Describe the bug
After installing fhirclient, the npm audit will report the following:
semver 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - GHSA-c2qf-rxjj-qqgw
fix available via npm audit fix
node_modules/@expo/image-utils/node_modules/semver
@expo/image-utils <=0.0.1-canary-20240109-93608d8 || >=0.3.10-alpha.0
Depends on vulnerable versions of semver
node_modules/@expo/image-utils
@expo/cli <=0.0.0-canary-20231123-1b19f96-4 || >=0.0.1-canary-20231125-d600e44
Depends on vulnerable versions of @expo/image-utils
Depends on vulnerable versions of @expo/prebuild-config
node_modules/@expo/cli
expo >=50.0.0-alpha.0
Depends on vulnerable versions of @expo/cli
node_modules/expo
@expo/prebuild-config *
Depends on vulnerable versions of @expo/image-utils
node_modules/@expo/cli/node_modules/@expo/prebuild-config
5 moderate severity vulnerabilities
To Reproduce
npm install fhirclient
Expected behavior
No vulnerabilities.
Additional context
npm audit has been reporting these vulnerabilities for around a year, I think. I've been waiting for an update to this package, and when I saw an update was made last month, I hoped these would be fixed, but not yet.
I did some investigation in package-lock.json, because the above error messages from npm are not very enlightening. It seems fhirclient depends on isomorphic-webcrypto (not updated for 3 years), which has an optional dependency on "expo-random", which is a deprecated package, and which is likely the cause of the above expo-related problems. Running npm install --no-optional avoids the problem, but I don't know what downsides there are to leaving out all optional packages, and I don't see a way to leave out only expo-random.
isomorphic-webcrypto was archived earlier this month and appears to be required solely to support Internet Explorer 11 and Safari versions prior to Safari 11. These browsers appear to have a global usage of just above 0.5%. It is, unfortunately, somewhat more likely that a FHIR environment is going to be using IE11 via an embedded MSHTML control in an EHR, but the fact remains, these are old and unsupported browsers.
It may be time to remove isomorphic-webcrypto and use the WebCrypto APIs directly, while telling users who still need IE11 support to use webcrypto-shim.