
Update karma to 3.0.0 #384

Closed
0xazure opened this Issue Sep 10, 2018 · 2 comments


0xazure commented Sep 10, 2018

A fresh install of the project dependencies ends with a little blurb about dependency vulnerabilities:

added 1079 packages from 1531 contributors and audited 9518 packages in 33.813s
found 6 vulnerabilities (1 low, 5 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details

The full output of npm audit is as follows (and rather long, see details), but the audit suggests a key take-away:

=== npm audit security report ===

# Run  npm install --save-dev karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > tunnel-agent             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > boom > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > cryptiles > boom  │
│               │ > hoek                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > hoek              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > sntp > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ timespan                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > timespan                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/533                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 6 vulnerabilities (1 low, 5 moderate) in 9518 scanned packages
  6 vulnerabilities require semver-major dependency updates.
# Run  npm install --save-dev karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

It seems like upgrading the karma dev dependency resolves all of the issues identified in the audit.

The breaking change between the 2.x and 3.x branches seems to be dropping Node.js 4 support, with no other major changes, so this should be a pretty straightforward upgrade.
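The triage in this report (six findings, every one of them reached through `karma > log4js > loggly`, so a single top-level upgrade clears all of them) can be reproduced with a small dependency-tree walk. The following is an added example, not code from the filer project or from npm; the tree, package names and severities are constructed to match the audit paths quoted above.

```javascript
// Added example, not code from the filer project or from npm: walk an
// npm-style dependency tree and report every path to a package that has an
// advisory, grouped by the top-level dependency that pulls it in. This is the
// "Dependency of" / "Path" reasoning behind the audit report above: six
// findings, but a single top-level package (karma) to upgrade.

// Constructed sample tree shaped like the audit paths in the issue; the
// nesting is illustrative, not copied from a real package-lock.json.
const hoek = {};
const boom = { dependencies: { hoek } };
const hawk = { dependencies: {
  boom, cryptiles: { dependencies: { boom } }, sntp: { dependencies: { hoek } }, hoek,
} };
const request = { dependencies: { 'tunnel-agent': {}, hawk } };
const loggly = { dependencies: { request, timespan: {} } };
const tree = { karma: { dependencies: { log4js: { dependencies: { loggly } } } } };

// Constructed advisory list (package -> severity), matching the report above.
const advisories = { 'tunnel-agent': 'moderate', hoek: 'moderate', timespan: 'low' };

// Depth-first walk returning [{ pkg, severity, path }] for every hit. The
// hasOwnProperty check keeps inherited keys such as "constructor" from matching.
function findVulnerablePaths(deps, advisoryMap, path = []) {
  const findings = [];
  for (const [name, node] of Object.entries(deps)) {
    const here = [...path, name];
    if (Object.prototype.hasOwnProperty.call(advisoryMap, name)) {
      findings.push({ pkg: name, severity: advisoryMap[name], path: here.join(' > ') });
    }
    findings.push(...findVulnerablePaths(node.dependencies || {}, advisoryMap, here));
  }
  return findings;
}

// Group findings by the first path element: that is the package you upgrade.
function groupByTopLevel(findings) {
  const groups = {};
  for (const f of findings) {
    const top = f.path.split(' > ')[0];
    (groups[top] = groups[top] || []).push(f);
  }
  return groups;
}

const byTop = groupByTopLevel(findVulnerablePaths(tree, advisories));
for (const [top, hits] of Object.entries(byTop)) {
  console.log(`${top}: ${hits.length} finding(s)`);
  hits.forEach(h => console.log(`  [${h.severity}] ${h.path}`));
}
```

On the sample tree this prints one group, `karma`, with the same six paths the audit lists (five moderate, one low).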


humphd commented Sep 10, 2018

@0xazure thanks for reporting this. Would you be willing to send a pull request with an update to our karma version in package.json? Let me know if you need any help with that.


0xazure commented Sep 11, 2018

I'd be happy to! I'll dig into npm audit a bit and see what I can find out about the specific advisories too. :shipit:

0xazure added a commit to 0xazure/filer that referenced this issue Sep 13, 2018

Update karma dev dependency
Resolves `npm audit` warnings about 1 low, 5
moderate vulnerabilities related to versions before
karma@3.0.0.

Closes filerjs#384.

@humphd humphd closed this in #385 Sep 13, 2018

humphd added a commit that referenced this issue Sep 13, 2018

Update karma dev dependency
Resolves `npm audit` warnings about 1 low, 5
moderate vulnerabilities related to versions before
karma@3.0.0.

Closes #384.