While auditing the npm packages after a fresh Ghost install, npm tells me that there are 25 vulnerabilities (11 moderate, 14 high):
# npm audit report

dot-prop  <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/dot-prop
  compare-func  <=1.3.4
  Depends on vulnerable versions of dot-prop
  node_modules/compare-func
    conventional-changelog-angular  0.0.1 - 5.0.10
    Depends on vulnerable versions of compare-func
    node_modules/conventional-changelog-angular
      conventional-changelog  1.0.0 - 2.0.3
      Depends on vulnerable versions of conventional-changelog-angular
      Depends on vulnerable versions of conventional-changelog-core
      Depends on vulnerable versions of conventional-changelog-jshint
      node_modules/conventional-changelog
        standard-version  <=8.0.0
        Depends on vulnerable versions of conventional-changelog
        Depends on vulnerable versions of yargs
        node_modules/standard-version
    conventional-changelog-jshint  <=2.0.7
    Depends on vulnerable versions of compare-func
    node_modules/conventional-changelog-jshint
    conventional-changelog-writer  <=4.0.16
    Depends on vulnerable versions of compare-func
    Depends on vulnerable versions of meow
    node_modules/conventional-changelog-writer
      conventional-changelog-core  2.0.5 - 4.2.1
      Depends on vulnerable versions of conventional-changelog-writer
      Depends on vulnerable versions of conventional-commits-parser
      Depends on vulnerable versions of git-raw-commits
      Depends on vulnerable versions of git-semver-tags
      node_modules/conventional-changelog-core

got  <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via npm audit fix --force
Will install got@12.3.1, which is a breaking change
node_modules/download/node_modules/got
node_modules/got
  download  >=4.0.0
  Depends on vulnerable versions of got
  node_modules/download
  package-json  <=6.5.0
  Depends on vulnerable versions of got
  node_modules/latest-version/node_modules/package-json
    latest-version  0.2.0 - 5.1.0
    Depends on vulnerable versions of package-json
    node_modules/latest-version

mem  <4.0.0
Severity: moderate
Denial of Service in mem - https://github.com/advisories/GHSA-4xcv-9jjx-gfj3
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  8.0.0-candidate.0 - 12.0.5
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/standard-version/node_modules/yargs

moment  <=2.29.3
Severity: high
Inefficient Regular Expression Complexity in moment - https://github.com/advisories/GHSA-wc69-rhjr-hc9g
Path Traversal: 'dir/../../filename' in moment.locale - https://github.com/advisories/GHSA-8hfj-j24r-96c4
fix available via npm audit fix --force
Will install moment@2.29.4, which is outside the stated dependency range
node_modules/moment

nanoid  3.0.0 - 3.1.30
Severity: moderate
Exposure of Sensitive Information to an Unauthorized Actor in nanoid - https://github.com/advisories/GHSA-qrpm-p2h7-hrv2
fix available via npm audit fix --force
Will install mocha@10.0.0, which is a breaking change
node_modules/nanoid
  mocha  8.2.0 - 9.1.4
  Depends on vulnerable versions of nanoid
  node_modules/mocha

trim-newlines  <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/conventional-recommended-bump/node_modules/trim-newlines
node_modules/get-pkg-repo/node_modules/trim-newlines
node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/conventional-recommended-bump/node_modules/meow
  node_modules/get-pkg-repo/node_modules/meow
  node_modules/meow
    conventional-commits-parser  2.1.5 - 3.0.8
    Depends on vulnerable versions of meow
    node_modules/conventional-commits-parser
    git-raw-commits  1.3.4 - 2.0.3
    Depends on vulnerable versions of meow
    node_modules/git-raw-commits
    git-semver-tags  1.3.4 - 3.0.1
    Depends on vulnerable versions of meow
    node_modules/git-semver-tags

validator  <13.7.0
Severity: moderate
Inefficient Regular Expression Complexity in validator.js - https://github.com/advisories/GHSA-qgmg-gppg-76g5
fix available via npm audit fix --force
Will install validator@13.7.0, which is a breaking change
node_modules/validator

yargs-parser  6.0.0 - 13.1.1
Severity: moderate
yargs-parser Vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-p9pc-299p-vxgp
fix available via npm audit fix --force
Will install standard-version@9.5.0, which is a breaking change
node_modules/standard-version/node_modules/yargs-parser

25 vulnerabilities (11 moderate, 14 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
Additionally, I had to create a package-lock.json with npm i --package-lock-only in /usr/lib/node_modules/ghost-cli to be able to audit.
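Added example, not part of the post above and not ghost-cli code: a Node script that triages the JSON form of the same kind of report (npm audit --json, auditReportVersion 2 as produced by npm 7 and later). The text report interleaves the packages that carry an advisory with the "Depends on vulnerable versions of ..." fan-out, so 25 findings here boil down to a handful of advisories and three or four packages that would actually have to change. The script separates the two, follows the effects chain up to the direct dependencies that pull each advisory in, and classifies the offered fix the way the text report does (plain npm audit fix, --force with a breaking change, or --force with a version outside the declared range). SAMPLE_REPORT is constructed by hand from a subset of the chains in the post; the advisory ids and titles are the ones shown there, while the source, cwe and cvss fields are omitted and node paths simplified because the triage does not use them.

```javascript
// Added example (not from the original post, not ghost-cli code): triage of an
// `npm audit --json` report, auditReportVersion 2 (npm 7+). Separates real
// advisories from "depends on vulnerable versions of" fan-out, finds the direct
// dependencies behind each one, and classifies the fix npm offers.
//
// SAMPLE_REPORT is constructed by hand from a subset of the chains in the post.
// Advisory ids/titles are the ones shown there; source/cwe/cvss are omitted and
// node paths simplified, since the triage below ignores them.

const STD = { name: "standard-version", version: "9.5.0", isSemVerMajor: true };
const MOCHA = { name: "mocha", version: "10.0.0", isSemVerMajor: true };
const entry = (name, severity, via, effects, fixAvailable, isDirect = false) =>
  ({ name, severity, isDirect, via, effects, nodes: [`node_modules/${name}`], fixAvailable });
const adv = (name, title, id, severity, range) =>
  ({ name, dependency: name, title, url: `https://github.com/advisories/${id}`, severity, range });

const SAMPLE_REPORT = JSON.stringify({
  auditReportVersion: 2,
  vulnerabilities: {
    "dot-prop": entry("dot-prop", "high",
      [adv("dot-prop", "dot-prop Prototype Pollution vulnerability", "GHSA-ff7x-qrg7-qggm", "high", "<4.2.1")],
      ["compare-func"], STD),
    "compare-func": entry("compare-func", "high", ["dot-prop"], ["conventional-changelog-angular"], STD),
    "conventional-changelog-angular": entry("conventional-changelog-angular", "high",
      ["compare-func"], ["conventional-changelog"], STD),
    "conventional-changelog": entry("conventional-changelog", "high",
      ["conventional-changelog-angular"], ["standard-version"], STD),
    "standard-version": entry("standard-version", "high", ["conventional-changelog", "yargs"], [], STD, true),
    "yargs-parser": entry("yargs-parser", "moderate",
      [adv("yargs-parser", "yargs-parser Vulnerable to Prototype Pollution", "GHSA-p9pc-299p-vxgp", "moderate", "6.0.0 - 13.1.1")],
      ["yargs"], STD),
    "yargs": entry("yargs", "moderate", ["yargs-parser"], ["standard-version"], STD),
    "moment": entry("moment", "high",
      [adv("moment", "Inefficient Regular Expression Complexity in moment", "GHSA-wc69-rhjr-hc9g", "high", "<=2.29.3"),
       adv("moment", "Path Traversal: 'dir/../../filename' in moment.locale", "GHSA-8hfj-j24r-96c4", "high", "<2.29.2")],
      [], { name: "moment", version: "2.29.4", isSemVerMajor: false }, true),
    "nanoid": entry("nanoid", "moderate",
      [adv("nanoid", "Exposure of Sensitive Information to an Unauthorized Actor in nanoid", "GHSA-qrpm-p2h7-hrv2", "moderate", "3.0.0 - 3.1.30")],
      ["mocha"], MOCHA),
    "mocha": entry("mocha", "moderate", ["nanoid"], [], MOCHA, true),
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 4, high: 6, critical: 0, total: 10 } },
});

// A `via` element is an advisory object when the package is itself vulnerable,
// and a bare package name when it merely depends on a vulnerable package.
const isAdvisory = (v) => typeof v === "object" && v !== null;

function rootAdvisories(vulns) {
  return Object.keys(vulns).filter((n) => (vulns[n].via || []).some(isAdvisory)).sort();
}

// Walk `effects` upward from `name` until reaching direct dependencies (or
// packages with nothing above them): those are what actually has to change.
function directCulprits(vulns, name) {
  const seen = new Set([name]), queue = [name], culprits = new Set();
  while (queue.length) {
    const cur = queue.shift();
    const e = vulns[cur];
    if (!e) { culprits.add(cur); continue; }   // effect without an entry of its own
    const parents = e.effects || [];
    if (e.isDirect || parents.length === 0) culprits.add(cur);
    for (const p of parents) if (!seen.has(p)) { seen.add(p); queue.push(p); }
  }
  return [...culprits].sort();
}

// `fixAvailable` is true (plain `npm audit fix`), false (nothing npm can do), or
// an object naming what `--force` would install: isSemVerMajor is the
// "breaking change" case, otherwise "outside the stated dependency range".
function fixKind(e) {
  const fa = e.fixAvailable;
  if (fa === true) return "fix";
  if (!fa) return "none";
  return fa.isSemVerMajor ? "force-major" : "force-range";
}

function triage(reportText) {
  const vulns = JSON.parse(reportText).vulnerabilities;
  return rootAdvisories(vulns).map((name) => ({
    package: name,
    severity: vulns[name].severity,
    advisories: vulns[name].via.filter(isAdvisory).map((v) => v.url),
    culprits: directCulprits(vulns, name),
    fix: fixKind(vulns[name]),
  }));
}

function summarize(reportText) {
  const report = JSON.parse(reportText);
  const vulns = report.vulnerabilities;
  const roots = rootAdvisories(vulns);
  const byFix = {};
  for (const n of roots) { const k = fixKind(vulns[n]); byFix[k] = (byFix[k] || 0) + 1; }
  return { entries: Object.keys(vulns).length, reportedTotal: report.metadata.vulnerabilities.total,
           roots: roots.length, byFix };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of triage(SAMPLE_REPORT))
    console.log(`${r.severity.padEnd(8)} ${r.package.padEnd(14)} via ${r.culprits.join(", ")}  [${r.fix}]  ${r.advisories.join(" ")}`);
  console.log(summarize(SAMPLE_REPORT));
}
```

On a real install, pass triage() the text of npm audit --json instead of SAMPLE_REPORT; the "entries" count in summarize() is the number the text report headlines, while "roots" is the number of advisories you actually have to read. One caveat worth checking when the lockfile was produced the way the post describes: npm i --package-lock-only resolves devDependencies as well, whereas npm install -g never installs them, so a lock generated that way inside a global package can make npm audit count test and release tooling that is not on disk. Generating the lock, or running the audit, with --omit=dev (npm 7+) and comparing the two root sets shows which findings fall into that class.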