Npm audit reports security concerns | 1 Critical #7825
Comments
I created a PR for the "critical" one, heimdalljs/heimdall-fs-monitor#20
Seems that a patch release can be done for
I don't see how the Seems like an npm bug to me...
@Turbo87 the mocha dependency on
Yeah, and I think that's a bug in npm, because npm shouldn't care about nested dev dependencies
Well @Turbo87, if you think npm should change the way See:
I'm not sure how to convince npm that they should not audit Unless npm changes how I don't think that is the best first impression for developers trying to create a new ember app. I think the alternative is that ember-cli could put a message to ignore Should developers be told/expected to ignore security warnings from
I am talking about nested dev deps. Those don't even get installed on your machine, and yet still npm is screaming about them...
@Turbo87 yeah I get that Just thought it would be actually easy to squelch the "Critical" warning for I found these issues on npm's tracker:
We'll see what happens. If you feel strongly that it is not worth addressing - a minor patch to avoid the "Critical" warning - I'm happy to close this issue. I think the downside of not addressing it is that some will get a bad impression that Ember has critical security warnings. (Many people just take things at surface level). People at work were talking about filing security bugs for our ember apps and reporting them to our security team. I was able to object, "This is not a real security issue and ember-cli will update so we don't have to panic about the 'critical' warnings."
Don't get me wrong, I do think it's worth addressing the issue in the
@Turbo87 cool, yeah thanks for all the feedback. My sense of urgency is to prevent a bit of explaining from ember developers to their skeptics, e.g. managers and teams. And, to avoid scaring off those evaluating ember. Not everyone is a fan of using Ember given the popularity of other libraries; so trying to reduce yet another concern regarding a choice to use ember. "Well, who knows how responsive they are to security issues". I thought that since it is trivial to remove the critical warning, why not. I get that there are other priorities and it's an interruption. Just thought it would be a slam dunk and also the kind of thing that shows the ember community (though not backed by a large company) is considerate of security concerns - even when they are not legitimate. Those who advocate using ember may prefer not to raise eyebrows during first impressions of trying ember and seeing a critical security warning. And since npm has been promoting their new security feature
I would agree with both of y'all. But as @pixelhandler points out, we should be addressing npm audit in the default blueprint. While you may not agree with the method used to audit, this is the way that the node security project has done things for a while and it has been integrated directly into npm. IMO these are two separate issues.
@Turbo87 - That isn't actually the issue here. heimdall-fs-monitor@0.2.0 had
As of this morning these steps:
Results in:
Okay, that makes a lot more sense. Thanks for the clarification! I guess since this is fixed now we can close the issue?
The remaining reports are going to require a new
I fixed the
@rwjblue Thanks for resolving this :) Quick question: for existing apps that currently report this critical security warning, what is the path to removing that? Change lock files? Upgrade to a patch of ember-cli?
Should just need to update your nested dependencies however you normally do that in your project. One possible way would be to clear your lockfile and regenerate it, though that will result in many more changes than "just" fixing this one vulnerability. With
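Before touching the lockfile, it helps to know whether a reported advisory is reachable at all from a production install or only arrives through a devDependency, which is the distinction argued over above. The script below is an added example, not code from this thread or from ember-cli: it takes an npm 6 style object of the kind npm audit --json printed at the time, and splits each advisory's dependency paths into production-reachable and dev-only buckets using the project's package.json. The report, package names, versions and advisory ids are constructed placeholders, not real advisories.

```javascript
// Added example (not from the ember-cli thread or project): triage an npm 6 style
// `npm audit --json` object by whether each finding's path starts at a production
// dependency or only at a devDependency. All sample data below is CONSTRUCTED;
// module names, versions and advisory ids are placeholders, not real advisories.

// npm 6 reports a finding's location as "top>middle>leaf"; the first segment is the
// top-level package in the project's own package.json.
function topLevelOf(path) {
  return path.split('>')[0];
}

// Classify every advisory in `audit`. `pkg` is the parsed package.json. A path is
// dev-only when its top-level package appears under devDependencies and not under
// dependencies; everything else is treated as reachable from a production install.
function triage(audit, pkg) {
  const prodDeps = new Set(Object.keys(pkg.dependencies || {}));
  const devDeps = new Set(Object.keys(pkg.devDependencies || {}));
  const production = [];
  const devOnly = [];

  for (const adv of Object.values(audit.advisories || {})) {
    const prodPaths = [];
    const devPaths = [];
    for (const finding of adv.findings || []) {
      for (const p of finding.paths || []) {
        const top = topLevelOf(p);
        const isDevOnly = devDeps.has(top) && !prodDeps.has(top);
        (isDevOnly ? devPaths : prodPaths).push(p);
      }
    }
    const entry = {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      patched: adv.patched_versions,
    };
    // An advisory can land in both buckets when the same package is reached
    // through a production dependency and, separately, through a dev one.
    if (prodPaths.length > 0) production.push({ ...entry, paths: prodPaths });
    if (devPaths.length > 0) devOnly.push({ ...entry, paths: devPaths });
  }
  return { production, devOnly };
}

// Count entries per severity; the production-reachable counts are the ones that
// should drive a security ticket, the dev-only ones are a hygiene item.
function countBySeverity(entries) {
  const counts = {};
  for (const e of entries) counts[e.severity] = (counts[e.severity] || 0) + 1;
  return counts;
}

// Constructed package.json: one runtime dependency, one build-time dependency.
const samplePackageJson = {
  dependencies: { 'some-runtime-lib': '^2.0.0' },
  devDependencies: { 'ember-cli': '~3.1.0' },
};

// Constructed npm 6 style audit report (placeholder advisories only).
const sampleAudit = {
  advisories: {
    '1001': {
      id: 1001,
      module_name: 'example-fs-watcher',
      severity: 'critical',
      title: 'Placeholder advisory (constructed)',
      vulnerable_versions: '<0.2.1',
      patched_versions: '>=0.2.1',
      findings: [{ version: '0.2.0', paths: ['ember-cli>example-fs-watcher'] }],
    },
    '1002': {
      id: 1002,
      module_name: 'example-http-lib',
      severity: 'high',
      title: 'Placeholder advisory (constructed)',
      vulnerable_versions: '<1.0.0',
      patched_versions: '>=1.0.0',
      findings: [
        { version: '0.9.0', paths: ['some-runtime-lib>example-http-lib'] },
        { version: '0.9.0', paths: ['ember-cli>example-http-lib'] },
      ],
    },
  },
};

const result = triage(sampleAudit, samplePackageJson);
console.log('production-reachable:', JSON.stringify(result.production, null, 2));
console.log('dev-only:', JSON.stringify(result.devOnly, null, 2));
console.log('production counts by severity:', countBySeverity(result.production));
```

Run it with node and substitute the real audit object and package.json for the constructed ones. npm 7 and later moved to a different JSON shape (a vulnerabilities map), so the parser applies to reports of the era discussed here. Whether a dev-only finding is acceptable remains a policy decision; the script only separates the two buckets so the critical count that reaches a security team reflects production exposure.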
Today I pulled master of ember-cli and ran npm install, then npm audit.
See https://docs.npmjs.com/getting-started/running-a-security-audit#running-a-security-audit-with-npm-audit
Full output below version info...
Output from ember version --verbose && npm --version && yarn --version:
npm output following install and audit commands...