Bud depends on vulnerable express

eavonius · May 4, 2024, 3:06pm

I’m getting the following when I run npm audit fix with 6.21.0 of bud:

express <4.19.2
Severity: moderate
Express.js Open Redirect in malformed URLs - Express.js Open Redirect in malformed URLs · CVE-2024-29041 · GitHub Advisory Database · GitHub
fix available via npm audit fix --force
Will install @roots/bud@6.6.6, which is a breaking change
node_modules/express
@roots/bud-support 0.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of express
Depends on vulnerable versions of webpack-dev-middleware
node_modules/@roots/bud-support
@roots/bud 0.0.0 || 3.2.0-next.0 - 4.0.0 || 5.7.5 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-api
Depends on vulnerable versions of @roots/bud-build
Depends on vulnerable versions of @roots/bud-cache
Depends on vulnerable versions of @roots/bud-compiler
Depends on vulnerable versions of @roots/bud-dashboard
Depends on vulnerable versions of @roots/bud-entrypoints
Depends on vulnerable versions of @roots/bud-extensions
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-hooks
Depends on vulnerable versions of @roots/bud-minify
Depends on vulnerable versions of @roots/bud-server
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud
@roots/bud-babel 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-babel
@roots/sage 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-babel
Depends on vulnerable versions of @roots/bud-build
Depends on vulnerable versions of @roots/bud-entrypoints
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-postcss
Depends on vulnerable versions of @roots/bud-preset-wordpress
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/sage
@roots/bud-entrypoints 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
node_modules/@roots/bud-entrypoints
@roots/bud-preset-recommend 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-postcss
Depends on vulnerable versions of @roots/bud-swc
node_modules/@roots/bud-preset-recommend
@roots/bud-preset-wordpress 0.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-extensions
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-preset-recommend
Depends on vulnerable versions of @roots/bud-react
Depends on vulnerable versions of @roots/bud-support
Depends on vulnerable versions of @roots/bud-tailwindcss-theme-json
Depends on vulnerable versions of @roots/bud-wordpress-dependencies
Depends on vulnerable versions of @roots/bud-wordpress-externals
Depends on vulnerable versions of @roots/bud-wordpress-theme-json
node_modules/@roots/bud-preset-wordpress
@roots/bud-swc 0.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-swc
@roots/bud-tailwindcss <=2.0.0-next.32 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-postcss
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-tailwindcss
@roots/bud-tailwindcss-theme-json <=2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
Depends on vulnerable versions of @roots/bud-wordpress-theme-json
node_modules/@roots/bud-tailwindcss-theme-json
@roots/bud-wordpress-dependencies 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
node_modules/@roots/bud-wordpress-dependencies
@roots/bud-api 0.0.0 || 5.7.5 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-extensions
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-minify
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-api
@roots/bud-build 0.0.0 || 3.2.0-next.0 - 4.0.0 || 5.7.5 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-build
@roots/bud-postcss 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-build
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-postcss
@roots/bud-cache 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-cache
@roots/bud-compiler 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-dashboard
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-compiler
@roots/bud-dashboard 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-dashboard
@roots/bud-extensions 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-minify
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-extensions
@roots/bud-framework 0.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-framework
@roots/bud-hooks 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-hooks
@roots/bud-react 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-react
@roots/bud-server 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-server
@roots/bud-wordpress-externals 0.0.0 || 3.2.0-next.0 - 4.0.0 || 6.6.7 - 2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
node_modules/@roots/bud-wordpress-externals
@roots/bud-minify <=2024.5.3-7
Depends on vulnerable versions of @roots/bud
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-minify
@roots/bud-wordpress-theme-json <=2024.5.3-7
Depends on vulnerable versions of @roots/bud-framework
Depends on vulnerable versions of @roots/bud-support
node_modules/@roots/bud-wordpress-theme-json

webpack-dev-middleware 6.0.0 - 6.1.1
Severity: high
Path traversal in webpack-dev-middleware - https://github.com/advisories/GHSA-wr3j-pwj9-hqq6