TaylorHo · TaylorHo · May 8, 2025 · May 7, 2025 · May 7, 2025 · May 7, 2025
@@ -7,13 +7,21 @@
 To test the project locally, you use one of the test audits as input to this script, as shown below:
 
 1. To test with a NodeJS v16+ audit:
+
 ```bash
-cat .playwright/fixtures/npm-audit-v16.json | node ./src/index.js <parameters>
+cat .playwright/fixtures/npm-audit-node-v16.json | node ./src/index.js <parameters>
 ```
 
 2. To test with a NodeJS v10 to v15 audits:
+
+```bash
+cat .playwright/fixtures/npm-audit-node-v10.json | node ./src/index.js <parameters>
+```
+
+3. To test with pnpm audits:
+
 ```bash
-cat .playwright/fixtures/npm-audit-v10.json | node ./src/index.js <parameters>
+cat .playwright/fixtures/pnpm-audit-v10.json | node ./src/index.js <parameters>
 ```
 
 ## Node.js Version Compatibility
@@ -23,12 +31,13 @@ The tool is designed to work with different versions of Node.js. Specifically:
 - For Node.js v10 to v14.
 - For Node.js v16 and higher.
 
-<sub>odd versions aren't listed, but also works.</sub>
+<sub>It also works with <code>npm</code>, <code>pnpm</code> and <code>yarn</code></sub><br/>
+<sub>Odd versions aren't listed, but also works.</sub>
 
-So make sure to test the tool in both version ranges to ensure compatibility. 🔄
+So make sure to test the tool in both version ranges and tools to ensure compatibility. 🔄
 
 ## Thank You! 🙌
 
 We would like to extend our heartfelt gratitude to all contributors who have helped improve this project. Your time and effort are highly appreciated. If you encounter any issues or have suggestions, please open an issue or submit a pull request. Together, we can make audit-export even more awesome! 💪
 
-Happy coding! 🚀
+Happy coding! 🚀
@@ -55,10 +55,16 @@ jobs:
         if: matrix.browser == 'webkit'
 
       - name: Generate mock audit report for Node v10 ~ v14 (default options)
-        run: cat ${{ github.workspace }}/.playwright/fixtures/npm-audit-v10.json | node ./src/index.js --path ${{ github.workspace }}/npm-audit-v10.html --title playwright-test
+        run: cat ${{ github.workspace }}/.playwright/fixtures/npm-audit-node-v10.json | node ./src/index.js --path ${{ github.workspace }}/npm-audit-node-v10.html --title playwright-test
 
       - name: Generate mock audit report for Node v16 ~ lts (default options)
-        run: cat ${{ github.workspace }}/.playwright/fixtures/npm-audit-v16.json | node ./src/index.js --path ${{ github.workspace }}/npm-audit-v16.html --title playwright-test
+        run: cat ${{ github.workspace }}/.playwright/fixtures/npm-audit-node-v16.json | node ./src/index.js --path ${{ github.workspace }}/npm-audit-node-v16.html --title playwright-test
+
+      - name: Generate mock audit report for pnpm v10 (default options)
+        run: cat ${{ github.workspace }}/.playwright/fixtures/pnpm-audit-v10.json | node ./src/index.js --path ${{ github.workspace }}/pnpm-audit-v10.html --title playwright-test
+
+      - name: Generate mock audit report for yarn (default options)
+        run: cat ${{ github.workspace }}/.playwright/fixtures/yarn-audit.jsonl | node ./src/index.js --path ${{ github.workspace }}/yarn-audit.html --title playwright-test
 
       - name: Run Playwright tests for ${{ matrix.browser }}
         env:

