generated from danielhonies/electronWebGCS
Open
Labels: bug (Something isn't working)
Description
mooch@basement2:~/p/electronWebGCS$ npm audit
# npm audit report
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
fix available via `npm audit fix --force`
Will install electron-builder@23.4.0, which is a breaking change
node_modules/dir-compare/node_modules/minimatch
dir-compare <=2.4.0
Depends on vulnerable versions of minimatch
node_modules/dir-compare
@electron/universal 1.0.1 - 1.3.3
Depends on vulnerable versions of dir-compare
node_modules/@electron/universal
app-builder-lib 22.10.4 - 24.0.0-alpha.13
Depends on vulnerable versions of @electron/universal
node_modules/app-builder-lib
dmg-builder 22.10.4 - 24.0.0-alpha.13
Depends on vulnerable versions of app-builder-lib
node_modules/dmg-builder
electron-builder 19.25.0 || >=22.10.4
Depends on vulnerable versions of app-builder-lib
Depends on vulnerable versions of dmg-builder
Depends on vulnerable versions of simple-update-notifier
node_modules/electron-builder
minimist <=0.2.3 || 1.0.0 - 1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix --force`
Will install leaflet-omnivore@0.3.0, which is a breaking change
node_modules/@mapbox/togeojson/node_modules/minimist
node_modules/optimist/node_modules/minimist
node_modules/static-module/node_modules/minimist
node_modules/togeojson/node_modules/minimist
node_modules/wellknown/node_modules/minimist
@mapbox/togeojson *
Depends on vulnerable versions of minimist
Depends on vulnerable versions of xmldom
node_modules/@mapbox/togeojson
optimist >=0.6.0
Depends on vulnerable versions of minimist
node_modules/optimist
csv2geojson 3.8.0 - 5.1.1
Depends on vulnerable versions of optimist
node_modules/csv2geojson
quote-stream <=1.0.0
Depends on vulnerable versions of minimist
node_modules/static-module/node_modules/quote-stream
togeojson >=0.4.0
Depends on vulnerable versions of minimist
Depends on vulnerable versions of xmldom
node_modules/togeojson
leaflet-omnivore >=0.3.1
Depends on vulnerable versions of brfs
Depends on vulnerable versions of csv2geojson
Depends on vulnerable versions of togeojson
Depends on vulnerable versions of wellknown
node_modules/leaflet-omnivore
wellknown 0.3.2 - 0.4.2
Depends on vulnerable versions of minimist
node_modules/wellknown
protobufjs 6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/protobufjs
semver <=5.7.1 || 6.0.0 - 6.3.0 || 7.0.0 - 7.5.1
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix --force`
Will install eslint-plugin-compat@3.5.1, which is a breaking change
node_modules/@babel/core/node_modules/semver
node_modules/@babel/helper-compilation-targets/node_modules/semver
node_modules/@babel/helper-define-polyfill-provider/node_modules/semver
node_modules/@babel/preset-env/node_modules/semver
node_modules/@electron/get/node_modules/semver
node_modules/babel-plugin-polyfill-corejs2/node_modules/semver
node_modules/eslint-config-airbnb-base/node_modules/semver
node_modules/eslint-import-resolver-webpack/node_modules/semver
node_modules/eslint-plugin-import/node_modules/semver
node_modules/eslint-plugin-jsx-a11y/node_modules/semver
node_modules/eslint-plugin-react/node_modules/semver
node_modules/istanbul-lib-instrument/node_modules/semver
node_modules/make-dir/node_modules/semver
node_modules/semver
node_modules/simple-update-notifier/node_modules/semver
eslint-plugin-compat >=3.6.0-0
Depends on vulnerable versions of semver
node_modules/eslint-plugin-compat
eslint-config-erb >=1.0.0-0
Depends on vulnerable versions of eslint-plugin-compat
node_modules/eslint-config-erb
simple-update-notifier 1.0.7 - 1.1.0
Depends on vulnerable versions of semver
node_modules/simple-update-notifier
static-eval <=2.0.1
Severity: high
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-x9hc-rw35-f44h
Sandbox Breakout / Arbitrary Code Execution in static-eval - https://github.com/advisories/GHSA-5mjw-6jrh-hvfq
fix available via `npm audit fix`
node_modules/static-eval
static-module <=1.5.0
Depends on vulnerable versions of quote-stream
Depends on vulnerable versions of static-eval
node_modules/static-module
brfs 1.1.0 - 1.4.3
Depends on vulnerable versions of static-module
node_modules/brfs
tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
fix available via `npm audit fix`
node_modules/tough-cookie
word-wrap *
Severity: moderate
word-wrap vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-j8xg-fqg3-53r7
fix available via `npm audit fix`
node_modules/word-wrap
optionator 0.8.3 - 0.9.1
Depends on vulnerable versions of word-wrap
node_modules/escodegen/node_modules/optionator
node_modules/optionator
xmldom *
Severity: critical
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-5fg8-2547-mr8q
Misinterpretation of malicious XML input - https://github.com/advisories/GHSA-h6q6-9hqw-rwfv
xmldom allows multiple root nodes in a DOM - https://github.com/advisories/GHSA-crh6-fp67-6883
fix available via `npm audit fix --force`
Will install leaflet-omnivore@0.3.0, which is a breaking change
node_modules/xmldom
26 vulnerabilities (8 moderate, 8 high, 10 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
too many vulnerabilities