npm audit shows high security issues with version 3.0.8 / 3.0.9

[tzahari]

Dear @newhouse,

Thank you for releasing the 3.0.8 version of spectaql.
Sorry, but it seems that there were no dependency security issues resolved.

Maybe add a npm audit GitHub action to the project?
https://github.com/marketplace/actions/npm-audit-action

Output of installation:

❮ npm i spectaql@3.0.8

up to date, audited 382 packages in 5s

67 packages are looking for funding
  run `npm fund` for details

11 vulnerabilities (2 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
❮ npm audit
# npm audit report

lodash.unset  *
Severity: moderate
Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions - https://github.com/advisories/GHSA-xxjr-mmjv-4gpg
fix available via `npm audit fix --force`
Will install spectaql@0.0.2, which is a breaking change
node_modules/lodash.unset
  microfiber  *
  Depends on vulnerable versions of lodash.unset
  node_modules/microfiber
    spectaql  >=0.0.5
    Depends on vulnerable versions of grunt
    Depends on vulnerable versions of grunt-contrib-clean
    Depends on vulnerable versions of grunt-contrib-concat
    Depends on vulnerable versions of grunt-contrib-watch
    Depends on vulnerable versions of grunt-sass
    Depends on vulnerable versions of microfiber
    node_modules/spectaql

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install spectaql@0.0.2, which is a breaking change
node_modules/minimatch
  globule  *
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  >=0.4.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      grunt-contrib-watch  >=0.5.0
      Depends on vulnerable versions of gaze
      node_modules/grunt-contrib-watch
  grunt  >=0.4.0-a
  Depends on vulnerable versions of minimatch
  node_modules/grunt
    grunt-contrib-clean  >=0.4.0-a
    Depends on vulnerable versions of grunt
    node_modules/grunt-contrib-clean
    grunt-contrib-concat  >=0.1.2-rc5
    Depends on vulnerable versions of grunt
    node_modules/grunt-contrib-concat
    grunt-sass  0.4.0 - 0.14.0 || >=1.2.0-beta
    Depends on vulnerable versions of grunt
    node_modules/grunt-sass

11 vulnerabilities (2 moderate, 9 high)

[newhouse]

The problem isn't detecting them...it's what it takes to fix them. I don't have the time or much interest in maintaining this project right now. I no longer work at Anvil and they would not transfer the repository to me so my motivation is low.

I'm sorry, but if you want to open a PR that fixes it I'd be happy to get it reviewed, tested, and merged if you think it's good to go

[tzahari]

Understandable. Maybe do a fork then?
I tried to upgrade the dependencies on the weekend. But without luck.
There are so many deep dependencies. Some are unmaintained und must be replaced...

[trevorr]

@newhouse I opened a PR in microfiber to update lodash. Are you able to approve that? I'm happy to fix these issues.

[newhouse]

@newhouse I opened a PR in microfiber to update lodash. Are you able to approve that? I'm happy to fix these issues.

@fostimus can you give me permissions please. I will need that on npm too

[fostimus]

@newhouse invites sent for both

[newhouse]

Ok back to me.

[newhouse]

Ok I merged it and published microfiber@2.1.2 with all that

@trevorr

Thank you @fostimus !

[newhouse]

published in 3.0.9
@trevorr

[trevorr]

Thank you! 🙌

[tzahari]

Thank you!

There is also an issue at grunt to update minimatch grunt/issues/1795

[tzahari]

With spectaql version 3.0.9 still 11 high security issues.

# npm audit report

lodash  <=4.17.23
Severity: high
lodash vulnerable to Code Injection via `_.template` imports key names - https://github.com/advisories/GHSA-r5fr-rjxr-66jc
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit` - https://github.com/advisories/GHSA-f23m-r3pf-42rh
fix available via `npm audit fix`
node_modules/grunt-legacy-log-utils/node_modules/lodash
node_modules/grunt-legacy-log/node_modules/lodash
node_modules/grunt-legacy-util/node_modules/lodash
  grunt-legacy-log  1.0.1 - 3.0.0
  Depends on vulnerable versions of lodash
  node_modules/grunt-legacy-log
  grunt-legacy-log-utils  1.0.0 - 2.1.0
  Depends on vulnerable versions of lodash
  node_modules/grunt-legacy-log-utils
  grunt-legacy-util  1.0.0-rc1 - 2.0.1
  Depends on vulnerable versions of lodash
  node_modules/grunt-legacy-util

minimatch  <=3.1.3
Severity: high
minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern - https://github.com/advisories/GHSA-3ppc-4f35-3m26
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments - https://github.com/advisories/GHSA-7r86-cg39-jmmj
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions - https://github.com/advisories/GHSA-23c5-xmqv-rm74
fix available via `npm audit fix --force`
Will install spectaql@0.0.2, which is a breaking change
node_modules/globule/node_modules/minimatch
node_modules/grunt/node_modules/minimatch
  globule  *
  Depends on vulnerable versions of minimatch
  node_modules/globule
    gaze  >=0.4.0
    Depends on vulnerable versions of globule
    node_modules/gaze
      grunt-contrib-watch  >=0.5.0
      Depends on vulnerable versions of gaze
      node_modules/grunt-contrib-watch
  grunt  0.4.0-a - 1.6.1
  Depends on vulnerable versions of minimatch
  node_modules/grunt
    spectaql  >=0.0.5
    Depends on vulnerable versions of grunt
    Depends on vulnerable versions of grunt-contrib-watch
    Depends on vulnerable versions of tmp
    node_modules/spectaql

tmp  <0.2.6
Severity: high
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape - https://github.com/advisories/GHSA-ph9p-34f9-6g65
fix available via `npm audit fix --force`
Will install spectaql@0.0.2, which is a breaking change
node_modules/spectaql/node_modules/tmp

11 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force