Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm audit: 4 vulnerabilities found in verdaccio dependencies #691

Closed
todojs opened this issue May 13, 2018 · 7 comments
Closed

npm audit: 4 vulnerabilities found in verdaccio dependencies #691

todojs opened this issue May 13, 2018 · 7 comments
Labels
bug: fixed

Comments

@todojs
Copy link

todojs commented May 13, 2018
edited

If you run the npm audit over verdaccio, this is the result:

=== npm audit security report ===
Run npm update lodash --depth 3 to resolve 1 vulnerability
 Low : Prototype Pollution 
 Package : lodash 
 Dependency of : verdaccio 
 Path : verdaccio > async > lodash 
 More info : https://nodesecurity.io/advisories/577 


 Manual Review 
 Some vulnerabilities require your attention to resolve 
 Visit https://go.npm.me/audit-guide for additional guidance 

 Moderate : Prototype pollution 
 Package : hoek 
 Patched in : > 4.2.0 < 5.0.0 >= 5.0.3 
 Dependency of: verdaccio 
 Path : verdaccio > jsonwebtoken > joi > hoek 
 More info : https://nodesecurity.io/advisories/566 

 Moderate : Prototype pollution 
 Package : hoek 
 Patched in : > 4.2.0 < 5.0.0 >= 5.0.3 
 Dependency of: verdaccio 
 Path : verdaccio > jsonwebtoken > joi > topo > hoek 
 More info : https://nodesecurity.io/advisories/566 

 Low : Prototype Pollution 
 Package : lodash 
 Patched in : >=4.17.5 
 Dependency of: verdaccio 
 Path : verdaccio > lodash 
 More info : https://nodesecurity.io/advisories/577 

[!] 4 vulnerabilities found - Packages audited: 360 (0 dev, 49 optional)
 Severity: 2 Low: 2 Moderate
@juanpicado
Copy link
Member

Refers to sass/node-sass#2355

@juanpicado
Copy link
Member

Refers to caolan/async#1532

@juanpicado juanpicado added the WIP label May 13, 2018
@juanpicado
Copy link
Member

Refers to unclechu/node-deep-extend#41

@todojs
Copy link
Author

todojs commented May 13, 2018
edited

Aditional info, this is the report over master (v3 beta):

                       === npm audit security report ===

# Run  npm install --dev jest@22.4.3  to resolve 4 vulnerabilities

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-haste-map > sane > fsevents >
                  node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612


  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runner > jest-haste-map > sane >
                  fsevents > node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runner > jest-runtime >
                  jest-haste-map > sane > fsevents > node-pre-gyp > rc >
                  deep-extend
  More info       https://nodesecurity.io/advisories/612


  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runtime > jest-haste-map > sane >
                  fsevents > node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

# Run  npm install --dev webpack@4.8.3  to resolve 1 vulnerability

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   webpack [dev]
  Path            webpack > watchpack > chokidar > fsevents > node-pre-gyp >
                  rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

# Run  npm install --dev webpack-dev-server@3.1.4  to resolve 1 vulnerability

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   webpack-dev-server [dev]
  Path            webpack-dev-server > chokidar > fsevents > node-pre-gyp > rc
                  > deep-extend
  More info       https://nodesecurity.io/advisories/612


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure
  Package         tunnel-agent
  Patched in      >=0.6.0
  Dependency of   node-sass [dev]
  Path            node-sass > request > tunnel-agent
  More info       https://nodesecurity.io/advisories/598

  Low             Prototype Pollution
  Package         deep-extend
  Patched in      >=0.5.1
  Dependency of   babel-cli [dev]
  Path            babel-cli > chokidar > fsevents > node-pre-gyp > rc >
                  deep-extend
  More info       https://nodesecurity.io/advisories/612

[!] 16 vulnerabilities found - Packages audited: 47670 (47297 dev, 934 optional)
    Severity: 7 Low | 9 Moderate
```

juanpicado added a commit that referenced this issue May 13, 2018
@juanpicado
fix: update dependencies #691
d07bfc5 
webpack
@juanpicado juanpicado mentioned this issue May 13, 2018
Merged
@todojs
Copy link
Author

todojs commented May 13, 2018
edited

@juanpicado Good Work. Master with the new commit and only with production dependencies result:

                       === npm audit security report ===

[+] no known vulnerabilities found
    Packages audited: 373 (0 dev, 50 optional)

@juanpicado
Copy link
Member

👍 👍 👍 👍 thanks @todojs for the report

@juanpicado juanpicado added bug: fixed and removed WIP labels May 22, 2018
@zianakamarudin96
Copy link

i am also have this problem,i am currently to build an apps using ionic and want to use firebase but this type of report is shown when i am using npm audit,hope someone can guide me.tq.

=== npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of cordova-android

Path cordova-android > cordova-common > plist > xmlbuilder >
lodash

More info https://nodesecurity.io/advisories/577

[!] 1 vulnerability found - Packages audited: 3792 (3246 dev, 304 optional)
Severity: 1 Low

@verdaccio verdaccio locked as resolved and limited conversation to collaborators May 25, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug: fixed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@juanpicado @todojs @zianakamarudin96