This repository has been archived by the owner on Nov 23, 2022. It is now read-only.

found 3225 vulnerabilities #40

Closed
wants to merge 1 commit into exoframejs:master from FDiskas:fix-audit

Conversation

FDiskas
Contributor

@FDiskas FDiskas commented Apr 26, 2020

=== npm audit security report ===

found 0 vulnerabilities
in 331894 scanned packages

@coveralls

Coverage remained the same at 88.149% when pulling 4bac7ba on FDiskas:fix-audit into 21a6ab9 on exoframejs:master.

@yamalight
Contributor

@FDiskas were there any critical vulnerabilities worth fixing? Otherwise I'm not sure that's needed at all.

@FDiskas
Contributor Author

FDiskas commented Apr 27, 2020

Sure. Because it's going to be installed on a server. This is important in any case.

@yamalight
Contributor

@FDiskas what were the vulnerabilities? Are you sure the code they were in was actually used? (and not a build-time dependency, as it is in ~95% of cases)

@FDiskas
Contributor Author

FDiskas commented Apr 27, 2020

Do you actually want me to reproduce the security issues? I'm not going to do that. It's good practice to keep your subdependencies up to date. Remember the redoss example...

Those issues were fixed using npm audit fix --force. You should trust npm :P

@yamalight
Contributor

@FDiskas definitely not asking to reproduce anything.
I'm asking which reported vulnerabilities were actually in the code used by the server.
The reason I'm asking is simple - most of those are either non-issues, or part of dev tooling and do not impact the server itself at all.

@FDiskas
Contributor Author

FDiskas commented Apr 27, 2020

found 3225 vulnerabilities (3198 low, 27 moderate)

So I removed most errors produced by packages used only in dev, like jest and eslint, and got those:

                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm update minimist --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ coveralls [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ coveralls > minimist                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update tar-fs --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ dockerode [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ dockerode > tar-fs > mkdirp > minimist                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm update mkdirp --depth 2  to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tar-fs [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tar-fs > mkdirp > minimist                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nock [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nock > mkdirp > minimist                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

And it looks like it is used in production.
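A way to answer the "is it actually used by the server?" question mechanically, as an added example that is not part of this PR or the exoframe project: split an npm audit JSON report into advisories reachable from a non-dev dependency path and advisories that only dev tooling pulls in. The report layout (advisories keyed by id, each finding carrying its paths and a dev flag) is assumed from the npm 6 format, and the sample data is constructed to mirror the minimist findings above.

```javascript
// Added example (not exoframe's code): triage an `npm audit --json` report by
// whether each advisory is reachable from a production dependency path.
// Report shape assumed from the npm 6 layout; the data below is constructed to
// mirror the thread's minimist findings and is not real audit output.
const sampleReport = {
  advisories: {
    1179: {
      id: 1179,
      module_name: 'minimist',
      severity: 'low',
      title: 'Prototype Pollution',
      url: 'https://npmjs.com/advisories/1179',
      findings: [
        { paths: ['coveralls>minimist', 'nock>mkdirp>minimist'], dev: true },
        { paths: ['dockerode>tar-fs>mkdirp>minimist'], dev: false },
      ],
    },
    // Constructed placeholder: a finding that only dev tooling pulls in.
    99999: {
      id: 99999,
      module_name: 'example-dev-only-pkg',
      severity: 'moderate',
      title: 'Constructed example advisory',
      url: 'https://example.invalid/advisories/99999',
      findings: [{ paths: ['jest>example-dev-only-pkg'], dev: true }],
    },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Split advisories into those with at least one production path (worth a
// release) and those reachable only through dev tooling (worth noting, not
// urgent for a deployed server). Production entries are sorted by severity.
function triageAudit(report) {
  const production = [];
  const devOnly = [];
  for (const adv of Object.values(report.advisories || {})) {
    const prodPaths = [];
    const devPaths = [];
    for (const finding of adv.findings || []) {
      (finding.dev ? devPaths : prodPaths).push(...finding.paths);
    }
    const entry = { id: adv.id, module: adv.module_name, severity: adv.severity,
                    title: adv.title, url: adv.url, prodPaths, devPaths };
    (prodPaths.length > 0 ? production : devOnly).push(entry);
  }
  production.sort((a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0));
  return { production, devOnly };
}
```

With a real report, pipe `npm audit --json` into this and review the `production` list first; the `devOnly` list is still worth scheduling but does not by itself justify an emergency release.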

@yamalight
Contributor

@FDiskas looks like it's just minimist (arg parsing) with a prototype pollution issue.
exoframe-server doesn't accept or parse any args. All args that are passed to the listed packages are generated by exoframe-server itself, so this is a non-issue.

@FDiskas
Contributor Author

FDiskas commented Apr 28, 2020

Why are you against updating it?

@yamalight
Contributor

@FDiskas because if we want to update it - we need to do a new release.
And that new release won't contain anything "new" or even fixed.
So I don't honestly see any point in doing this.

@FDiskas FDiskas closed this Apr 3, 2021
@FDiskas FDiskas deleted the fix-audit branch April 3, 2021 16:31