
High Vulnerabilities from a clean install / audit fix #109

Open
innomadic opened this issue Feb 19, 2025 · 2 comments
Labels
bug Something isn't working

Comments

@innomadic

Thank you so much for this package. I've used it for a while, and I noticed I needed to upgrade some things. I tried to upgrade and got myself into a bit of a mess. So I started from scratch, but still saw that I had packages that were classified as high risk vulnerabilities by npm audit. Can someone suggest a solution?

Describe the bug
After npm install, npm audit fix I am still left with 2 high vulnerabilities.

axios  0.8.1 - 0.27.2
Severity: moderate
Axios Cross-Site Request Forgery Vulnerability - https://github.com/advisories/GHSA-wf5p-g6vw-rhxx
fix available via `npm audit fix --force`
Will install @11ty/eleventy@3.0.0, which is a breaking change
node_modules/axios
  localtunnel  >=1.9.0
  Depends on vulnerable versions of axios
  node_modules/localtunnel
    browser-sync  >=1.5.0
    Depends on vulnerable versions of eazy-logger
    Depends on vulnerable versions of localtunnel
    Depends on vulnerable versions of send
    Depends on vulnerable versions of serve-static
    node_modules/browser-sync
      @11ty/eleventy  <=2.0.0-canary.18
      Depends on vulnerable versions of browser-sync
      Depends on vulnerable versions of liquidjs
      node_modules/@11ty/eleventy

eazy-logger  *
Severity: high
eazy-logger prototype pollution - https://github.com/advisories/GHSA-r7jx-5m6m-cpg9
fix available via `npm audit fix --force`
Will install @11ty/eleventy@3.0.0, which is a breaking change
node_modules/eazy-logger

liquidjs  <10.0.0
Severity: moderate
liquidjs may leak properties of a prototype - https://github.com/advisories/GHSA-45rm-2893-5f49
fix available via `npm audit fix --force`
Will install @11ty/eleventy@3.0.0, which is a breaking change
node_modules/liquidjs

send  <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via `npm audit fix --force`
Will install @11ty/eleventy@3.0.0, which is a breaking change
node_modules/send
  serve-static  <=1.16.0
  Depends on vulnerable versions of send
  node_modules/serve-static


8 vulnerabilities (2 low, 4 moderate, 2 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

To Reproduce
Steps to reproduce the behavior:

  1. git clone
  2. npm install
  3. npm audit fix
  4. See error

Expected behavior
I was hoping for there to not still be vulnerabilities listed.

@innomadic innomadic added the bug Something isn't working label Feb 19, 2025
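The report above shows why a plain `npm audit fix` leaves these findings in place: every fix is a semver-major bump of `@11ty/eleventy`, which npm only applies with `--force`. The following script is an added example, not part of this project or this issue; it parses the JSON form of the same report (`npm audit --json`, the auditReportVersion 2 shape of npm 7+) and, for each finding at or above a chosen severity, walks the `effects` chain up to the direct dependency that has to change. The embedded report is a constructed, trimmed sample mirroring the chain quoted in the issue.

```python
import json

# Constructed sample in the `npm audit --json` (auditReportVersion 2) shape,
# trimmed to the axios -> localtunnel -> browser-sync -> @11ty/eleventy chain.
FIX = {"name": "@11ty/eleventy", "version": "3.0.0", "isSemVerMajor": True}
SAMPLE = json.dumps({"vulnerabilities": {
    "axios": {"severity": "moderate", "isDirect": False,
              "effects": ["localtunnel"], "fixAvailable": FIX},
    "localtunnel": {"severity": "moderate", "isDirect": False,
                    "effects": ["browser-sync"], "fixAvailable": FIX},
    "eazy-logger": {"severity": "high", "isDirect": False,
                    "effects": ["browser-sync"], "fixAvailable": FIX},
    "browser-sync": {"severity": "high", "isDirect": False,
                     "effects": ["@11ty/eleventy"], "fixAvailable": FIX},
    "@11ty/eleventy": {"severity": "high", "isDirect": True,
                       "effects": [], "fixAvailable": FIX},
}})

SEVERITY = ["info", "low", "moderate", "high", "critical"]

def root_chain(vulns, name):
    """Follow `effects` upward until a direct dependency (the package.json
    entry that actually pins the vulnerable subtree). Returns the path."""
    path, seen = [name], {name}
    while not vulns[path[-1]].get("isDirect") and vulns[path[-1]].get("effects"):
        nxt = vulns[path[-1]]["effects"][0]
        if nxt in seen:                      # guard against cyclic effects data
            break
        seen.add(nxt)
        path.append(nxt)
    return path

def triage(report_json, min_severity="high"):
    """Split findings at or above min_severity into those a plain
    `npm audit fix` resolves and those needing --force (a semver-major bump
    of a direct dependency). Returns (fixable, {"<dep>@<ver>": [chains]})."""
    vulns = json.loads(report_json)["vulnerabilities"]
    fixable, forced = [], {}
    for name, v in vulns.items():
        if SEVERITY.index(v["severity"]) < SEVERITY.index(min_severity):
            continue
        fix = v.get("fixAvailable")
        if isinstance(fix, dict) and fix.get("isSemVerMajor"):
            key = f"{fix['name']}@{fix['version']}"
            forced.setdefault(key, []).append(" -> ".join(root_chain(vulns, name)))
        elif fix:                            # True, or a non-major bump
            fixable.append(name)
    return fixable, forced

if __name__ == "__main__":
    fixable, forced = triage(SAMPLE, "moderate")
    print("plain `npm audit fix` resolves:", fixable or "nothing")
    for dep, chains in forced.items():
        print(f"needs --force (upgrade {dep}):", *chains, sep="\n  ")
```

Run it against a real report with `npm audit --json > audit.json` and `triage(open("audit.json").read())`; an empty `fixable` list with everything under one `forced` key is exactly the situation the issue describes.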
@innomadic

So, despite the warnings about these being breaking changes, I was able to just force it and still get a working build. Maybe the problem in my original repo was related to some customization I made. So I guess this could be closed or perhaps the package versions could be updated in the source repo?

@innomadic

Returning to this, it seems like there is an issue, which is that the layouts for the notes no longer get rendered after running the upgrade.

Strangely, it seems like changing note.html triggers a re-build for the notes, but the notes don't actually include the template.
