npm audit security vulnerabilities #5335
Comments
|
Just started seeing the same. Happens even with a simple "gatsby new xxxx". |
|
I have seen similar vulnerability errors when trying to install the styled components and the react-next plugins. What can be done to clear these vulnerabilities? |
|
Looking at the info url for most of these vurnerabilities the dependencies need to update. Looks like most of them are caused by old versions of lodash, deep-extend, and mime. These issues probably existed for some time but are just surfacing now because npm aquired Lift Security. |
m-allanson
added
help wanted
|
What versions of npm are you using? I've added a PR to fix the 'moderate' vulnerability. I'd love help updating other dependencies where possible. Note that Gatsby v1 uses webpack v1, so it might not be possible to fix issues where Gatsby is relying on webpack v1 compatible dependencies. This will most likely apply to dependencies based on Babel, webpack and PostCSS. A lot of these look like they'll need dependencies dependencies' to upgrade. |
m-allanson
changed the title
|
I'm getting the same output along with one "Critical" vulnerability: |
|
Same with me but I'm getting 3 criticals: Packages "open", "command-exists", and "macaddress".
|
|
|
|
Any progress on this? |
|
$ npm i gatsby@next
+ gatsby@2.0.0-beta.59
added 1474 packages from 992 contributors and audited 16096 packages in 60.533s
found 1 high severity vulnerability
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >= 1.1.5 <2.0.0 || >=3.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gatsby │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gatsby > remote-redux-devtools > socketcluster-client > ws │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/550 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 16096 scanned packagesIt's in the aforementioned |
|
Resolving #6575 should remove this last high vulnerability. |
|
Like @roachnt I am getting Critical on "Command Injection" on
|
|
=== npm audit security report === Run npm update macaddress --depth 5 to resolve 2 vulnerabilitiesCritical Command Injection Package macaddress Dependency of css-loader [dev] Path css-loader > cssnano > postcss-filter-plugins > uniqid > Critical Command Injection Package macaddress Dependency of cssnano [dev] Path cssnano > postcss-filter-plugins > uniqid > macaddress More info https://nodesecurity.io/advisories/654 Run npm update fill-range --depth 5 to resolve 1 vulnerabilityLow Cryptographically Weak PRNG Package randomatic Dependency of http-proxy-middleware [dev] Path http-proxy-middleware > micromatch > braces > expand-range > More info https://nodesecurity.io/advisories/157 |
|
I am not sure if this is the right place to post about the vulnerabilities warning I found, but I am getting these moderate warnings from gatsby-plugin-sharp regarding tunnel-agency package as you can see below |
|
Closing this since a new |
After install I was warned by npm of many security issues. Here is what I am seeing
These are all (except for a few) dependencies of gatsby
The text was updated successfully, but these errors were encountered: