Package vulnerabilities

Shopify Apps
1

We have several high severity vulnerabilities, but It ask me to downgrade some packages to fix it, causing that the app crash, any idea how to fix this vulnerabilities?:

npm audit report

body-parser <1.20.3
Severity: high
body-parser vulnerable to denial of service when url encoding is enabled - https://github.com/advisories/GHSA-qwcr-r2fm-qrc7
fix available via npm audit fix --force
Will install @Shopify_77 /app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/body-parser
node_modules/@shopify/app/node_modules/express/node_modules/body-parser
@Shopify_77 /app <=0.0.0-nightly-20240413160158 || >=3.6.0
Depends on vulnerable versions of @Shopify_77 /cli-kit
Depends on vulnerable versions of @Shopify_77 /create-app
Depends on vulnerable versions of @Shopify_77 /plugin-cloudflare
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of express
Depends on vulnerable versions of micromatch
Depends on vulnerable versions of serve-static
Depends on vulnerable versions of ws
node_modules/@shopify/app
express <=4.21.1 || 5.0.0-alpha.1 - 5.0.0
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of cookie
Depends on vulnerable versions of path-to-regexp
Depends on vulnerable versions of send
Depends on vulnerable versions of serve-static
node_modules/@shopify/app/node_modules/express

cookie <0.7.0
cookie accepts cookie name, path, and domain with out of bounds characters - https://github.com/advisories/GHSA-pxg6-pf52-xh8x
fix available via npm audit fix --force
Will install @remix-run/serve@1.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/cookie
node_modules/cookie
@remix-run/server-runtime *
Depends on vulnerable versions of cookie
node_modules/@remix-run/server-runtime
@remix-run/dev <=0.0.0-nightly-ff40409-20230514 || >=1.2.0-pre.0
Depends on vulnerable versions of @remix-run/node
Depends on vulnerable versions of @remix-run/react
Depends on vulnerable versions of @remix-run/serve
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/dev
@remix-run/node *
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/node
@remix-run/express *
Depends on vulnerable versions of @remix-run/node
node_modules/@remix-run/express
@remix-run/serve *
Depends on vulnerable versions of @remix-run/express
Depends on vulnerable versions of @remix-run/node
node_modules/@remix-run/serve
@Shopify_77 /shopify-app-remix *
Depends on vulnerable versions of @remix-run/node
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@shopify/shopify-app-remix
@remix-run/react <=0.0.0-nightly-fef7d16-20240205 || >=2.0.0-pre.0
Depends on vulnerable versions of @remix-run/server-runtime
node_modules/@remix-run/react

cross-spawn <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via npm audit fix --force
Will install @Shopify_77 /app@3.15.0, which is a breaking change
node_modules/pid-from-port/node_modules/cross-spawn
execa 0.5.0 - 0.9.0
Depends on vulnerable versions of cross-spawn
node_modules/pid-from-port/node_modules/execa
pid-from-port *
Depends on vulnerable versions of execa
node_modules/pid-from-port
kill-port-process *
Depends on vulnerable versions of pid-from-port
node_modules/kill-port-process
@Shopify_77 /cli-kit <=0.0.0-snapshot-20241017102314 || 3.6.0 - 3.68.1
Depends on vulnerable versions of kill-port-process
node_modules/@shopify/cli-kit
@Shopify_77 /create-app <=0.0.0-nightly-20240413160158 || 3.6.0 - 3.58.2
Depends on vulnerable versions of @Shopify_77 /cli-kit
node_modules/@shopify/create-app
@Shopify_77 /plugin-cloudflare <=3.68.1
Depends on vulnerable versions of @Shopify_77 /cli-kit
node_modules/@shopify/plugin-cloudflare

micromatch <4.0.8
Severity: moderate
Regular Expression Denial of Service (ReDoS) in micromatch - https://github.com/advisories/GHSA-952p-6rrq-rcjv
fix available via npm audit fix --force
Will install @Shopify_77 /app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/micromatch

path-to-regexp <=0.1.11
Severity: high
path-to-regexp outputs backtracking regular expressions - https://github.com/advisories/GHSA-9wv6-86v2-598j
Unpatched path-to-regexp ReDoS in 0.1.x - https://github.com/advisories/GHSA-rhx6-c78j-4q9w
fix available via npm audit fix
node_modules/@shopify/app/node_modules/path-to-regexp

send <0.19.0
send vulnerable to template injection that can lead to XSS - https://github.com/advisories/GHSA-m6fv-jmcg-4jfg
fix available via npm audit fix --force
Will install @Shopify_77 /app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/send
node_modules/serve-static/node_modules/send
serve-static <=1.16.0
Depends on vulnerable versions of send
node_modules/serve-static

ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers - https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via npm audit fix --force
Will install @Shopify_77 /app@3.15.0, which is a breaking change
node_modules/@shopify/app/node_modules/ws

23 vulnerabilities (10 low, 1 moderate, 12 high)

To address issues that do not require attention, run:
npm audit fix

To address all issues possible (including breaking changes), run:
npm audit fix --force

Some issues need review, and may require choosing a different dependency.