Prisma, 2mo ago
RYTRO

Vulnerabilities That Won't Be Fixed

Hi, when I was trying to run npm install prisma --save-dev I keep getting 15 vulnerabilities. And if I try to run npm audit fix --force, I still get the vulnerabilities.
Solution:
None of those packages are Prisma packages. I would reach out to those maintainers.
adam boukhris, 2mo ago
What node -v are you using ?
RYTRO, 2mo ago
v20.14.0
adam boukhris, 2mo ago
Did you try to ask gpt? Also try without the --save-dev
RYTRO, 2mo ago
Without --save-dev it's giving the same issue. Nothing from gpt has seemed to work for me.
jonfanz, 2mo ago
I would not worry too much about this. But, to make sure we cover our bases: could you please post the output from npm audit?
Jan Piotrowski (janpio)
There are no vulnerabilities in Prisma:
>npm install prisma

added 6 packages, and audited 7 packages in 7s

found 0 vulnerabilities

>npm audit
found 0 vulnerabilities

>node -v
v20.10.0
Is the command maybe also reporting all the ones from other packages already installed in your project? Yes, that is the case. This is what happens in a new project where I install the follow@0.12.1 that is mentioned in your output above:
C:\Users\Jan\Documents\throwaway\vuln>npm install prisma
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE package: 'follow@0.12.1',
npm WARN EBADENGINE required: { node: '0.12.x || 0.10.x || 0.8.x' },
npm WARN EBADENGINE current: { node: 'v20.10.0', npm: '10.2.3' }
npm WARN EBADENGINE }

added 6 packages, and audited 67 packages in 4s

10 vulnerabilities (3 moderate, 7 high)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details
Suddenly the npm install prisma output changes based on the other packages that are installed.
RYTRO, 2mo ago
rywong@Rys-MacBook-Air nextjs_sample-main_2 % npm audit
# npm audit report

bl <1.2.3
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/bl
request *
Depends on vulnerable versions of bl
Depends on vulnerable versions of hawk
Depends on vulnerable versions of qs
Depends on vulnerable versions of tunnel-agent
node_modules/request
follow *
Depends on vulnerable versions of request
node_modules/follow
clerk >=0.2.0
Depends on vulnerable versions of follow
Depends on vulnerable versions of superagent
node_modules/clerk

cookiejar <2.1.4
Severity: moderate
cookiejar Regular Expression Denial of Service via Cookie.parse function - https://github.com/advisories/GHSA-h452-7996-h45h
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/cookiejar
superagent <=3.6.3
Depends on vulnerable versions of cookiejar
Depends on vulnerable versions of extend
Depends on vulnerable versions of mime
Depends on vulnerable versions of qs
node_modules/superagent

extend 3.0.0 - 3.0.1
Severity: moderate
Prototype Pollution in extend - https://github.com/advisories/GHSA-qrmc-fj45-qfc2
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/extend
hawk <=9.0.0
Severity: high
Regular Expression Denial of Service in hawk - https://github.com/advisories/GHSA-jcpv-g9rr-qxrc
Uncontrolled Resource Consumption in Hawk - https://github.com/advisories/GHSA-44pw-h2cw-w3vq
Depends on vulnerable versions of boom
Depends on vulnerable versions of cryptiles
Depends on vulnerable versions of hoek
Depends on vulnerable versions of sntp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hawk

hoek *
Severity: high
Prototype Pollution in hoek - https://github.com/advisories/GHSA-jp4x-w63m-7wgm
hoek subject to prototype pollution via the clone function. - https://github.com/advisories/GHSA-c429-5p7v-vgjp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/hoek
boom <=3.1.2
Depends on vulnerable versions of hoek
node_modules/boom
cryptiles <=2.0.5
Depends on vulnerable versions of boom
node_modules/cryptiles
sntp 0.0.0 || 0.1.1 - 2.0.0
Depends on vulnerable versions of hoek
node_modules/sntp

mime <1.4.1
Severity: high
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input - https://github.com/advisories/GHSA-wrvr-8mpx-r7pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/mime

qs <=6.2.3
Severity: high
Prototype Pollution Protection Bypass in qs - https://github.com/advisories/GHSA-gqgv-6jq5-jjj9
qs vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-hrpp-h998-j3pp
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/qs
node_modules/superagent/node_modules/qs
tunnel-agent <0.6.0
Severity: moderate
Memory Exposure in tunnel-agent - https://github.com/advisories/GHSA-xc7v-wxcw-j472
fix available via `npm audit fix --force`
Will install clerk@0.6.1, which is a breaking change
node_modules/tunnel-agent

15 vulnerabilities (6 moderate, 9 high)

To address all issues (including breaking changes), run:
npm audit fix --force
Solution
jonfanz, 2mo ago
None of those packages are Prisma packages. I would reach out to those maintainers.
RYTRO, 2mo ago
Ok Thanks for your help
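The two points made in this thread (npm audit reports the whole installed tree, not the package you just added, and the findings here all hang off clerk rather than anything from Prisma) can be checked mechanically from the JSON form of the report. The script below is an added example, not code from the thread, from Prisma or from npm. It assumes the `npm audit --json` output format of npm 7 and later (auditReportVersion 2, with the `isDirect`, `via`, `effects` and `fixAvailable` fields); the `sampleReport` object is constructed to mirror the dependency chains visible in RYTRO's output and is not captured output. It walks each advisory up the `effects` edges to the direct dependency that pulls it in, which is the package to replace or whose maintainer to contact.

```javascript
// Added example, not from the thread and not Prisma's or npm's own code. It reads
// the JSON form of the report (`npm audit --json`, auditReportVersion 2 on npm 7+)
// and uses: `isDirect` (package is in package.json), `via` (advisory objects when
// the package itself is vulnerable, package names when it only depends on one),
// `effects` (packages that depend on this one) and `fixAvailable`.
// sampleReport is CONSTRUCTED to mirror the chains in the thread (clerk -> follow
// -> request -> bl, clerk -> superagent -> cookiejar, qs reached via both request
// and superagent); it is not captured output.
const breakingClerkFix = { name: "clerk", version: "0.6.1", isSemVerMajor: true };
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    bl: {
      name: "bl", severity: "moderate", isDirect: false, effects: ["request"],
      via: [{ name: "bl", severity: "moderate", range: "<1.2.3",
              title: "Remote Memory Exposure in bl",
              url: "https://github.com/advisories/GHSA-pp7h-53gx-mx7r" }],
      nodes: ["node_modules/bl"], fixAvailable: breakingClerkFix,
    },
    cookiejar: {
      name: "cookiejar", severity: "moderate", isDirect: false, effects: ["superagent"],
      via: [{ name: "cookiejar", severity: "moderate", range: "<2.1.4",
              title: "cookiejar Regular Expression Denial of Service via Cookie.parse function",
              url: "https://github.com/advisories/GHSA-h452-7996-h45h" }],
      nodes: ["node_modules/cookiejar"], fixAvailable: breakingClerkFix,
    },
    qs: {
      name: "qs", severity: "high", isDirect: false, effects: ["request", "superagent"],
      via: [{ name: "qs", severity: "high", range: "<=6.2.3",
              title: "qs vulnerable to Prototype Pollution",
              url: "https://github.com/advisories/GHSA-hrpp-h998-j3pp" }],
      nodes: ["node_modules/qs", "node_modules/superagent/node_modules/qs"],
      fixAvailable: breakingClerkFix,
    },
    // Downstream entries: vulnerable only through what they depend on.
    request: { name: "request", severity: "high", isDirect: false,
               via: ["bl", "qs"], effects: ["follow"], fixAvailable: breakingClerkFix },
    superagent: { name: "superagent", severity: "high", isDirect: false,
                  via: ["cookiejar", "qs"], effects: ["clerk"], fixAvailable: breakingClerkFix },
    follow: { name: "follow", severity: "high", isDirect: false,
              via: ["request"], effects: ["clerk"], fixAvailable: breakingClerkFix },
    clerk: { name: "clerk", severity: "high", isDirect: true,
             via: ["follow", "superagent"], effects: [], fixAvailable: breakingClerkFix },
  },
};

// Climb `effects` edges from `name` to the direct dependencies that pull it in.
// Memoised so a package reached by two paths (qs here) is resolved once; the
// provisional empty entry also breaks any cycle in the graph.
function directRoots(report, name, memo = new Map()) {
  if (memo.has(name)) return memo.get(name);
  memo.set(name, []);
  const entry = report.vulnerabilities[name];
  let roots = [];
  if (entry && (entry.isDirect || entry.effects.length === 0)) {
    roots = [name];
  } else if (entry) {
    const found = new Set();
    for (const parent of entry.effects) {
      for (const r of directRoots(report, parent, memo)) found.add(r);
    }
    roots = [...found].sort();
  }
  memo.set(name, roots);
  return roots;
}

// One record per advisory; only object entries in `via` are advisories.
function advisories(report) {
  const out = [];
  for (const entry of Object.values(report.vulnerabilities)) {
    for (const v of entry.via) {
      if (typeof v === "string") continue;
      out.push({
        pkg: entry.name, severity: v.severity, title: v.title, url: v.url,
        roots: directRoots(report, entry.name),
        breakingFix: Boolean(entry.fixAvailable && entry.fixAvailable.isSemVerMajor),
      });
    }
  }
  return out;
}

// Group advisories by the direct dependency to chase: that is the package to
// replace or the maintainer to contact, as the accepted answer says.
function byDirectDependency(report) {
  const groups = {};
  for (const a of advisories(report)) {
    for (const root of a.roots) {
      if (!groups[root]) groups[root] = [];
      groups[root].push(`${a.pkg} (${a.severity}): ${a.title}`);
    }
  }
  return groups;
}

// Does the report name a package or its scope at all (e.g. "prisma", "@prisma/client")?
const mentions = (report, pkg) =>
  Object.keys(report.vulnerabilities).some((n) => n === pkg || n.startsWith(`@${pkg}/`));

// For a real project: npm audit --json > audit.json, then replace sampleReport with
// JSON.parse(require("fs").readFileSync("audit.json", "utf8")).
console.log(JSON.stringify(byDirectDependency(sampleReport), null, 2));
console.log("prisma appears in report:", mentions(sampleReport, "prisma"));
```

On the constructed report every advisory resolves to the single direct dependency clerk, whose only available fix is a semver-major bump (the "breaking change" npm warns about), and neither prisma nor any @prisma/ package appears in the report at all. Run against a real `npm audit --json` dump, the grouping tells you which entries in your own package.json are responsible for the count you see after `npm install prisma`, and `npm ls <package>` will print the same chain for any single finding.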