Security Vulnerabilites

[eightysixed]

   found 113 vulnerabilities (82 moderate, 30 high, 1 critical)
     run `npm audit fix` to fix them, or `npm audit` for details

I reran the Heroku install script today (I know, I'm 5 weeks late, the players in my league hate me). Just wanted to make sure that everything is good. I haven't been up to speed with new CVE's lately, but 82/30/1 sounds a bit steep right out of the box. I wonder what the Critical issue is, but still 30 high and 82 moderate? I don't really care about the moderate ones, but what were high and critical?

What do you estimate risk(s) to be? I don't remember seeing that last season.

[eightysixed]

-----> Building on the Heroku-20 stack
-----> Determining which buildpack to use for this app
-----> Gradle app detected
-----> Installing JDK 1.8... done
-----> Building Gradle app...
-----> executing ./gradlew stage
Downloading https://services.gradle.org/distributions/gradle-5.6.2-all.zip
.....................................................................................................................................
To honour the JVM settings for this build a new JVM will be forked. Please consider using the daemon: https://docs.gradle.org/5.6.2/userguide/gradle_daemon.html.
Daemon will be stopped at the end of the build stopping after processing
> Task :backend:clean UP-TO-DATE
> Task :backend:nodeSetup
> Task :backend:npmSetup SKIPPED
> Task :backend:npmInstall

   > node-sass@4.14.1 install /tmp/build_61e42315/frontend/node_modules/node-sass
   > node scripts/install.js
   
   Downloading binary from https://github.com/sass/node-sass/releases/download/v4.14.1/linux-x64-83_binding.node
   Download complete
   Binary saved to /tmp/build_61e42315/frontend/node_modules/node-sass/vendor/linux-x64-83/binding.node
   Caching binary to /app/.npm/node-sass/4.14.1/linux-x64-83_binding.node
   
   > core-js@2.6.11 postinstall /tmp/build_61e42315/frontend/node_modules/babel-runtime/node_modules/core-js
   > node -e "try{require('./postinstall')}catch(e){}"
   
   Thank you for using core-js ( https://github.com/zloirock/core-js ) for polyfilling JavaScript standard library!
   
   The project needs your help! Please consider supporting of core-js on Open Collective or Patreon: 
   > https://opencollective.com/core-js 
   > https://www.patreon.com/zloirock 
   
   Also, the author of core-js ( https://github.com/zloirock ) is looking for a good job -)
   
   
   > core-js@3.6.5 postinstall /tmp/build_61e42315/frontend/node_modules/core-js
   > node -e "try{require('./postinstall')}catch(e){}"
   
   
   > core-js-pure@3.6.5 postinstall /tmp/build_61e42315/frontend/node_modules/core-js-pure
   > node -e "try{require('./postinstall')}catch(e){}"
   
   
   > node-sass@4.14.1 postinstall /tmp/build_61e42315/frontend/node_modules/node-sass
   > node scripts/build.js
   
   Binary found at /tmp/build_61e42315/frontend/node_modules/node-sass/vendor/linux-x64-83/binding.node
   Testing binary
   Binary is fine
   npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/webpack-dev-server/node_modules/fsevents):
   npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
   npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/watchpack-chokidar2/node_modules/fsevents):
   npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
   npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.13 (node_modules/jest-haste-map/node_modules/fsevents):
   npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.13: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
   npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.1.2 (node_modules/fsevents):
   npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.1.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
   
   added 1717 packages from 804 contributors and audited 1723 packages in 47.832s
   
   70 packages are looking for funding
     run `npm fund` for details
   
   found 113 vulnerabilities (82 moderate, 30 high, 1 critical)
     run `npm audit fix` to fix them, or `npm audit` for details
   
   > Task :backend:buildFrontend
   
   > webapp@0.1.0 build /tmp/build_61e42315/frontend
   > react-scripts build
   
   Creating an optimized production build...
   Browserslist: caniuse-lite is outdated. Please run:
   npx browserslist@latest --update-db
   
   Why you should do it regularly:
   https://github.com/browserslist/browserslist#browsers-data-updating
   Compiled successfully.
   
   File sizes after gzip:
   
     52.5 KB  build/static/js/2.2e9ee554.chunk.js
     2.62 KB  build/static/js/main.fb4177f8.chunk.js
     969 B    build/static/css/main.255cf332.chunk.css
     767 B    build/static/js/runtime-main.00ed32f5.js
   
   The project was built assuming it is hosted at /.
   You can control this with the homepage field in your package.json.
   
