audit yarn.lock

npm install --package-lock-only
npm audit fix
rm yarn.lock
yarn import

```
npm audit

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

minimist  <1.2.6
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via `npm audit fix`
node_modules/nanoid
node_modules/postcss/node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

5 vulnerabilities (2 moderate, 3 critical)

To address all issues, run:
  npm audit fix
```

minimist@1.2.5
used by mocha, tslint and matrix-bot-sdk@0.5.19

via
```
MatrixClient::replyHtmlText
MatrixClient::replyHtmlNotice
MatrixClient::sendHtmlNotice
MatrixClient::sendHtmlText
```

none of which we use.

As for nanoid this is used by mocha.
As for json-schema, it is used by jsprim@1.4.2 within 'validateJsonObjectJS'.
Fortunately we depend on jsprim via the http-signatures@1.2.0 package, which only uses jsprim for rfc1123
(which request depends upon in the matrix-bot-sdk).
gnuxie 2022-08-16 16:25:08 +01:00
parent 4376679b99
commit 44f8bd6cdb

yarn.lock (4630 lines changed; diff suppressed because it is too large)
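Added example, not part of this commit or of matrix-bot-sdk: a small Python check to run after `yarn import`, which parses a yarn.lock (v1 format) and reports any pinned version that still falls inside the three vulnerable ranges `npm audit` reported above. The lockfile excerpt and the helper names are constructed for the example, and version comparison is simplified to dotted integers rather than full semver.

```python
import re

# Vulnerable ranges from the npm audit output above: (min_inclusive, max_exclusive);
# a lower bound of None means "every version below the upper bound".
ADVISORIES = {
    "json-schema": (None, (0, 4, 0)),        # <0.4.0
    "minimist": (None, (1, 2, 6)),           # <1.2.6
    "nanoid": ((3, 0, 0), (3, 1, 31)),       # 3.0.0 - 3.1.30
}

# Constructed yarn.lock v1 excerpt, not the repository's real lockfile.
LOCK = """# yarn lockfile v1
"@types/node@^16.0.0":
  version "16.11.7"
json-schema@0.2.3:
  version "0.2.3"
minimist@^1.2.0, minimist@^1.2.5:
  version "1.2.6"
nanoid@^3.1.23:
  version "3.1.30"
nanoid@^3.3.4:
  version "3.3.4"
"""

def parse_version(v):
    # "1.2.6" -> (1, 2, 6); pre-release suffixes are ignored (simplifying assumption)
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", v).group(0).split("."))

def parse_yarn_lock(text):
    # Map package name -> set of resolved versions from yarn.lock v1 text.
    resolved, name = {}, None
    for line in text.splitlines():
        if line and not line.startswith((" ", "#")) and line.endswith(":"):
            # Entry header such as `minimist@^1.2.0, minimist@^1.2.5:`; use the first selector.
            key = line[:-1].split(",")[0].strip().strip('"')
            name = key.rsplit("@", 1)[0]  # rsplit keeps scoped names like @types/node intact
        elif name and line.startswith("  version "):
            resolved.setdefault(name, set()).add(line.split('"')[1])
    return resolved

def vulnerable_pins(lock_text, advisories=ADVISORIES):
    # Return [(package, version)] for every pinned version inside an advisory range.
    hits = []
    for name, versions in parse_yarn_lock(lock_text).items():
        lo, hi = advisories.get(name, (None, None))
        for v in sorted(versions):
            pv = parse_version(v)
            if hi is not None and (lo is None or pv >= lo) and pv < hi:
                hits.append((name, v))
    return hits
```

On the constructed lockfile this reports json-schema@0.2.3 and nanoid@3.1.30, while minimist@1.2.6 and nanoid@3.3.4 pass.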