Audit vulnerabilities detected in the babelplugintransformdecoratorslegacy project on Tag: v1.3.5

[mahirkabir]

Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:

npm audit report

braces <2.3.1
Regular Expression Denial of Service - https://npmjs.com/advisories/786
No fix available
node_modules/braces
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
babel-cli *
Depends on vulnerable versions of chokidar
node_modules/babel-cli

debug <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mocha/node_modules/debug
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/diff
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
No fix available
node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of anymatch
Depends on vulnerable versions of glob-parent
node_modules/chokidar
babel-cli *
Depends on vulnerable versions of chokidar
node_modules/babel-cli
glob-base *
Depends on vulnerable versions of glob-parent
node_modules/glob-base
parse-glob >=2.1.0
Depends on vulnerable versions of glob-base
node_modules/parse-glob
micromatch 0.2.0 - 2.3.11
Depends on vulnerable versions of braces
Depends on vulnerable versions of parse-glob
node_modules/micromatch
anymatch 1.2.0 - 1.3.2
Depends on vulnerable versions of micromatch
node_modules/anymatch

growl <1.10.2
Severity: critical
Command Injection - https://npmjs.com/advisories/146
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/growl
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mocha/node_modules/minimatch
glob 3.0.0 - 5.0.14
Depends on vulnerable versions of minimatch
node_modules/mocha/node_modules/glob
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/mocha/node_modules/minimist
mkdirp 0.4.1 - 0.5.1
Depends on vulnerable versions of minimist
node_modules/mocha/node_modules/mkdirp
mocha 0.6.0 - 6.2.2 || 7.0.0-esm1 - 7.1.0
Depends on vulnerable versions of debug
Depends on vulnerable versions of diff
Depends on vulnerable versions of glob
Depends on vulnerable versions of growl
Depends on vulnerable versions of mkdirp
node_modules/mocha

16 vulnerabilities (5 low, 6 moderate, 3 high, 2 critical)

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:

1. Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].

Steps to reproduce:

• Go to the root folder of the project where the package.json file located
• Execute “npm audit”
• Look at the list of vulnerabilities reported

Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.

References:
2019. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
2021. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.