fix(security): upgrade 3 vulnerable packages#307
Conversation
Security fixes: - @babel/preset-env: transitive → 7.28.5 - @babel/traverse: transitive → 7.28.5 - fsevents: transitive → 2.3.3 Addresses vulnerabilities: - CVE-2023-45133 - CVE-2023-45311 Automated security fix by Security Bot
| } | ||
| }, | ||
| "terser": { | ||
| "node_modules/terser": { |
There was a problem hiding this comment.
High severity vulnerability introduced by a package you're using:
Line 9732 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| } | ||
| }, | ||
| "node_modules/htmlnano/node_modules/terser": { |
There was a problem hiding this comment.
High severity vulnerability introduced by a package you're using:
Line 5505 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.
To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
| }, | ||
| "get-func-name": { | ||
| "node_modules/get-func-name": { |
There was a problem hiding this comment.
High severity vulnerability introduced by a package you're using:
Line 5135 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.
ℹ️ Why this matters
Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.
To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.
💬 Ignore this finding
To ignore this, reply with:
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
|
Apologies — a script accidentally modified this PR's title and description. The original title has been restored. The description may need to be manually restored by the PR author. Sorry for the inconvenience. |
Summary
package-lock.jsonto eliminate maliciousfseventsdependency (MAL-2023-462)Why delete the lock file instead of editing it?
fseventsis a transitive dependency — pulled in by webpack, chokidar, and other build tools — not a direct dependency inpackage.jsonnpm installwill generate a clean lock file with only safe versionsImpact Assessment
fseventsis an optional, macOS-only, transitive dependencyTest plan