@@ -0,0 +1,174 @@
+{
+  "actions": [
+    {
+      "action": "review",
+      "module": "esbuild",
+      "resolves": [
+        {
+          "id": 1102341,
+          "path": ".>@sveltejs/adapter-vercel>esbuild",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ]
+    },
+    {
+      "action": "review",
+      "module": "cookie",
+      "resolves": [
+        {
+          "id": 1103907,
+          "path": ".>@sveltejs/kit>cookie",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ]
+    },
+    {
+      "action": "review",
+      "module": "vite",
+      "resolves": [
+        {
+          "id": 1104176,
+          "path": ".>vite",
+          "dev": false,
+          "optional": false,
+          "bundled": false
+        }
+      ]
+    }
+  ],
+  "advisories": {
+    "1102341": {
+      "findings": [
+        {
+          "version": "0.24.2",
+          "paths": [
+            ".>@sveltejs/adapter-vercel>esbuild"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://github.com/evanw/esbuild/security/advisories/GHSA-67mh-4wv8-2f99\n- https://github.com/evanw/esbuild/commit/de85afd65edec9ebc44a11e245fd9e9a2e99760d\n- https://github.com/advisories/GHSA-67mh-4wv8-2f99",
+      "created": "2025-02-10T17:48:07.000Z",
+      "id": 1102341,
+      "npm_advisory_id": null,
+      "overview": "### Summary\n\nesbuild allows any websites to send any request to the development server and read the response due to default CORS settings.\n\n### Details\n\nesbuild sets `Access-Control-Allow-Origin: *` header to all requests, including the SSE connection, which allows any websites to send any request to the development server and read the response.\n\nhttps://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L121\nhttps://github.com/evanw/esbuild/blob/df815ac27b84f8b34374c9182a93c94718f8a630/pkg/api/serve_other.go#L363\n\n**Attack scenario**:\n\n1. The attacker serves a malicious web page (`http://malicious.example.com`).\n1. The user accesses the malicious web page.\n1. The attacker sends a `fetch('http://127.0.0.1:8000/main.js')` request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.\n1. The attacker gets the content of `http://127.0.0.1:8000/main.js`.\n\nIn this scenario, I assumed that the attacker knows the URL of the bundle output file name. But the attacker can also get that information by\n\n- Fetching `/index.html`: normally you have a script tag here\n- Fetching `/assets`: it's common to have a `assets` directory when you have JS files and CSS files in a different directory and the directory listing feature tells the attacker the list of files\n- Connecting `/esbuild` SSE endpoint: the SSE endpoint sends the URL path of the changed files when the file is changed (`new EventSource('/esbuild').addEventListener('change', e => console.log(e.type, e.data))`)\n- Fetching URLs in the known file: once the attacker knows one file, the attacker can know the URLs imported from that file\n\nThe scenario above fetches the compiled content, but if the victim has the source map option enabled, the attacker can also get the non-compiled content by fetching the source map file.\n\n### PoC\n\n1. Download [reproduction.zip](https://github.com/user-attachments/files/18561484/reproduction.zip)\n2. Extract it and move to that directory\n1. Run `npm i`\n1. Run `npm run watch`\n1. Run `fetch('http://127.0.0.1:8000/app.js').then(r => r.text()).then(content => console.log(content))` in a different website's dev tools.\n\n![image](https://github.com/user-attachments/assets/08fc2e4d-e1ec-44ca-b0ea-78a73c3c40e9)\n\n### Impact\n\nUsers using the serve feature may get the source code stolen by malicious websites.",
+      "reported_by": null,
+      "title": "esbuild enables any website to send any requests to the development server and read the response",
+      "metadata": null,
+      "cves": [],
+      "access": "public",
+      "severity": "moderate",
+      "module_name": "esbuild",
+      "vulnerable_versions": "<=0.24.2",
+      "github_advisory_id": "GHSA-67mh-4wv8-2f99",
+      "recommendation": "Upgrade to version 0.25.0 or later",
+      "patched_versions": ">=0.25.0",
