[SECURITY] Please merge fixes for vulnerable dependencies #112

Open
mhoad opened this issue Jun 23, 2022 · 1 comment

Comments


mhoad commented Jun 23, 2022

As of right now, installing this plugin results in the following npm audit report as shown below. These upgrades / fixes already exist as pull requests via dependabot; it's just a matter of merging them. I'm not sure who the right person to speak to would be here, so I'm just tagging the last 3 people who have merged something with this project in the hopes that it gets some visibility. @sebastianbenz @patrickkettner @saschazar21

Also, would you be able to provide any kind of statement as to whether this project is under any kind of maintenance? It's not immediately clear, and I just wanted to check before proceeding with using it at all.

Thank you for the effort you have put into it already :)

npm audit report

cross-fetch <=2.2.3 || 2.2.5 || 3.0.0 - 3.1.4 || >=3.2.0-alpha.0
Severity: high
Incorrect Authorization in cross-fetch - GHSA-7gc6-qh9x-w6h8
Depends on vulnerable versions of node-fetch
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/cross-fetch
@ampproject/toolbox-core 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-core
@ampproject/toolbox-cache-list 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-cache-list
@ampproject/toolbox-optimizer 2.0.0-alpha.0 - 2.8.10
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of @ampproject/toolbox-validator-rules
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-optimizer
@ampproject/toolbox-runtime-fetch *
Depends on vulnerable versions of @ampproject/toolbox-core
Depends on vulnerable versions of node-fetch
node_modules/@ampproject/toolbox-runtime-fetch
@ampproject/eleventy-plugin-amp >=0.3.0
Depends on vulnerable versions of @11ty/eleventy-img
Depends on vulnerable versions of @ampproject/toolbox-runtime-fetch
node_modules/@ampproject/eleventy-plugin-amp
@ampproject/toolbox-runtime-version 2.0.0-alpha.0 - 2.8.0
Depends on vulnerable versions of @ampproject/toolbox-core
node_modules/@ampproject/toolbox-runtime-version
@ampproject/toolbox-validator-rules <=2.5.4 || 2.7.4 - 2.8.0
Depends on vulnerable versions of cross-fetch
node_modules/@ampproject/toolbox-validator-rules

node-fetch <2.6.7
Severity: high
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - GHSA-r683-j2x4-v87g
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/@ampproject/toolbox-runtime-fetch/node_modules/node-fetch
node_modules/cross-fetch/node_modules/node-fetch

sharp <0.30.5
Severity: moderate
Possible vulnerability in sharp at 'npm install' time if an attacker has control over build environment - GHSA-gp95-ppv5-3jc5
fix available via npm audit fix --force
Will install @ampproject/[email protected], which is a breaking change
node_modules/sharp
@11ty/eleventy-img <=1.0.1-beta.1
Depends on vulnerable versions of sharp
node_modules/@11ty/eleventy-img

11 vulnerabilities (7 moderate, 4 high)
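The report above is the human-readable form of `npm audit`; the `--json` form (npm 7+) exposes the same chain as a graph of `via` and `effects` edges. As an added example that is not part of this issue or the plugin, the script below walks that graph to name the direct dependency behind each advisory and to gate on severity. The audit object is a constructed fragment mirroring the report, not a real run.

```javascript
// Added example (not from the issue or the project): walk `npm audit --json`
// output, trace each advisory up to the direct dependency that pulls it in,
// and list the ones at or above a severity threshold. SAMPLE_AUDIT is a
// constructed fragment shaped like the report in the issue.
const SAMPLE_AUDIT = {
  vulnerabilities: {
    "node-fetch": { severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-r683-j2x4-v87g" }],
      effects: ["cross-fetch"], fixAvailable: { isSemVerMajor: true } },
    "cross-fetch": { severity: "high",
      via: [{ url: "https://github.com/advisories/GHSA-7gc6-qh9x-w6h8" }, "node-fetch"],
      effects: ["@ampproject/toolbox-core"], fixAvailable: { isSemVerMajor: true } },
    "@ampproject/toolbox-core": { severity: "high", via: ["cross-fetch"],
      effects: ["@ampproject/eleventy-plugin-amp"], fixAvailable: { isSemVerMajor: true } },
    "@ampproject/eleventy-plugin-amp": { severity: "high",
      via: ["@ampproject/toolbox-core", "@11ty/eleventy-img"],
      effects: [], fixAvailable: { isSemVerMajor: true } },
    "sharp": { severity: "moderate",
      via: [{ url: "https://github.com/advisories/GHSA-gp95-ppv5-3jc5" }],
      effects: ["@11ty/eleventy-img"], fixAvailable: { isSemVerMajor: true } },
    "@11ty/eleventy-img": { severity: "moderate", via: ["sharp"],
      effects: ["@ampproject/eleventy-plugin-amp"], fixAvailable: { isSemVerMajor: true } },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Follow `effects` edges upward until a package with no dependents is reached;
// the shared `seen` set guards against cycles and keeps the result a plain set.
function rootDependents(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.effects.length === 0) return [name];
  return [...new Set(entry.effects.flatMap((e) => rootDependents(vulns, e, seen)))];
}

// Packages carrying their own advisory (an object in `via`, not just a
// transitive name) at or above `minSeverity`, with the direct dependency
// responsible and whether the available fix is a semver-major bump.
function failingAdvisories(audit, minSeverity = "high") {
  const vulns = audit.vulnerabilities;
  return Object.entries(vulns)
    .filter(([, v]) => SEVERITY_RANK[v.severity] >= SEVERITY_RANK[minSeverity])
    .filter(([, v]) => v.via.some((x) => typeof x === "object"))
    .map(([name, v]) => ({
      name, severity: v.severity,
      advisory: v.via.find((x) => typeof x === "object").url,
      roots: rootDependents(vulns, name),
      breakingFix: Boolean(v.fixAvailable && v.fixAvailable.isSemVerMajor),
    }));
}
```

In CI, pipe `npm audit --json` into `failingAdvisories` and fail the job when the list is non-empty; the `roots` field tells you which direct dependency's bump (here the plugin itself) clears the whole chain.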

@sebastianbenz
Collaborator

Thanks for flagging this! I just made a new release with updated dependencies.

> Also would you be able to provide any kind of statement as to if this project is under any kind of maintenance, it's not immediately clear and I just wanted to check before proceeding with using it at all.

We currently don't have any plans to work on new features.
