Hold on, we're currently generating a fresh version of this report

This package has been deprecated with the following message: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

Generated on May 7, 2024 via pnpm

botpress 10.51.10

The world's first CMS for bots. Easily create, manage and extend chatbots.

microsoft bot framework

Package summary

98

issues

14

licenses

Package created

16 Nov 2016

Version published

19 Jan 2019

Maintainers

5

Total deps

685

Direct deps

57

License

AGPL-3.0-only

Issues

98

19 critical severity issues

knex@0.12.9

SQL Injection in knex

Recommendation: Upgrade to version 0.19.5 or later

via: knex@0.12.9

vm2@3.9.19

vm2 Sandbox Escape vulnerability

Recommendation: None

via: vm2@3.9.19

vm2@3.9.19

vm2 Sandbox Escape vulnerability

Recommendation: None

via: vm2@3.9.19

minimist@1.1.3

Prototype Pollution in minimist

Recommendation: Upgrade to version 1.2.6 or later

via: knex@0.12.9

socket.io-parser@2.3.1

Insufficient validation when decoding a Socket.IO packet

Recommendation: Upgrade to version 3.3.3 or later

via: socket.io@1.7.4

arraybuffer.slice@0.0.6

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

better-assert@1.0.2

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

blob@0.0.4

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

callsite@1.0.0

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

component-bind@1.0.0

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io-client@2.5.0 & others

component-emitter@1.1.2

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

component-inherit@0.0.3

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io-client@2.5.0 & others

cycle@1.0.3

Package has no specified license

Recommendation: Check the package code and files for license information

via: prompt@1.3.0 & others

indexof@0.0.1

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io-client@2.5.0 & others

ms@0.7.1

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

object-component@0.0.3

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

options@0.0.6

Package has no specified license

Recommendation: Check the package code and files for license information

via: socket.io@1.7.4

tamper@1.1.0

Package has no specified license

Recommendation: Check the package code and files for license information

via: tamper@1.1.0

valid-url@1.0.9

Package has no specified license

Recommendation: Check the package code and files for license information

via: valid-url@1.0.9

48 high severity issues

engine.io@1.8.5

Resource exhaustion in engine.io

Recommendation: Upgrade to version 3.6.0 or later

via: socket.io@1.7.4

socket.io-parser@2.3.1

Resource exhaustion in socket.io-parser

Recommendation: Upgrade to version 3.3.2 or later

via: socket.io@1.7.4

parsejson@0.0.3

Regular Expression Denial of Service in parsejson

Recommendation: None

via: socket.io@1.7.4

axios@0.15.3

Denial of Service in axios

Recommendation: Upgrade to version 0.18.1 or later

via: axios@0.15.3

dicer@0.2.5

Crash in HeaderParser in dicer

Recommendation: None

via: multer@1.4.4

hoek@2.16.3

Prototype Pollution in hoek

Recommendation: Upgrade to version 4.2.1 or later

via: jsonwebtoken@7.4.3

knex@0.12.9

Knex.js has a limited SQL injection vulnerability

Recommendation: Upgrade to version 2.4.0 or later

via: knex@0.12.9

debug@2.3.3

debug Inefficient Regular Expression Complexity vulnerability

Recommendation: Upgrade to version 2.6.9 or later

via: socket.io@1.7.4

axios@0.15.3

axios Inefficient Regular Expression Complexity vulnerability

Recommendation: Upgrade to version 0.21.2 or later

via: axios@0.15.3

glob-parent@2.0.0

glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex

Recommendation: Upgrade to version 5.1.2 or later

via: knex@0.12.9 & others

follow-redirects@1.0.0

Exposure of sensitive information in follow-redirects

Recommendation: Upgrade to version 1.14.7 or later

via: axios@0.15.3

node-fetch@1.7.3

node-fetch forwards secure headers to untrusted sites

Recommendation: Upgrade to version 2.6.7 or later

via: react-toastify@3.4.3

hoek@5.0.4

hoek subject to prototype pollution via the clone function.

