npm@6.x.x npm audit security report #162
@EvanHunt thanks for the review, but this looks like something that needs to be fixed in tunnel agent and caw first. See: kevva/caw#22. |
@tcoopman kevva/caw#22 |
@slaby93 this is not a direct dependency of this package so not something I can fix. |
Could you shrinkwrap and pin caw to the latest commit hash in my branch of it? (Referenced in this issue: kevva/caw#22) Or if you feel more comfortable, fork my fork and pin that? I've had a PR out for a minute now and it doesn't seem to be going anywhere. |
Just so people have it for reference, here's the root cause: request/tunnel-agent#41. It seems the fix was already made 🎉 but the release hasn't been pushed to npm 😞. |
Looks like it's down to 2 (still stemming from

found 2 moderate severity vulnerabilities ...
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ image-webpack-loader [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ image-webpack-loader > imagemin-webp > cwebp-bin > bin-build │
│               │ > download > caw > tunnel-agent                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ image-webpack-loader [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ image-webpack-loader > imagemin-webp > cwebp-bin >           │
│               │ bin-wrapper > download > caw > tunnel-agent                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I guess some of the other dependencies were able to factor out |
you can use my fork with all fixes: https://github.com/seiya-npm/tunnel-agent |
This would clean our |
Thanks @JohannesLamberts , I've opened PR #174 which resolves all warnings. @tcoopman do you have any time to check it? |
I looked at package-lock.json for image-webpack-loader, and there were several plug-in packages that relied on tunnel-agent versions < 6.0.0.
I'll prompt you when I execute the compile command
in the package-lock.json
manually upgrading related packages yourself will cause more npm audit prompts
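The comments above describe reading package-lock.json by hand to find which plug-ins still pull in an old tunnel-agent. The script below is an added example, not code from image-webpack-loader, npm or anyone in this thread: it walks an npm 6 lockfile (lockfileVersion 1) the way Node resolves modules, following each package's `requires` and looking up the required name in the nearest nested `dependencies` map before falling back to the hoisted root, and prints every logical path from a direct dependency to an installed copy of a target package below the patched version. That reproduces the "Path" column of `npm audit` and explains why the nesting in the lockfile is not the same as the dependency path. The lockfile and package.json are constructed for the example (names mirror the thread, versions are made up), and the version comparison is a simplified MAJOR.MINOR.PATCH check, not a full semver implementation.

```javascript
// Added example: find npm-audit style paths to a vulnerable transitive
// dependency in an npm 6 (lockfileVersion 1) package-lock.json.
'use strict';

// Constructed sample lockfile. The hoisted tunnel-agent 0.4.3 is the copy
// caw resolves to; request gets its own nested 0.6.0 because ^0.6.0 is not
// satisfied by the hoisted copy.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'image-webpack-loader': { version: '4.3.1', dev: true, requires: { 'imagemin-webp': '^4.0.0' } },
    'imagemin-webp': { version: '4.1.0', dev: true, requires: { 'cwebp-bin': '^4.0.0' } },
    'cwebp-bin': { version: '4.0.0', dev: true, requires: { 'bin-build': '^2.2.0', 'bin-wrapper': '^3.0.2' } },
    'bin-build': { version: '2.2.0', dev: true, requires: { download: '^6.2.2' } },
    'bin-wrapper': { version: '3.0.2', dev: true, requires: { download: '^6.2.2' } },
    download: { version: '6.2.5', dev: true, requires: { caw: '^2.0.0' } },
    caw: { version: '2.0.1', dev: true, requires: { 'tunnel-agent': '^0.4.0' } },
    'tunnel-agent': { version: '0.4.3', dev: true },
    request: {
      version: '2.88.0',
      requires: { 'tunnel-agent': '^0.6.0' },
      dependencies: { 'tunnel-agent': { version: '0.6.0' } },
    },
  },
};

// Constructed package.json: npm audit starts its paths at direct dependencies.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { request: '^2.88.0' },
  devDependencies: { 'image-webpack-loader': '^4.3.1' },
};

// Simplified "a < b" on MAJOR.MINOR.PATCH; pre-release tags are ignored.
// Assumption: sufficient for lockfile versions, not a full semver compare.
function versionLessThan(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolve `name` from a package whose enclosing `dependencies` maps are
// `scopes` (root first, innermost last): innermost match wins, like node_modules.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const scope = scopes[i];
    if (scope && Object.prototype.hasOwnProperty.call(scope, name)) return scope[name];
  }
  return null;
}

// Return every logical path (array of package names) from a direct dependency
// to an installed copy of `target` whose version is below `patched`.
function findVulnerablePaths(lock, pkg, target, patched) {
  const root = lock.dependencies || {};
  const direct = Object.keys(Object.assign({}, pkg.dependencies || {}, pkg.devDependencies || {}));
  const hits = [];

  function walk(name, node, scopes, path, seen) {
    if (node == null || seen.has(node)) return; // missing entry or cycle
    const nextPath = path.concat(name);
    const nextScopes = scopes.concat(node.dependencies || null);
    if (name === target && versionLessThan(node.version, patched)) hits.push(nextPath);
    const nextSeen = new Set(seen);
    nextSeen.add(node);
    for (const dep of Object.keys(node.requires || {})) {
      walk(dep, resolve(dep, nextScopes), nextScopes, nextPath, nextSeen);
    }
  }

  for (const name of direct) walk(name, root[name], [root], [], new Set());
  return hits;
}

for (const p of findVulnerablePaths(SAMPLE_LOCK, SAMPLE_PACKAGE_JSON, 'tunnel-agent', '0.6.0')) {
  console.log(p.join(' > '));
}
```

Run against the sample, the two paths printed are the bin-build and bin-wrapper chains from the audit report above; the `request > tunnel-agent` edge resolves to the nested 0.6.0 copy and is correctly not reported. To use it on a real project, replace the two constants with `JSON.parse(fs.readFileSync('package-lock.json'))` and the project's package.json; after an override or a pinned fork, rerun it to confirm no path still reaches the old version.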