
npm ci reports vulnerabilities that dependabot did not catch #190

Closed
bickelj opened this issue Dec 29, 2022 · 1 comment
bickelj commented Dec 29, 2022

$ npm ci

added 614 packages, and audited 615 packages in 11s

96 packages are looking for funding
  run `npm fund` for details

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
$ npm audit
# npm audit report

json5  <2.2.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install eslint-plugin-import@2.24.1, which is a breaking change
node_modules/json5
node_modules/tsconfig-paths/node_modules/json5
  tsconfig-paths  3.5.0 - 3.9.0 || 3.11.0 - 3.14.1
  Depends on vulnerable versions of json5
  node_modules/tsconfig-paths
    eslint-plugin-import  >=2.24.2
    Depends on vulnerable versions of tsconfig-paths
    node_modules/eslint-plugin-import
      eslint-config-airbnb-base  >=15.0.0
      Depends on vulnerable versions of eslint-plugin-import
      node_modules/eslint-config-airbnb-base
        eslint-config-airbnb-typescript  >=16.0.0
        Depends on vulnerable versions of eslint-config-airbnb-base
        Depends on vulnerable versions of eslint-plugin-import
        node_modules/eslint-config-airbnb-typescript

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

bickelj added a commit that referenced this issue Dec 29, 2022
This update attempt was spurred by an alleged json5 vulnerability.
It is a dev dependency and therefore should not be included in
production code and therefore should not affect deployed instances of
the software.

See import-js/eslint-plugin-import#2447 (comment)

Issue #190 `npm ci` reports vulnerabilities...

bickelj added a commit that referenced this issue Dec 30, 2022
This update attempt was spurred by an alleged json5 vulnerability.
It is a dev dependency and therefore should not be included in
production code and therefore should not affect deployed instances of
the software.

This commit includes an update to json5 v1 which should be compatible
with eslint plugin and removes the vulnerability.

See import-js/eslint-plugin-import#2447 (comment)
See json5/json5#298

Issue #190 `npm ci` reports vulnerabilities...
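The audit output above and the two commit messages make the triage point explicit: whether a reported package sits only under devDependencies decides whether it can reach a deployed instance. The following is an added example, not code from the issue or the project, showing one way to automate that split. It cross-references an `npm audit --json` report (auditReportVersion 2) with the `packages` map of a lockfileVersion 2/3 package-lock.json, where npm marks entries reachable only through devDependencies with `dev: true`. Both inputs are constructed samples shaped like npm's real output; the json5 and tsconfig-paths entries mirror the tree in the issue, while `example-runtime-lib` and its advisory are invented to exercise the production branch.

```javascript
// Added example (not from the issue or the project): classify npm audit findings
// as production-reachable or dev-only using the lockfile's "packages" map.
// Both inputs below are constructed samples shaped like npm's real output.

const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    json5: {
      name: "json5",
      severity: "high",
      isDirect: false,
      via: [{
        title: "Prototype Pollution in JSON5 via Parse Method",
        url: "https://github.com/advisories/GHSA-9c47-m6qq-7p4h",
        severity: "high",
        range: "<2.2.2",
      }],
      effects: ["tsconfig-paths"],
      range: "<2.2.2",
      nodes: ["node_modules/json5", "node_modules/tsconfig-paths/node_modules/json5"],
      fixAvailable: { name: "eslint-plugin-import", version: "2.24.1", isSemVerMajor: true },
    },
    "tsconfig-paths": {
      name: "tsconfig-paths",
      severity: "high",
      isDirect: false,
      via: ["json5"], // transitive: flagged only because it depends on json5
      effects: ["eslint-plugin-import"],
      range: "3.5.0 - 3.9.0 || 3.11.0 - 3.14.1",
      nodes: ["node_modules/tsconfig-paths"],
      fixAvailable: { name: "eslint-plugin-import", version: "2.24.1", isSemVerMajor: true },
    },
    // Hypothetical production-side finding (constructed) so both branches are exercised.
    "example-runtime-lib": {
      name: "example-runtime-lib",
      severity: "moderate",
      isDirect: true,
      via: [{ title: "Constructed advisory", url: "https://example.invalid/advisory",
              severity: "moderate", range: "<1.2.0" }],
      effects: [],
      range: "<1.2.0",
      nodes: ["node_modules/example-runtime-lib"],
      fixAvailable: true,
    },
  },
};

// Constructed "packages" map from a package-lock.json (lockfileVersion 2/3).
// npm sets dev: true only when no production dependency path reaches the entry.
const sampleLockPackages = {
  "": { name: "example-app", version: "0.0.0" },
  "node_modules/json5": { version: "2.2.1", dev: true },
  "node_modules/tsconfig-paths/node_modules/json5": { version: "1.0.1", dev: true },
  "node_modules/tsconfig-paths": { version: "3.14.1", dev: true },
  "node_modules/example-runtime-lib": { version: "1.1.0" },
};

// A finding is dev-only when every installed copy listed in `nodes` carries dev: true.
// A copy missing from the lockfile is reported as unknown, never silently treated as safe.
function classifyAudit(audit, lockPackages) {
  const result = { prod: [], devOnly: [], unknown: [] };
  for (const vuln of Object.values(audit.vulnerabilities)) {
    const entries = vuln.nodes.map((path) => lockPackages[path]);
    if (entries.some((e) => e === undefined)) {
      result.unknown.push(vuln.name);
    } else if (entries.every((e) => e.dev === true)) {
      result.devOnly.push(vuln.name);
    } else {
      result.prod.push(vuln.name);
    }
  }
  for (const key of Object.keys(result)) result[key].sort();
  return result;
}

// Root-cause advisories: findings whose `via` holds advisory objects rather than package
// names. These are the packages that actually need a version bump; the rest are fallout.
function rootAdvisories(audit) {
  return Object.values(audit.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"))
    .map((v) => ({
      name: v.name,
      range: v.range,
      urls: v.via.filter((x) => typeof x === "object").map((x) => x.url),
    }));
}

// One triage line per finding, suitable for a CI log.
function triageLines(audit, lockPackages) {
  const cls = classifyAudit(audit, lockPackages);
  const label = (n) =>
    cls.prod.includes(n) ? "PROD" : cls.devOnly.includes(n) ? "dev-only" : "unknown";
  return Object.values(audit.vulnerabilities)
    .map((v) => `${label(v.name).padEnd(8)} ${v.severity.padEnd(8)} ${v.name} ${v.range}`)
    .sort();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(triageLines(sampleAudit, sampleLockPackages).join("\n"));
}
```

For a live project the equivalent quick check is `npm audit --omit=dev` (npm 8 and later), which audits only the production tree. Two caveats apply to either approach: `dev: true` is absent whenever any production path reaches the package, so a shared dependency correctly lands in the production bucket; and a dev-only finding still runs on developer machines and CI runners, so it is lower priority for deployed instances rather than irrelevant.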
bickelj self-assigned this Jan 5, 2023

bickelj commented Jan 5, 2023

It looks like npm audit now shows 0 [known/published/CVE-listed] vulnerabilities

bickelj closed this as completed Jan 5, 2023