I have been using the NPM modules nsp and snyk to test the node modules in my project for security vulnerabilities.
Reported by nsp:
```
$ nsp check --output json
[
  {
    "id": 533,
    "updated_at": "2017-09-25T19:11:21.203Z",
    "created_at": "2017-09-21T20:44:30.777Z",
    "publish_date": "2017-09-25T19:11:21.202Z",
    "overview": "The timespan module is vulnerable to regular expression denial of service. Given 50k characters of untrusted user input it will block the event loop for around 10 seconds.",
    "recommendation": null,
    "cvss_vector": null,
    "cvss_score": null,
    "module": "timespan",
    "version": "2.3.0",
    "vulnerable_versions": "<=99.999.99999",
    "patched_versions": "<0.0.0",
    "title": "Regular Expression Denial of Service",
    "path": [
      "edm@1.0.0",
      "forever@0.15.3",
      "timespan@2.3.0"
    ],
    "advisory": "https://nodesecurity.io/advisories/533"
  }
]
```
Reported by snyk:
```
$ snyk test

✗ Low severity vulnerability found on debug@2.6.8
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:debug:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > tar-pack@3.4.0 > debug@2.6.8
Your dependencies are out of date, otherwise you would be using a newer debug than debug@2.6.8.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

✗ High severity vulnerability found on timespan@2.3.0
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:timespan:20170907
- from: edm@1.0.0 > forever@0.15.3 > timespan@2.3.0
Fix: None available. Consider removing this dependency.

✗ Medium severity vulnerability found on tough-cookie@2.3.2
- desc: Regular Expression Denial of Service (ReDoS)
- info: https://snyk.io/vuln/npm:tough-cookie:20170905
- from: edm@1.0.0 > forever@0.15.3 > forever-monitor@1.7.1 > chokidar@1.7.0 > fsevents@1.1.2 > node-pre-gyp@0.6.36 > request@2.81.0 > tough-cookie@2.3.2
Your dependencies are out of date, otherwise you would be using a newer tough-cookie than tough-cookie@2.3.2.
Try deleting node_modules, reinstalling and running `snyk test` again.
If the problem persists, one of your dependencies may be bundling outdated modules.

Tested 365 dependencies for known vulnerabilities, found 3 vulnerabilities, 3 vulnerable paths.
```