
Adding to package.json causes npm to report 23 new high vulnerabilities #9209

Closed
3 tasks done
jcoyne opened this issue Nov 12, 2021 · 5 comments
Assignees
Labels
dependencies Pull requests that update a dependency file


jcoyne commented Nov 12, 2021

Before opening, please confirm:

JavaScript Framework: React

Amplify APIs: Not applicable

Amplify Categories: auth

Environment information

before:

$ npm i

up to date, audited 1467 packages in 3s

...

3 vulnerabilities (2 low, 1 moderate)

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

after:

$ npm i @aws-amplify/auth
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated sane@4.1.0: some dependency vulnerabilities fixed, support for node < 10 dropped, and newer ECMAScript syntax/features added
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uuid@3.4.0: Please upgrade  to version 7 or higher.  Older versions may use Math.random() in certain circumstances, which is known to be problematic.  See https://v8.dev/blog/math-random for details.
npm WARN deprecated uglify-es@3.3.9: support for ECMAScript is superseded by `uglify-js` as of v3.13.0

added 556 packages, and audited 2023 packages in 20s
...

34 vulnerabilities (2 low, 9 moderate, 23 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.

Describe the bug

The package has dependencies that NPM categorizes as having high severity security vulnerabilities.

Expected behavior

No dependencies on packages with known vulnerabilities.

Reproduction steps

npm i @aws-amplify/auth

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line


aws-exports.js: No response

Manual configuration: No response

Additional configuration: No response

Mobile Device: No response

Mobile Operating System: No response

Mobile Browser: No response

Mobile Browser Version: No response

Additional information and screenshots: No response


jcoyne commented Nov 12, 2021

It looks like this is related to https://github.com/aws-amplify/amplify-js/discussions/7569

And probably caused by pulling in react-native #9119
And is contributed to by facebook/react-native#32328

@chrisbonifacio chrisbonifacio self-assigned this Nov 15, 2021
@chrisbonifacio chrisbonifacio added dependencies Pull requests that update a dependency file pending-triage Issue is pending triage labels Nov 15, 2021
@chrisbonifacio chrisbonifacio added this to Pending Triage in Issues Triaging via automation Nov 15, 2021
@sammartinez (Contributor) commented:

Thanks for this @jcoyne. Installing now, I am not receiving the high vulnerabilities. Can you please confirm that with the latest you are no longer seeing the high vulnerabilities? Thanks ahead of time.

@sammartinez sammartinez added pending-close-response-required A response is required for this issue to remain open, it will be closed within the next 7 days. and removed pending-triage Issue is pending triage labels Nov 29, 2021

jcoyne commented Nov 29, 2021

Yes, it looks like cache-base 4.0.2 was released which fixes this: jonschlinkert/cache-base@afb51c8

@sammartinez (Contributor) commented:

Awesome! That being stated, I am going to close this issue in favor of the above. Thanks for confirming!

Issues Triaging automation moved this from Pending Triage to Triaged/Closed By DSE Nov 29, 2021
@chrisbonifacio chrisbonifacio removed the pending-close-response-required A response is required for this issue to remain open, it will be closed within the next 7 days. label Dec 2, 2021
github-actions bot commented Dec 4, 2022

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels or Discussions for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 4, 2022