Given we are delivering the pre-compiled binary via npm install, is it possible to remove node-gyp (and maybe others) from the dependencies section?
This surfaced because of a vulnerability warning in the latest version of npm. Recreate the issue...
First upgrade npm if you're not on the latest version:
┌─[aaron @ KT4001]─[~]
└─[$]› npm i -g npm
/QOpenSys/pkgs/lib/nodejs8/bin/npx -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npx-cli.js
/QOpenSys/pkgs/lib/nodejs8/bin/npm -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npm-cli.js
+ npm@6.3.0
added 283 packages, removed 363 packages and updated 41 packages in 315.849s
╭─────────────────────────────────────╮
│ │
│ Update available 5.6.0 → 6.3.0 │
│ Run npm i -g npm to update │
│ │
╰─────────────────────────────────────╯
┌─[aaron @ KT4001]─[~]
└─[$]› npm -v
6.3.0
Create a project to test. The npm audit command requires a package.json file.
$]› mkdir idb-connector-audit
┌─[aaron @ KT4001]─[~/git]
└─[$]› cd idb-connector-audit/
┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm -y init
Wrote to /home/aaron/git/idb-connector-audit/package.json:
{
"name": "idb-connector-audit",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
Do an install to see warnings.
┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm install idb-connector
> idb-connector@1.1.1 install /home/aaron/git/idb-connector-audit/node_modules/idb-connector
> node-pre-gyp install --fallback-to-build
node-pre-gyp WARN Using request for node-pre-gyp https download
[idb-connector] Success: "/home/aaron/git/idb-connector-audit/node_modules/idb-connector/lib/binding/Release/node-v57-ibmi-ppc64/db2ia.node" is installed via remote
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN idb-connector-audit@1.0.0 No description
npm WARN idb-connector-audit@1.0.0 No repository field.
+ idb-connector@1.1.1
added 173 packages from 109 contributors and audited 287 packages in 118.04s
found 4 moderate severity vulnerabilities
run `npm audit fix` to fix them, or `npm audit` for details
Run npm audit as recommended.
┌─[aaron @ KT4001]─[~/git/idb-connector-audit]
└─[$]› npm audit
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of idb-connector
Path idb-connector > node-gyp > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
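An added example, not from the issue or the idb-connector project: a small Node script that triages an `npm audit --json` report offline and marks findings whose only path runs through a build-time package such as node-gyp (the case in the advisory above). The sample report is constructed to mirror that advisory and is not captured output; the field names follow the npm 6 JSON format as I know it, `BUILD_ONLY` is an assumed list, and `satisfies` is a minimal comparator-range checker rather than the semver package.

```javascript
// Added example (not from the issue or the idb-connector project): triage an
// `npm audit --json` report offline. Field names follow the npm 6 JSON format
// (advisories keyed by id, each with findings[].paths joined by ">").
// The report below is CONSTRUCTED to mirror the advisory quoted in the issue;
// it is not captured output.
const sampleAudit = {
  advisories: {
    "566": {
      id: 566,
      module_name: "hoek",
      severity: "moderate",
      title: "Prototype pollution",
      url: "https://nodesecurity.io/advisories/566",
      patched_versions: ">4.2.0 <5.0.0 || >=5.0.3",
      findings: [
        { version: "4.2.0", paths: ["idb-connector>node-gyp>request>hawk>boom>hoek"] },
      ],
    },
  },
};

// Assumption: these packages are only needed while compiling a native addon.
// A finding reachable solely through one of them is not loaded at runtime,
// but it is still installed for every consumer as long as it sits in
// "dependencies" rather than "devDependencies".
const BUILD_ONLY = new Set(["node-gyp", "node-pre-gyp"]);

function cmpVersion(a, b) {
  // Compare two x.y.z version strings numerically (no pre-release handling).
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function satisfies(version, range) {
  // Minimal range check for the comparator form npm audit emits: groups
  // separated by "||" are OR-ed, comparators within a group are AND-ed.
  // Not the semver package: ^, ~ and x-ranges are rejected.
  return range.split("||").some((group) =>
    group.trim().split(/\s+/).every((cmp) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(cmp);
      if (!m) throw new Error(`unsupported comparator: ${cmp}`);
      const d = cmpVersion(version, m[2]);
      switch (m[1] || "=") {
        case ">": return d > 0;
        case ">=": return d >= 0;
        case "<": return d < 0;
        case "<=": return d <= 0;
        default: return d === 0;
      }
    })
  );
}

function triage(audit, buildOnly = BUILD_ONLY) {
  // One row per (advisory, installed version, dependency path).
  const rows = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split(">");
        const via = chain.find((pkg) => buildOnly.has(pkg)) || null;
        rows.push({
          id: adv.id,
          module: adv.module_name,
          version: finding.version,
          severity: adv.severity,
          title: adv.title,
          top: chain[0],          // direct dependency that pulls the vulnerable package in
          via,                    // build-only package on the path, if any
          buildOnly: via !== null,
          alreadyPatched: satisfies(finding.version, adv.patched_versions),
          patchedVersions: adv.patched_versions,
        });
      }
    }
  }
  return rows;
}

function report(rows) {
  // Human-readable summary, returned as lines so the result can be checked.
  return rows.map((r) => {
    const exposure = r.buildOnly
      ? `build-time only (via ${r.via}); move ${r.via} to devDependencies or drop it`
      : "reachable at runtime; needs an upgrade";
    return `${r.severity} ${r.module}@${r.version} [${r.id}] ${r.title}: ${exposure}; patched in ${r.patchedVersions}`;
  });
}

for (const line of report(triage(sampleAudit))) console.log(line);
```

Run it with `node` on a saved `npm audit --json` file by swapping `sampleAudit` for `JSON.parse(require("fs").readFileSync(file))`. The build-only flag tells you the vulnerable module is not loaded by the shipped binding; it does not make the warning go away for consumers, because node-gyp in `dependencies` is still installed on every `npm install`, which is exactly why the issue asks for it to be removed or moved.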
Original report by Aaron Bartell (Bitbucket: aaronbartell, GitHub: aaronbartell).