I have just created a new project using the command npx create-snowpack-app . --template @snowpack/app-template-blank-typescript --force
There are 11 vulnerabilities, including 4 critical ones, so I was trying to fix them using the following commands: npm audit fix,
npm audit fix --force,
and by updating each dependency separately, e.g. npm install request@latest
and so on.
If you have any idea how to fix these vulnerabilities I would be very grateful.
The audit report is as follows:
$ npm audit
npm audit report
request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
fix available via npm audit fix
node_modules/request
node-gyp <=7.1.2
Depends on vulnerable versions of request
node_modules/node-gyp
@npmcli/run-script 1.1.1 - 1.8.6
Depends on vulnerable versions of node-gyp
node_modules/@npmcli/run-script
@npmcli/arborist <=2.10.0
Depends on vulnerable versions of @npmcli/metavuln-calculator
Depends on vulnerable versions of @npmcli/run-script
Depends on vulnerable versions of pacote
node_modules/@npmcli/arborist
snowpack 2.12.2-pre.0 || 2.18.0 - 3.0.0-rc.2 || 3.0.7 || 3.2.0-pre.1 - 3.2.0-pre.3 || >=3.3.0-pre.1
Depends on vulnerable versions of @npmcli/arborist
Depends on vulnerable versions of esinstall
Depends on vulnerable versions of pacote
Depends on vulnerable versions of skypack
node_modules/snowpack
pacote 11.1.5 - 11.3.5
Depends on vulnerable versions of @npmcli/run-script
node_modules/pacote
@npmcli/metavuln-calculator <=1.1.1
Depends on vulnerable versions of pacote
node_modules/@npmcli/metavuln-calculator
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via npm audit fix
node_modules/tough-cookie
vm2 *
Severity: critical
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-cchq-frgv-rjh5
vm2 Sandbox Escape vulnerability - https://github.com/advisories/GHSA-g644-9gfx-q4q4
fix available via npm audit fix
node_modules/vm2
esinstall 0.4.0-pre.1 - 1.1.7
Depends on vulnerable versions of vm2
node_modules/esinstall
skypack >=0.2.0
Depends on vulnerable versions of esinstall
node_modules/skypack
11 vulnerabilities (7 moderate, 4 critical)
To address all issues, run: npm audit fix
My package.json is as follows:
{
  "scripts": {
    "start": "snowpack dev",
    "build": "snowpack build",
    "test": "echo \"This template does not include a test runner by default.\" && exit 1",
    "format": "prettier --write \"src/**/*.{ts,js}\"",
    "lint": "prettier --check \"src/**/*.{ts,js}\""
  },
  "dependencies": {
    "canvas-confetti": "^1.2.0"
  },
  "devDependencies": {
    "@snowpack/plugin-typescript": "^1.2.1",
    "@types/canvas-confetti": "^1.0.0",
    "@types/snowpack-env": "^2.3.3",
    "prettier": "^2.2.1",
    "snowpack": "^3.3.7",
    "typescript": "^4.2.4"
  }
}
node version: v18.16.1
npm version: 9.5.1
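Every finding in the report above is a transitive one (the "Depends on vulnerable versions of" lines); the thing worth knowing before touching anything is which direct dependency in package.json pulls each advisory in. The script below is an added example, not part of the question or of snowpack: it walks the `effects` links of an `npm audit --json` (auditReportVersion 2) report back to the direct dependencies. The report object is constructed here from the quoted text, with only the fields the walk needs filled in.

```javascript
// Constructed sample shaped like `npm audit --json` (auditReportVersion 2),
// rebuilt from the report quoted in the question. `via` holds advisory
// objects (the origin of a finding) or the names of vulnerable dependencies.
const adv = (id, title, severity) => ({ title, severity, url: `https://github.com/advisories/${id}` });
const pkg = (severity, effects, via, isDirect = false) => ({ severity, isDirect, via, effects, fixAvailable: true });
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    vm2: pkg("critical", ["esinstall"], [
      adv("GHSA-cchq-frgv-rjh5", "vm2 Sandbox Escape vulnerability", "critical"),
      adv("GHSA-g644-9gfx-q4q4", "vm2 Sandbox Escape vulnerability", "critical")]),
    esinstall: pkg("critical", ["skypack", "snowpack"], ["vm2"]),
    skypack: pkg("critical", ["snowpack"], ["esinstall"]),
    snowpack: pkg("critical", [], ["@npmcli/arborist", "esinstall", "pacote", "skypack"], true),
    "tough-cookie": pkg("moderate", ["request"], [
      adv("GHSA-72xf-g2v4-qvf3", "tough-cookie Prototype Pollution vulnerability", "moderate")]),
    request: pkg("moderate", ["node-gyp"], ["tough-cookie",
      adv("GHSA-p8p7-x288-28g6", "Server-Side Request Forgery in Request", "moderate")]),
    "node-gyp": pkg("moderate", ["@npmcli/run-script"], ["request"]),
    "@npmcli/run-script": pkg("moderate", ["@npmcli/arborist", "pacote"], ["node-gyp"]),
    pacote: pkg("moderate", ["@npmcli/arborist", "@npmcli/metavuln-calculator", "snowpack"], ["@npmcli/run-script"]),
    "@npmcli/metavuln-calculator": pkg("moderate", ["@npmcli/arborist"], ["pacote"]),
    "@npmcli/arborist": pkg("moderate", ["snowpack"], ["@npmcli/metavuln-calculator", "@npmcli/run-script", "pacote"]),
  },
};

// For every package that carries an actual advisory (an object in `via`),
// follow `effects` upward until a direct dependency of package.json is hit.
// Returns { advisoryPackage: { severity, advisories: [url...], roots: [name...] } }.
function rootCauses(report) {
  const vulns = report.vulnerabilities;
  const out = {};
  for (const [name, v] of Object.entries(vulns)) {
    const advisories = v.via.filter((x) => typeof x === "object").map((a) => a.url);
    if (advisories.length === 0) continue; // only a carrier, not the origin of a finding
    const roots = new Set(), seen = new Set(), stack = [name];
    while (stack.length) {
      const cur = stack.pop();
      if (seen.has(cur)) continue;
      seen.add(cur);
      const node = vulns[cur];
      if (!node) continue; // dangling reference in the report; ignore it
      if (node.isDirect) roots.add(cur);
      stack.push(...node.effects);
    }
    out[name] = { severity: v.severity, advisories, roots: [...roots].sort() };
  }
  return out;
}

console.log(rootCauses(sampleReport));
```

On a real project, replace `sampleReport` with `JSON.parse` of the output of `npm audit --json`; for the report quoted here all three advisories resolve to the single devDependency `snowpack`, which is why upgrading `request` alone changes nothing.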