diff --git a/audit.txt b/audit.txt new file mode 100644 index 00000000..d298c9a9 --- /dev/null +++ b/audit.txt 
@@ -0,0 +1,343 @@ +# npm audit report + +braces <=2.3.2 +Severity: high +Regular Expression Denial of Service in braces - https://github.com/advisories/GHSA-g95f-p29q-9xw4 +Depends on vulnerable versions of snapdragon +fix available via `npm audit fix` +node_modules/braces +node_modules/readdirp/node_modules/braces + micromatch 0.2.0 - 3.1.10 + Depends on vulnerable versions of braces + Depends on vulnerable versions of parse-glob + Depends on vulnerable versions of snapdragon + node_modules/micromatch + node_modules/readdirp/node_modules/micromatch + anymatch 1.2.0 - 1.3.2 + Depends on vulnerable versions of micromatch + node_modules/anymatch + chokidar 1.0.0-rc1 - 2.1.8 + Depends on vulnerable versions of anymatch + Depends on vulnerable versions of glob-parent + node_modules/chokidar + babel-cli * + Depends on vulnerable versions of chokidar + node_modules/babel-cli + minify-js * + Depends on vulnerable versions of babel-cli + Depends on vulnerable versions of utils-igor + node_modules/dir_cache/node_modules/minify-js + node_modules/minify-js + node_modules/utils-igor/node_modules/minify-js + dir_cache >=1.0.2 + Depends on vulnerable versions of minify-js + node_modules/dir_cache + utils-igor >=2.0.0 + Depends on vulnerable versions of minify-js + node_modules/dir_cache/node_modules/minify-js/node_modules/utils-igor + node_modules/utils-igor + readdirp 2.2.0 - 2.2.1 + Depends on vulnerable versions of micromatch + node_modules/readdirp + +deep-extend <0.5.1 +Severity: critical +Prototype Pollution in deep-extend - https://github.com/advisories/GHSA-hr2v-3952-633q +fix available via `npm audit fix` +node_modules/deep-extend + column-layout >=1.3.0 + Depends on vulnerable versions of command-line-args + Depends on vulnerable versions of deep-extend + node_modules/column-layout + command-line-usage 2.0.0 - 3.0.8 + Depends on vulnerable versions of column-layout + Depends on vulnerable versions of table-layout + 
node_modules/column-layout/node_modules/command-line-usage + node_modules/command-line-usage + node_modules/jsdoc-parse/node_modules/command-line-usage + cli-commands <=0.1.0 + Depends on vulnerable versions of command-line-usage + node_modules/cli-commands + usage-stats 0.8.0 - 0.8.6 + Depends on vulnerable versions of cli-commands + node_modules/usage-stats + app-usage-stats 0.4.0 - 0.5.0 + Depends on vulnerable versions of usage-stats + node_modules/app-usage-stats + jsdoc2md-stats 1.0.6 - 2.0.0 + Depends on vulnerable versions of app-usage-stats + node_modules/jsdoc2md-stats + command-line-args 2.1.0 - 2.1.6 + Depends on vulnerable versions of command-line-usage + node_modules/column-layout/node_modules/command-line-args + node_modules/jsdoc-parse/node_modules/command-line-args + jsdoc-parse 0.2.5 - 2.0.0 + Depends on vulnerable versions of command-line-args + Depends on vulnerable versions of file-set + Depends on vulnerable versions of jsdoc-api + node_modules/jsdoc-parse + jsdoc-to-markdown 0.6.0 - 0.6.4 || 1.3.1 - 2.0.0-alpha.23 + Depends on vulnerable versions of command-line-usage + Depends on vulnerable versions of dmd + Depends on vulnerable versions of jsdoc-parse + node_modules/jsdoc-to-markdown + grunt-jsdoc-to-markdown 0.5.0 - 0.5.1 || 1.2.0 - 1.2.1 + Depends on vulnerable versions of jsdoc-to-markdown + node_modules/grunt-jsdoc-to-markdown + command-line-tool 0.3.0 - 0.6.4 + Depends on vulnerable versions of command-line-usage + node_modules/command-line-tool + dmd 0.3.23 - 2.0.1 + Depends on vulnerable versions of command-line-tool + Depends on vulnerable versions of ddata + Depends on vulnerable versions of stream-handlebars + node_modules/dmd + table-layout <=0.4.0 + Depends on vulnerable versions of deep-extend + node_modules/table-layout + +glob-parent <5.1.2 +Severity: high +Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6 +fix available via `npm audit fix` +node_modules/glob-parent + chokidar 1.0.0-rc1 
- 2.1.8 + Depends on vulnerable versions of anymatch + Depends on vulnerable versions of glob-parent + node_modules/chokidar + babel-cli * + Depends on vulnerable versions of chokidar + node_modules/babel-cli + minify-js * + Depends on vulnerable versions of babel-cli + Depends on vulnerable versions of utils-igor + node_modules/dir_cache/node_modules/minify-js + node_modules/minify-js + node_modules/utils-igor/node_modules/minify-js + dir_cache >=1.0.2 + Depends on vulnerable versions of minify-js + node_modules/dir_cache + utils-igor >=2.0.0 + Depends on vulnerable versions of minify-js + node_modules/dir_cache/node_modules/minify-js/node_modules/utils-igor + node_modules/utils-igor + glob-base * + Depends on vulnerable versions of glob-parent + node_modules/glob-base + parse-glob >=2.1.0 + Depends on vulnerable versions of glob-base + node_modules/parse-glob + micromatch 0.2.0 - 3.1.10 + Depends on vulnerable versions of braces + Depends on vulnerable versions of parse-glob + Depends on vulnerable versions of snapdragon + node_modules/micromatch + node_modules/readdirp/node_modules/micromatch + anymatch 1.2.0 - 1.3.2 + Depends on vulnerable versions of micromatch + node_modules/anymatch + readdirp 2.2.0 - 2.2.1 + Depends on vulnerable versions of micromatch + node_modules/readdirp + +handlebars <=4.7.6 +Severity: critical +Remote code execution in handlebars when compiling templates - https://github.com/advisories/GHSA-f2jv-r9rf-7988 +Prototype Pollution in handlebars - https://github.com/advisories/GHSA-w457-6q6x-cgp9 +Cross-Site Scripting in handlebars - https://github.com/advisories/GHSA-9prh-257w-9277 +Depends on vulnerable versions of optimist +fix available via `npm audit fix` +node_modules/ddata/node_modules/handlebars +node_modules/stream-handlebars/node_modules/handlebars + ddata >=0.1.18 + Depends on vulnerable versions of handlebars + node_modules/ddata + dmd 0.3.23 - 2.0.1 + Depends on vulnerable versions of command-line-tool + Depends on vulnerable 
versions of ddata + Depends on vulnerable versions of stream-handlebars + node_modules/dmd + jsdoc-to-markdown 0.6.0 - 0.6.4 || 1.3.1 - 2.0.0-alpha.23 + Depends on vulnerable versions of command-line-usage + Depends on vulnerable versions of dmd + Depends on vulnerable versions of jsdoc-parse + node_modules/jsdoc-to-markdown + grunt-jsdoc-to-markdown 0.5.0 - 0.5.1 || 1.2.0 - 1.2.1 + Depends on vulnerable versions of jsdoc-to-markdown + node_modules/grunt-jsdoc-to-markdown + stream-handlebars <=0.1.6 + Depends on vulnerable versions of handlebars + node_modules/stream-handlebars + +minimatch <3.0.2 +Severity: high +Regular Expression Denial of Service in minimatch - https://github.com/advisories/GHSA-hxm2-r34f-qmc5 +fix available via `npm audit fix` +node_modules/jsdoc-parse/node_modules/minimatch + glob 3.0.0 - 5.0.14 + Depends on vulnerable versions of minimatch + node_modules/jsdoc-parse/node_modules/glob + file-set <=0.2.8 + Depends on vulnerable versions of glob + node_modules/jsdoc-parse/node_modules/file-set + jsdoc-parse 0.2.5 - 2.0.0 + Depends on vulnerable versions of command-line-args + Depends on vulnerable versions of file-set + Depends on vulnerable versions of jsdoc-api + node_modules/jsdoc-parse + jsdoc-to-markdown 0.6.0 - 0.6.4 || 1.3.1 - 2.0.0-alpha.23 + Depends on vulnerable versions of command-line-usage + Depends on vulnerable versions of dmd + Depends on vulnerable versions of jsdoc-parse + node_modules/jsdoc-to-markdown + grunt-jsdoc-to-markdown 0.5.0 - 0.5.1 || 1.2.0 - 1.2.1 + Depends on vulnerable versions of jsdoc-to-markdown + node_modules/grunt-jsdoc-to-markdown + +minimist <0.2.1 +Severity: moderate +Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m +fix available via `npm audit fix` +node_modules/optimist/node_modules/minimist + optimist >=0.6.0 + Depends on vulnerable versions of minimist + node_modules/optimist + handlebars <=4.7.6 + Depends on vulnerable versions of optimist + 
node_modules/ddata/node_modules/handlebars + node_modules/stream-handlebars/node_modules/handlebars + ddata >=0.1.18 + Depends on vulnerable versions of handlebars + node_modules/ddata + dmd 0.3.23 - 2.0.1 + Depends on vulnerable versions of command-line-tool + Depends on vulnerable versions of ddata + Depends on vulnerable versions of stream-handlebars + node_modules/dmd + jsdoc-to-markdown 0.6.0 - 0.6.4 || 1.3.1 - 2.0.0-alpha.23 + Depends on vulnerable versions of command-line-usage + Depends on vulnerable versions of dmd + Depends on vulnerable versions of jsdoc-parse + node_modules/jsdoc-to-markdown + grunt-jsdoc-to-markdown 0.5.0 - 0.5.1 || 1.2.0 - 1.2.1 + Depends on vulnerable versions of jsdoc-to-markdown + node_modules/grunt-jsdoc-to-markdown + stream-handlebars <=0.1.6 + Depends on vulnerable versions of handlebars + node_modules/stream-handlebars + node-windows >=0.1.5 + Depends on vulnerable versions of optimist + node_modules/node-windows + +nedb * +Severity: high +Prototype Pollution - https://github.com/advisories/GHSA-339j-hqgx-qrrx +Depends on vulnerable versions of binary-search-tree +Depends on vulnerable versions of underscore +No fix available +node_modules/nedb + +set-value <4.0.1 +Severity: high +Prototype Pollution in set-value - https://github.com/advisories/GHSA-4jqc-8m5r-9rpr +fix available via `npm audit fix` +node_modules/set-value + cache-base >=0.7.0 + Depends on vulnerable versions of set-value + Depends on vulnerable versions of union-value + node_modules/cache-base + base >=0.7.0 + Depends on vulnerable versions of cache-base + node_modules/base + snapdragon 0.6.0 - 0.10.1 + Depends on vulnerable versions of base + node_modules/snapdragon + braces <=2.3.2 + Depends on vulnerable versions of snapdragon + node_modules/braces + node_modules/readdirp/node_modules/braces + micromatch 0.2.0 - 3.1.10 + Depends on vulnerable versions of braces + Depends on vulnerable versions of parse-glob + Depends on vulnerable versions of snapdragon + 
node_modules/micromatch + node_modules/readdirp/node_modules/micromatch + anymatch 1.2.0 - 1.3.2 + Depends on vulnerable versions of micromatch + node_modules/anymatch + chokidar 1.0.0-rc1 - 2.1.8 + Depends on vulnerable versions of anymatch + Depends on vulnerable versions of glob-parent + node_modules/chokidar + babel-cli * + Depends on vulnerable versions of chokidar + node_modules/babel-cli + minify-js * + Depends on vulnerable versions of babel-cli + Depends on vulnerable versions of utils-igor + node_modules/dir_cache/node_modules/minify-js + node_modules/minify-js + node_modules/utils-igor/node_modules/minify-js + dir_cache >=1.0.2 + Depends on vulnerable versions of minify-js + node_modules/dir_cache + utils-igor >=2.0.0 + Depends on vulnerable versions of minify-js + node_modules/dir_cache/node_modules/minify-js/node_modules/utils-igor + node_modules/utils-igor + readdirp 2.2.0 - 2.2.1 + Depends on vulnerable versions of micromatch + node_modules/readdirp + expand-brackets 1.0.0 - 2.1.4 + Depends on vulnerable versions of snapdragon + node_modules/readdirp/node_modules/expand-brackets + extglob 1.0.0 - 2.0.4 + Depends on vulnerable versions of snapdragon + node_modules/readdirp/node_modules/extglob + nanomatch >=0.1.1 + Depends on vulnerable versions of snapdragon + node_modules/nanomatch + union-value * + Depends on vulnerable versions of set-value + node_modules/union-value + +underscore 1.3.2 - 1.12.0 +Severity: high +Arbitrary Code Execution in underscore - https://github.com/advisories/GHSA-cf4h-3jhx-xvhq +No fix available +node_modules/jsdoc-75lb/node_modules/underscore +node_modules/underscore + binary-search-tree * + Depends on vulnerable versions of underscore + node_modules/binary-search-tree + nedb * + Depends on vulnerable versions of binary-search-tree + Depends on vulnerable versions of underscore + node_modules/nedb + jsdoc-75lb * + Depends on vulnerable versions of underscore + node_modules/jsdoc-75lb + jsdoc-api 0.1.0 - 3.0.0 + Depends on 
vulnerable versions of jsdoc-75lb + node_modules/jsdoc-api + jsdoc-parse 0.2.5 - 2.0.0 + Depends on vulnerable versions of command-line-args + Depends on vulnerable versions of file-set + Depends on vulnerable versions of jsdoc-api + node_modules/jsdoc-parse + jsdoc-to-markdown 0.6.0 - 0.6.4 || 1.3.1 - 2.0.0-alpha.23 + Depends on vulnerable versions of command-line-usage + Depends on vulnerable versions of dmd + Depends on vulnerable versions of jsdoc-parse + node_modules/jsdoc-to-markdown + grunt-jsdoc-to-markdown 0.5.0 - 0.5.1 || 1.2.0 - 1.2.1 + Depends on vulnerable versions of jsdoc-to-markdown + node_modules/grunt-jsdoc-to-markdown + +48 vulnerabilities (1 low, 3 moderate, 27 high, 17 critical) + +To address issues that do not require attention, run: + npm audit fix + +Some issues need review, and may require choosing +a different dependency. diff --git a/views/default-mobile.handlebars b/views/default-mobile.handlebars index 76f97c81..2143ca8a 100644 --- a/views/default-mobile.handlebars +++ b/views/default-mobile.handlebars @@ -1303,7 +1303,7 @@ QV('managePhoneNumber1', (features & 0x02000000) && (features & 0x04000000)); QV('managePhoneNumber2', (features & 0x02000000) && !(features & 0x04000000)); - attemptWebRTC = 0; // For now, default WebRTC off unless we set it in the URL. + //attemptWebRTC = false; // For now, default WebRTC off unless we set it in the URL. if (args.webrtc != null) { attemptWebRTC = (args.webrtc == 1); } // Session Refresh Timer diff --git a/views/default.handlebars b/views/default.handlebars index ba00aae9..8663e0c4 100644 --- a/views/default.handlebars +++ b/views/default.handlebars 
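Review bot: Commenting out `attemptWebRTC = 0;` in views/default-mobile.handlebars leaves the variable at whatever value its declaration (outside this hunk) gives it, yet the surviving comment text still says "default WebRTC off unless we set it in the URL", so the comment now describes a default this code no longer enforces. If WebRTC is still meant to be off unless `?webrtc=1` is passed, keep a live reset, `attemptWebRTC = false; // default WebRTC off unless ?webrtc=1 is given`; if the declaration's initializer is now the intended default, delete the dead line rather than leaving commented-out code (the `0` to `false` edit inside a comment suggests the line was meant to stay live). Should the declaration initialize it to true, every session would start attempting WebRTC peer connections by default, which is a change in network behaviour that the commit description ought to state explicitly. The same edit appears in views/default.handlebars around line 1466 and should be resolved the same way; the enclosing script block begins and ends outside both hunks, so the initial value cannot be confirmed here.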
@@ -1463,7 +1463,7 @@ if (!args.locale) { var x = getstore('loctag', 0); if ((x != null) && (x != '*')) { args.locale = x; } } debugmode = args.debug; - attemptWebRTC = 0; // For now, default WebRTC off unless we set it in the URL. + //attemptWebRTC = false; // For now, default WebRTC off unless we set it in the URL. if (args.webrtc != null) { attemptWebRTC = (args.webrtc == 1); } QV('p13AutoConnect', debugmode); // Files