+      "updated": "2025-02-10T17:48:08.000Z",
+      "cvss": {
+        "score": 5.3,
+        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
+      },
+      "cwe": [
+        "CWE-346"
+      ],
+      "url": "https://github.com/advisories/GHSA-67mh-4wv8-2f99"
+    },
+    "1103907": {
+      "findings": [
+        {
+          "version": "0.6.0",
+          "paths": [
+            ".>@sveltejs/kit>cookie"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://github.com/jshttp/cookie/security/advisories/GHSA-pxg6-pf52-xh8x\n- https://github.com/jshttp/cookie/pull/167\n- https://github.com/jshttp/cookie/commit/e10042845354fea83bd8f34af72475eed1dadf5c\n- https://github.com/advisories/GHSA-pxg6-pf52-xh8x",
+      "created": "2024-10-04T20:31:00.000Z",
+      "id": 1103907,
+      "npm_advisory_id": null,
+      "overview": "### Impact\n\nThe cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, `serialize(\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a\", value)` would result in `\"userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test\"`, setting `userName` cookie to `<script>` and ignoring `value`.\n\nA similar escape can be used for `path` and `domain`, which could be abused to alter other fields of the cookie.\n\n### Patches\n\nUpgrade to 0.7.0, which updates the validation for `name`, `path`, and `domain`.\n\n### Workarounds\n\nAvoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.\n\n### References\n\n* https://github.com/jshttp/cookie/pull/167",
+      "reported_by": null,
+      "title": "cookie accepts cookie name, path, and domain with out of bounds characters",
+      "metadata": null,
+      "cves": [
+        "CVE-2024-47764"
+      ],
+      "access": "public",
+      "severity": "low",
+      "module_name": "cookie",
+      "vulnerable_versions": "<0.7.0",
+      "github_advisory_id": "GHSA-pxg6-pf52-xh8x",
+      "recommendation": "Upgrade to version 0.7.0 or later",
+      "patched_versions": ">=0.7.0",
+      "updated": "2025-04-15T13:56:44.000Z",
+      "cvss": {
+        "score": 0,
+        "vectorString": null
+      },
+      "cwe": [
+        "CWE-74"
+      ],
+      "url": "https://github.com/advisories/GHSA-pxg6-pf52-xh8x"
+    },
+    "1104176": {
+      "findings": [
+        {
+          "version": "6.3.2",
+          "paths": [
+            ".>vite"
+          ]
+        }
+      ],
+      "found_by": null,
+      "deleted": null,
+      "references": "- https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3\n- https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb\n- https://nvd.nist.gov/vuln/detail/CVE-2025-46565\n- https://github.com/advisories/GHSA-859w-5945-r5v3",
+      "created": "2025-04-30T17:40:27.000Z",
+      "id": 1104176,
+      "npm_advisory_id": null,
+      "overview": "### Summary\nThe contents of files in [the project `root`](https://vite.dev/config/shared-options.html#root) that are denied by a file matching pattern can be returned to the browser.\n\n### Impact\n\nOnly apps explicitly exposing the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) are affected.\nOnly files that are under [project `root`](https://vite.dev/config/shared-options.html#root) and are denied by a file matching pattern can be bypassed.\n\n- Examples of file matching patterns: `.env`, `.env.*`, `*.{crt,pem}`, `**/.env`\n- Examples of other patterns: `**/.git/**`, `.git/**`, `.git/**/*`\n\n### Details\n[`server.fs.deny`](https://vite.dev/config/server-options.html#server-fs-deny) can contain patterns matching against files (by default it includes `.env`, `.env.*`, `*.{crt,pem}` as such patterns).\nThese patterns were able to bypass for files under `root` by using a combination of slash and dot (`/.`).\n\n### PoC\n```\nnpm create vite@latest\ncd vite-project/\ncat \"secret\" > .env\nnpm install\nnpm run dev\ncurl --request-target /.env/. http://localhost:5173\n```\n\n![image](https://github.com/user-attachments/assets/822f4416-aa42-461f-8c95-a88d155e674b)\n![image](https://github.com/user-attachments/assets/42902144-863a-4afb-ac5b-fc16effa37cc)",
+      "reported_by": null,
