Any ideas on fixes? It seems that it all comes from the handlebars package.
package.json
{
  "devDependencies": {},
  "scripts": {},
  "dependencies": {
    "siesta-lite": "^5.3.1"
  }
}
npm i siesta-lite
npm WARN saveError ENOENT: no such file or directory, open 'd:\Projects\espos\tt\package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open 'd:\Projects\espos\tt\package.json'
npm WARN tt No description
npm WARN tt No repository field.
npm WARN tt No README data
npm WARN tt No license field.
+ siesta-lite@5.3.1
added 326 packages from 162 contributors and audited 660 packages in 11.411s
1 package is looking for funding
run `npm fund` for details
found 7 vulnerabilities (1 moderate, 5 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Critical Prototype Pollution
Package handlebars
Patched in >=4.0.14 <4.1.0 || >=4.1.2
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/755
High Prototype Pollution
Package handlebars
Patched in >=4.3.0
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/1164
Moderate Denial of Service
Package handlebars
Patched in >=4.4.5
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/1300
High Arbitrary Code Execution
Package handlebars
Patched in >=4.5.2
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/1316
High Arbitrary Code Execution
Package handlebars
Patched in >=4.5.3
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/1324
High Prototype Pollution
Package handlebars
Patched in >=4.5.3
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars
More info https://npmjs.com/advisories/1325
High Prototype Pollution
Package lodash
Patched in >=4.17.12
Dependency of siesta-lite
Path siesta-lite > nyc > istanbul-reports > handlebars > async > lodash
More info https://npmjs.com/advisories/1065
found 7 vulnerabilities (1 moderate, 5 high, 1 critical) in 660 scanned packages
7 vulnerabilities require manual review. See the full report for details.
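Added example, not part of the original post or of siesta-lite: a small Node script that does offline what the audit above does, walking a lockfileVersion 1 (npm 6 style) lock the way npm resolves nested "dependencies", flagging every installed copy of handlebars and lodash below the patched versions, and printing an npm "overrides" block that would force newer copies. The lock fragment is constructed here to mirror the path in the report (siesta-lite > nyc > istanbul-reports > handlebars > async > lodash) and is not the real siesta-lite lock; the minimum versions are taken from the "Patched in" lines above (every handlebars range is satisfied by >=4.5.3, lodash by >=4.17.12).

```javascript
'use strict';

// Minimum versions satisfying every "Patched in" range in the audit output
// (derived from the report above, not from a registry lookup).
const MINIMUM_SAFE = { handlebars: '4.5.3', lodash: '4.17.12' };

// Constructed lockfile fragment (NOT the real siesta-lite lock) reproducing
// the reported path, with versions deliberately below the patched ranges.
// The nested lodash under async mirrors what npm emits when a second range
// cannot be hoisted to the top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'siesta-lite': { version: '5.3.1', requires: { nyc: '^14.0.0' } },
    nyc: { version: '14.1.1', requires: { 'istanbul-reports': '^2.2.4' } },
    'istanbul-reports': { version: '2.2.6', requires: { handlebars: '^4.1.2' } },
    handlebars: { version: '4.1.2', requires: { async: '^2.5.0' } },
    async: {
      version: '2.6.2',
      requires: { lodash: '^4.17.11' },
      dependencies: { lodash: { version: '4.17.11' } },
    },
    lodash: { version: '4.17.15' },
  },
};

// Compare dotted numeric versions (-1, 0, 1). Pre-release suffixes are
// dropped, which is sufficient for the ranges above.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// npm resolves a "requires" entry against the nearest enclosing
// "dependencies" map, walking outward to the root; mirror that lookup.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return scopes[i][name];
    }
  }
  return null;
}

// Depth-first walk starting from the package.json's own dependencies (the
// roots npm audit reports paths from), collecting each installed copy of a
// watched package whose version is below the minimum.
function findVulnerable(lock, pkg, minimums) {
  const root = lock.dependencies || {};
  const findings = [];
  const onPath = new Set(); // cycle guard

  function walk(name, node, scopes, path) {
    if (onPath.has(node)) return;
    onPath.add(node);
    if (minimums[name] && compareVersions(node.version, minimums[name]) < 0) {
      findings.push({
        name,
        version: node.version,
        path: path.join(' > '),
        patched: '>=' + minimums[name],
      });
    }
    const inner = scopes.concat([node.dependencies]);
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, path.concat(dep));
    }
    onPath.delete(node);
  }

  const direct = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  for (const name of Object.keys(direct)) {
    if (root[name]) walk(name, root[name], [root], [name]);
  }
  return findings;
}

// Build an "overrides" block for package.json. Note: overrides need npm 8.3
// or later; the npm 6 that produced the output above ignores the field.
function buildOverrides(findings) {
  const overrides = {};
  for (const f of findings) overrides[f.name] = f.patched;
  return overrides;
}

// Run against the constructed lock using the package.json from the post.
const pkgFromPost = { dependencies: { 'siesta-lite': '^5.3.1' } };
const found = findVulnerable(SAMPLE_LOCK, pkgFromPost, MINIMUM_SAFE);
for (const f of found) {
  console.log(`${f.name}@${f.version} via ${f.path} (patched in ${f.patched})`);
}
console.log(JSON.stringify({ overrides: buildOverrides(found) }, null, 2));
```

Two practical caveats when acting on the output: an override only changes what gets installed if the newer version still satisfies the intermediate package's own range, so check that istanbul-reports and async accept the forced versions before relying on it; and because the whole chain runs through nyc, a test-coverage tool, the vulnerable copies are reached from siesta-lite's test tooling rather than from anything your application imports, which affects how urgent the fix is but does not make the finding wrong.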