
Vulnerable dependencies #132

Closed
devlato opened this issue Jun 6, 2018 · 8 comments

@devlato

devlato commented Jun 6, 2018

Hello,

according to the output of the npm audit command, the latest version of favicons-webpack-plugin has the following vulnerabilities:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > merge-defaults > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > cheerio > lodash        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > node-rest-client >      │
│               │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Could you update the dependencies please?
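An added example, not code from favicons-webpack-plugin, merge-defaults or lodash, of the defect class behind the first two advisories above (prototype pollution in a recursive defaults merge): a naive merge of the kind the report says is patched in lodash >=4.17.5, beside a hardened one that skips keys reaching the prototype chain, and a check of whether Object.prototype was modified. Function names and the JSON input are constructed for this illustration.

```javascript
// Naive merge: copies every own key of `src` into `dst`, recursing into plain
// objects. "__proto__" is treated like any other key, so an input parsed from
// JSON such as {"__proto__": {...}} is merged into Object.prototype itself.
function naiveMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      if (dst[key] === undefined) dst[key] = {};
      naiveMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Hardened merge: keys that can reach the prototype chain are skipped, and the
// target slot is only reused when it is an own, plain-object property of `dst`.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const val = src[key];
    if (val !== null && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      safeMerge(dst[key], val);
    } else {
      dst[key] = val;
    }
  }
  return dst;
}

// Runs both merges on a constructed untrusted input (as it would arrive from a
// config file or request body; JSON.parse creates an own "__proto__" key) and
// reports whether a fresh object ends up carrying the injected property, i.e.
// whether Object.prototype was modified. Cleans up so the runs are independent.
function demonstrate() {
  const untrusted = JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
  naiveMerge({}, untrusted);
  const afterNaive = ({}).polluted === true;
  delete Object.prototype.polluted;
  safeMerge({}, untrusted);
  const afterSafe = ({}).polluted === true;
  return { afterNaive, afterSafe };
}
```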

@jamesball27

+1 still receiving these warnings on 0.0.9 @jantimon

@TrevorSayre

This feels abandoned. Is there a fork that stays up to date with security issues?

@zsoltime

zsoltime commented Oct 3, 2018

@TrevorSayre @brunocodutra has an up-to-date fork webapp-webpack-plugin and it seems to be working fine :)

@DanielRuf

@TrevorSayre @brunocodutra has an up-to-date fork webapp-webpack-plugin and it seems to be working fine :)

What is the migration path?

Current status:

✗ Low severity vulnerability found in ms
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:ms:20170412
  Introduced through: favicons-webpack-plugin@0.0.9
  From: favicons-webpack-plugin@0.0.9 > favicons@4.8.6 > node-rest-client@1.8.0 > debug@2.2.0 > ms@0.7.1
  Remediation: 
    Some paths have no direct dependency upgrade that can address this issue. Run `snyk wizard` to explore remediation options.

✗ Low severity vulnerability found in lodash
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/npm:lodash:20180130
  Introduced through: babel-core@6.26.0, babel-register@6.26.0, gulp-svg-sprite@1.3.7, babel-preset-es2015@6.24.1, webpack@2.7.0, gulp-babel@6.1.2, gulp-sass@3.1.0, gulp-uncss@1.0.6, favicons-webpack-plugin@0.0.9
  From: babel-core@6.26.0 > lodash@4.17.4
  From: babel-register@6.26.0 > lodash@4.17.4
  From: babel-core@6.26.0 > babel-template@6.26.0 > lodash@4.17.4
  and 199 more...
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of lodash. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

✗ Low severity vulnerability found in hoek
  Description: Prototype Pollution
  Info: https://snyk.io/vuln/npm:hoek:20180212
  Introduced through: gulp-cli@1.4.0, gulp-uncss@1.0.6, gulp-sass@3.1.0, gulp-svg-sprite@1.3.7, favicons-webpack-plugin@0.0.9
  From: gulp-cli@1.4.0 > wreck@6.3.0 > hoek@2.16.3
  From: gulp-cli@1.4.0 > wreck@6.3.0 > boom@2.10.1 > hoek@2.16.3
  From: gulp-uncss@1.0.6 > uncss@0.14.1 > request@2.69.0 > hawk@3.1.3 > hoek@2.16.3
  and 23 more...
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of hoek. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.


✗ Low severity vulnerability found in debug
  Description: Regular Expression Denial of Service (ReDoS)
  Info: https://snyk.io/vuln/npm:debug:20170905
  Introduced through: favicons-webpack-plugin@0.0.9
  From: favicons-webpack-plugin@0.0.9 > favicons@4.8.6 > node-rest-client@1.8.0 > debug@2.2.0
  Remediation: 
    Some paths have no direct dependency upgrade that can address this issue. Run `snyk wizard` to explore remediation options.

✗ Medium severity vulnerability found in cryptiles
  Description: Insecure Randomness
  Info: https://snyk.io/vuln/npm:cryptiles:20180710
  Introduced through: gulp-sass@3.1.0, gulp-uncss@1.0.6, gulp-svg-sprite@1.3.7, favicons-webpack-plugin@0.0.9
  From: gulp-sass@3.1.0 > node-sass@4.7.2 > request@2.79.0 > hawk@3.1.3 > cryptiles@2.0.5
  From: gulp-uncss@1.0.6 > uncss@0.14.1 > request@2.69.0 > hawk@3.1.3 > cryptiles@2.0.5
  From: gulp-svg-sprite@1.3.7 > svg-sprite@1.3.7 > phantomjs-prebuilt@2.1.16 > request@2.81.0 > hawk@3.1.3 > cryptiles@2.0.5
  and 3 more...
  Remediation:
    Your dependencies are out of date, otherwise you would be using a newer version of cryptiles. 
    Try deleting node_modules, reinstalling and running `snyk test` again. If the problem persists, one of your dependencies may be bundling outdated modules.

@TrevorSayre

@DanielRuf The migration is super simple.

npm uninstall favicons-webpack-plugin
npm install --save-dev webapp-webpack-plugin

then in your webpack.config.js

remove:

const FaviconsWebpackPlugin = require('favicons-webpack-plugin');

replace with:

const WebappWebpackPlugin = require('webapp-webpack-plugin');

find FaviconsWebpackPlugin and replace with WebappWebpackPlugin

@DanielRuf

Was just curious about the APIs. I guess there are some more small differences.

@gyto

gyto commented Jun 28, 2019

Is favicons-webpack-plugin getting an update for its dependencies?

@jantimon
Owner

Done in #157.

Can you please take a look?
