
Security audit fails #81

Closed
srfrnk opened this issue Dec 12, 2021 · 2 comments · Fixed by #142

Comments

@srfrnk

srfrnk commented Dec 12, 2021

gc-stats is no longer supported and contains 4 vulnerabilities (2 moderate, 2 high)

$ npm audit fix
npm WARN audit fix [email protected] node_modules/gc-stats/node_modules/tar
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/gc-stats
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the gc-stats package.
npm WARN audit fix [email protected] node_modules/gc-stats/node_modules/ini
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/gc-stats
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the gc-stats package.
npm WARN audit fix [email protected] node_modules/gc-stats/node_modules/rc/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/gc-stats
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the gc-stats package.
npm WARN audit fix [email protected] node_modules/gc-stats/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/gc-stats
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the gc-stats package.
npm WARN audit fix [email protected] node_modules/gc-stats/node_modules/mkdirp
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/gc-stats
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the gc-stats package.

up to date, audited 270 packages in 859ms

15 packages are looking for funding
  run `npm fund` for details

# npm audit report

ini  <1.3.6
Severity: high
Prototype Pollution - https://github.com/advisories/GHSA-qqgx-2p2h-9c37
fix available via `npm audit fix`
node_modules/gc-stats/node_modules/ini

minimist  >=1.0.0 <1.2.3 || <0.2.1
Severity: moderate
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/gc-stats/node_modules/minimist
node_modules/gc-stats/node_modules/rc/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/gc-stats/node_modules/mkdirp

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/gc-stats/node_modules/tar

4 vulnerabilities (2 moderate, 2 high)

To address all issues, run:
  npm audit fix

What's the best way to make using this secure again?
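One way to tell which of the findings above `npm audit fix` can actually reach, as an added example that is not code from the issue or from node-prometheus-gc-stats: cross-reference the `npm audit --json` report (auditReportVersion 2) with package-lock.json, where lockfile v2/v3 marks modules shipped inside another package's tarball with `inBundle: true`. Both inputs are constructed samples that reuse the paths from the audit output; `example-pkg` is a hypothetical non-bundled package.

```javascript
// Added example (not from the issue or node-prometheus-gc-stats). Constructed
// `npm audit --json` and package-lock.json samples using the paths above.
const audit = { vulnerabilities: {
  ini: { severity: 'high', nodes: ['node_modules/gc-stats/node_modules/ini'],
    via: [{ url: 'https://github.com/advisories/GHSA-qqgx-2p2h-9c37' }] },
  tar: { severity: 'high', nodes: ['node_modules/gc-stats/node_modules/tar'],
    via: [{ url: 'https://github.com/advisories/GHSA-3jfq-g458-7qm9' }] },
  minimist: { severity: 'moderate', via: [{ url: 'https://github.com/advisories/GHSA-vh95-rmgr-6w4m' }],
    nodes: ['node_modules/gc-stats/node_modules/minimist',
      'node_modules/gc-stats/node_modules/rc/node_modules/minimist'] },
  // Hypothetical non-bundled finding, to show the fixable side of the split.
  'example-pkg': { severity: 'low', nodes: ['node_modules/example-pkg'],
    via: ['some-dep', { url: 'https://example.invalid/constructed-advisory' }] },
} };
const lock = { lockfileVersion: 2, packages: {
  'node_modules/gc-stats': {},
  'node_modules/gc-stats/node_modules/ini': { inBundle: true },
  'node_modules/gc-stats/node_modules/tar': { inBundle: true },
  'node_modules/gc-stats/node_modules/minimist': { inBundle: true },
  'node_modules/gc-stats/node_modules/rc': { inBundle: true },
  'node_modules/gc-stats/node_modules/rc/node_modules/minimist': { inBundle: true },
  'node_modules/example-pkg': {},
} };
// Walk up from a vulnerable node while entries are bundled; the first
// non-bundled ancestor is the package whose tarball ships the vulnerable copy.
function bundlingParent(nodePath, lock) {
  let p = nodePath;
  while (lock.packages[p] && lock.packages[p].inBundle) {
    const i = p.lastIndexOf('/node_modules/');
    if (i < 0) break; // malformed lockfile: bundled entry at top level
    p = p.slice(0, i);
  }
  return p === nodePath ? null : p.replace(/^.*node_modules\//, '');
}
// Split findings into what `npm audit fix` can repair and what it cannot reach.
function classify(audit, lock) {
  const fixable = [], unfixable = [];
  for (const [name, v] of Object.entries(audit.vulnerabilities)) {
    // `via` mixes advisory objects with plain strings naming transitive causes.
    const advisories = v.via.filter((x) => typeof x === 'object').map((x) => x.url);
    for (const node of v.nodes) {
      const bundledBy = bundlingParent(node, lock);
      (bundledBy ? unfixable : fixable).push({ name, severity: v.severity, node, advisories, bundledBy });
    }
  }
  return { fixable, unfixable };
}
// Packages that must be upgraded or replaced rather than audit-fixed.
function mustReplace(result) { return [...new Set(result.unfixable.map((u) => u.bundledBy))].sort(); }
```

On the report above every bundled finding resolves to `gc-stats`, which is why the only real remedies are an updated release or a fork of that package.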

@mman

mman commented May 9, 2023

Apparently there is a fork of gc-stats with updated dependencies available here: https://github.com/adnanrahic/node-gcstats#readme.

Any chance we can use that?

@SimenB
Owner

SimenB commented Sep 6, 2023

https://github.com/SimenB/node-prometheus-gc-stats/releases/tag/v1.0.0