Recommendation: None

via: joi@13.7.0 & others

@botpress/util-roles@10.51.10

Package uses a problematic Network Protective license ("AGPL-3.0-only")

Recommendation: Validate that the package complies with your license policy

via: @botpress/util-roles@10.51.10

botpress@10.51.10

Package uses a problematic Network Protective license ("AGPL-3.0-only")

Recommendation: Validate that the package complies with your license policy

via: botpress@10.51.10

rc@1.2.8

Package uses a custom license expression: `(BSD-2-Clause OR MIT OR Apache-2.0)`

Recommendation: Validate that the license expression complies with your license policy

via: nodemon@1.19.4 & others

revalidator@0.1.8

Package uses an invalid SPDX license ("Apache 2.0")

Recommendation: Validate that the package complies with your license policy

via: prompt@1.3.0

semver@4.3.2

Package uses an invalid SPDX license ("BSD")

Recommendation: Validate that the package complies with your license policy

via: pg@6.4.2

@botpress/util-roles@10.51.10

Deprecated package

via: @botpress/util-roles@10.51.10

axios@0.15.3

Deprecated package

via: axios@0.15.3

botpress@10.51.10

Deprecated package

via: botpress@10.51.10

chokidar@2.1.8

Deprecated package

via: nodemon@1.19.4

core-js@1.2.7

Deprecated package

via: react-toastify@3.4.3

core-js@2.6.12

Deprecated package

via: babel-polyfill@6.26.0 & others

core-js@2.6.12

Package uses postinstall script: "node -e "try{require('./postinstall')}catch(e){}""

via: babel-polyfill@6.26.0 & others

fsevents@1.2.13

Deprecated package

via: nodemon@1.19.4

fsevents@1.2.13

Package uses install script: "node install.js"

via: nodemon@1.19.4

har-validator@5.1.5

Deprecated package

via: universal-analytics@0.4.23

hoek@2.16.3

Deprecated package

via: jsonwebtoken@7.4.3

hoek@5.0.4

Deprecated package

via: joi@13.7.0

hoek@6.1.3

Deprecated package

via: joi@13.7.0

joi@13.7.0

Deprecated package

via: joi@13.7.0

joi@6.10.1

Deprecated package

via: jsonwebtoken@7.4.3

json3@3.3.2

Deprecated package

via: socket.io@1.7.4

monitorctrlc@2.0.1

Deprecated package

via: monitorctrlc@2.0.1

multer@1.4.4

Deprecated package

via: multer@1.4.4

node-pre-gyp@0.11.0

Deprecated package

via: sqlite3@4.2.0

nodemon@1.19.4

Package uses postinstall script: "node bin/postinstall || exit 0"

via: nodemon@1.19.4

react-jsonschema-form@1.8.1

Deprecated package

via: react-jsonschema-form@1.8.1

request@2.88.2

Deprecated package

via: universal-analytics@0.4.23

resolve-url@0.2.1

Deprecated package

via: nodemon@1.19.4

source-map-resolve@0.5.3

Deprecated package

via: nodemon@1.19.4

source-map-url@0.4.1

Deprecated package

via: nodemon@1.19.4

sqlite3@4.2.0

Package uses install script: "node-pre-gyp install --fallback-to-build"

via: sqlite3@4.2.0

topo@1.1.0

Deprecated package

via: jsonwebtoken@7.4.3

topo@3.0.3

Deprecated package

via: joi@13.7.0

urix@0.1.0

Deprecated package

via: nodemon@1.19.4

uuid@3.4.0

Deprecated package

via: knex@0.12.9 & others

25 moderate severity issues

mem@1.1.0

Denial of Service in mem

Recommendation: Upgrade to version 4.0.0 or later

via: username@3.0.0

got@6.7.1

Got allows a redirect to a UNIX socket

Recommendation: Upgrade to version 11.8.5 or later

via: nodemon@1.19.4

jsonwebtoken@7.4.3

jsonwebtoken unrestricted key type could lead to legacy keys usage

Recommendation: Upgrade to version 9.0.0 or later

via: jsonwebtoken@7.4.3 & others

engine.io@1.8.5

Uncaught exception in engine.io

Recommendation: Upgrade to version 3.6.1 or later

via: socket.io@1.7.4

axios@0.15.3

Axios vulnerable to Server-Side Request Forgery

Recommendation: Upgrade to version 0.21.1 or later

via: axios@0.15.3

jsonwebtoken@7.4.3

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Recommendation: Upgrade to version 9.0.0 or later

via: jsonwebtoken@7.4.3 & others

jsonwebtoken@7.4.3

jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()

