
1 vulnerability required manual review and could not be updated #10176

usama-asfar opened this issue Jul 7, 2019 · 4 comments



commented Jul 7, 2019

OS: ubuntu 18.04.2 LTS
NPM: 6.9.0
babel-cli: "^6.26.0",

usama@usama:~/Documents/Project/Back-End/apollo-gql-api$ npm audit fix
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

up to date in 10.115s
fixed 0 of 1 vulnerability in 3834 scanned packages
  1 vulnerability required manual review and could not be updated

usama@usama:~/Documents/Project/Back-End/apollo-gql-api$ npm audit
                       === npm audit security report ===                        
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit for additional guidance          │
│ Low           │ Regular Expression Denial of Service                         │
│ Package       │ braces                                                       │
│ Patched in    │ >=2.3.1                                                      │
│ Dependency of │ babel-cli [dev]                                              │
│ Path          │ babel-cli > chokidar > anymatch > micromatch > braces        │
│ More info     │                             │
found 1 low severity vulnerability in 3834 scanned packages
  1 vulnerability requires manual review. See the full report for details.



commented Jul 7, 2019

Hey @usama-asfar! We really appreciate you taking the time to report an issue. The collaborators
on this project attempt to help as many people as possible, but we're a limited number of volunteers,
so it's possible this won't be addressed swiftly.

If you need any help, or just have general Babel or JavaScript questions, we have a vibrant Slack
that typically always has someone willing to help. You can sign-up here
for an invite.



commented Jul 12, 2019

This should be as simple as a dependency update...?



commented Jul 12, 2019

Yes, but we will only release new v6 versions for critical security vulnerabilities. This has been fixed in Babel 7.

This vulnerability only affects babel-cli --watch. Since babel-cli --watch is only used during development/deployment, the only way an attacker could use this vulnerability to DoS you is by changing the paths you are passing to Babel as a cli argument.

It should run something like this:


But if the attacker can run an arbitrary command, you have bigger problems 😛

For this reason, this vulnerability is even lower for Babel users than how it is specified in the report.

For reference, this is the braces bug fix: micromatch/braces@abdafb0
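The triage the comment above walks through, as an added example that is not part of this issue nor of npm or Babel: a script that reads an `npm audit --json` report and separates dev-only findings (like the braces one, reached only through `babel-cli`) from findings reachable from production dependencies. The report shape (advisories keyed by id, each with `findings` carrying `paths` and a `dev` flag) is assumed from npm 6, and the sample object is constructed to mirror the report shown at the top of the issue.

```javascript
// Constructed sample, shaped like the npm 6 `npm audit --json` output for the
// report above (field names assumed from npm 6; not copied from the issue).
const SAMPLE_AUDIT = {
  advisories: {
    "786": {
      id: 786,
      module_name: "braces",
      severity: "low",
      title: "Regular Expression Denial of Service",
      patched_versions: ">=2.3.1",
      findings: [
        { version: "1.8.5", dev: true, optional: false,
          paths: ["babel-cli>chokidar>anymatch>micromatch>braces"] },
      ],
    },
  },
};

// Severity ordering used to sort the queue; prod-reachable findings sort first.
const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Flatten every advisory/finding/path into one triage row and sort the rows so
// that production-reachable findings come before dev-only ones of any severity.
function triageAudit(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const chain = path.split(">");           // top-level dep ... vulnerable pkg
        const devOnly = Boolean(finding.dev);     // npm marks devDependency-only paths
        rows.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          title: adv.title,
          patchedIn: adv.patched_versions,
          topLevel: chain[0],                     // the direct dependency to update
          depth: chain.length,
          devOnly,
          // Dev-only code never ships to production, so it is reviewed, not blocked on.
          action: devOnly ? "review: dev-only, not in the production bundle"
                          : "fix: reachable from production dependencies",
        });
      }
    }
  }
  return rows.sort((a, b) =>
    Number(a.devOnly) - Number(b.devOnly) ||
    (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0));
}
```

Feed it `JSON.parse(fs.readFileSync("audit.json"))` to run it on a real report.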



commented Jul 12, 2019

I have set up a repo, installed babel/cli 7.5, and it turns out there are 22 prototype pollution reports that come from chokidar 2 only.

Recently chokidar has released v3 with far less dependencies and better performance. Hopefully we can get rid of the affected dependency by upgrading chokidar to v3.

However, chokidar v3 dropped Node.js 6 support, which should be a reason why we would not update chokidar to v3 on Babel 7.

@nicolo-ribaudo Should we target chokidar v3 upgrade to Babel 8?

@nicolo-ribaudo nicolo-ribaudo added i: 6.0 and removed i: bug labels Jul 13, 2019
