vulnerabilities in eg gateway create #1065

@yogeshgadge

Description

19 vulnerabilities (5 moderate, 9 high, 5 critical) - Fri June 9th 2023

As of Fri June 9th 2023 npm is reporting 5 critical and 9 high vulnerabilities.

$ eg --version

Configuring yargs through package.json is deprecated and will be removed in a future major release, please use the JS API instead.
1.16.11

$ npm audit

# npm audit report

degenerator  <3.0.1
Severity: high
Code Injection in pac-resolver - https://github.com/advisories/GHSA-9j49-mfvp-vmhm
fix available via `npm audit fix --force`
Will install express-gateway@0.0.6, which is a breaking change
node_modules/degenerator
  pac-resolver  <=4.2.0
  Depends on vulnerable versions of degenerator
  node_modules/pac-resolver
    pac-proxy-agent  <=4.1.0
    Depends on vulnerable versions of pac-resolver
    node_modules/pac-proxy-agent
      proxy-agent  1.1.0 - 4.0.1
      Depends on vulnerable versions of pac-proxy-agent
      node_modules/proxy-agent
        express-gateway  >=0.0.3
        Depends on vulnerable versions of ejs
        Depends on vulnerable versions of jsonwebtoken
        Depends on vulnerable versions of passport
        Depends on vulnerable versions of proxy-agent
        Depends on vulnerable versions of yeoman-generator
        node_modules/express-gateway

ejs  <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install express-gateway@0.0.6, which is a breaking change
node_modules/ejs
  mem-fs-editor  2.0.0 - 6.0.0 || 7.0.1 - 7.1.0
  Depends on vulnerable versions of ejs
  Depends on vulnerable versions of globby
  node_modules/mem-fs-editor
  node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/mem-fs-editor
  node_modules/yeoman-generator/node_modules/mem-fs-editor
    yeoman-environment  2.1.0 - 2.10.3
    Depends on vulnerable versions of globby
    Depends on vulnerable versions of mem-fs-editor
    node_modules/yeoman-environment
      yeoman-generator  0.20.0 - 4.13.0
      Depends on vulnerable versions of github-username
      Depends on vulnerable versions of mem-fs-editor
      Depends on vulnerable versions of mem-fs-editor
      Depends on vulnerable versions of yeoman-environment
      node_modules/yeoman-environment/node_modules/yeoman-generator
      node_modules/yeoman-generator

glob-parent  <5.1.2
Severity: high
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix`
node_modules/fast-glob/node_modules/glob-parent
  fast-glob  <=2.2.7
  Depends on vulnerable versions of glob-parent
  node_modules/fast-glob
    globby  8.0.0 - 9.2.0
    Depends on vulnerable versions of fast-glob
    node_modules/globby
    node_modules/mem-fs-editor/node_modules/globby
    node_modules/yeoman-environment/node_modules/yeoman-generator/node_modules/globby

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix`
node_modules/got
node_modules/yeoman-environment/node_modules/got
  gh-got  <=9.0.0
  Depends on vulnerable versions of got
  node_modules/gh-got
  node_modules/yeoman-environment/node_modules/gh-got
    github-username  2.0.0 - 5.0.1
    Depends on vulnerable versions of gh-got
    node_modules/github-username
    node_modules/yeoman-environment/node_modules/github-username

jsonwebtoken  <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage  - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install express-gateway@0.0.6, which is a breaking change
node_modules/jsonwebtoken

passport  <0.6.0
Severity: moderate
Passport before 0.6.0 vulnerable to session regeneration when a users logs in or out - https://github.com/advisories/GHSA-v923-w3x8-wh69
fix available via `npm audit fix --force`
Will install express-gateway@0.0.6, which is a breaking change
node_modules/passport

redis  2.6.0 - 3.1.0
Severity: high
Node-Redis potential exponential regex in monitor mode - https://github.com/advisories/GHSA-35q2-47q7-3pc3
fix available via `npm audit fix`
node_modules/redis
  rate-limit-redis  1.7.0
  Depends on vulnerable versions of redis
  node_modules/rate-limit-redis

19 vulnerabilities (5 moderate, 9 high, 5 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
