
npm audit --fix fails #15174

Closed

@SchoolGuy

What happened?

Due to GHSA-pxg6-pf52-xh8x, Jitsi currently cannot be installed from source.

cookie  <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
No fix available
node_modules/cookie
  express  >=3.0.0-alpha1
  Depends on vulnerable versions of cookie
  node_modules/express
    webpack-dev-server  *
    Depends on vulnerable versions of express
    node_modules/webpack-dev-server

3 low severity vulnerabilities

Platform

  • Chrome (or Chromium based)
  • Firefox
  • Safari
  • Other desktop browser
  • Android browser
  • iOS browser
  • Electron app
  • Android mobile app
  • iOS mobile app
  • Custom app using a mobile SDK

Browser / app / sdk version

2.0.9753

Relevant log output

No response

Reproducibility

  • The problem is reproducible on meet.jit.si

More details?

When webpack-dev-server has updated to a version of express that is not vulnerable anymore, the fix is as simple as increasing the version in package.json.

Express already has a PR that addresses that. As such this is already in motion: expressjs/express#6017
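The dependency chain in the audit output above can also be read from `npm audit --json`. The following is an added example, not part of the original issue or of the Jitsi code base: it follows the `effects` edges of the JSON report from the package carrying the advisory up to the direct dependency whose version in package.json has to change. The `sampleReport` object is constructed from the three packages listed above, `blockingChains` is a hypothetical helper name, and `isDirect: true` for webpack-dev-server is an assumption.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// filled in from the three packages in the report above.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    cookie: {
      name: "cookie", severity: "low", isDirect: false, range: "<0.7.0",
      via: [{ name: "cookie", range: "<0.7.0",
              url: "https://github.com/advisories/GHSA-pxg6-pf52-xh8x" }],
      effects: ["express"], fixAvailable: false,
    },
    express: {
      name: "express", severity: "low", isDirect: false, range: ">=3.0.0-alpha1",
      via: ["cookie"], effects: ["webpack-dev-server"], fixAvailable: false,
    },
    "webpack-dev-server": {
      name: "webpack-dev-server", severity: "low", isDirect: true, range: "*", // assumed direct
      via: ["express"], effects: [], fixAvailable: false,
    },
  },
};

// Walk from every package that carries an advisory itself (an object entry in
// `via`) along `effects` to the direct dependencies; one result per path.
function blockingChains(report) {
  const vulns = report.vulnerabilities || {};
  const chains = [];
  const walk = (name, path, advisories) => {
    const v = vulns[name];
    if (!v || path.includes(name)) return; // unknown package or cycle
    const chain = [...path, name];
    const parents = (v.effects || []).filter((p) => vulns[p]);
    if (v.isDirect || parents.length === 0) {
      // fixAvailable is `false`, `true`, or an object describing the fix.
      chains.push({ advisories, chain, direct: name,
                    fixAvailable: Boolean(v.fixAvailable) });
    }
    parents.forEach((p) => walk(p, chain, advisories));
  };
  for (const v of Object.values(vulns)) {
    const urls = (v.via || []).filter((x) => typeof x === "object").map((x) => x.url);
    if (urls.length > 0) walk(v.name, [], urls);
  }
  return chains;
}

console.log(JSON.stringify(blockingChains(sampleReport), null, 2));
```

A chain whose `fixAvailable` is false matches the "No fix available" line in the text report: the direct dependency has no release yet that pulls in a patched version.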