+      "title": "Vite's server.fs.deny bypassed with /. for files under project root",
+      "metadata": null,
+      "cves": [
+        "CVE-2025-46565"
+      ],
+      "access": "public",
+      "severity": "moderate",
+      "module_name": "vite",
+      "vulnerable_versions": ">=6.3.0 <=6.3.3",
+      "github_advisory_id": "GHSA-859w-5945-r5v3",
+      "recommendation": "Upgrade to version 6.3.4 or later",
+      "patched_versions": ">=6.3.4",
+      "updated": "2025-05-02T15:33:48.000Z",
+      "cvss": {
+        "score": 0,
+        "vectorString": null
+      },
+      "cwe": [
+        "CWE-22"
+      ],
+      "url": "https://github.com/advisories/GHSA-859w-5945-r5v3"
+    }
+  },
+  "muted": [],
+  "metadata": {
+    "vulnerabilities": {
+      "info": 0,
+      "low": 1,
+      "moderate": 2,
+      "high": 0,
+      "critical": 0
+    },
+    "dependencies": 314,
+    "devDependencies": 0,
+    "optionalDependencies": 0,
+    "totalDependencies": 314
+  }
+}
@@ -0,0 +1,4 @@
+{"type":"info","data":"No lockfile found."}
+{"type":"auditAdvisory","data":{"resolution":{"id":1102459,"path":"rspress>@rspress/core>react-syntax-highlighter>refractor>prismjs","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.27.0","paths":["rspress>@rspress/core>react-syntax-highlighter>refractor>prismjs","rspress>@rspress/core>@rspress/theme-default>react-syntax-highlighter>refractor>prismjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-53382\n- https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660\n- https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259\n- https://github.com/PrismJS/prism/pull/3863\n- https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d\n- https://github.com/advisories/GHSA-x7hr-w5r2-h6wg","created":"2025-03-03T09:30:34.000Z","id":1102459,"npm_advisory_id":null,"overview":"Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.","reported_by":null,"title":"PrismJS DOM Clobbering vulnerability","metadata":null,"cves":["CVE-2024-53382"],"access":"public","severity":"moderate","module_name":"prismjs","vulnerable_versions":"<1.30.0","github_advisory_id":"GHSA-x7hr-w5r2-h6wg","recommendation":"Upgrade to version 1.30.0 or later","patched_versions":">=1.30.0","updated":"2025-03-10T22:19:23.000Z","cvss":{"score":4.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},"cwe":["CWE-94"],"url":"https://github.com/advisories/GHSA-x7hr-w5r2-h6wg"}}}
+{"type":"auditAdvisory","data":{"resolution":{"id":1102459,"path":"rspress>@rspress/core>@rspress/theme-default>react-syntax-highlighter>refractor>prismjs","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.27.0","paths":["rspress>@rspress/core>react-syntax-highlighter>refractor>prismjs","rspress>@rspress/core>@rspress/theme-default>react-syntax-highlighter>refractor>prismjs"]}],"found_by":null,"deleted":null,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2024-53382\n- https://gist.github.com/jackfromeast/aeb128e44f05f95828a1a824708df660\n- https://github.com/PrismJS/prism/blob/59e5a3471377057de1f401ba38337aca27b80e03/prism.js#L226-L259\n- https://github.com/PrismJS/prism/pull/3863\n- https://github.com/PrismJS/prism/commit/8e8b9352dac64457194dd9e51096b4772532e53d\n- https://github.com/advisories/GHSA-x7hr-w5r2-h6wg","created":"2025-03-03T09:30:34.000Z","id":1102459,"npm_advisory_id":null,"overview":"Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because document.currentScript lookup can be shadowed by attacker-injected HTML elements.","reported_by":null,"title":"PrismJS DOM Clobbering vulnerability","metadata":null,"cves":["CVE-2024-53382"],"access":"public","severity":"moderate","module_name":"prismjs","vulnerable_versions":"<1.30.0","github_advisory_id":"GHSA-x7hr-w5r2-h6wg","recommendation":"Upgrade to version 1.30.0 or later","patched_versions":">=1.30.0","updated":"2025-03-10T22:19:23.000Z","cvss":{"score":4.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"},"cwe":["CWE-94"],"url":"https://github.com/advisories/GHSA-x7hr-w5r2-h6wg"}}}
+{"type":"auditSummary","data":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":372,"devDependencies":0,"optionalDependencies":0,"totalDependencies":372}}