:25 PM server.1  |        at completeValueCatchingError (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:550:12)
4:03:25 PM server.1  |        at resolveField (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:497:10)
4:03:25 PM server.1  |        at /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:364:18
4:03:25 PM server.1  |        at Array.reduce (<anonymous>)
4:03:25 PM server.1  |        at executeFields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:361:42)
4:03:25 PM server.1  |        at collectAndExecuteSubfields (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:772:10)
4:03:25 PM server.1  |        at completeObjectValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:762:10)
4:03:25 PM server.1  |        at completeValue (/Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:660:12)
4:03:25 PM server.1  |        at /Users/ariqueaguilar/node-update/Spoke_Hackathon_Fork/node_modules/graphql/execution/execute.js:617:14
4:03:25 PM server.1  |        at async Promise.all (index 0)
4:03:25 PM server.1  |        at async Promise.all (index 0) {
4:03:25 PM server.1  |      locations: [ { line: 22, column: 9 } ],
4:03:25 PM server.1  |      path: [ 'conversations', 'conversations', 0, 'contact', 'updated_at' ]
4:03:25 PM server.1  |    },
4:03:25 PM server.1  |    msg: 'GraphQL error'
4:03:25 PM server.1  |  }
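The trace above ends in graphql-date's serialize, which refuses anything that is not a real Date instance, so the `updated_at` value for that contact reached the scalar as something else (typically an ISO string or an epoch number after a JSON round-trip, or a driver that returns timestamps as text). The example below is added here and is not code from the gist or from the Spoke project: `strictSerialize` is modelled on the error message in the log (the extra invalid-Date check is my assumption about the library's behaviour), and `toDate`, `tolerantSerialize`, `classifyRows` and the sample rows are my own constructions for illustration.

```javascript
// Added example (not from the gist): why graphql-date throws "value is not an
// instance of Date", and a coercion step that turns the values a DB driver or a
// JSON round-trip typically yields (ISO strings, epoch numbers) back into Dates
// before they reach the scalar's serialize().

// Mirrors the strict check behind the error in the log: only a real Date
// instance is accepted. The invalid-Date check is an assumption about the
// library, not taken from the gist.
function strictSerialize(value) {
  if (!(value instanceof Date)) {
    throw new TypeError("Field error: value is not an instance of Date");
  }
  if (Number.isNaN(value.getTime())) {
    throw new TypeError("Field error: value is an invalid Date");
  }
  return value.toJSON();
}

// Coerce common non-Date representations into a Date, or return null so the
// caller can decide. Strings must parse; finite numbers are treated as epoch ms.
function toDate(value) {
  if (value instanceof Date) return value;
  if (typeof value === "number" && Number.isFinite(value)) return new Date(value);
  if (typeof value === "string" && value.trim() !== "") {
    const d = new Date(value);
    return Number.isNaN(d.getTime()) ? null : d;
  }
  return null;
}

// Tolerant serialize: coerce first, then apply the same strict check. Values
// that cannot be coerced still fail loudly instead of silently becoming null.
function tolerantSerialize(value) {
  const d = toDate(value);
  if (d === null) {
    throw new TypeError(`Field error: cannot coerce ${JSON.stringify(value)} to Date`);
  }
  return strictSerialize(d);
}

// Constructed sample rows: one as a driver returns it (Date), the same instant
// after a JSON round-trip (string), as epoch milliseconds, and one bad value.
const sampleContactRows = [
  { id: 1, updated_at: new Date("2023-12-02T20:03:25.000Z") },
  { id: 2, updated_at: "2023-12-02T20:03:25.000Z" },
  { id: 3, updated_at: 1701547405000 },
  { id: 4, updated_at: "not a date" },
];

// Run a serializer over each row and record the outcome instead of letting the
// first failure abort the whole list, so every bad row can be located.
function classifyRows(rows, serialize) {
  return rows.map((row) => {
    try {
      return { id: row.id, ok: true, value: serialize(row.updated_at) };
    } catch (err) {
      return { id: row.id, ok: false, error: err.message };
    }
  });
}

console.log("strict:", classifyRows(sampleContactRows, strictSerialize));
console.log("tolerant:", classifyRows(sampleContactRows, tolerantSerialize));
```

With the strict serializer only row 1 passes, which is the situation in the log; the tolerant one accepts rows 1 to 3 and still rejects row 4, so a genuinely corrupt timestamp surfaces as an error rather than being masked.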