Npm audit reports security concerns | 1 Critical #7825

Closed
pixelhandler opened this issue May 11, 2018 · 18 comments

Comments

pixelhandler (Contributor) commented May 11, 2018

Today I pulled master of ember-cli and ran npm install then npm audit

[!] 12 vulnerabilities found - Packages audited: 10118 (1328 dev, 295 optional)
    Severity: 3 Low | 8 Moderate | 1 Critical

See https://docs.npmjs.com/getting-started/running-a-security-audit#running-a-security-audit-with-npm-audit

Full output below version info...

Output from ember version --verbose && npm --version && yarn --version:

⚡ ember version --verbose && npm --version && yarn --version
ember-cli: 3.1.2
http_parser: 2.8.0
node: 8.11.1
v8: 6.2.414.50
uv: 1.19.1
zlib: 1.2.11
ares: 1.10.1-DEV
modules: 57
nghttp2: 1.25.0
openssl: 1.0.2o
icu: 60.1
unicode: 10.0
cldr: 32.0
tz: 2017c
os: linux x64
6.0.1
1.6.0

Npm output following install and audit commands...

ubuntu-vb ~/src/ember-cli/ember-cli ±master 
⚡ npm install
npm WARN deprecated exists-sync@0.0.3: Please replace with usage of fs.existsSync
npm WARN deprecated exists-sync@0.0.4: Please replace with usage of fs.existsSync
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead

> spawn-sync@1.0.15 postinstall /home/billheat/src/ember-cli/ember-cli/node_modules/spawn-sync
> node postinstall

npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.3 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.3: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 1003 packages from 1392 contributors in 24.288s
[!] 12 vulnerabilities found [10118 packages audited]
    Severity: 3 Low | 8 Moderate | 1 Critical
    Run `npm audit` for more detail

ubuntu-vb ~/src/ember-cli/ember-cli ±master 
⚡ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.10.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ heimdalljs-fs-monitor                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ heimdalljs-fs-monitor > mocha > growl                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > hawk > boom > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > hawk > cryptiles > boom > hoek    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > hawk > hoek                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ > 4.2.0 < 5.0.0 || >= 5.0.3                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > hawk > sntp > hoek                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ heimdalljs-fs-monitor                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ heimdalljs-fs-monitor > mocha > debug                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-broccoli-sane-watcher                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-broccoli-sane-watcher > sane > fsevents >          │
│               │ node-pre-gyp > rc > deep-extend                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ sane                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sane > fsevents > node-pre-gyp > rc > deep-extend            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Remote Memory Exposure                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ request                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.68.0                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/309                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mime                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 1.4.1 < 2.0.0 || >= 2.0.3                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > form-data > mime                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/535                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hawk                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 < 4.0.0 || >=4.1.1                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > hawk                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/77                        │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ yuidocjs [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ yuidocjs > yui > request > tunnel-agent                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 12 vulnerabilities found - Packages audited: 10118 (1328 dev, 295 optional)
    Severity: 3 Low | 8 Moderate | 1 Critical
pixelhandler (Contributor Author) commented:

I created a PR for the "critical" one, heimdalljs/heimdall-fs-monitor#20

pixelhandler changed the title from "Npm audit reports security concerns: 3 Low | 8 Moderate | 1 Critical" to "Npm audit reports security concerns | 1 Critical" on May 11, 2018
pixelhandler (Contributor Author) commented May 11, 2018

Seems that a patch release can be done for heimdall-fs-monitor; we can bump up the version in ember-cli and release a minor patch of ember-cli as well.

@hjdivad @Turbo87 @rwjblue @stefanpenner

Turbo87 (Member) commented May 11, 2018

I don't see how the mocha dev dependency is relevant for this 🤔

Seems like an npm bug to me...

pixelhandler (Contributor Author) commented May 11, 2018

@Turbo87 the mocha dependency of heimdall-fs-monitor results in a critical security warning being reported for ember-cli-generated apps:

⚡ npm install npm@latest -g
⚡ ember new application
⚡ cd application/                                                                 
⚡ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.10.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > heimdalljs-fs-monitor > mocha > growl            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > ember-cli-broccoli-sane-watcher > sane >         │
│               │ fsevents > node-pre-gyp > rc > deep-extend                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > sane > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-qunit [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-qunit > ember-qunit > qunit > chokidar > fsevents  │
│               │ > node-pre-gyp > rc > deep-extend                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > heimdalljs-fs-monitor > mocha > debug            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-ember [dev]                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-plugin-ember > require-folder-tree > lodash           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 6 vulnerabilities found - Packages audited: 56341 (56341 dev, 322 optional)
    Severity: 5 Low | 1 Critical

Turbo87 (Member) commented May 12, 2018

Yeah, and I think that's a bug in npm, because npm shouldn't care about nested dev dependencies

pixelhandler (Contributor Author) commented May 12, 2018

Well @Turbo87, if you think npm should change the way npm audit works, then yeah, we could ignore this security warning.

See:

The npm audit command submits a description of the dependencies configured in your package to your default registry and asks for a report of known vulnerabilities. npm audit checks direct dependencies, devDependencies, bundledDependencies, and optionalDependencies, but does not check peerDependencies.

Update dependent packages if a fix exists

If a fix exists but packages that depend on the package with the vulnerability have not been updated to include the fixed version, you may want to open a pull or merge request on the dependent package repository to use the fixed version.

I'm not sure how to convince npm that they should not audit devDependencies. According to the npm docs they indicate that devDependencies should be checked and reported.

Unless npm changes how npm audit works, when developers/companies evaluate Ember, run ember new my-app-name and then at some point run npm install, they will see a Critical warning.

I don't think that is the best first impression for developers trying to create a new ember app. I think the alternative is that ember-cli could put a message to ignore npm audit reports for dev dependencies.

Should developers be told/expected to ignore security warnings from npm audit? Do we want developers' first impression after running ember new ... and npm install to be... "I wonder, do the maintainers of Ember make it a practice to ignore security concerns?"

(screenshots attached: npm-audit, update-dependents)

Turbo87 (Member) commented May 12, 2018

I am talking about nested dev deps. Those don't even get installed on your machine, and yet still npm is screaming about them...

pixelhandler (Contributor Author) commented:

@Turbo87 yeah, I get that npm audit is reporting warnings on nested dev dependencies and that is not desirable. But it is, and the fix (updating heimdalljs-fs-monitor) was so tiny and easy.

Just thought it would be actually easy to squelch the "Critical" warning for ember-cli created apps. And that it would be a good thing for dependent projects to get an update as well.

I found these issues on npm's tracker:

We'll see what happens.

If you feel strongly that it is not worth addressing (a minor patch to avoid the "Critical" warning), I'm happy to close this issue. I think the downside of not addressing it is that some will get a bad impression that Ember has critical security warnings. (Many people just take things at surface level.) People at work were talking about filing security bugs for our ember apps and reporting them to our security team. I was able to object, "This is not a real security issue and ember-cli will update so we don't have to panic about the 'critical' warnings."

Turbo87 (Member) commented May 12, 2018

Don't get me wrong, I do think it's worth addressing the issue in the heimdalljs-fs-monitor project, but I don't think it's an urgent issue for Ember CLI itself.

pixelhandler (Contributor Author) commented May 12, 2018

@Turbo87 cool, yeah thanks for all the feedback. My sense of urgency is to prevent a bit of explaining from ember developers to their skeptics, e.g. managers and teams. And, to avoid scaring off those evaluating ember.

Not everyone is a fan of using Ember given the popularity of other libraries; so trying to reduce yet another concern regarding a choice to use ember. "Well, who knows how responsive they are to security issues". I thought that since it is trivial to remove the critical warning, why not.

I get that there are other priorities and it's an interruption. Just thought it would be a slam dunk and also the kind of thing that shows the ember community (though not backed by a large company) is considerate of security concerns - even when they are not legitimate. Those who advocate using ember may prefer not to raise eyebrows during first impressions of trying ember and seeing a critical security warning.

And since npm has been promoting their new security feature npm audit - it would be great for ember developers not to have to explain why we can safely ignore the critical report from npm audit in our existing apps.

rtablada (Contributor) commented:

I would agree with both of y'all. But as @pixelhandler points out, we should be addressing npm audit in the default blueprint. While you may not agree with the method used to audit, this is the way that the Node Security Project has done things for a while and it has been integrated directly into npm.
It's bad optics for us to argue about how and just stay put.

IMO these are two separate issues.

  1. A new Ember project should have audit issues full stop. This hurts the general image of ember and creates a worry about security and the optics of Ember in general.
  2. Those that think that the way audit works should make an issue in npm and discuss there

rwjblue (Member) commented May 14, 2018

I don't see how the mocha dev dependency is relevant for this 🤔

@Turbo87 - That isn't actually the issue here. heimdall-fs-monitor@0.2.0 had mocha and chai as dependencies, not devDependencies.

rwjblue (Member) commented May 14, 2018

As of this morning these steps:

⚡ npm install -g npm
⚡ ember new application
⚡ cd application/                                                                 
⚡ npm audit

Results in:

[!] 4 vulnerabilities found - Packages audited: 56298 (56298 dev, 322 optional)
    Severity: 4 Low
❯ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > ember-cli-broccoli-sane-watcher > sane >         │
│               │ fsevents > node-pre-gyp > rc > deep-extend                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli > sane > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-qunit [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-qunit > ember-qunit > qunit > chokidar > fsevents  │
│               │ > node-pre-gyp > rc > deep-extend                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint-plugin-ember [dev]                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint-plugin-ember > require-folder-tree > lodash           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 4 vulnerabilities found - Packages audited: 56298 (56298 dev, 322 optional)
    Severity: 4 Low
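
The four findings above are all the same class, "Prototype Pollution", in a deep-merge helper (deep-extend, reached here through rc; lodash through require-folder-tree). The following is an added example, not code from this issue, from ember-cli or from deep-extend itself: a simplified naive recursive merge of the kind these advisories describe, next to a hardened merge that refuses the keys through which a merged object can reach `Object.prototype`. The function names, the `demonstratePollution` probe and the JSON payload are all constructed for the example.

```javascript
// Added example: why npm audit flags "Prototype Pollution" in deep-merge
// helpers, and what a hardened merge looks like. Neither merge function is
// deep-extend's or lodash's real code; both are simplified stand-ins.

// Naive recursive merge. `for...in` visits every enumerable own key of `src`,
// including a key literally named "__proto__" (JSON.parse creates it as an
// own property). Reading `dst["__proto__"]` returns Object.prototype, so the
// recursion then writes into the prototype shared by every object.
function naiveMerge(dst, src) {
  for (const key in src) {
    const value = src[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (!dst[key] || typeof dst[key] !== 'object') dst[key] = {};
      naiveMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Only plain objects are merged recursively; arrays, class instances,
// functions and null are copied by reference like any other value.
function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Hardened merge: skips the keys that can redirect a write to a prototype
// ("__proto__", "constructor", "prototype"), only recurses into plain
// objects, and only creates containers for keys `dst` does not own itself.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue; // or throw, if silent drops are unwanted
    const value = src[key];
    if (isPlainObject(value)) {
      if (!hasOwn(dst, key) || !isPlainObject(dst[key])) dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Probe: merge a constructed payload (the shape an attacker-controlled
// config file or request body would carry) into an empty object, then check
// whether an unrelated fresh object inherited the injected property.
// Returns true if `mergeFn` polluted Object.prototype. The `finally` block
// removes the injected property so the process is left clean either way.
function demonstratePollution(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  const unrelated = {};
  try {
    mergeFn({}, payload);
    return unrelated.polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log('naiveMerge pollutes Object.prototype:', demonstratePollution(naiveMerge));
console.log('safeMerge pollutes Object.prototype: ', demonstratePollution(safeMerge));
console.log('safeMerge result:', JSON.stringify(
  safeMerge({ a: { b: 1 } }, JSON.parse('{"a": {"c": 2}, "__proto__": {"x": 1}}'))));
```

The probe is also the quickest regression check to keep around after pinning the patched versions: a test that merges a `{"__proto__": …}` document and then asserts `({}).polluted === undefined` fails the moment a dependency reintroduces the naive pattern, regardless of which package on the `Path` lines it comes from.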

@Turbo87
Member

Turbo87 commented May 14, 2018

> That isn't actually the issue here. heimdall-fs-monitor@0.2.0 had mocha and chai as dependencies not devDependencies.

okay, that makes a lot more sense. thanks for the clarification!

I guess since this is fixed now we can close the issue?

@rwjblue
Member

rwjblue commented May 14, 2018

The remaining reports are going to require a new fsevents release because they bundle node-pre-gyp instead of allowing it (and its dependencies) to be resolved naturally (node-pre-gyp already allows for rc@1.2.7 due to using ^1.1.7).

@rwjblue
Member

rwjblue commented May 14, 2018

I fixed the eslint-plugin-ember warning (in ember-cli/eslint-plugin-ember#254 released as v5.1.1) and created fsevents/fsevents#222 to track resolving the remaining vulnerabilities.

@rwjblue rwjblue closed this as completed May 14, 2018
@pixelhandler
Contributor Author

pixelhandler commented May 14, 2018

@rwjblue Thanks for resolving this :)

Quick question: for existing apps that currently report this critical security warning, what is the path to removing that? Change lock files? Upgrade to a patch of ember-cli?

@rwjblue
Member

rwjblue commented May 14, 2018

> Quick question: for existing apps that currently report this critical security warning, what is the path to removing that? Change lock files? Upgrade to a patch of ember-cli?

Should just need to update your nested dependencies however you normally do that in your project. One possible way would be to clear your lockfile and regenerate it, though that will result in many more changes than "just" fixing this one vulnerability. With yarn you can use resolutions to force the nested dep to be a specific version. I'm unsure exactly how to do that with npm without hand editing package.json / package-lock.json which seems pretty error prone...
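
The yarn route rwjblue describes is a `resolutions` block in package.json that forces a nested package to one version. What is easy to get wrong is pinning a version that is still inside the vulnerable range, or pinning one package of several. The following is an added example, not code from this issue or from ember-cli: a small check that, given the `Package` / `Patched in` pairs from the audit output above, confirms that every finding has a resolution and that the pinned version satisfies the patched range. The findings list, the package.json fragment and all function names are constructed for the example; only ranges of the form `>=x.y.z`, the form npm audit printed here, are handled.

```javascript
// Added example: verify that a yarn "resolutions" block covers every package
// reported by npm audit. Not part of ember-cli or of the issue above.

// Parse a plain "x.y.z" version into numeric parts; pre-release suffixes and
// build metadata are deliberately rejected rather than silently compared.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric, part-by-part comparison (so 4.17.10 > 4.17.5, unlike a string sort).
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Does an exact pinned version satisfy a ">=x.y.z" range as printed under
// "Patched in" in the audit report?
function satisfiesPatchedRange(version, range) {
  const m = /^>=\s*(\S+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range (only ">=x.y.z" handled): ${range}`);
  return compareVersions(version, m[1]) >= 0;
}

// Return the findings that are NOT covered by a resolution. A resolution key
// may be the bare package name or the "**/name" glob form; yarn applies
// either to the package at any depth of the tree.
function uncoveredFindings(packageJson, findings) {
  const resolutions = (packageJson && packageJson.resolutions) || {};
  return findings.filter(({ pkg, patchedIn }) => {
    const pinned = resolutions[pkg] !== undefined ? resolutions[pkg] : resolutions[`**/${pkg}`];
    return pinned === undefined || !satisfiesPatchedRange(pinned, patchedIn);
  });
}

// Constructed from the "Package" and "Patched in" rows of the audit output
// quoted in this thread.
const findings = [
  { pkg: 'deep-extend', patchedIn: '>=0.5.1' },
  { pkg: 'lodash', patchedIn: '>=4.17.5' },
];

// Constructed package.json fragment with a resolutions block that pins both
// packages to the first patched version.
const packageJsonWithResolutions = {
  name: 'application',
  resolutions: {
    '**/deep-extend': '0.5.1',
    '**/lodash': '4.17.5',
  },
};

// Same fragment with one pin left inside the vulnerable range.
const packageJsonWithBadPin = {
  name: 'application',
  resolutions: {
    '**/deep-extend': '0.5.1',
    lodash: '4.17.4',
  },
};

console.log('uncovered (good pins):', uncoveredFindings(packageJsonWithResolutions, findings).map((f) => f.pkg));
console.log('uncovered (bad pin):  ', uncoveredFindings(packageJsonWithBadPin, findings).map((f) => f.pkg));
```

Two caveats follow from the thread itself. A resolution only rewrites what yarn resolves; as rwjblue notes above, fsevents bundles node-pre-gyp, so the copies of rc and deep-extend inside that bundle are untouched by a resolution and only an upstream fsevents release clears those three reports. And the check runs against package.json, not the installed tree: after editing resolutions, re-run `yarn install` and then `npm audit` (or `yarn audit`) so the lockfile, not the intent, is what gets verified.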
