While I don't believe any of these are exploitable in the context of this cli, they are a nuisance since non-breaking patches are available and security policies can make these expensive to ignore.
`npm audit` output as of 2024-05-05:

```text
# npm audit report

debug  4.0.0 - 4.3.0
Regular Expression Denial of Service in debug - https://github.com/advisories/GHSA-gxpj-cx7g-858c
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/@vercel/fun/node_modules/debug
  @vercel/fun  *
  Depends on vulnerable versions of debug
  Depends on vulnerable versions of semver
  Depends on vulnerable versions of tar
  node_modules/@vercel/fun
    vercel  28.12.3 || 29.0.1 - 29.0.3 || >=32.0.2
    Depends on vulnerable versions of @vercel/fun
    Depends on vulnerable versions of @vercel/node
    node_modules/vercel

semver  7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/@vercel/fun/node_modules/semver

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/tar

undici  <=5.28.3
Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline - https://github.com/advisories/GHSA-m4v8-wqvr-p9f7
Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - https://github.com/advisories/GHSA-9qxr-qj54-h672
Undici proxy-authorization header not cleared on cross-origin redirect in fetch - https://github.com/advisories/GHSA-3787-6prv-h9w3
fix available via `npm audit fix --force`
Will install vercel@32.3.0, which is a breaking change
node_modules/undici
  @vercel/node  2.14.0 || >=3.0.2
  Depends on vulnerable versions of undici
  node_modules/@vercel/node

7 vulnerabilities (3 low, 4 moderate)

To address all issues (including breaking changes), run:
  npm audit fix --force
```
The latest version of the `vercel` cli is pulling in packages with known vulnerabilities that have available patches.

Current vulnerabilities:

- debug v4.1.1, via `@vercel/fun` ([cli] Update `@vercel/fun` to v1.1.1 #11332)
- semver v7.3.5, via `@vercel/fun` ([cli] Update `@vercel/fun` to v1.1.1 #11332)
- tar v4.4.18, via `@vercel/fun`
- undici v5.26.5, via `@vercel/node`
Related issues and pull requests:

- tar for security fun#104
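The report above is the human-readable form; the same data is available as `npm audit --json`, which is what a policy check would consume. The following is an added example, not code from the issue or the vercel project: it walks the JSON schema npm 7+ emits (`vulnerabilities`, `via`, `fixAvailable.isSemVerMajor`) to separate packages that carry their own advisory from those that are only vulnerable through a dependency, and to flag the cases where, as here, the only fix npm offers is a semver-major bump. The sample object is constructed to mirror part of the page's report, not captured output.

```javascript
// Sample constructed to mirror part of the report on this page (tar, undici, @vercel/node).
// `via` holds advisory objects for packages with their own advisory and bare package names
// for packages vulnerable only through a dependency; `fixAvailable` is true, false, or an
// object whose `isSemVerMajor` flag marks the `--force` fix as a breaking change.
const sampleAudit = {
  vulnerabilities: {
    tar: {
      name: 'tar', severity: 'moderate', isDirect: false, range: '<6.2.1',
      via: [{ title: 'Denial of service while parsing a tar file',
              url: 'https://github.com/advisories/GHSA-f5x3-32g6-xq36' }],
      fixAvailable: { name: 'vercel', version: '32.3.0', isSemVerMajor: true },
    },
    undici: {
      name: 'undici', severity: 'low', isDirect: false, range: '<=5.28.3',
      via: [{ title: 'Proxy-Authorization header not cleared on cross-origin redirect',
              url: 'https://github.com/advisories/GHSA-3787-6prv-h9w3' }],
      fixAvailable: { name: 'vercel', version: '32.3.0', isSemVerMajor: true },
    },
    '@vercel/node': {
      name: '@vercel/node', severity: 'low', isDirect: false, range: '2.14.0 || >=3.0.2',
      via: ['undici'],
      fixAvailable: { name: 'vercel', version: '32.3.0', isSemVerMajor: true },
    },
  },
};

// Split entries into: own advisory with a non-breaking fix, own advisory where the only
// fix npm offers is a semver-major bump, vulnerable only through a dependency, or no fix.
function triage(audit) {
  const out = { nonBreaking: [], breaking: [], transitive: [], unfixable: [] };
  for (const v of Object.values(audit.vulnerabilities)) {
    const ownAdvisories = v.via.filter((x) => typeof x === 'object');
    if (ownAdvisories.length === 0) { out.transitive.push(v.name); continue; }
    if (v.fixAvailable === false) { out.unfixable.push(v.name); continue; }
    const breaking = typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true;
    (breaking ? out.breaking : out.nonBreaking).push(v.name);
  }
  return out;
}

// Reproduce the report's closing count line, e.g. "7 vulnerabilities (3 low, 4 moderate)",
// listing severities in npm's order and omitting the ones with a zero count.
function summarize(audit) {
  const entries = Object.values(audit.vulnerabilities);
  const counts = {};
  for (const v of entries) counts[v.severity] = (counts[v.severity] || 0) + 1;
  const parts = ['info', 'low', 'moderate', 'high', 'critical']
    .filter((s) => counts[s]).map((s) => `${counts[s]} ${s}`);
  return `${entries.length} vulnerabilities (${parts.join(', ')})`;
}
```

Run against a real `npm audit --json` dump (`JSON.parse(fs.readFileSync(...))`), the `breaking` bucket is the list a policy exception would have to cover until the upstream dependency is updated.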