Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Package dependency is causing semver moderate vulnerabilities #2696

Open
raulHaufe opened this issue Jun 27, 2023 · 3 comments
Open

Package dependency is causing semver moderate vulnerabilities #2696

raulHaufe opened this issue Jun 27, 2023 · 3 comments

Comments

@raulHaufe
Copy link

Describe the bug
When installing mjml package, there is a dependency which is causing a moderate vulnerability. (semver, more info here GHSA-c2qf-rxjj-qqgw)

To Reproduce
Steps to reproduce the behavior:

  1. Create a new project using npm npm init
  2. intall mjml npm i mjml
  3. Check the console output
> npm i mjml@4.14.1

added 140 packages, and audited 141 packages in 6s

26 packages are looking for funding
  run `npm fund` for details

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

  1. Execute npm audit and check the console output
> npm audit           
# npm audit report

semver  <7.5.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver
  editorconfig  0.13.3 - 0.15.3
  Depends on vulnerable versions of semver
  node_modules/editorconfig
    js-beautify  >=1.8.0-rc10
    Depends on vulnerable versions of editorconfig
    node_modules/js-beautify

3 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Expected behavior
A clear and concise description of what you expected to happen.

MJML environment (please complete the following information):

  • OS: MacOS
  • MJML Version <= 4.14.1
  • MJML tool used: npm
  • Node version: v16
  • NPM version: 9.5.1

Additional context
npm audit fix is not working

@tosie
Copy link

tosie commented Jul 6, 2023

+1

I would send a PR, but I think I am too unfamiliar with the whole project to update dependencies 🤷‍♂️

@pguedescamargo
Copy link

#2707

@hfhchan-plb
Copy link

Unfortunately it was approved but not merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants