video.js audit checks are still failing and the list has got bigger, with the spate of npm package attacks the past month, which is getting worse. Is it possible to fix these? I found you can use an overrides config to install newer packages, assuming there are no API breaks, or else have to fork them. I've had to do the same the past few days for my own build systems.
It seems Axios is now listed, which is bad. Minimatch and glob can be overridden; I've had to do this for grunt and it works.
@octokit/plugin-paginate-rest <=9.2.1
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/plugin-paginate-rest
@octokit/rest 16.39.0 - 20.0.1
Depends on vulnerable versions of @octokit/core
Depends on vulnerable versions of @octokit/plugin-paginate-rest
node_modules/@octokit/rest
gh-release >=3.1.0
Depends on vulnerable versions of @octokit/rest
Depends on vulnerable versions of update-notifier
node_modules/gh-release
@octokit/request <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/request
@octokit/core <=5.0.0-beta.5
Depends on vulnerable versions of @octokit/graphql
Depends on vulnerable versions of @octokit/request
Depends on vulnerable versions of @octokit/request-error
node_modules/@octokit/core
@octokit/graphql <=2.1.3 || 3.0.0 - 6.0.1
Depends on vulnerable versions of @octokit/request
node_modules/@octokit/graphql
@octokit/request-error <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@octokit/request-error
axios <=0.30.2
Severity: high
Axios vulnerable to Server-Side Request Forgery - https://github.com/advisories/GHSA-4w2v-q235-vp99
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
axios Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-cph5-m8f7-6c5x
axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - https://github.com/advisories/GHSA-jr5f-v2jv-69x6
Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig - https://github.com/advisories/GHSA-43fc-jf86-j433
Depends on vulnerable versions of follow-redirects
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/axios
access-sniff >=1.1.2
Depends on vulnerable versions of axios
Depends on vulnerable versions of jsdom
Depends on vulnerable versions of phantomjs-prebuilt
Depends on vulnerable versions of validator
node_modules/access-sniff
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/unified-args/node_modules/braces
node_modules/videojs-languages/node_modules/braces
node_modules/watchpack/node_modules/braces
node_modules/watchpack/node_modules/readdirp/node_modules/braces
chokidar 1.3.0 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of braces
Depends on vulnerable versions of readdirp
node_modules/unified-args/node_modules/chokidar
node_modules/watchpack/node_modules/chokidar
unified-args 6.0.0
Depends on vulnerable versions of chokidar
node_modules/unified-args
remark-cli <=8.0.1
Depends on vulnerable versions of remark
Depends on vulnerable versions of unified-args
node_modules/remark-cli
micromatch <=4.0.7
Depends on vulnerable versions of braces
node_modules/unified-args/node_modules/micromatch
node_modules/videojs-languages/node_modules/micromatch
node_modules/watchpack/node_modules/micromatch
node_modules/watchpack/node_modules/readdirp/node_modules/micromatch
anymatch 1.2.0 - 2.0.0
Depends on vulnerable versions of micromatch
node_modules/unified-args/node_modules/anymatch
node_modules/watchpack/node_modules/anymatch
fast-glob <=2.2.7
Depends on vulnerable versions of micromatch
node_modules/videojs-languages/node_modules/fast-glob
globby 8.0.0 - 9.2.0
Depends on vulnerable versions of fast-glob
node_modules/videojs-languages/node_modules/globby
videojs-languages >=2.0.0
Depends on vulnerable versions of globby
node_modules/videojs-languages
readdirp 2.2.0 - 2.2.1
Depends on vulnerable versions of micromatch
node_modules/unified-args/node_modules/readdirp
node_modules/watchpack/node_modules/readdirp
elliptic *
Elliptic Uses a Cryptographic Primitive with a Risky Implementation - https://github.com/advisories/GHSA-848j-6mx2-7j84
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/elliptic
browserify-sign >=2.4.0
Depends on vulnerable versions of elliptic
node_modules/browserify-sign
crypto-browserify >=2.0.0
Depends on vulnerable versions of browserify-sign
Depends on vulnerable versions of create-ecdh
Depends on vulnerable versions of sha.js
node_modules/crypto-browserify
node_modules/node-libs-browser/node_modules/crypto-browserify
node-libs-browser 0.2.0 - 0.3.1 || 0.4.1 || 0.4.3 - 0.7.0
Depends on vulnerable versions of crypto-browserify
node_modules/node-libs-browser
