Running npm audit on the master version of service-runner reports 10 vulnerabilities (7 high, 3 critical). Since many services in WMF infrastructure are written on top of service-runner, these issues affect them too.
Also see T293853: Service-runner depends on preq, a wrapper of request, which is deprecated and T200374: Update indirect dependency on github.com/gwicke/kad.git, both of which indicate the need for active maintenance of the library.
The following is the npm audit log as of v5.0.0:
```
➜ service-runner git:(master) git log --oneline -n1
5c8fac8 (HEAD -> master, tag: v5.0.0, tag: v.5.0.0, origin/master, origin/HEAD) Release v5.0.0
➜ service-runner git:(master) npm audit
# npm audit report

ms <2.0.0
Severity: moderate
Vercel ms Inefficient Regular Expression Complexity vulnerability - https://github.com/advisories/GHSA-w9mr-4mfr-499f
fix available via `npm audit fix --force`
Will install limitation@0.2.2, which is a breaking change
node_modules/wikimedia-kad-fork/node_modules/ms
  wikimedia-kad-fork *
  Depends on vulnerable versions of ms
  node_modules/wikimedia-kad-fork
    limitation >=0.2.3
    Depends on vulnerable versions of wikimedia-kad-fork
    node_modules/limitation

request *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request
  coveralls *
  Depends on vulnerable versions of request
  node_modules/coveralls
  preq *
  Depends on vulnerable versions of request
  Depends on vulnerable versions of requestretry
  node_modules/preq
  requestretry *
  Depends on vulnerable versions of request
  node_modules/requestretry

tough-cookie <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

8 vulnerabilities (6 moderate, 2 high)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing a different dependency.
```
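For triage, the same data is available in machine-readable form from `npm audit --json`. The following is an added example, not service-runner code: it walks each advisory's `effects` chain up to the direct dependencies that pull it in and reports whether npm offers a fix for them. The sample report is constructed from the log above, and its `isDirect` flags are assumptions.

```javascript
// Constructed sample in the shape of `npm audit --json` (auditReportVersion 2),
// modeled on the log above. The isDirect flags are assumed for illustration.
const breaking = { name: 'limitation', version: '0.2.2', isSemVerMajor: true };
const report = { vulnerabilities: {
  ms: { isDirect: false, effects: ['wikimedia-kad-fork'], fixAvailable: breaking },
  'wikimedia-kad-fork': { isDirect: false, effects: ['limitation'], fixAvailable: breaking },
  limitation: { isDirect: true, effects: [], fixAvailable: breaking },
  'tough-cookie': { isDirect: false, effects: ['request'], fixAvailable: false },
  request: { isDirect: false, effects: ['coveralls', 'preq', 'requestretry'], fixAvailable: false },
  requestretry: { isDirect: false, effects: ['preq'], fixAvailable: false },
  preq: { isDirect: true, effects: [], fixAvailable: false },
  coveralls: { isDirect: true, effects: [], fixAvailable: false },
} };

// Follow `effects` (packages made vulnerable by `name`) until direct deps are reached.
function directDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return []; // cycle guard / unknown package
  seen.add(name);
  const own = vulns[name].isDirect ? [name] : [];
  return own.concat(vulns[name].effects.flatMap((e) => directDependents(vulns, e, seen)));
}

// Map npm's fixAvailable value (false, true, or an object) to a triage action.
function actionFor(fix) {
  if (fix === false) return 'replace-or-accept'; // "No fix available"
  if (fix === true) return 'npm audit fix';
  return fix.isSemVerMajor ? 'breaking-upgrade' : 'upgrade';
}

// Per direct dependency: what to do, and which transitive packages cause it.
function triage(auditReport) {
  const vulns = auditReport.vulnerabilities;
  const plan = {};
  for (const name of Object.keys(vulns)) {
    for (const root of directDependents(vulns, name)) {
      if (!plan[root]) plan[root] = { action: actionFor(vulns[root].fixAvailable), causes: [] };
      if (name !== root) plan[root].causes.push(name);
    }
  }
  return plan;
}

console.log(JSON.stringify(triage(report), null, 2));
```

On a real checkout, replace the constructed `report` with the parsed output of `npm audit --json`.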