
npm reports moderate severity vulnerability (via mapillary_sprite_source) #5463

Closed
matkoniecz opened this issue Nov 3, 2018 · 2 comments
Labels
wontfix-not-a-bug Not actually a bug

Comments

@matkoniecz
Contributor

On installation I got recommendation to run npm audit fix or npm audit due to "1 moderate severity vulnerability"

npm audit fix was unable to fix issue automatically and recommended running npm audit to get detailed info.

npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Sandbox Breakout / Arbitrary Code Execution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ static-eval                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ mapillary_sprite_source [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ mapillary_sprite_source > brfs > static-module > static-eval │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/548                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 moderate severity vulnerability in 2335 scanned packages
  1 vulnerability requires manual review. See the full report for details.

@matkoniecz matkoniecz changed the title npm reports moderate severity vulnerability npm reports moderate severity vulnerability (via mapillary_sprite_source) Nov 3, 2018
@bhousel
Member

bhousel commented Nov 3, 2018

Yeah, people don't really like this security audit feature because it highlights stuff like this in the dev dependencies that are not real vulnerabilities.

Even though mapillary is using brfs to assemble the sprites for browserify, the vulnerability can't affect us downstream because we only use the svgs from their repository. iD doesn't actually run brfs anywhere.

The overaggressive warning is reported here: npm/npm#20564 and I think they are working on it, but it's hard to tell since they have switched the project to a new repository.

@bhousel bhousel closed this as completed Nov 3, 2018
@bhousel bhousel added the wontfix-not-a-bug Not actually a bug label Nov 3, 2018
@matkoniecz
Contributor Author

wow, they moved bug reporting to a forum ( https://npm.community/c/bugs )

Well, at least now https://github.com/openstreetmap/iD/issues?utf8=%E2%9C%93&q=npm+audit+ gives some results.
