
[security] npm audit results #916

Closed
captn3m0 opened this Issue Mar 13, 2019 · 3 comments

captn3m0 commented Mar 13, 2019

I ran an npm audit on the latest master and it returns the following:

```
found 89 vulnerabilities (76 low, 3 moderate, 10 high) in 29458 scanned packages
89 vulnerabilities require semver-major dependency updates.
```

Noting down all moderate and high severity vulnerabilities here:

| package | severity | command to fix | vulnerability | advisory | path |
| --- | --- | --- | --- | --- | --- |
| base64-url | high | `npm install koa-connect@2.0.1` | Out-of-bounds Read | https://npmjs.com/advisories/660 | koa-connect>connect>express-session>uid-safe>base64-url |
| fresh | high | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/526 | koa-connect>connect>fresh |
| fresh | high | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/526 | koa-connect>connect>serve-favicon>fresh |
| fresh | high | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/526 | koa-connect>connect>serve-static>send>fresh |
| minimatch | high | `npm install sequelize-cli@5.4.0` | Regular Expression Denial of Service | https://npmjs.com/advisories/118 | sequelize-cli>gulp>vinyl-fs>glob-stream>glob>minimatch |
| minimatch | high | `npm install sequelize-cli@5.4.0` | Regular Expression Denial of Service | https://npmjs.com/advisories/118 | sequelize-cli>gulp>vinyl-fs>glob-stream>minimatch |
| minimatch | high | `npm install sequelize-cli@5.4.0` | Regular Expression Denial of Service | https://npmjs.com/advisories/118 | sequelize-cli>gulp>vinyl-fs>glob-watcher>gaze>globule>glob>minimatch |
| minimatch | high | `npm install sequelize-cli@5.4.0` | Regular Expression Denial of Service | https://npmjs.com/advisories/118 | sequelize-cli>gulp>vinyl-fs>glob-watcher>gaze>globule>minimatch |
| negotiator | high | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/106 | koa-connect>connect>compression>accepts>negotiator |
| negotiator | high | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/106 | koa-connect>connect>serve-index>accepts>negotiator |
| lodash | moderate | `npm install sequelize-cli@5.4.0` | Prototype Pollution | https://npmjs.com/advisories/782 | sequelize-cli>gulp>vinyl-fs>glob-watcher>gaze>globule>lodash |
| mime | moderate | `npm install koa-connect@2.0.1` | Regular Expression Denial of Service | https://npmjs.com/advisories/535 | koa-connect>connect>serve-static>send>mime |
| morgan | moderate | `npm install koa-connect@2.0.1` | Code Injection | https://npmjs.com/advisories/736 | koa-connect>connect>morgan |
captn3m0 commented Mar 13, 2019

Commit that I ran this on: 7b7ec52

@tommoor tommoor self-assigned this Mar 14, 2019

@tommoor tommoor closed this in a7d49e9 Mar 14, 2019

tommoor commented Mar 14, 2019

Thanks for reporting 👍. It's worth noting that none of these dependencies were used in the production environment.

captn3m0 commented Mar 14, 2019

I did try npm audit with `npm audit --only-prod` and it gave the same results. Perhaps the dependency usage is not marked correctly in `package.json`?
