Fix Vulnerable Dependencies Marked by npm audit #27

Closed
petermetz opened this issue Nov 6, 2019 · 2 comments · Fixed by #287

petermetz commented Nov 6, 2019

If necessary, using npm audit fix --force is justified as well.
Might need to get rid of the 8.x NodeJS engine requirement first because the upgraded dependencies may break on 8.x.

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Insecure Credential Storage                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ web3                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ web3                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ web3                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/877                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mem                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm-check [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm-check > depcheck > yargs > os-locale > mem               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/1084                      │
└───────────────┴──────────────────────────────────────────────────────────────┘
@petermetz petermetz added enhancement New feature or request good-first-issue Good for newcomers labels Nov 6, 2019
@petermetz petermetz added this to the v0.2.0 milestone Nov 6, 2019
@petermetz petermetz self-assigned this Nov 6, 2019
@petermetz petermetz removed this from the v0.2.0 milestone Nov 6, 2019
petermetz (Member, Author) commented:

https://nodesecurity.io/advisories/877
This one is a false positive because we do not use Web3 in the browser and therefore no localStorage vulnerability is present in our code.

https://nodesecurity.io/advisories/1084
Does not have a fix merged yet so waiting on that: dylang/npm-check#345

petermetz (Member, Author) commented:

To run the audit in the first place we'll need a little tweak in the project with the new architecture:
https://www.npmjs.com/package/lerna-audit
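The two comments above describe the triage this issue ended up doing by hand: one advisory (877) accepted as unreachable because web3 is not used in the browser, another (1084) accepted until an upstream fix lands, and the audit itself having to run across several packages. The script below is an added example written for this page (editor's code, not code from the Cacti project or from the issue author) that encodes that triage so it can run in CI. It assumes the npm 6 `npm audit --json` layout (a top-level `advisories` object whose entries carry `id`, `module_name`, `severity`, `title`, `patched_versions`, `url` and `findings[].paths`), npm 6's convention of `"patched_versions": "<0.0.0"` for "no patch available", and a constructed pair of sample reports whose package names and versions are placeholders. The allowlist reasons paraphrase the comments above.

```javascript
// Added example (editor's code, not the Cacti project's): triage `npm audit --json`
// reports from several packages against an allowlist of accepted advisories.
// Assumes the npm 6 JSON shape:
//   { advisories: { "<id>": { id, module_name, severity, title, patched_versions, url,
//                             findings: [{ version, paths: [...], dev }] } } }
// and npm 6's convention of reporting "patched_versions": "<0.0.0" when no patch exists.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Accepted findings keyed by advisory id. The reason is stored with the entry so the
// acceptance can be re-examined; both reasons paraphrase the issue comments above.
const ACCEPTED = {
  877: 'web3 is only used server-side, so the browser localStorage weakness is not reachable',
  1084: 'mem is a dev-only transitive dependency; waiting on the upstream fix (dylang/npm-check#345)',
};

// Constructed sample: two reports mirroring the two advisories in the issue.
// Package names and versions are placeholders, not real Cacti values.
const SAMPLE_REPORTS = {
  'package-a': {
    advisories: {
      877: {
        id: 877, module_name: 'web3', severity: 'low', title: 'Insecure Credential Storage',
        patched_versions: '<0.0.0', url: 'https://nodesecurity.io/advisories/877',
        findings: [{ version: '0.0.0-placeholder', paths: ['web3'], dev: false }],
      },
    },
  },
  'package-b': {
    advisories: {
      1084: {
        id: 1084, module_name: 'mem', severity: 'low', title: 'Denial of Service',
        patched_versions: '>=4.0.0', url: 'https://nodesecurity.io/advisories/1084',
        findings: [{ version: '0.0.0-placeholder', paths: ['npm-check>depcheck>yargs>os-locale>mem'], dev: true }],
      },
    },
  },
};

// Flatten every (package, advisory, dependency path) into one finding and split the
// findings into accepted (suppressed, with the recorded reason) and open.
function triage(reportsByPackage, accepted = ACCEPTED) {
  const open = [];
  const suppressed = [];
  for (const [pkg, report] of Object.entries(reportsByPackage)) {
    for (const adv of Object.values(report.advisories || {})) {
      for (const finding of adv.findings || []) {
        for (const path of finding.paths || []) {
          const entry = {
            package: pkg,
            id: adv.id,
            module: adv.module_name,
            severity: adv.severity,
            title: adv.title,
            path,
            dev: Boolean(finding.dev),
            patchedIn: adv.patched_versions,
            patchAvailable: adv.patched_versions !== '<0.0.0',
            url: adv.url,
          };
          const reason = accepted[adv.id];
          if (reason) {
            suppressed.push({ ...entry, reason });
          } else {
            open.push(entry);
          }
        }
      }
    }
  }
  return { open, suppressed };
}

// CI gate: fail when any open finding reaches the severity threshold. Dev-only
// findings can be excluded, since they never ship in the published package.
function shouldFail(result, failOn = 'low', includeDev = true) {
  const threshold = SEVERITY_RANK[failOn];
  return result.open.some(
    (f) => (includeDev || !f.dev) && (SEVERITY_RANK[f.severity] || 0) >= threshold,
  );
}

// Accepted findings for which npm already reports a patched range. These acceptances
// should be revisited first: the only remaining blocker is the dependency chain.
function acceptedWithPatch(result) {
  return result.suppressed.filter((f) => f.patchAvailable);
}

function main() {
  const result = triage(SAMPLE_REPORTS);
  for (const f of result.suppressed) {
    console.log(`accepted ${f.id} ${f.module} [${f.package}: ${f.path}] - ${f.reason}`);
  }
  for (const f of result.open) {
    console.log(`OPEN ${f.severity} ${f.id} ${f.module} [${f.package}: ${f.path}] ${f.url}`);
  }
  for (const f of acceptedWithPatch(result)) {
    console.log(`re-check ${f.id} ${f.module}: patched in ${f.patchedIn}`);
  }
  process.exitCode = shouldFail(result) ? 1 : 0;
}

main();
```

To use it on a real monorepo, run `npm audit --json > audit.json` in each package directory (for example through `lerna exec`) and load the files into the map passed to `triage`. Keeping the reason next to each accepted id is the part that matters: an allowlist without reasons turns into a permanent mute, while `acceptedWithPatch` flags the entries (here 1084) whose acceptance is only waiting on a dependency bump. Note that npm 7 and later changed the JSON layout to a top-level `vulnerabilities` object keyed by package name, so the shape assumed here has to be adapted for those versions.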

@petermetz petermetz added this to the v0.2.0 milestone Jun 9, 2020
petermetz added a commit to petermetz/cacti that referenced this issue Sep 24, 2020
Note: vulnerabilities that have no patches to them are not fixed
(of course)

Fixes hyperledger#27
petermetz added a commit that referenced this issue Oct 6, 2020
Note: vulnerabilities that have no patches to them are not fixed
(of course)

Fixes #27

Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>