Vulnerabilities That Won't Be Fixed
Hi, when I try to run npm install prisma --save-dev I keep getting 15 vulnerabilities. And if I try to run npm audit fix --force, I still get the vulnerabilities.
9 Replies
What node -v are you using?
v20.14.0
Did you try to ask gpt?
Also try without the --save-dev
Without --save-dev it's giving the same issue
Nothing from gpt has seemed to work for me
I would not worry too much about this.
But, to make sure we cover our bases: could you please post the output from npm audit?
There are no vulnerabilities in Prisma:
>npm install prisma
added 6 packages, and audited 7 packages in 7s
found 0 vulnerabilities
>npm audit
found 0 vulnerabilities
>node -v
v20.10.0
Is the command maybe reporting also all the ones from other packages already installed in your project?
rywong@Rys-MacBook-Air nextjs_sample-main_2 % npm audit
# npm audit report
bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/bl
request *
Depends on vulnerable versions of bl
Depends on vulnerable versions of hawk
Depends on vulnerable versions of qs
Depends on vulnerable versions of tunnel-agent
node_modules/request
follow *
Depends on vulnerable versions of request
node_modules/follow
clerk >=0.2.0
Depends on vulnerable versions of follow
Depends on vulnerable versions of superagent
node_modules/clerk
cookiejar <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cookiejar
superagent <=3.6.3
Depends on vulnerable versions of cookiejar
Depends on vulnerable versions of extend
Depends on vulnerable versions of mime
Depends on vulnerable versions of qs
node_modules/superagent
extend 3.0.0 - 3.0.1
Severity: moderate
Prototype Pollution in extend - https://github.com/advisories/GHSA-qrmc-fj45-qfc2
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/extend
hawk <=9.0.0
Severity: high
Regular Expression Denial of Service in hawk - https://github.com/advisories/GHSA-jcpv-g9rr-qxrc
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/hawk
hoek *
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
hoek subject to prototype pollution via the clone function. - https://github.com/advisories/GHSA-c429-5p7v-vgjp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/hoek
boom <=3.1.2
Depends on vulnerable versions of hoek
node_modules/boom
cryptiles <=2.0.5
Depends on vulnerable versions of boom
node_modules/cryptiles
sntp 0.0.0 || 0.1.1 - 2.0.0
Depends on vulnerable versions of hoek
node_modules/sntp
mime <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mime
qs <=6.2.3
Severity: high
Prototype Pollution Protection Bypass in qs - https://github.com/advisories/GHSA-gqgv-6jq5-jjj9
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/qs
node_modules/superagent/node_modules/qs
tunnel-agent <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tunnel-agent
15 vulnerabilities (6 moderate, 9 high)
To address all issues (including breaking changes), run:
npm audit fix --force
Yes, that is the case. This is what happens in a new project where I install the [email protected] that is mentioned in your output above:
C:\Users\Jan\Documents\throwaway\vuln>npm install prisma
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: '[email protected]',
npm WARN EBADENGINE required: { node: '0.12.x || 0.10.x || 0.8.x' },
npm WARN EBADENGINE current: { node: 'v20.10.0', npm: '10.2.3' }
npm WARN EBADENGINE }
added 6 packages, and audited 67 packages in 4s
10 vulnerabilities (3 moderate, 7 high)
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details
Suddenly the npm install prisma output changes based on the other packages that are installed.
Solution
None of those packages are Prisma packages. I would reach out to those maintainers.
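To work out which maintainers those are, here is an added example (not code from the thread or from Prisma) that walks an `npm audit --json` report from each advisory up its `effects` chain to the direct dependency that pulls it in; the report object is constructed to mirror the audit output above, and the `findRoots`, `attributeAdvisories` and `rootsToContact` names are my own.

```javascript
// Added example (not code from the thread or from Prisma): attribute each
// entry of an `npm audit --json` report (auditReportVersion 2) to the direct
// dependency that pulls it in, so you know whose maintainer to contact.
// SAMPLE_AUDIT is CONSTRUCTED to mirror the bl/request/follow/clerk and
// qs/superagent/clerk chains in the thread; it is not real npm output.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    bl: { severity: "moderate", isDirect: false, effects: ["request"],
      via: [{ title: "Remote Memory Exposure in bl",
              url: "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" }] },
    request: { severity: "moderate", isDirect: false, effects: ["follow"], via: ["bl", "qs"] },
    follow: { severity: "moderate", isDirect: false, effects: ["clerk"], via: ["request"] },
    qs: { severity: "high", isDirect: false, effects: ["request", "superagent"],
      via: [{ title: "qs vulnerable to Prototype Pollution",
              url: "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }] },
    superagent: { severity: "high", isDirect: false, effects: ["clerk"], via: ["qs"] },
    clerk: { severity: "high", isDirect: true, effects: [], via: ["follow", "superagent"] },
  },
};

// Walk `effects` (the packages that depend on this one) upward until we reach
// a direct dependency or a package nothing else depends on: the root to blame.
function findRoots(vulns, name, seen = new Set()) {
  if (seen.has(name)) return [];            // cycle / already-walked guard
  seen.add(name);
  const entry = vulns[name];
  if (!entry || entry.isDirect || entry.effects.length === 0) return [name];
  return [...new Set(entry.effects.flatMap((dep) => findRoots(vulns, dep, seen)))];
}

// Group advisories (object entries in `via`; string entries are just the names
// of vulnerable dependencies) under the direct dependency responsible for them.
function attributeAdvisories(report) {
  const vulns = report.vulnerabilities;
  const byRoot = {};
  for (const [name, entry] of Object.entries(vulns)) {
    const advisories = entry.via.filter((v) => typeof v === "object");
    if (advisories.length === 0) continue;  // only "depends on vulnerable versions"
    for (const root of findRoots(vulns, name)) {
      byRoot[root] = (byRoot[root] || []).concat(advisories.map((a) => `${name}: ${a.title}`));
    }
  }
  return byRoot;
}

// Prisma ships `prisma` and the `@prisma/*` scope; anything else is someone else's.
const isPrismaPackage = (name) => name === "prisma" || name.startsWith("@prisma/");
const rootsToContact = (report) =>
  Object.keys(attributeAdvisories(report)).filter((root) => !isPrismaPackage(root));
```

Feed it the parsed output of `npm audit --json` from your own project and every advisory lands under the direct dependency (here `clerk`) whose maintainer can actually fix it.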
Ok
Thanks for your help