webpack 0.11.0-beta1 - 2.7.0
Depends on vulnerable versions of loader-utils
Depends on vulnerable versions of node-libs-browser
Depends on vulnerable versions of optimist
node_modules/webpack
create-ecdh *
Depends on vulnerable versions of elliptic
node_modules/create-ecdh
follow-redirects <=1.15.5
Severity: high
Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects - https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
follow-redirects' Proxy-Authorization header kept across hosts - https://github.com/advisories/GHSA-cxjh-pqwp-8mfp
Exposure of sensitive information in follow-redirects - https://github.com/advisories/GHSA-74fj-2j2h-c42q
Follow Redirects improperly handles URLs in the url.parse() function - https://github.com/advisories/GHSA-jchw-25xp-jwwc
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/follow-redirects
form-data <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/form-data
request *
Depends on vulnerable versions of form-data
Depends on vulnerable versions of qs
Depends on vulnerable versions of tough-cookie
node_modules/request
jsdom 0.1.20 || 0.2.0 - 16.5.3
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-native
Depends on vulnerable versions of tough-cookie
node_modules/jsdom
phantomjs-prebuilt *
Depends on vulnerable versions of request
node_modules/phantomjs-prebuilt
request-promise-core *
Depends on vulnerable versions of request
node_modules/request-promise-core
request-promise-native >=1.0.0
Depends on vulnerable versions of request
Depends on vulnerable versions of request-promise-core
Depends on vulnerable versions of tough-cookie
node_modules/request-promise-native
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/latest-version
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of latest-version
node_modules/update-notifier
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/loader-utils/node_modules/json5
loader-utils <=1.4.0
Depends on vulnerable versions of json5
node_modules/loader-utils
minimatch <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/replace/node_modules/minimatch
replace >=0.2.3
Depends on vulnerable versions of minimatch
node_modules/replace
minimist <=0.2.3
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/optimist/node_modules/minimist
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
qs <6.14.1
Severity: moderate
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion - https://github.com/advisories/GHSA-6rw7-vpxm-498p
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/request/node_modules/qs
sha.js <=2.4.11
Severity: critical
sha.js is missing type checks leading to hash rewind and passing on crafted data - https://github.com/advisories/GHSA-95m3-7q98-8xr5
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/node-libs-browser/node_modules/sha.js
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tough-cookie
trim <0.0.3
Severity: high
Regular Expression Denial of Service in trim - https://github.com/advisories/GHSA-w5p7-h5w8-2hfq
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/trim
remark-parse <=8.0.3
Depends on vulnerable versions of trim
node_modules/remark-parse
remark 5.0.0 - 12.0.1
Depends on vulnerable versions of remark-parse
node_modules/remark
unified-message-control <=1.0.4
Depends on vulnerable versions of trim
node_modules/unified-message-control
remark-message-control 4.1.0 - 4.2.0
Depends on vulnerable versions of unified-message-control
node_modules/remark-message-control
underscore <=1.13.7
Severity: critical
Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq
Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack - https://github.com/advisories/GHSA-qpx9-hpmf-5gmw
fix available via `npm audit fix`
node_modules/nomnom/node_modules/underscore
nomnom >=1.6.0
Depends on vulnerable versions of underscore
node_modules/nomnom
validator <=13.15.20
Severity: high
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
validator.js has a URL validation bypass vulnerability in its isURL function - https://github.com/advisories/GHSA-9965-vmph-33xx
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements - https://github.com/advisories/GHSA-vghf-hv5q-vc2g
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/validator
53 vulnerabilities (3 low, 22 moderate, 17 high, 11 critical)
Reduced test case
na
Steps to reproduce
Errors
No response
What version of Video.js are you using?
8.23.8
Video.js plugins used.
No response
What browser(s) including version(s) does this occur with?
na
What OS(es) and version(s) does this occur with?
na