The tracking issue for npm audit fix commits

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50499

• Created at 2019-07-15 23:36:31 by spichugi (@droideck)
• Assigned to nobody

---

Issue Description

New vulnerabilities can arise from time to time in npm audit reports and they should be addressed by running npm audit fix. Sometimes it can require manual intrusion.

The PRs can be linked to this issue.

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-07-16 00:47:14

#3556

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-07-16 00:47:15

Metadata Update from @droideck:

• Custom field origin adjusted to None
• Custom field reviewstatus adjusted to None

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-08-08 17:26:06

Metadata Update from @mreynolds389:

• Issue set to the milestone: FUTURE

[389-ds-bot]

Comment from vashirov (@vashirov) at 2019-08-23 09:53:49

NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-08-23 10:17:33

#3616

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:25:01

Commit 2e85b4a3 relates to this ticket

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-09-27 23:26:45

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-11-04 22:18:19

Commit 5202ad8b relates to this ticket

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-11-04 22:24:02

Fixes npm "handlebar" audit alert - again

1299143..5202ad8 master -> master
9c210f7..49c7044 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-11-15 17:04:44

Commit b1d67c11 relates to this ticket

[389-ds-bot]

Comment from spichugi (@droideck) at 2019-11-20 12:21:19

Commit 9f475988 relates to this ticket

[389-ds-bot]

Comment from vashirov (@vashirov) at 2019-12-11 16:02:58

Commit 80e0ce24 relates to this ticket
a9fa0ad..d619905 389-ds-base-1.4.1 -> 389-ds-base-1.4.1