This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

npm@6.x.x npm audit security report #162

Closed
gaofant101 opened this issue Jul 16, 2018 · 9 comments · Fixed by #174

Comments

@gaofant101

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ image-webpack-loader [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ image-webpack-loader > imagemin-gifsicle > gifsicle >        │
│               │ bin-build > download > caw > tunnel-agent                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I looked at package-lock.json for image-webpack-loader, and there were several plug-in packages that relied on tunnel-agent versions < 6.0.0.
I'll prompt you when I execute the compile command

found 9 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

in the package-lock.json

https://github.com/tcoopman/image-webpack-loader/blob/master/package-lock.json#L1268

https://github.com/tcoopman/image-webpack-loader/blob/master/package-lock.json#L6751

Manually upgrading the related packages yourself will cause more npm audit prompts.
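As an added example (not code from this issue or from the image-webpack-loader project), a small Node script that does the tracing the comment above did by hand: it walks a lockfileVersion-1 package-lock.json using npm's nesting rules and lists every path that reaches tunnel-agent below the patched 0.6.0. The lockfile contents and the intermediate package versions are constructed for the example.

```javascript
// Walks a lockfileVersion-1 package-lock.json and reports every dependency path
// reaching the named package below its patched version (npm audit's "Path" rows).
const lock = {                       // constructed lockfile for this example
  lockfileVersion: 1,
  dependencies: {
    'image-webpack-loader': { version: '4.3.1', dev: true,
      requires: { 'imagemin-gifsicle': '^5.0.0', 'imagemin-webp': '^4.0.0' } },
    'imagemin-gifsicle': { version: '5.2.0', dev: true, requires: { gifsicle: '^3.0.0' } },
    gifsicle: { version: '3.0.4', dev: true, requires: { 'bin-build': '^2.2.0' } },
    'imagemin-webp': { version: '4.1.0', dev: true, requires: { 'cwebp-bin': '^4.0.0' } },
    'cwebp-bin': { version: '4.0.0', dev: true, requires: { 'bin-build': '^2.2.0' } },
    'bin-build': { version: '2.2.0', dev: true, requires: { download: '^6.2.2' } },
    download: { version: '6.2.5', dev: true, requires: { caw: '^2.0.0' } },
    // caw pins an old tunnel-agent, so npm nests a private copy even though the hoisted copy is patched.
    caw: { version: '2.0.1', dev: true, requires: { 'tunnel-agent': '^0.4.0' },
      dependencies: { 'tunnel-agent': { version: '0.4.3', dev: true } } },
    'tunnel-agent': { version: '0.6.0', dev: true },
  },
};

// Numeric compare of dotted versions; prerelease tags are deliberately ignored.
function lessThan(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// npm v1 resolution order: nearest ancestor's nested `dependencies`, then root.
function resolve(lockfile, name, ancestors) {
  for (let i = ancestors.length - 1; i >= 0; i--) {
    const nested = ancestors[i].dependencies;
    if (nested && nested[name]) return nested[name];
  }
  return lockfile.dependencies[name];
}
// Returns "a > b > pkg@version" for each vulnerable path from package.json's direct deps (not recorded in lock v1).
function findVulnerablePaths(lockfile, pkg, patched, directDeps) {
  const hits = [];
  const walk = (name, node, path, ancestors) => {
    if (name === pkg && lessThan(node.version, patched)) hits.push(`${path.join(' > ')}@${node.version}`);
    if (name === pkg) return;
    for (const dep of Object.keys(node.requires || {})) {
      if (path.includes(dep)) continue; // guard against dependency cycles
      const child = resolve(lockfile, dep, ancestors.concat(node));
      if (child) walk(dep, child, path.concat(dep), ancestors.concat(node));
    }
  };
  for (const name of directDeps) walk(name, resolve(lockfile, name, []), [name], []);
  return hits;
}
```

Run it with `findVulnerablePaths(lock, 'tunnel-agent', '0.6.0', ['image-webpack-loader'])`; once the nested pin under caw is gone (what an upgraded caw or `npm audit fix` produces), the hoisted 0.6.0 copy is the only one resolved and the list is empty.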

@tcoopman
Owner

@EvanHunt thanks for the review, but this looks like something that needs to be fixed in tunnel-agent and caw first. See: kevva/caw#22.

@slaby93

slaby93 commented Sep 12, 2018

@tcoopman kevva/caw#22
Maybe switch to this one? -> https://github.com/koichik/node-tunnel

@tcoopman
Owner

@slaby93 this is not a direct dependency of this package so not something I can fix.

@SalomonSmeke

@tcoopman

Could you shrinkwrap and pin caw to the latest commit hash in my branch of it? (Referenced in this issue: kevva/caw#22)

Or if you feel more comfortable, fork my fork and pin that? I've had a PR out for a minute now and it doesn't seem to be going anywhere.

@skipjack

skipjack commented Nov 9, 2018

Just so people have it for reference, here's the root cause: request/tunnel-agent#41. It seems the fix was already made 🎉 but the release hasn't been pushed to npm 😞.

@skipjack

Looks like it's down to 2 (still stemming from caw > tunnel-agent):

found 2 moderate severity vulnerabilities ...
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ image-webpack-loader [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ image-webpack-loader > imagemin-webp > cwebp-bin > bin-build │
│               │ > download > caw > tunnel-agent                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.6.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ image-webpack-loader [dev]                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ image-webpack-loader > imagemin-webp > cwebp-bin >           │
│               │ bin-wrapper > download > caw > tunnel-agent                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I guess some of the other dependencies were able to factor out caw / tunnel-agent. Maybe imagemin-webp will too 🙏.

@seiya-git

you can use my fork with all fixes: https://github.com/seiya-npm/tunnel-agent

@JohannesLamberts

cwebp-bin updated dependencies as of imagemin/cwebp-bin#26.

image-webpack-loader will need to update imagemin-webp to ^5.0.0 for this to take effect (the dependency update was introduced as a major version in both cwebp-bin and imagemin-webp).

This would clean our npm audit 👍

@ersel
Contributor

ersel commented Dec 4, 2018

Thanks @JohannesLamberts , I've opened PR #174 which resolves all warnings.

@tcoopman do you have any time to check it?