   The build folder is ready to be deployed.
   You may serve it with a static server:
   
     npm install -g serve
     serve -s build
   
   Find out more about deployment here:
   
     bit.ly/CRA-deploy
   
   
   > Task :backend:cleanFrontend UP-TO-DATE
   > Task :backend:copyFrontend
   
   > Task :shared:compileKotlin
   w: Runtime JAR files in the classpath should have the same version. These files were found in the classpath:
       /tmp/codon/tmp/cache/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.4.0/e3765b66f0610afc92053ff1a93a87a544fca2b/kotlin-stdlib-jdk8-1.4.0.jar (version 1.4)
       /tmp/codon/tmp/cache/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.4.0/9cc187c3dfaf6e4001bdf962e3cdadff7690261b/kotlin-stdlib-jdk7-1.4.0.jar (version 1.4)
       /tmp/codon/tmp/cache/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.3.72/86613e1a669a701b0c660bfd2af4f82a7ae11fca/kotlin-reflect-1.3.72.jar (version 1.3)
       /tmp/codon/tmp/cache/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.0/63e75298e93d4ae0b299bb869cf0c627196f8843/kotlin-stdlib-1.4.0.jar (version 1.4)
       /tmp/codon/tmp/cache/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-common/1.4.0/1c752cce0ead8d504ccc88a4fed6471fd83ab0dd/kotlin-stdlib-common-1.4.0.jar (version 1.4)
   w: Consider providing an explicit dependency on kotlin-reflect 1.4 to prevent strange errors
   w: Some runtime JAR files in the classpath have an incompatible version. Consider removing them from the classpath
   
   > Task :shared:compileJava NO-SOURCE
   > Task :shared:processResources NO-SOURCE
   > Task :shared:classes UP-TO-DATE
   > Task :shared:inspectClassesForKotlinIC
   > Task :shared:jar
   
   > Task :backend:compileKotlin
   w: /tmp/build_61e42315/backend/src/com/landonpatmore/yahoofantasybot/backend/Application.kt: (48, 24): Parameter 'testing' is never used
   
   > Task :backend:compileJava NO-SOURCE
   > Task :backend:processResources
   > Task :backend:classes
   > Task :backend:shadowJar
   > Task :backend:copyToLib
   > Task :backend:stage
   > Task :bot:clean UP-TO-DATE
   
   > Task :bot:compileKotlin
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/messaging/MessagingService.kt: (47, 40): 'cleanMessage(String): String' is deprecated. To be removed soon
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/messaging/MessagingService.kt: (51, 32): The corresponding parameter in the supertype 'IMessagingService' is named 'message'. This may cause problems when calling this function with named arguments.
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/modules/UtilsModule.kt: (35, 35): No cast needed
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/Arbiter.kt: (69, 47): 'yahooApiRequest(YahooApiRequest): Document' is deprecated. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/DataRetriever.kt: (109, 45): 'getTransactions(): Document' is deprecated. Overrides deprecated member in 'com.landonpatmore.yahoofantasybot.bot.utils.IDataRetriever'. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/DataRetriever.kt: (110, 42): 'getStandings(): Document' is deprecated. Overrides deprecated member in 'com.landonpatmore.yahoofantasybot.bot.utils.IDataRetriever'. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/DataRetriever.kt: (111, 42): 'getTeamsData(): Document' is deprecated. Overrides deprecated member in 'com.landonpatmore.yahoofantasybot.bot.utils.IDataRetriever'. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/alerts/CloseScoreAlert.kt: (41, 34): 'yahooApiRequest(YahooApiRequest): Document' is deprecated. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/alerts/MatchUpAlert.kt: (41, 34): 'yahooApiRequest(YahooApiRequest): Document' is deprecated. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/alerts/ScoreAlert.kt: (40, 34): 'yahooApiRequest(YahooApiRequest): Document' is deprecated. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   w: /tmp/build_61e42315/bot/src/main/kotlin/com/landonpatmore/yahoofantasybot/bot/utils/alerts/StandingsAlert.kt: (40, 34): 'yahooApiRequest(YahooApiRequest): Document' is deprecated. To be replaced soon with a generic object that the rest of the system can read, thus no reliance on the document object from jsoup
   
   > Task :bot:compileJava NO-SOURCE
   > Task :bot:processResources NO-SOURCE
   > Task :bot:classes UP-TO-DATE
   > Task :bot:shadowJar
   > Task :bot:copyToLib
   > Task :bot:stage
   
   Deprecated Gradle features were used in this build, making it incompatible with Gradle 6.0.
   Use '--warning-mode all' to show the individual deprecation warnings.
   See https://docs.gradle.org/5.6.2/userguide/command_line_interface.html#sec:command_line_warnings
   
   BUILD SUCCESSFUL in 3m 14s
   17 actionable tasks: 14 executed, 3 up-to-date

-----> Discovering process types
Procfile declares types -> bot, web
-----> Compressing...
Done: 197M
-----> Launching...
Released v6
https://REDACTED-fantasy-football.herokuapp.com/ deployed to Heroku

There's the full Heroku build log that was just generated. A lot of things are either outdated or deprecated. I thought this would help with the original issue. I'd be super happy to help, but Kotlin is not my thing; I've never touched it in any dev environment :)