Labels: bug (Something isn't working)
Description
Describe the bug
npm audit reports ReDoS vulnerabilities in the versions of @octokit packages this library depends on. Output referenced below. I note the following PR has been open for quite some time, and might be worth prioritizing:
To Reproduce
Run npm audit
Expected behavior
Should not depend on vulnerable versions of any packages.
Screenshots
Environment information:
Latest versions.
Additional context
# npm audit report
@octokit/plugin-paginate-rest <=9.2.1
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix --force`
Will install @auto-it/npm@9.10.4, which is a breaking change
node_modules/@octokit/plugin-paginate-rest
@octokit/rest 16.39.0 - 20.0.1
Depends on vulnerable versions of @octokit/core
Depends on vulnerable versions of @octokit/plugin-paginate-rest
node_modules/@octokit/rest
@auto-it/core >=9.5.0
Depends on vulnerable versions of @octokit/core
Depends on vulnerable versions of @octokit/plugin-enterprise-compatibility
Depends on vulnerable versions of @octokit/plugin-throttling
Depends on vulnerable versions of @octokit/rest
node_modules/@auto-it/core
@auto-it/conventional-commits >=9.10.5
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/conventional-commits
@auto-it/first-time-contributor >=9.10.5
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/first-time-contributor
@auto-it/jira >=9.10.5
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/jira
@auto-it/microsoft-teams *
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/microsoft-teams
@auto-it/npm >=9.10.5
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/npm
@auto-it/released >=9.10.5
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/released
@auto-it/version-file *
Depends on vulnerable versions of @auto-it/core
node_modules/@auto-it/version-file
auto >=9.10.5
Depends on vulnerable versions of @auto-it/core
Depends on vulnerable versions of @auto-it/npm
Depends on vulnerable versions of @auto-it/released
Depends on vulnerable versions of @auto-it/version-file
node_modules/auto
@octokit/request <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install @auto-it/npm@9.10.4, which is a breaking change
node_modules/@octokit/request
@octokit/core <=5.0.0-beta.5
Depends on vulnerable versions of @octokit/graphql
Depends on vulnerable versions of @octokit/request
Depends on vulnerable versions of @octokit/request-error
node_modules/@octokit/core
@octokit/plugin-throttling 3.3.2 - 6.1.0
Depends on vulnerable versions of @octokit/core
node_modules/@octokit/plugin-throttling
@octokit/graphql <=2.1.3 || 3.0.0 - 6.0.1
Depends on vulnerable versions of @octokit/request
node_modules/@octokit/graphql
@octokit/request-error <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install @auto-it/npm@9.10.4, which is a breaking change
node_modules/@octokit/request-error
@octokit/plugin-enterprise-compatibility 1.2.0 - 3.0.3
Depends on vulnerable versions of @octokit/request-error
node_modules/@octokit/plugin-enterprise-compatibility
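The report above only lists each vulnerable package once and points at the next package up the chain, so it is easy to lose track of which direct dependency actually has to move. As an added example (not code from this issue or from the auto project), the following walks the `via` links in `npm audit --json` output back to the root advisories and says, per direct dependency, which advisories it pulls in and whether the available fix is a semver-major bump. The sample report is constructed to mirror the request-error, request, core, @auto-it/core chain shown above, and its shape is assumed from npm's auditReportVersion 2 format.

```javascript
// Helper to build one entry in the (assumed) npm audit v2 JSON shape.
const entry = (name, range, via, isDirect) => ({
  name, severity: "moderate", isDirect, via, range,
  fixAvailable: { name: "@auto-it/npm", version: "9.10.4", isSemVerMajor: true },
});

// Constructed sample: the request-error -> request -> core -> @auto-it/core chain from the report.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "@octokit/request-error": entry("@octokit/request-error", "<=5.1.0", [{
      name: "@octokit/request-error", severity: "moderate",
      title: "Regular Expression in index Leads to ReDoS",
      url: "https://github.com/advisories/GHSA-xx4v-prfh-6cgc" }], false),
    "@octokit/request": entry("@octokit/request", "<=8.4.0", ["@octokit/request-error"], false),
    "@octokit/core": entry("@octokit/core", "<=5.0.0-beta.5", ["@octokit/request"], false),
    "@auto-it/core": entry("@auto-it/core", ">=9.5.0", ["@octokit/core"], true),
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// In `via`, an object is an advisory at the root of a chain; a string names another
// vulnerable package that this one depends on. Follow the strings until objects are reached.
function rootAdvisories(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  const found = [];
  for (const v of vulns[name].via) {
    if (typeof v === "string") found.push(...rootAdvisories(vulns, v, seen));
    else found.push(v);
  }
  return found;
}

// One row per direct dependency: the advisory URLs behind it and whether the fix is breaking.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.isDirect)
    .map((v) => ({
      package: v.name,
      advisories: rootAdvisories(report.vulnerabilities, v.name).map((a) => a.url),
      breakingFix: typeof v.fixAvailable === "object" && v.fixAvailable.isSemVerMajor === true,
    }));
}

// CI gate: true when any listed vulnerability is at or above the threshold severity.
function exceedsThreshold(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  return Object.values(report.vulnerabilities).some((v) => SEVERITY_RANK[v.severity] >= min);
}
```

On a real project, feed it `JSON.parse` of `npm audit --json` instead of `sampleAudit`.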