
Upgrade dependencies to mitigate vulnerabilities#39

Open
rowlanch wants to merge 4 commits into moneals:master from rowlanch:rowlanch/upgrade-deps

Conversation

@rowlanch
Copy link

NPM audit and Docker Scout report multiple critical and high severity vulnerabilities for the addresser package. This PR upgrades dependencies in both the root and utils dependencies.

See below for the results of npm audit.

Vulnerabilities in the base dependencies:

~/repos/addresser master*
❯ npm audit
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

get-func-name  <2.0.1
Severity: high
Chaijs/get-func-name vulnerable to ReDoS - https://github.com/advisories/GHSA-4q6p-r6v2-jvc5
fix available via `npm audit fix`
node_modules/get-func-name

nanoid  <3.3.8
Severity: moderate
Predictable results in nanoid generation when given non-integer values - https://github.com/advisories/GHSA-mwcw-c2x4-8c55
fix available via `npm audit fix`
node_modules/nanoid
  mocha  8.2.0 - 10.5.2
  Depends on vulnerable versions of nanoid
  Depends on vulnerable versions of serialize-javascript
  node_modules/mocha

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  coveralls  *
  Depends on vulnerable versions of request
  node_modules/coveralls

serialize-javascript  6.0.0 - 6.0.1
Severity: moderate
Cross-site Scripting (XSS) in serialize-javascript - https://github.com/advisories/GHSA-76p7-773f-r4q5
fix available via `npm audit fix`
node_modules/serialize-javascript

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

word-wrap  <1.2.4
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap

9 vulnerabilities (7 moderate, 2 high)

Vulnerabilities in the utils dependencies:

~/repos/addresser/utils master*
❯ npm audit
# npm audit report

ajv  <6.12.3
Severity: moderate
Prototype Pollution in Ajv - https://github.com/advisories/GHSA-v88g-cgmw-v5xw
fix available via `npm audit fix`
node_modules/ajv
  har-validator  3.3.0 - 5.1.0
  Depends on vulnerable versions of ajv
  node_modules/har-validator

fstream  <1.0.12
Severity: high
Arbitrary File Overwrite in fstream - https://github.com/advisories/GHSA-xf7w-r453-m56c
fix available via `npm audit fix`
node_modules/unzipper/node_modules/fstream

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install package.json@0.0.0, which is a breaking change
node_modules/got
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/package-json
    package.json  >=1.0.0
    Depends on vulnerable versions of git-package-json
    Depends on vulnerable versions of git-source
    Depends on vulnerable versions of package-json
    node_modules/package.json

gry  <6.0.0
Severity: high
gry vulnerable to Command Injection - https://github.com/advisories/GHSA-w5mw-f2hq-5fw8
fix available via `npm audit fix`
node_modules/gry
  git-package-json  *
  Depends on vulnerable versions of gry
  node_modules/git-package-json

hosted-git-info  <2.8.9
Severity: moderate
Regular Expression Denial of Service in hosted-git-info - https://github.com/advisories/GHSA-43f8-2h32-f4cj
fix available via `npm audit fix`
node_modules/hosted-git-info

ini  <1.3.6
Severity: high
ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/ini

json-schema  <0.4.0
Severity: critical
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix`
node_modules/json-schema
  jsprim  0.3.0 - 1.4.1 || 2.0.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim

minimatch  <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix`
node_modules/minimatch

minimist  <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
fix available via `npm audit fix`
node_modules/minimist
node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/mkdirp

parse-url  <=8.0.0
Severity: critical
Cross site scripting in parse-url - https://github.com/advisories/GHSA-q6wq-5p59-983w
Server-Side Request Forgery in parse-url - https://github.com/advisories/GHSA-7f3x-x4pr-wqhj
Cross site scripting in parse-url - https://github.com/advisories/GHSA-jpp7-7chh-cf67
Hostname confusion in parse-url - https://github.com/advisories/GHSA-4p35-cfcx-8653
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing - https://github.com/advisories/GHSA-pqw5-jmp5-px4v
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url - https://github.com/advisories/GHSA-j9fq-vwqv-2fm2
fix available via `npm audit fix`
node_modules/parse-url
  git-up  <=6.0.0
  Depends on vulnerable versions of parse-url
  node_modules/git-up
    git-url-parse  4.0.0 - 12.0.0
    Depends on vulnerable versions of git-up
    node_modules/git-url-parse
      git-source  *
      Depends on vulnerable versions of git-url-parse
      node_modules/git-source

path-parse  <1.0.7
Severity: moderate
Regular Expression Denial of Service in path-parse - https://github.com/advisories/GHSA-hj48-42vr-x3v9
fix available via `npm audit fix`
node_modules/path-parse

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

semver  <5.7.2
Severity: high
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/semver

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

23 vulnerabilities (8 moderate, 6 high, 9 critical)
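
The two reports above mix three kinds of finding that need different handling: entries that `npm audit fix` can resolve, entries that need `--force` because the fix is a semver-major bump (got, where npm warns it would install package.json@0.0.0), and entries with no fix at all (request and tough-cookie, reachable only through coveralls). The script below is an added example, not code from this PR or from the addresser project. It reads the JSON form of the same report and sorts findings into those three buckets, and for each unfixable finding walks the `effects` edges up to the direct dependency that pulls it in, which is the package a maintainer actually has to replace or bump. It assumes the `npm audit --json` schema with `auditReportVersion` 2, where `fixAvailable` is `true`, `false` or an object `{ name, version, isSemVerMajor }`, `via` mixes advisory objects with bare package names, and `effects` lists dependents. The sample report is constructed by hand from a handful of entries in the audits above (advisory objects trimmed to the fields the script reads); it is not captured output. The `shouldBlock` gate and its threshold are this example's own choice.

```javascript
// Added example (not from the addresser project): triage `npm audit --json`
// output into fix buckets and name the direct dependency behind each
// unfixable finding. Assumes the auditReportVersion 2 schema, where
// `fixAvailable` is true, false, or { name, version, isSemVerMajor }.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report, hand-built from entries in the PR's two audits
// (root: braces, nanoid/mocha, tough-cookie/request/coveralls; utils: got).
// Advisory objects are trimmed to the fields this script reads.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    braces: { name: 'braces', severity: 'high', isDirect: false, range: '<3.0.3',
      via: [{ name: 'braces', url: 'https://github.com/advisories/GHSA-grv7-fg5c-xmjg' }],
      effects: [], nodes: ['node_modules/braces'], fixAvailable: true },
    nanoid: { name: 'nanoid', severity: 'moderate', isDirect: false, range: '<3.3.8',
      via: [{ name: 'nanoid', url: 'https://github.com/advisories/GHSA-mwcw-c2x4-8c55' }],
      effects: ['mocha'], nodes: ['node_modules/nanoid'], fixAvailable: true },
    mocha: { name: 'mocha', severity: 'moderate', isDirect: true, range: '8.2.0 - 10.5.2',
      via: ['nanoid'], effects: [], nodes: ['node_modules/mocha'], fixAvailable: true },
    'tough-cookie': { name: 'tough-cookie', severity: 'moderate', isDirect: false, range: '<4.1.3',
      via: [{ name: 'tough-cookie', url: 'https://github.com/advisories/GHSA-72xf-g2v4-qvf3' }],
      effects: ['request'], nodes: ['node_modules/tough-cookie'], fixAvailable: false },
    request: { name: 'request', severity: 'moderate', isDirect: false, range: '*',
      via: [{ name: 'request', url: 'https://github.com/advisories/GHSA-p8p7-x288-28g6' }, 'tough-cookie'],
      effects: ['coveralls'], nodes: ['node_modules/request'], fixAvailable: false },
    coveralls: { name: 'coveralls', severity: 'moderate', isDirect: true, range: '*',
      via: ['request'], effects: [], nodes: ['node_modules/coveralls'], fixAvailable: false },
    got: { name: 'got', severity: 'moderate', isDirect: false, range: '<11.8.5',
      via: [{ name: 'got', url: 'https://github.com/advisories/GHSA-pfrx-2q88-qq97' }],
      effects: ['package-json'], nodes: ['node_modules/got'],
      fixAvailable: { name: 'package.json', version: '0.0.0', isSemVerMajor: true } },
  },
};

// Follow `effects` (package -> packages that depend on it) upward until we
// reach something declared in package.json. Returns the set of direct
// dependencies that transitively pull in `name`.
function directRoots(vulns, name, seen = new Set()) {
  const v = vulns[name];
  if (!v || seen.has(name)) return new Set();
  seen.add(name);
  // A direct dependency, or a node nothing else depends on, is a root.
  if (v.isDirect || v.effects.length === 0) return new Set([name]);
  const roots = new Set();
  for (const parent of v.effects) {
    for (const r of directRoots(vulns, parent, seen)) roots.add(r);
  }
  return roots;
}

// Sort every finding at or above `minSeverity` into the three buckets npm's
// human-readable output signals with "fix available via `npm audit fix`",
// "fix available via `npm audit fix --force`" and "No fix available".
function triageAudit(report, minSeverity = 'moderate') {
  const vulns = report.vulnerabilities;
  const out = { autoFix: [], breakingFix: [], noFix: [] };
  for (const v of Object.values(vulns)) {
    if (SEVERITY_RANK[v.severity] < SEVERITY_RANK[minSeverity]) continue;
    // `via` mixes advisory objects (this package is itself vulnerable) with
    // package names (vulnerable only through a dependency); keep the URLs.
    const advisories = v.via.filter(x => typeof x === 'object').map(x => x.url);
    const entry = { name: v.name, severity: v.severity, range: v.range, advisories };
    const fix = v.fixAvailable;
    if (fix === false) {
      out.noFix.push({ ...entry, roots: [...directRoots(vulns, v.name)].sort() });
    } else if (typeof fix === 'object' && fix.isSemVerMajor) {
      out.breakingFix.push({ ...entry, installs: `${fix.name}@${fix.version}` });
    } else {
      out.autoFix.push(entry);
    }
  }
  return out;
}

// Merge gate (this example's own policy): block when a finding at or above
// `blockAt` has no upstream fix, since `npm audit fix` cannot clear it and
// only replacing the root dependency will.
function shouldBlock(triage, blockAt = 'high') {
  return triage.noFix.some(e => SEVERITY_RANK[e.severity] >= SEVERITY_RANK[blockAt]);
}

const triage = triageAudit(sampleReport);
console.log(JSON.stringify(triage, null, 2));
console.log('block merge:', shouldBlock(triage));
```

To run it against a real tree, replace `sampleReport` with `JSON.parse(fs.readFileSync('audit.json'))` after `npm audit --json > audit.json` in the root and again in `utils/`. The `roots` field is the useful output for the "No fix available" lines above: for tough-cookie and request it resolves to coveralls, which is the direct dependency a maintainer would have to update or swap out rather than anything `npm audit fix` can touch.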

sokol8 added a commit to Repliers-io/addresser that referenced this pull request Aug 29, 2025