Recommendation: Upgrade to version 9.0.0 or later

via: jsonwebtoken@7.4.3 & others

follow-redirects@1.0.0

Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects

Recommendation: Upgrade to version 1.14.8 or later

via: axios@0.15.3

socket.io@1.7.4

CORS misconfiguration in socket.io

Recommendation: Upgrade to version 2.4.0 or later

via: socket.io@1.7.4

ms@0.7.3

Vercel ms Inefficient Regular Expression Complexity vulnerability

Recommendation: Upgrade to version 2.0.0 or later

via: ms@0.7.3 & others

follow-redirects@1.0.0

Follow Redirects improperly handles URLs in the url.parse() function

Recommendation: Upgrade to version 1.15.4 or later

via: axios@0.15.3

minimist@1.1.3

Prototype Pollution in minimist

Recommendation: Upgrade to version 1.2.3 or later

via: knex@0.12.9

semver@4.3.2

semver vulnerable to Regular Expression Denial of Service

Recommendation: Upgrade to version 5.7.2 or later

via: pg@6.4.2

axios@0.15.3

Axios Cross-Site Request Forgery Vulnerability

Recommendation: Upgrade to version 0.28.0 or later

via: axios@0.15.3

tough-cookie@2.5.0

tough-cookie Prototype Pollution vulnerability

Recommendation: Upgrade to version 4.1.3 or later

via: universal-analytics@0.4.23

request@2.88.2

Server-Side Request Forgery in Request

Recommendation: None

via: universal-analytics@0.4.23

follow-redirects@1.0.0

follow-redirects' Proxy-Authorization header kept across hosts

Recommendation: Upgrade to version 1.15.6 or later

via: axios@0.15.3

tar@4.4.19

Denial of service while parsing a tar file due to lack of folders count validation

Recommendation: Upgrade to version 6.2.1 or later

via: sqlite3@4.2.0

@botpress/util-roles@10.51.10

Package has no specified source code repository

via: @botpress/util-roles@10.51.10

callsite@1.0.0

Package has no specified source code repository

via: socket.io@1.7.4

eyes@0.1.8

Package has no specified source code repository

via: prompt@1.3.0 & others

has-binary2@1.0.3

Package has no specified source code repository

via: socket.io-client@2.5.0

has-binary@0.1.7

Package has no specified source code repository

via: socket.io@1.7.4

indexof@0.0.1

Package has no specified source code repository

via: socket.io-client@2.5.0 & others

object-component@0.0.3

Package has no specified source code repository

via: socket.io@1.7.4

6 low severity issues

braces@1.8.5

Regular Expression Denial of Service in braces

Recommendation: Upgrade to version 2.3.1 or later

via: knex@0.12.9

braces@1.8.5

Regular Expression Denial of Service (ReDoS) in braces

Recommendation: Upgrade to version 2.3.1 or later

via: knex@0.12.9

node-fetch@1.7.3

The `size` option isn't honored after following a redirect in node-fetch

Recommendation: Upgrade to version 2.6.1 or later

via: react-toastify@3.4.3

debug@2.3.3

Regular Expression Denial of Service in debug

Recommendation: Upgrade to version 2.6.9 or later

via: socket.io@1.7.4

revalidator@0.1.8

Package uses a license that is not OSI approved ("Apache 2.0")

Recommendation: Read and validate the license terms

via: prompt@1.3.0

semver@4.3.2

Package uses a license that is not OSI approved ("BSD")

