
NPM package with 7 issues #148

@monsieur-ricky

Hey @leolabs,

There are currently 7 issues (4 low, 2 moderate, 1 critical) in some NPM packages used by JSON Autotranslate. Addressing these issues is essential to patch security vulnerabilities, prevent technical debt and ensure the long-term health of the project.

```text
# npm audit report

@babel/helpers  <7.26.10
Severity: moderate
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups - https://github.com/advisories/GHSA-968p-4wvh-cqc8
fix available via `npm audit fix`
node_modules/@babel/helpers

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@jest/reporters/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/jest-config/node_modules/brace-expansion
node_modules/jest-runtime/node_modules/brace-expansion
node_modules/test-exclude/node_modules/brace-expansion
node_modules/tslint/node_modules/brace-expansion

form-data  >=3.0.0 <3.0.4 || <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/@types/request/node_modules/form-data
node_modules/form-data

micromatch  <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via `npm audit fix`
node_modules/micromatch

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install inquirer@12.9.4, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    inquirer  3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
    Depends on vulnerable versions of external-editor
    node_modules/inquirer

7 vulnerabilities (4 low, 2 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix
```

If there's an update planned in the short term, it would be great to add this task to that PR.
In case no changes are planned in the next weeks, I'll create a PR with these fixes.
