Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

found 5 vulnerabilities (1 low, 4 high) #2201

Closed
silverskyvicto opened this issue Jul 1, 2018 · 3 comments
Closed

found 5 vulnerabilities (1 low, 4 high) #2201

silverskyvicto opened this issue Jul 1, 2018 · 3 comments

Comments

@silverskyvicto
Copy link

Hi.

I installed gulp globally. A warning indicating that the dependent library is vulnerable has been output.

I execute npm audit command. Result is below.

$ npm audit

                       === npm audit security report ===

# Run  npm install --save-dev gulp@4.0.0  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-stream > glob > minimatch             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-stream > minimatch                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > glob >     │
│               │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp > vinyl-fs > glob-watcher > gaze > globule > lodash     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 5 vulnerabilities (1 low, 4 high) in 1418 scanned packages
  5 vulnerabilities require semver-major dependency updates.

I should execute npm audit fix command? Or I need to execute npm update minimatch/lodash?
@yocontra
Copy link
Member

yocontra commented Jul 1, 2018

npm audit is broken and reports things that are not really security issues for us (dev dependencies 3 levels deep that don't even get installed). None of these warnings pose any real risk to you as a user of gulp, so you can ignore them. If you feel strongly enough about it you can open a ticket on npm and ask them to fix audit, but I don't think it will happen any time soon.

@phated
Copy link
Member

phated commented Jul 1, 2018

Those issues have been "known" forever because they are references to gulp 3 (notice the gaze dependency?).
Like contra said, they don't effect us.

@phated phated closed this as completed Jul 1, 2018
@silverskyvicto
Copy link
Author

Sorry. I was installing gulp at npm without specifying the version.

Without specifying the version, running 'npm install gulp' seemed to install version 3.9.1.

The problem was solved by specifying the version of gulp and running npm install.

@sylhare sylhare mentioned this issue Oct 13, 2018
Closed
@trinaldi trinaldi mentioned this issue Nov 22, 2018
Closed
@evanmwillhite evanmwillhite mentioned this issue Dec 10, 2018
Open
JonnyJD added a commit to EBiSC/ebisc that referenced this issue Aug 22, 2019
@JonnyJD
run npm audit fix
0a754d2 
the rest of the problems are related to gulp,
and according to the team
"None of these warnings pose any real risk
to you as a user of gulp, so you can ignore them."
gulpjs/gulp#2201
@igsekor igsekor mentioned this issue Apr 5, 2022
Merged
@ebrandin ebrandin mentioned this issue Sep 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yocontra @phated @silverskyvicto