Recommendation: Read and validate the license terms

via: pg@6.4.2

Licenses

MIT License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

Cannot

hold-liable

Must

include-copyright

include-license

572 Packages, Including:

@babel/runtime-corejs2@7.24.5

@babel/runtime@7.24.5

@colors/colors@1.5.0

@types/keyv@3.1.4

@types/node@20.12.10

@types/responselike@1.0.3

accepts@1.3.3

accepts@1.3.8

acorn-walk@8.3.2

acorn@8.11.3

after@0.8.2

ajv@6.12.6

ansi-bgblack@0.1.1

ansi-bgblue@0.1.1

ansi-bgcyan@0.1.1

ansi-bggreen@0.1.1

ansi-bgmagenta@0.1.1

ansi-bgred@0.1.1

ansi-bgwhite@0.1.1

ansi-bgyellow@0.1.1

ansi-black@0.1.1

ansi-blue@0.1.1

ansi-bold@0.1.1

ansi-colors@0.2.0

ansi-cyan@0.1.1

ansi-dim@0.1.1

ansi-gray@0.1.1

ansi-green@0.1.1

ansi-grey@0.1.1

ansi-hidden@0.1.1

ansi-inverse@0.1.1

ansi-italic@0.1.1

ansi-magenta@0.1.1

ansi-red@0.1.1

ansi-regex@2.1.1

ansi-regex@3.0.1

ansi-reset@0.1.1

ansi-strikethrough@0.1.1

ansi-styles@2.2.1

ansi-styles@3.2.1

ansi-underline@0.1.1

ansi-white@0.1.1

ansi-wrap@0.1.0

ansi-yellow@0.1.1

append-field@1.0.0

argparse@1.0.10

arr-diff@2.0.0

arr-diff@4.0.0

arr-flatten@1.1.0

arr-swap@1.0.1

ISC License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

Cannot

hold-liable

Must

include-copyright

include-license

54 Packages, Including:

abbrev@1.1.1

ansi-align@2.0.0

anymatch@2.0.0

aproba@1.2.0

are-we-there-yet@1.1.7

chownr@1.1.4

console-control-strings@1.1.0

fs-minipass@1.2.7

fs.realpath@1.0.0

gauge@2.7.4

glob-parent@2.0.0

glob-parent@3.1.0

glob@7.2.3

graceful-fs@4.2.11

har-schema@2.0.0

has-unicode@2.0.1

ignore-by-default@1.0.1

ignore-walk@3.0.4

inflight@1.0.6

inherits@2.0.4

ini@1.3.8

isexe@2.0.0

json-stringify-safe@5.0.1

lru-cache@4.1.5

minimatch@3.1.2

minipass@2.9.0

mute-stream@0.0.7

mute-stream@0.0.8

nopt@4.0.3

npm-bundled@1.1.2

npm-normalize-package-bin@1.0.1

npm-packlist@1.4.8

npmlog@4.1.2

once@1.4.0

osenv@0.1.5

pg-int8@1.0.1

pseudomap@1.0.2

read@1.0.7

remove-trailing-separator@1.1.0

rimraf@2.7.1

sax@1.3.0

semver@5.7.2

set-blocking@2.0.0

setprototypeof@1.2.0

signal-exit@3.0.7

split2@4.2.0

tar@4.4.19

touch@3.1.0

which@1.3.1

wide-align@1.1.5

BSD 3-Clause "New" or "Revised" License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

place-warranty

Cannot

use-trademark

hold-liable

Must

include-copyright

include-license

21 Packages, Including:

bcrypt-pbkdf@1.0.2

buffer-equal-constant-time@1.0.1

duplexer3@0.1.5

hoek@2.16.3

hoek@5.0.4

hoek@6.1.3

hoist-non-react-statics@2.5.5

hyphenate-style-name@1.0.4

isemail@3.2.0

joi@13.7.0

joi@6.10.1

node-pre-gyp@0.11.0

qs@6.11.0

qs@6.5.3

react-transition-group@2.9.0

source-map@0.5.7

sprintf-js@1.0.3

sqlite3@4.2.0

topo@1.1.0

topo@3.0.3

tough-cookie@2.5.0

N/A

N/A

14 Packages, Including:

arraybuffer.slice@0.0.6

better-assert@1.0.2

blob@0.0.4

callsite@1.0.0

component-bind@1.0.0

component-emitter@1.1.2

component-inherit@0.0.3

cycle@1.0.3

indexof@0.0.1

ms@0.7.1

object-component@0.0.3

options@0.0.6

tamper@1.1.0

valid-url@1.0.9

Apache License 2.0

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

sublicense

private-use

use-patent-claims

place-warranty

Cannot

hold-liable

use-trademark

Must

include-copyright

include-license

state-changes

include-notice

9 Packages, Including:

aws-sign2@0.7.0

caseless@0.12.0

detect-libc@1.0.3

ecdsa-sig-formatter@1.0.11

forever-agent@0.6.1

oauth-sign@0.9.0

react-jsonschema-form@1.8.1

request@2.88.2

tunnel-agent@0.6.0

BSD 2-Clause "Simplified" License

Permissive

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

place-warranty

Cannot

hold-liable

Must

include-copyright

include-license

6 Packages, Including:

configstore@3.1.5

dotenv@4.0.0

esprima@4.0.1

isemail@1.2.0

update-notifier@2.5.0

uri-js@4.4.1

GNU Affero General Public License v3.0 only

Network Protective

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

modify

distribute

place-warranty

Cannot

sublicense

hold-liable

Must

include-copyright

include-license

state-changes

disclose-source

include-install-instructions

2 Packages, Including:

@botpress/util-roles@10.51.10

botpress@10.51.10

(MIT OR Apache-2.0)

Permissive

1 Packages, Including:

atob@2.1.2

(AFL-2.1 OR BSD-3-Clause)

Permissive

1 Packages, Including:

json-schema@0.4.0

(WTFPL OR MIT)

Permissive

1 Packages, Including:

path-is-inside@1.0.2

(BSD-2-Clause OR MIT OR Apache-2.0)

Expression

1 Packages, Including:

rc@1.2.8

Apache 2.0

Invalid

Not OSI Approved

1 Packages, Including:

revalidator@0.1.8

BSD

Invalid

Not OSI Approved

1 Packages, Including:

semver@4.3.2

The Unlicense

Public Domain

OSI Approved

This is a human-readable summary of (and not a substitute for) the license. Disclaimer.

