npm Audit #937

@thokich

Hello,
I have checked npm in the Docker container from the image evershop/evershop:2.1.1.

first of all, thank you for the great work on EverShop. I really like the modern architecture, PostgreSQL support, Docker integration and the overall developer experience.

While testing the current version, I noticed that npm audit reports a relatively high number of vulnerabilities in dependencies, including several high severity issues and at least one critical advisory (for example in Handlebars, Axios, lodash and multer).

I understand that many of these are transitive dependencies and not necessarily direct application vulnerabilities. However, from a security and production perspective, this may make some users hesitant to deploy EverShop publicly.

It would be great if dependency updates and security hardening could receive additional focus in future releases. EverShop has a lot of potential and improving the overall security posture would significantly increase confidence for production use.

Thank you again for your work and for building such an interesting modern commerce platform.

I will definitely continue to follow the project and future releases with great interest, because I really like the overall concept and modern technical approach.

docker exec -it evershop npm audit
50 vulnerabilities (1 low, 38 moderate, 10 high, 1 critical)

npm audit report

ajv 7.0.0-alpha.0 - 8.17.1
Severity: moderate
ajv has ReDoS when using $data option - GHSA-2g4f-4pwh-qvx6
fix available via npm audit fix
node_modules/ajv

axios 1.0.0 - 1.15.1
Severity: high
Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF - GHSA-3p68-rc4w-qgx5
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain - GHSA-fvcv-3m26-pcqx
Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy - GHSA-w9j2-pvgh-6h63
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 - GHSA-pmwg-cvhr-8vh7
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver - GHSA-3w6x-2g7m-8v23
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking - GHSA-q8qp-cvcw-x6jj
Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams - GHSA-xhjh-pmcv-23jw
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream - GHSA-445q-vr5w-6q77
Axios: no_proxy bypass via IP alias allows SSRF - GHSA-m7pr-hjqh-92cm
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data - GHSA-62hf-57xw-28j9
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 - GHSA-5c9x-8gcm-mpgx
Axios: HTTP adapter streamed responses bypass maxContentLength - GHSA-vf2m-468p-8v99
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking - GHSA-pf86-5x62-jrwf
Axios: Header Injection via Prototype Pollution - GHSA-6chq-wfr3-2hj9
Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion - GHSA-xx6v-rp6x-q39c
fix available via npm audit fix
node_modules/axios

bn.js <4.12.3
Severity: moderate
bn.js affected by an infinite loop - GHSA-378v-28hj-76wf
fix available via npm audit fix
node_modules/bn.js

brace-expansion 2.0.0 - 2.0.2
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - GHSA-f886-m6hf-6m8v
fix available via npm audit fix
node_modules/brace-expansion

ckeditor5 >=29.0.0 <47.6.0
Severity: moderate
CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package - GHSA-jrqm-vmqc-gm93
No fix available
node_modules/ckeditor5
@ckeditor/ckeditor5-adapter-ckfinder 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-adapter-ckfinder
@ckeditor/ckeditor5-autoformat 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-autoformat
@ckeditor/ckeditor5-basic-styles 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-basic-styles
@ckeditor/ckeditor5-block-quote 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-block-quote
@ckeditor/ckeditor5-ckbox <=47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-ckbox
@ckeditor/ckeditor5-build-classic >=29.0.0
Depends on vulnerable versions of @ckeditor/ckeditor5-adapter-ckfinder
Depends on vulnerable versions of @ckeditor/ckeditor5-autoformat
Depends on vulnerable versions of @ckeditor/ckeditor5-basic-styles
Depends on vulnerable versions of @ckeditor/ckeditor5-block-quote
Depends on vulnerable versions of @ckeditor/ckeditor5-ckbox
Depends on vulnerable versions of @ckeditor/ckeditor5-ckfinder
Depends on vulnerable versions of @ckeditor/ckeditor5-cloud-services
Depends on vulnerable versions of @ckeditor/ckeditor5-easy-image
Depends on vulnerable versions of @ckeditor/ckeditor5-editor-classic
Depends on vulnerable versions of @ckeditor/ckeditor5-essentials
Depends on vulnerable versions of @ckeditor/ckeditor5-heading
Depends on vulnerable versions of @ckeditor/ckeditor5-image
Depends on vulnerable versions of @ckeditor/ckeditor5-indent
Depends on vulnerable versions of @ckeditor/ckeditor5-link
Depends on vulnerable versions of @ckeditor/ckeditor5-list
Depends on vulnerable versions of @ckeditor/ckeditor5-media-embed
Depends on vulnerable versions of @ckeditor/ckeditor5-paste-from-office
Depends on vulnerable versions of @ckeditor/ckeditor5-table
node_modules/@ckeditor/ckeditor5-build-classic
@evershop/evershop *
Depends on vulnerable versions of @ckeditor/ckeditor5-build-classic
Depends on vulnerable versions of @swc/cli
node_modules/@evershop/evershop
@ckeditor/ckeditor5-ckfinder 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-ckfinder
@ckeditor/ckeditor5-cloud-services 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-cloud-services
@ckeditor/ckeditor5-easy-image 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-easy-image
@ckeditor/ckeditor5-editor-classic 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-editor-classic
@ckeditor/ckeditor5-essentials 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-essentials
@ckeditor/ckeditor5-heading 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-heading
@ckeditor/ckeditor5-image 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-image
@ckeditor/ckeditor5-indent 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-indent
@ckeditor/ckeditor5-link 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-link
@ckeditor/ckeditor5-list 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-list
@ckeditor/ckeditor5-media-embed 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-media-embed
@ckeditor/ckeditor5-paste-from-office 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-paste-from-office
@ckeditor/ckeditor5-table 29.0.0 - 47.6.0-alpha.9
Depends on vulnerable versions of ckeditor5
node_modules/@ckeditor/ckeditor5-table

file-type 13.0.0 - 21.3.1
Severity: moderate
file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header - GHSA-5v7r-6r5c-r473
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry - GHSA-j47w-4g3g-c36v
No fix available
node_modules/file-type
@xhmikosr/archive-type 6.0.0 - 7.1.0
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/archive-type
@xhmikosr/downloader 10.0.0 - 10.0.1 || 12.0.0 - 15.2.0
Depends on vulnerable versions of @xhmikosr/archive-type
Depends on vulnerable versions of @xhmikosr/decompress
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/downloader
@xhmikosr/bin-wrapper 10.0.0 - 13.2.0
Depends on vulnerable versions of @xhmikosr/downloader
node_modules/@xhmikosr/bin-wrapper
@swc/cli 0.5.1 - 0.8.0
Depends on vulnerable versions of @xhmikosr/bin-wrapper
node_modules/@swc/cli
@xhmikosr/decompress-tar 6.0.0 - 8.1.0
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/decompress-tar
@xhmikosr/decompress-tarbz2 6.0.0 - 9.0.0
Depends on vulnerable versions of @xhmikosr/decompress-tar
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/decompress-tarbz2
@xhmikosr/decompress 8.0.0 - 10.2.0
Depends on vulnerable versions of @xhmikosr/decompress-tar
Depends on vulnerable versions of @xhmikosr/decompress-tarbz2
Depends on vulnerable versions of @xhmikosr/decompress-targz
Depends on vulnerable versions of @xhmikosr/decompress-unzip
node_modules/@xhmikosr/decompress
@xhmikosr/decompress-targz 6.0.0 - 9.0.0
Depends on vulnerable versions of @xhmikosr/decompress-tar
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/decompress-targz
@xhmikosr/decompress-unzip 6.0.0 - 7.1.0
Depends on vulnerable versions of file-type
node_modules/@xhmikosr/decompress-unzip

follow-redirects <=1.15.11
Severity: moderate
follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets - GHSA-r4q5-vmmm-2653
fix available via npm audit fix
node_modules/follow-redirects

handlebars 4.0.0 - 4.7.8
Severity: critical
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block - GHSA-3mfm-83xf-c92r
Handlebars.js has JavaScript Injection via AST Type Confusion - GHSA-2w6w-674q-4c4q
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection - GHSA-2qvq-rjwj-gvw9
Handlebars.js has a Prototype Method Access Control Gap via Missing lookupSetter Blocklist Entry - GHSA-7rx3-28cr-v5wh
Handlebars.js has a Property Access Validation Bypass in container.lookup - GHSA-442j-39wm-28r2
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial - GHSA-xhpv-hc6g-r9c6
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation - GHSA-9cx6-37pm-9jff
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options - GHSA-xjpj-3mr7-gcpf
fix available via npm audit fix
node_modules/handlebars

immutable 5.0.0 - 5.1.4
Severity: high
Immutable is vulnerable to Prototype Pollution - GHSA-wf6x-7x77-mvgw
fix available via npm audit fix
node_modules/immutable

lodash <=4.17.23
Severity: high
lodash vulnerable to Code Injection via _.template imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit - GHSA-f23m-r3pf-42rh
fix available via npm audit fix
node_modules/lodash

lodash-es <=4.17.23
Severity: high
lodash vulnerable to Code Injection via _.template imports key names - GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit - GHSA-f23m-r3pf-42rh
fix available via npm audit fix
node_modules/lodash-es

minimatch 9.0.0 - 9.0.6 || 10.0.0 - 10.2.2
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - GHSA-3ppc-4f35-3m26
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - GHSA-7r86-cg39-jmmj
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - GHSA-23c5-xmqv-rm74
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - GHSA-23c5-xmqv-rm74
fix available via npm audit fix
node_modules/@swc/cli/node_modules/minimatch
node_modules/minimatch

multer <=2.1.0
Severity: high
Multer vulnerable to Denial of Service via incomplete cleanup - GHSA-xf7r-hgr6-v32p
Multer vulnerable to Denial of Service via resource exhaustion - GHSA-v52c-386h-88mc
Multer Vulnerable to Denial of Service via Uncontrolled Recursion - GHSA-5528-5vmv-3xc2
fix available via npm audit fix
node_modules/multer

path-to-regexp <0.1.13
Severity: high
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters - GHSA-37ch-88jc-xwx2
fix available via npm audit fix
node_modules/path-to-regexp

picomatch <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - GHSA-c2c7-rcm5-vvqj
fix available via npm audit fix
node_modules/@parcel/watcher/node_modules/picomatch
node_modules/picomatch
node_modules/tinyglobby/node_modules/picomatch

postcss <8.5.10
Severity: moderate
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output - GHSA-qx2v-qp2m-jg93
fix available via npm audit fix
node_modules/postcss

qs 6.7.0 - 6.14.1
qs's arrayLimit bypass in comma parsing allows denial of service - GHSA-w7fw-mjwx-w883
fix available via npm audit fix
node_modules/qs

serialize-javascript <=7.0.4
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - GHSA-5c6j-r48x-rmvq
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects - GHSA-qj8w-gfj5-8c6v
fix available via npm audit fix
node_modules/serialize-javascript
terser-webpack-plugin <=5.3.16
Depends on vulnerable versions of serialize-javascript
node_modules/terser-webpack-plugin

yaml 1.0.0 - 1.10.2
Severity: moderate
yaml is vulnerable to Stack Overflow via deeply nested YAML collections - GHSA-48c2-rrv3-qjmp
fix available via npm audit fix
node_modules/yaml

yauzl 3.2.0
Severity: moderate
yauzl contains an off-by-one error - GHSA-gmq8-994r-jv83
fix available via npm audit fix
node_modules/yauzl

50 vulnerabilities (1 low, 38 moderate, 10 high, 1 critical)

To address issues that do not require attention, run:
npm audit fix

Some issues need review, and may require choosing
a different dependency.

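As an added example (not part of the issue above and not EverShop project code), the script below triages an `npm audit --json` report (auditReportVersion 2, the format npm 7+ emits) into root-cause advisories versus packages that merely depend on a vulnerable version, and into what `npm audit fix` resolves, what needs a semver-major bump, and what has no fix at all. The sample report is constructed to mirror three entries from the report above; the `isDirect` flags in it are assumptions, not facts about EverShop's package.json.

```javascript
// Constructed sample mirroring a few entries of the issue's report; not real container output.
// `via` holds advisory objects for the root-cause package and bare package names for dependants.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    handlebars: {
      name: 'handlebars', severity: 'critical', isDirect: false, range: '4.0.0 - 4.7.8',
      via: [{ title: 'Handlebars.js has JavaScript Injection via AST Type Confusion',
              url: 'https://github.com/advisories/GHSA-2w6w-674q-4c4q', severity: 'critical' }],
      fixAvailable: true,                       // plain `npm audit fix` resolves it
    },
    ckeditor5: {
      name: 'ckeditor5', severity: 'moderate', isDirect: false, range: '>=29.0.0 <47.6.0',
      via: [{ title: 'CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package',
              url: 'https://github.com/advisories/GHSA-jrqm-vmqc-gm93', severity: 'moderate' }],
      fixAvailable: false,                      // "No fix available" in the text report
    },
    '@ckeditor/ckeditor5-build-classic': {
      name: '@ckeditor/ckeditor5-build-classic', severity: 'moderate', isDirect: true,
      via: ['ckeditor5'],                       // "Depends on vulnerable versions of ckeditor5"
      range: '>=29.0.0', fixAvailable: false,
    },
  },
};

const SEVERITY_ORDER = ['critical', 'high', 'moderate', 'low', 'info'];

// Flatten the report into rows a reviewer can act on, most severe first.
function triageAudit(report) {
  const rows = Object.values(report.vulnerabilities).map((v) => ({
    name: v.name,
    severity: v.severity,
    direct: Boolean(v.isDirect),
    // GHSA ids only exist on root-cause entries; dependants inherit them through `via` strings.
    advisories: v.via.filter((x) => typeof x === 'object').map((x) => x.url.split('/').pop()),
    fixable: v.fixAvailable !== false,
    // An object `fixAvailable` with isSemVerMajor means only `npm audit fix --force` would fix it.
    semverMajor: typeof v.fixAvailable === 'object' && v.fixAvailable.isSemVerMajor === true,
  }));
  rows.sort((a, b) => SEVERITY_ORDER.indexOf(a.severity) - SEVERITY_ORDER.indexOf(b.severity));
  const count = (pred) => rows.filter(pred).length;
  return {
    rows,
    fixableNow: count((r) => r.fixable && !r.semverMajor),
    needsMajorBump: count((r) => r.semverMajor),
    noFix: count((r) => !r.fixable),
    directUnfixed: rows.filter((r) => r.direct && !r.fixable).map((r) => r.name),
  };
}
```

Run it against a real report with `docker exec evershop npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))` in place of `sampleReport`; `directUnfixed` is the list that needs a dependency swap rather than an `npm audit fix`.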