Npm audit reported 2 high vulnerabilities

[dcuenot]

Hello,

When I run a npm audit I get 2 hight vulnerabilities and 2 low

High
│ High │ Regular Expression Denial of Service
│ Package │ minimatch
│ Patched in │ >=3.0.2
│ Dependency of │ htmlhint [dev]
│ Path │ htmlhint > jshint > cli > glob > minimatch
│ More info │ https://nodesecurity.io/advisories/118

│ High │ Regular Expression Denial of Service
│ Package │ minimatch
│ Patched in │ >=3.0.2
│ Dependency of │ htmlhint [dev]
│ Path │ htmlhint > jshint > minimatch
│ More info │ https://nodesecurity.io/advisories/118

Low
│ Low │ Prototype Pollution
│ Package │ lodash
│ Patched in │ >=4.17.5
│ Dependency of │ htmlhint [dev]
│ Path │ htmlhint > jshint > lodash
│ More info │ https://nodesecurity.io/advisories/577

│ Low │ Arbitrary File Write
│ Package │ cli
│ Patched in │ >=1.0.0
│ Dependency of │ htmlhint [dev]
│ Path │ htmlhint > jshint > cli
│ More info │ https://nodesecurity.io/advisories/95

Did you plan to fix them?

[ErikHellman]

There is a PR ready to be merged for this (#246). Any chance we could have this fixed soon?

Thanks!

[ErikHellman]

Ping @yaniswang

[thedaviddias]

Hi @ErikHellman, yes it'll be merged pretty soon!

[Shinigami92]

If we have updated all dependencies to their latest versions, many vulnerabilities will be fixed
but maybe we will have some drastic changes then
Luckily, I have planned to convert the code to ES6+ as well

I get this output when I do a fresh installation:

$ npm install
npm WARN deprecated coffee-script@1.3.3: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated jade@0.26.3: Jade has been renamed to pug, please install the latest version of pug instead of jade
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated tough-cookie@2.2.2: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated graceful-fs@1.1.14: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated graceful-fs@2.0.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.4.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN marked-terminal@3.0.0 requires a peer of marked@^0.4.0 but none is installed. You must install peer dependencies yourself.

added 1039 packages from 1303 contributors and audited 7210 packages in 135.936s
found 34 vulnerabilities (9 low, 11 moderate, 13 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

[thedaviddias]

All security issues were fixed in a previous merge (on develop) and will be deployed on the master branch in the next 3 days.