As of right now, installing this plugin results in the following npm audit report as shown below. These upgrades / fixes already exist as pull requests via Dependabot; it's just a matter of merging them. I'm not sure who the right person to speak to would be here, so I'm just tagging the last 3 people who have merged something with this project in the hopes that it gets some visibility. @sebastianbenz @patrickkettner @saschazar21
Also, would you be able to provide any kind of statement as to whether this project is under any kind of maintenance? It's not immediately clear, and I just wanted to check before proceeding with using it at all.
Thank you for the effort you have put into it already :)
npm audit report
cross-fetch <=2.2.3 || 2.2.5 || 3.0.0 - 3.1.4 || >=3.2.0-alpha.0
Severity: high
Incorrect Authorization in cross-fetch - GHSA-7gc6-qh9x-w6h8
Depends on vulnerable versions of node-fetch
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/cross-fetch
@ampproject/toolbox-core 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-core
@ampproject/toolbox-cache-list 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-cache-list
@ampproject/toolbox-optimizer 2.0.0-alpha.0 - 2.8.10
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of @ampproject/toolbox-validator-rules
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-optimizer
@ampproject/toolbox-runtime-fetch *
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of node-fetch
node_modules/@ampproject/toolbox-runtime-fetch
@ampproject/eleventy-plugin-amp >=0.3.0
Depends on vulnerable versions of @11ty/eleventy-img
Depends on vulnerable versions of @ampproject/toolbox-runtime-fetch
node_modules/@ampproject/eleventy-plugin-amp
@ampproject/toolbox-runtime-version 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-runtime-version
@ampproject/toolbox-validator-rules <=2.5.4 || 2.7.4 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-validator-rules
node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/@ampproject/toolbox-runtime-fetch/node_modules/node-fetch
node_modules/cross-fetch/node_modules/node-fetch
sharp <0.30.5
Severity: moderate
Possible vulnerability in sharp at 'npm install' time if an attacker has control over build environment - GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/sharp
@11ty/eleventy-img <=1.0.1-beta.1
Depends on vulnerable versions of sharp
node_modules/@11ty/eleventy-img
11 vulnerabilities (7 moderate, 4 high)
Thanks for flagging this! I just made a new release with updated dependencies.
> Also, would you be able to provide any kind of statement as to whether this project is under any kind of maintenance? It's not immediately clear, and I just wanted to check before proceeding with using it at all.
We currently don't have any plans to work on new features.