npm audit shows 21 vulnerabilities, including 17 high and 2 critical

[nawordar]

Iris version

3.64.1

Operating system(s) affected

• Windows
• MacOS
• iOS
• Android
• Linux
• Other

Browser(s) affected

• Firefox
• Chrome
• Edge
• Other

What happened?

When creating a PR (#864) and running npm install, NPM warned about 21 vulnerabilities. 13 of them are easily fixable with npm audit fix.

Logs

# npm audit report

ansi-html  <0.0.8
Severity: high
Uncontrolled Resource Consumption in ansi-html - https://github.com/advisories/GHSA-whgm-jr23-g3j9
fix available via `npm audit fix`
node_modules/ansi-html
  webpack-dev-server  2.0.0-beta - 4.7.2
  Depends on vulnerable versions of ansi-html
  Depends on vulnerable versions of chokidar
  Depends on vulnerable versions of selfsigned
  node_modules/webpack-dev-server

ansi-regex  4.0.0 - 4.1.0 || 5.0.0
Severity: high
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix`
node_modules/@jest/core/node_modules/ansi-regex
node_modules/cliui/node_modules/ansi-regex
node_modules/eslint/node_modules/ansi-regex
node_modules/inquirer/node_modules/ansi-regex
node_modules/pretty-format/node_modules/ansi-regex
node_modules/string-length/node_modules/ansi-regex
node_modules/string-width/node_modules/ansi-regex
node_modules/table/node_modules/ansi-regex
node_modules/webpack-cli/node_modules/ansi-regex
node_modules/webpack-dev-server/node_modules/ansi-regex
node_modules/wrap-ansi/node_modules/ansi-regex
node_modules/yargs/node_modules/ansi-regex

css-what  4.0.0 - 5.0.0
Severity: high
Denial of service in css-what - https://github.com/advisories/GHSA-q8pj-2vqx-8ggc
fix available via `npm audit fix`
node_modules/cheerio-select/node_modules/css-what

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install @babel/cli@7.12.1, which is a breaking change
node_modules/@nicolo-ribaudo/chokidar-2/node_modules/glob-parent
node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
  @nicolo-ribaudo/chokidar-2  <=2.1.8-no-fsevents.3
  Depends on vulnerable versions of glob-parent
  node_modules/@nicolo-ribaudo/chokidar-2
    @babel/cli  >=7.12.7
    Depends on vulnerable versions of @nicolo-ribaudo/chokidar-2
    node_modules/@babel/cli
  chokidar  1.0.0-rc1 - 2.1.8
  Depends on vulnerable versions of glob-parent
  node_modules/watchpack-chokidar2/node_modules/chokidar
  node_modules/webpack-dev-server/node_modules/chokidar
    watchpack-chokidar2  *
    Depends on vulnerable versions of chokidar
    node_modules/watchpack-chokidar2
      watchpack  1.7.2 - 1.7.5
      Depends on vulnerable versions of watchpack-chokidar2
      node_modules/watchpack
        webpack  4.44.0 - 4.46.0
        Depends on vulnerable versions of watchpack
        node_modules/webpack

jsdom  <=16.4.0
Severity: moderate
Insufficient Granularity of Access Control in JSDom - https://github.com/advisories/GHSA-f4c9-cqv8-9v98
fix available via `npm audit fix`
node_modules/jsdom

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

lodash  <=4.17.20
Severity: high
Command Injection in lodash - https://github.com/advisories/GHSA-35jh-r3h4-6jhm
Regular Expression Denial of Service (ReDoS) in lodash - https://github.com/advisories/GHSA-29mw-wpgm-hmr9
fix available via `npm audit fix`
node_modules/eslint/node_modules/lodash
node_modules/inquirer/node_modules/lodash
node_modules/table/node_modules/lodash

node-forge  <=1.2.1
Severity: high
Open Redirect in node-forge - https://github.com/advisories/GHSA-8fr3-hfg3-gpgp
Prototype Pollution in node-forge debug API. - https://github.com/advisories/GHSA-5rrq-pxf6-6jx5
Improper Verification of Cryptographic Signature in `node-forge` - https://github.com/advisories/GHSA-2r2c-g63r-vccr
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-x4jg-mjrx-434g
Improper Verification of Cryptographic Signature in node-forge - https://github.com/advisories/GHSA-cfm4-qjh2-4765
URL parsing in node-forge could lead to undesired behavior. - https://github.com/advisories/GHSA-gf8q-jrpm-jvxq
fix available via `npm audit fix`
node_modules/selfsigned/node_modules/node-forge
  selfsigned  1.1.1 - 1.10.14
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

nth-check  <2.0.1
Severity: high
Inefficient Regular Expression Complexity in nth-check - https://github.com/advisories/GHSA-rp65-9cf3-cjxr
fix available via `npm audit fix`
node_modules/cheerio-select/node_modules/nth-check
node_modules/nth-check
  css-select  <=3.1.0
  Depends on vulnerable versions of nth-check
  node_modules/css-select
    cheerio  0.19.0 - 1.0.0-rc.3
    Depends on vulnerable versions of css-select
    node_modules/cheerio

terser  <4.8.1
Severity: high
Terser insecure use of regular expressions before v4.8.1 and v5.14.2 leads to ReDoS - https://github.com/advisories/GHSA-4wf5-vphf-c2xc
fix available via `npm audit fix`
node_modules/terser

21 vulnerabilities (2 moderate, 17 high, 2 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

[jaedb]

Upgrades will be included in next release