Prisma•2y ago

Vulnerabilities That Won't Be Fixed

Hi, when I was trying to run

npm install prisma --save-dev

npm install prisma --save-dev

I keep getting 15 vulnerabilities. And if I try to run

npm audit fix --force

npm audit fix --force

, I still get the vulnerabilities.

Solution

None of those packages are Prisma packages. I would reach out to those maintainers.

Jump to solution

adam boukhris

A

adam boukhris•6/7/24, 11:24 PM

What node -v are you using ?

Xarus

X

XarusOP•6/7/24, 11:27 PM

v20.14.0

adam boukhris

A

adam boukhris•6/7/24, 11:30 PM

Did you try to ask gpt?

adam boukhris

A

adam boukhris•6/7/24, 11:30 PM

Also try without the --save-dev

Xarus

X

XarusOP•6/7/24, 11:36 PM

Without --save-dev it's giving the same issue

Xarus

X

XarusOP•6/7/24, 11:37 PM

Nothing from gpt has seemed to work for me

jonfanz

J

jonfanz•6/7/24, 11:56 PM

I would not worry too much about this.

But, to make sure we cover our bases: could you please post the output from

npm audit

npm audit

?

Jan Piotrowski (janpio)

J

Jan Piotrowski (janpio)•6/8/24, 8:48 AM

There are not vulnerabilities in Prisma:

Jan Piotrowski (janpio)

J

Jan Piotrowski (janpio)•6/8/24, 8:48 AM

Is the command amybe reporting also all the ones from other packages already installed in your project?

Jan Piotrowski (janpio)

J

Jan Piotrowski (janpio)•6/8/24, 8:50 AM

Yes, that is the case. This is what happens in a new project where I install the that is mentioned in your output above:

Suddenly the output changes based on the other packages that are installed.

jonfanz

Jjonfanz I would not worry too much about this. But, to make sure we cover our bases: c...

Xarus

X

XarusOP•6/10/24, 5:38 PM

Xarus

XXarus ```rywong@Rys-MacBook-Air nextjs_sample-main_2 % npm audit # npm...

Xarus

X

XarusOP•6/10/24, 5:38 PM

Xarus

X

XarusOP•6/10/24, 5:39 PM

Solution

jonfanz

J

jonfanz•6/10/24, 5:39 PM

None of those packages are Prisma packages. I would reach out to those maintainers.

Xarus

X

XarusOP•6/10/24, 5:41 PM

Ok

Xarus

X

XarusOP•6/10/24, 5:41 PM

Thanks for your help

C:\Users\Jan\Documents\throwaway\vuln>npm install prisma
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'follow@0.12.1',
npm WARN EBADENGINE   required: { node: '0.12.x || 0.10.x || 0.8.x' },
npm WARN EBADENGINE   current: { node: 'v20.10.0', npm: '10.2.3' }
npm WARN EBADENGINE }

added 6 packages, and audited 67 packages in 4s

10 vulnerabilities (3 moderate, 7 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details

C:\Users\Jan\Documents\throwaway\vuln>npm install prisma
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: 'follow@0.12.1',
npm WARN EBADENGINE   required: { node: '0.12.x || 0.10.x || 0.8.x' },
npm WARN EBADENGINE   current: { node: 'v20.10.0', npm: '10.2.3' }
npm WARN EBADENGINE }

added 6 packages, and audited 67 packages in 4s

10 vulnerabilities (3 moderate, 7 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details

rywong@Rys-MacBook-Air nextjs_sample-main_2 % npm audit                
# npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/bl
  request  *
  Depends on vulnerable versions of bl
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
    follow  *
    Depends on vulnerable versions of request
    node_modules/follow
      clerk  >=0.2.0
      Depends on vulnerable versions of follow
      Depends on vulnerable versions of superagent
      node_modules/clerk

cookiejar  <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/cookiejar
  superagent  <=3.6.3
  Depends on vulnerable versions of cookiejar
  Depends on vulnerable versions of extend
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of qs
  node_modules/superagent

extend  3.0.0 - 3.0.1
Severity: moderate
Prototype Pollution in extend - https://github.com/advisories/GHSA-qrmc-fj45-qfc2
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/extend

rywong@Rys-MacBook-Air nextjs_sample-main_2 % npm audit                
# npm audit report

bl  <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/bl
  request  *
  Depends on vulnerable versions of bl
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of qs
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
    follow  *
    Depends on vulnerable versions of request
    node_modules/follow
      clerk  >=0.2.0
      Depends on vulnerable versions of follow
      Depends on vulnerable versions of superagent
      node_modules/clerk

cookiejar  <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/cookiejar
  superagent  <=3.6.3
  Depends on vulnerable versions of cookiejar
  Depends on vulnerable versions of extend
  Depends on vulnerable versions of mime
  Depends on vulnerable versions of qs
  node_modules/superagent

extend  3.0.0 - 3.0.1
Severity: moderate
Prototype Pollution in extend - https://github.com/advisories/GHSA-qrmc-fj45-qfc2
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/extend

hawk  <=9.0.0
Severity: high
Regular Expression Denial of Service in hawk - https://github.com/advisories/GHSA-jcpv-g9rr-qxrc
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hawk

hoek  *
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
hoek subject to prototype pollution via the clone function. - https://github.com/advisories/GHSA-c429-5p7v-vgjp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hoek
  boom  <=3.1.2
  Depends on vulnerable versions of hoek
  node_modules/boom
    cryptiles  <=2.0.5
    Depends on vulnerable versions of boom
    node_modules/cryptiles
  sntp  0.0.0 || 0.1.1 - 2.0.0
  Depends on vulnerable versions of hoek
  node_modules/sntp

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/mime

qs  <=6.2.3
Severity: high
Prototype Pollution Protection Bypass in qs - https://github.com/advisories/GHSA-gqgv-6jq5-jjj9
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/qs
node_modules/superagent/node_modules/qs

hawk  <=9.0.0
Severity: high
Regular Expression Denial of Service in hawk - https://github.com/advisories/GHSA-jcpv-g9rr-qxrc
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hawk

hoek  *
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
hoek subject to prototype pollution via the clone function. - https://github.com/advisories/GHSA-c429-5p7v-vgjp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hoek
  boom  <=3.1.2
  Depends on vulnerable versions of hoek
  node_modules/boom
    cryptiles  <=2.0.5
    Depends on vulnerable versions of boom
    node_modules/cryptiles
  sntp  0.0.0 || 0.1.1 - 2.0.0
  Depends on vulnerable versions of hoek
  node_modules/sntp

mime  <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/mime

qs  <=6.2.3
Severity: high
Prototype Pollution Protection Bypass in qs - https://github.com/advisories/GHSA-gqgv-6jq5-jjj9
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/qs
node_modules/superagent/node_modules/qs

tunnel-agent  <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/tunnel-agent

15 vulnerabilities (6 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force

tunnel-agent  <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/tunnel-agent

15 vulnerabilities (6 moderate, 9 high)

To address all issues (including breaking changes), run:
  npm audit fix --force