NPM security warnings #35

Closed
AgentGoldPaw opened this issue Jun 25, 2018 · 1 comment

@AgentGoldPaw

I am currently using this module and noticed that I am getting so many errors that the maximum call stack size exceeded.


                      === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   shipit

  Path            shipit > grunt > findup-sync > glob > minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   shipit

  Path            shipit > grunt > glob > minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Regular Expression Denial of Service

  Package         minimatch

  Patched in      >=3.0.2

  Dependency of   shipit

  Path            shipit > grunt > minimatch

  More info       https://nodesecurity.io/advisories/118


  High            Denial-of-Service Memory Exhaustion

  Package         qs

  Patched in      >= 1.x

  Dependency of   shipit

  Path            shipit > request > qs

  More info       https://nodesecurity.io/advisories/29


  High            Denial-of-Service Extended Event Loop Blocking

  Package         qs

  Patched in      >= 1.x

  Dependency of   shipit

  Path            shipit > request > qs

  More info       https://nodesecurity.io/advisories/28


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   dynogels

  Path            dynogels > lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt > findup-sync > lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt > grunt-legacy-log > grunt-legacy-log-utils >
                  lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt > grunt-legacy-log > lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt-contrib-coffee > lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt > grunt-legacy-util > lodash

  More info       https://nodesecurity.io/advisories/577


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   shipit

  Path            shipit > grunt > lodash

  More info       https://nodesecurity.io/advisories/577


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   shipit

  Path            shipit > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   shipit

  Path            shipit > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   shipit

  Path            shipit > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   shipit

  Path            shipit > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566


  Low             Regular Expression Denial of Service

  Package         moment

  Patched in      >=2.19.3

  Dependency of   stringbuilder

  Path            stringbuilder > moment

  More info       https://nodesecurity.io/advisories/532


  Moderate        Regular Expression Denial of Service

  Package         moment

  Patched in      >=2.11.2

  Dependency of   stringbuilder

  Path            stringbuilder > moment

  More info       https://nodesecurity.io/advisories/55


  Moderate        Remote Memory Exposure

  Package         request

  Patched in      >=2.68.0

  Dependency of   shipit

  Path            shipit > request

  More info       https://nodesecurity.io/advisories/309


  Moderate        Regular Expression Denial of Service

  Package         mime

  Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3

  Dependency of   shipit

  Path            shipit > request > form-data > mime

  More info       https://nodesecurity.io/advisories/535


  Moderate        Regular Expression Denial of Service

  Package         mime

  Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3

  Dependency of   shipit

  Path            shipit > request > mime

  More info       https://nodesecurity.io/advisories/535


  High            Denial of Service

  Package         https-proxy-agent

  Patched in      >=2.2.0

  Dependency of   serverless [dev]

  Path            serverless > https-proxy-agent

  More info       https://nodesecurity.io/advisories/593


  Moderate        Memory Exposure

  Package         tunnel-agent

  Patched in      >=0.6.0

  Dependency of   shipit

  Path            shipit > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598


  Moderate        Regular Expression Denial of Service

  Package         hawk

  Patched in      >=3.1.3 < 4.0.0 || >=4.1.1

  Dependency of   shipit

  Path            shipit > request > hawk

  More info       https://nodesecurity.io/advisories/77

found 24 vulnerabilities (8 low, 10 moderate, 6 high) in 30338 scanned packages
@sailrish
Owner

Most of these have now been fixed.
