
Fix npm audit errors #3169

Merged
merged 5 commits into from Feb 11, 2022

Conversation

magicznyleszek
Member

@magicznyleszek magicznyleszek commented Apr 29, 2021

Description

We had these errors in npm audit:

elliptic  <6.5.4
Severity: moderate
Use of a Broken or Risky Cryptographic Algorithm - https://npmjs.com/advisories/1648
fix available via `npm audit fix`
node_modules/elliptic

ini  <1.3.6
Prototype Pollution - https://npmjs.com/advisories/1589
fix available via `npm audit fix`
node_modules/ini

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via `npm audit fix --force`
Will install mocha-chrome@1.1.0, which is a breaking change
node_modules/chrome-launcher/node_modules/minimist
node_modules/optimist/node_modules/minimist
node_modules/static-module/node_modules/minimist
node_modules/togeojson/node_modules/minimist
node_modules/wellknown/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/chrome-launcher/node_modules/mkdirp
    chrome-launcher  0.2.1 - 0.13.0
    Depends on vulnerable versions of mkdirp
    node_modules/chrome-launcher
      mocha-chrome  >=0.1.0
      Depends on vulnerable versions of chrome-launcher
      Depends on vulnerable versions of meow
      node_modules/mocha-chrome
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    coffeelint  >=1.5.0
    Depends on vulnerable versions of optimist
    node_modules/coffeelint
      less-terrible-coffeelint-loader  *
      Depends on vulnerable versions of coffeelint
      node_modules/less-terrible-coffeelint-loader
    csv2geojson  >=3.8.0
    Depends on vulnerable versions of optimist
    node_modules/csv2geojson
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/static-module/node_modules/quote-stream
  togeojson  >=0.4.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/togeojson
    @mapbox/leaflet-omnivore  *
    Depends on vulnerable versions of togeojson
    node_modules/@mapbox/leaflet-omnivore
  wellknown  0.1.0 - 0.4.2
  Depends on vulnerable versions of minimist
  node_modules/wellknown

node-fetch  <=2.6.0 || 3.0.0-beta.1 - 3.0.0-beta.8
Denial of Service - https://npmjs.com/advisories/1556
fix available via `npm audit fix`
node_modules/node-fetch
  isomorphic-fetch  2.0.0 - 2.2.1
  Depends on vulnerable versions of node-fetch
  node_modules/isomorphic-fetch
    fbjs  0.7.0 - 1.0.0
    Depends on vulnerable versions of isomorphic-fetch
    node_modules/fbjs
      create-react-class  15.5.0 - 15.6.3
      Depends on vulnerable versions of fbjs
      node_modules/create-react-class

node-forge  <=0.9.2
Severity: high
Prototype Pollution in node-forge - https://npmjs.com/advisories/1561
fix available via `npm audit fix`
node_modules/node-forge
  selfsigned  1.1.1 - 1.10.7
  Depends on vulnerable versions of node-forge
  node_modules/selfsigned

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix`
node_modules/ssri

static-eval  <=2.0.1
Severity: moderate
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/548
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/758
fix available via `npm audit fix`
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    brfs  1.1.0 - 1.4.3
    Depends on vulnerable versions of static-module
    node_modules/brfs

xmldom  <0.5.0
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1650
No fix available
node_modules/xmldom
  svg2ttf  <=5.1.0
  Depends on vulnerable versions of xmldom
  node_modules/svg2ttf
    webfonts-generator  *
    Depends on vulnerable versions of svg2ttf
    node_modules/webfonts-generator
  togeojson  >=0.4.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/togeojson
    @mapbox/leaflet-omnivore  *
    Depends on vulnerable versions of togeojson
    node_modules/@mapbox/leaflet-omnivore

y18n  <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via `npm audit fix`
node_modules/y18n

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install mocha-chrome@1.1.0, which is a breaking change
node_modules/meow/node_modules/yargs-parser
  meow  5.0.0 - 6.0.1
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    mocha-chrome  >=0.1.0
    Depends on vulnerable versions of chrome-launcher
    Depends on vulnerable versions of meow
    node_modules/mocha-chrome

30 vulnerabilities (22 low, 5 moderate, 3 high)

Now, after `npm audit fix` (the non-breaking way), we have these:

minimist  <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
No fix available
node_modules/chrome-launcher/node_modules/minimist
node_modules/optimist/node_modules/minimist
node_modules/static-module/node_modules/minimist
node_modules/togeojson/node_modules/minimist
node_modules/wellknown/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/chrome-launcher/node_modules/mkdirp
    chrome-launcher  0.2.1 - 0.13.0
    Depends on vulnerable versions of mkdirp
    node_modules/chrome-launcher
      mocha-chrome  >=0.1.0
      Depends on vulnerable versions of chrome-launcher
      Depends on vulnerable versions of meow
      node_modules/mocha-chrome
  optimist  >=0.6.0
  Depends on vulnerable versions of minimist
  node_modules/optimist
    coffeelint  >=1.5.0
    Depends on vulnerable versions of optimist
    node_modules/coffeelint
      less-terrible-coffeelint-loader  *
      Depends on vulnerable versions of coffeelint
      node_modules/less-terrible-coffeelint-loader
    csv2geojson  >=3.8.0
    Depends on vulnerable versions of optimist
    node_modules/csv2geojson
  quote-stream  <=1.0.0
  Depends on vulnerable versions of minimist
  node_modules/static-module/node_modules/quote-stream
  togeojson  >=0.4.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/togeojson
    @mapbox/leaflet-omnivore  *
    Depends on vulnerable versions of togeojson
    node_modules/@mapbox/leaflet-omnivore
  wellknown  0.1.0 - 0.4.2
  Depends on vulnerable versions of minimist
  node_modules/wellknown

static-eval  <=2.0.1
Severity: moderate
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/548
Sandbox Breakout / Arbitrary Code Execution - https://npmjs.com/advisories/758
fix available via `npm audit fix`
node_modules/static-eval
  static-module  <=1.5.0
  Depends on vulnerable versions of static-eval
  node_modules/static-module
    brfs  1.1.0 - 1.4.3
    Depends on vulnerable versions of static-module
    node_modules/brfs

xmldom  <0.5.0
Misinterpretation of malicious XML input - https://npmjs.com/advisories/1650
No fix available
node_modules/xmldom
  svg2ttf  <=5.1.0
  Depends on vulnerable versions of xmldom
  node_modules/svg2ttf
    webfonts-generator  *
    Depends on vulnerable versions of svg2ttf
    node_modules/webfonts-generator
  togeojson  >=0.4.0
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of xmldom
  node_modules/togeojson
    @mapbox/leaflet-omnivore  *
    Depends on vulnerable versions of togeojson
    node_modules/@mapbox/leaflet-omnivore

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install mocha-chrome@1.1.0, which is a breaking change
node_modules/meow/node_modules/yargs-parser
  meow  5.0.0 - 6.0.1
  Depends on vulnerable versions of yargs-parser
  node_modules/meow
    mocha-chrome  >=0.1.0
    Depends on vulnerable versions of chrome-launcher
    Depends on vulnerable versions of meow
    node_modules/mocha-chrome

20 vulnerabilities (17 low, 3 moderate)

Note that no "high" ones are left, including the vulnerability from y18n.

Fixes #3167

@magicznyleszek magicznyleszek requested a review from jnm April 29, 2021 23:27
@magicznyleszek magicznyleszek changed the base branch from master to beta April 29, 2021 23:33
@magicznyleszek
Member Author

After 10 months, we jumped to 57 vulnerabilities (50 moderate, 7 high) (after applying audit).

@magicznyleszek
Member Author

I'm going to merge this - we are not updating dependencies often enough to avoid high vulnerabilities, but it will include a config for dependency check 👍
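The audit listing in the description and the "config for dependency check" mentioned in the merge comment both come down to one triage rule: count findings by severity, separate what `npm audit fix` can fix from what needs `--force` or has no fix at all, and refuse to ship with highs. As an added example that is not code from this PR or the project, the Node script below applies that rule to an `npm audit --json` report; the report shape (`vulnerabilities`, `severity`, `fixAvailable`) is assumed from npm 7's v2 audit format, and the sample report is constructed from the advisories quoted above.

```javascript
// Added example (not code from this PR or project): triage an `npm audit --json`
// report the way the PR description does by hand, then gate CI on a severity policy.
const SEVERITY_ORDER = ["info", "low", "moderate", "high", "critical"];

// Constructed sample in the shape of an npm 7 "auditReportVersion: 2" report (the
// field names are an assumption); advisory ids and ranges come from the PR text.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    y18n: {
      name: "y18n", severity: "high",
      via: [{ source: 1654, title: "Prototype Pollution", range: "<3.2.2||=4.0.0||>=5.0.0 <5.0.5" }],
      nodes: ["node_modules/y18n"],
      fixAvailable: true,                      // plain `npm audit fix`
    },
    xmldom: {
      name: "xmldom", severity: "low",
      via: [{ source: 1650, title: "Misinterpretation of malicious XML input", range: "<0.5.0" }],
      nodes: ["node_modules/xmldom"],
      fixAvailable: false,                     // "No fix available"
    },
    minimist: {
      name: "minimist", severity: "low",
      via: [{ source: 1179, title: "Prototype Pollution", range: "<0.2.1 || >=1.0.0 <1.2.3" }],
      nodes: ["node_modules/optimist/node_modules/minimist"],
      // "fix available via `npm audit fix --force`": a semver-major bump of a dependant
      fixAvailable: { name: "mocha-chrome", version: "1.1.0", isSemVerMajor: true },
    },
  },
};

// Count findings per severity and separate the ones that need a breaking change
// (`--force`) from the ones with no fix at all, which need a manual decision.
function summarizeAudit(report) {
  const counts = Object.fromEntries(SEVERITY_ORDER.map((s) => [s, 0]));
  const breaking = [], unfixable = [];
  for (const v of Object.values(report.vulnerabilities || {})) {
    counts[v.severity] = (counts[v.severity] || 0) + 1;
    if (v.fixAvailable === false) unfixable.push(v.name);
    else if (v.fixAvailable && v.fixAvailable.isSemVerMajor) breaking.push(v.name);
  }
  return { counts, breaking, unfixable };
}

// CI gate: true when any finding is more severe than `maxAllowed`.
function exceedsPolicy(summary, maxAllowed) {
  const limit = SEVERITY_ORDER.indexOf(maxAllowed);
  return SEVERITY_ORDER.slice(limit + 1).some((s) => summary.counts[s] > 0);
}

console.log(JSON.stringify(summarizeAudit(SAMPLE_REPORT)));
```

In a pipeline, pipe `npm audit --json` into `summarizeAudit` and fail the job when `exceedsPolicy(summary, "moderate")` is true; the `unfixable` list is the set that needs a tracked exception rather than a retry of `npm audit fix`.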

@magicznyleszek magicznyleszek merged commit 3f7cf15 into beta Feb 11, 2022
@magicznyleszek magicznyleszek deleted the fix-npm-audit-errors branch February 11, 2022 12:58