Can

commercial-use

private-use

modify

Cannot

include-copyright

hold-liable

Must

1 Packages, Including:

tweetnacl@0.14.5

Direct Dependencies

57

All Dependencies CSV

ⓘ This is a list of botpress 's direct dependencies. Data on all dependencies, including transitive ones, is available via CSV download.

Name	Version	Size	License	Type	Vulnerabilities
@botpress/util-roles	10.51.10	6.39 kB	AGPL-3.0-only	prod	2 1
axios	0.15.3	74.51 kB	MIT	prod	4 5
babel-polyfill	6.26.0	129.23 kB	MIT	prod	2
bluebird	3.7.2	136.03 kB	MIT	prod
body-parser	1.20.2	14.75 kB	MIT	prod
chalk	2.4.2	9.63 kB	MIT	prod
commander	2.20.3	18.26 kB	MIT	prod
compression	1.7.4	7.64 kB	MIT	prod
dotenv	4.0.0	5.89 kB	BSD-2-Clause	prod
eventemitter2	2.2.2	9.09 kB	MIT	prod
express	4.19.2	209.73 kB	MIT	prod
glob	7.2.3	15.08 kB	ISC	prod
history	4.10.1	21.13 kB	MIT	prod
howler	2.2.4	71 kB	MIT	prod
joi	13.7.0	35.46 kB	BSD-3-Clause	prod	5
js-yaml	3.14.1	75.07 kB	MIT	prod
json5	1.0.2	21.68 kB	MIT	prod
jsonwebtoken	7.4.3	86.72 kB	MIT	prod	5 3
knex	0.12.9	168.26 kB	MIT	prod	2 5 1 2
loaders.css	0.1.2	20.65 kB	MIT	prod
lodash	4.17.21	311.49 kB	MIT	prod
mkdirp	0.5.6	2.95 kB	MIT	prod optional
moment	2.30.1	698.76 kB	MIT	prod
monitorctrlc	2.0.1	3.09 kB	MIT	prod	1
ms	0.7.3	2.81 kB	MIT	prod	1
multer	1.4.4	9.07 kB	MIT	prod	2
mustache	2.3.2	22.61 kB	MIT	prod
mware	0.0.3	2.61 kB	MIT	prod
nanoid	1.3.4	7.27 kB	MIT	prod
node-machine-id	1.1.12	12.76 kB	MIT	prod
nodemon	1.19.4	32.94 kB	MIT	prod	10 1
opn	5.5.0	9.27 kB	MIT	prod
pg	6.4.2	27.26 kB	MIT	prod	1 1 1
prepend-file	1.3.1	2.74 kB	MIT	prod
prompt-confirm	1.2.0	3.23 kB	MIT	prod
prompt	1.3.0	25.04 kB	MIT	prod	1 1 1 1
query-string	5.1.1	4.61 kB	MIT	prod
randomstring	1.3.0	5.15 kB	MIT	prod
react-jsonschema-form	1.8.1	732.33 kB	Apache-2.0	prod	3
react-loaders	3.0.1	6.21 kB	MIT	prod
react-router-dom	4.3.1	40.48 kB	MIT	prod
react-toastify	3.4.3	178.83 kB	MIT	prod	2 1
rimraf	2.7.1	5.53 kB	ISC	prod optional
semver	5.7.2	17.45 kB	ISC	prod optional
socket.io-client	2.5.0	388.33 kB	MIT	prod	3 2
socket.io	1.7.4	19.67 kB	MIT	prod	12 5 7 1
socketio-jwt	4.6.2	24.46 kB	MIT	prod	3
source-map-support	0.4.18	23.9 kB	MIT	prod
sqlite3	4.2.0	2.79 MB	BSD-3-Clause	prod optional	3 1
tamper	1.1.0	3.65 kB	UNKNOWN	prod	1
universal-analytics	0.4.23	25.02 kB	MIT	prod	3 2
username	3.0.0	1.91 kB	MIT	prod	1
valid-url	1.0.9	5 kB	UNKNOWN	prod	1
verror	1.10.1	11.88 kB	MIT	prod
vm2	3.9.19	52.97 kB	MIT	prod	2
winston	2.4.7	40.46 kB	MIT	prod	1 1
yn	2.0.0	2.37 kB	MIT	prod