New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm audit: 4 vulnerabilities found in verdaccio dependencies #691

Closed
todojs opened this Issue May 13, 2018 · 7 comments

Comments

Projects
None yet
3 participants
@todojs

todojs commented May 13, 2018

If you run the npm audit over verdaccio, this is the result:

=== npm audit security report ===
Run npm update lodash --depth 3 to resolve 1 vulnerability
 Low : Prototype Pollution 
 Package : lodash 
 Dependency of : verdaccio 
 Path : verdaccio > async > lodash 
 More info : https://nodesecurity.io/advisories/577 


 Manual Review 
 Some vulnerabilities require your attention to resolve 
 Visit https://go.npm.me/audit-guide for additional guidance 

 Moderate : Prototype pollution 
 Package : hoek 
 Patched in : > 4.2.0 < 5.0.0 >= 5.0.3 
 Dependency of: verdaccio 
 Path : verdaccio > jsonwebtoken > joi > hoek 
 More info : https://nodesecurity.io/advisories/566 

 Moderate : Prototype pollution 
 Package : hoek 
 Patched in : > 4.2.0 < 5.0.0 >= 5.0.3 
 Dependency of: verdaccio 
 Path : verdaccio > jsonwebtoken > joi > topo > hoek 
 More info : https://nodesecurity.io/advisories/566 

 Low : Prototype Pollution 
 Package : lodash 
 Patched in : >=4.17.5 
 Dependency of: verdaccio 
 Path : verdaccio > lodash 
 More info : https://nodesecurity.io/advisories/577 

[!] 4 vulnerabilities found - Packages audited: 360 (0 dev, 49 optional)
 Severity: 2 Low: 2 Moderate
@juanpicado

This comment has been minimized.

Member

juanpicado commented May 13, 2018

@juanpicado

This comment has been minimized.

Member

juanpicado commented May 13, 2018

Refers to caolan/async#1532

@juanpicado juanpicado added the WIP label May 13, 2018

@juanpicado

This comment has been minimized.

Member

juanpicado commented May 13, 2018

@todojs

This comment has been minimized.

todojs commented May 13, 2018

Aditional info, this is the report over master (v3 beta):

                       === npm audit security report ===

# Run  npm install --dev jest@22.4.3  to resolve 4 vulnerabilities

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-haste-map > sane > fsevents >
                  node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612


  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runner > jest-haste-map > sane >
                  fsevents > node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runner > jest-runtime >
                  jest-haste-map > sane > fsevents > node-pre-gyp > rc >
                  deep-extend
  More info       https://nodesecurity.io/advisories/612


  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   jest [dev]
  Path            jest > jest-cli > jest-runtime > jest-haste-map > sane >
                  fsevents > node-pre-gyp > rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

# Run  npm install --dev webpack@4.8.3  to resolve 1 vulnerability

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   webpack [dev]
  Path            webpack > watchpack > chokidar > fsevents > node-pre-gyp >
                  rc > deep-extend
  More info       https://nodesecurity.io/advisories/612

# Run  npm install --dev webpack-dev-server@3.1.4  to resolve 1 vulnerability

  Low             Prototype Pollution
  Package         deep-extend
  Dependency of   webpack-dev-server [dev]
  Path            webpack-dev-server > chokidar > fsevents > node-pre-gyp > rc
                  > deep-extend
  More info       https://nodesecurity.io/advisories/612


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   codecov [dev]
  Path            codecov > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   node-sass [dev]
  Path            node-sass > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure
  Package         tunnel-agent
  Patched in      >=0.6.0
  Dependency of   node-sass [dev]
  Path            node-sass > request > tunnel-agent
  More info       https://nodesecurity.io/advisories/598

  Low             Prototype Pollution
  Package         deep-extend
  Patched in      >=0.5.1
  Dependency of   babel-cli [dev]
  Path            babel-cli > chokidar > fsevents > node-pre-gyp > rc >
                  deep-extend
  More info       https://nodesecurity.io/advisories/612

[!] 16 vulnerabilities found - Packages audited: 47670 (47297 dev, 934 optional)
    Severity: 7 Low | 9 Moderate
```

juanpicado added a commit that referenced this issue May 13, 2018

@todojs

This comment has been minimized.

todojs commented May 13, 2018

@juanpicado Good Work. Master with the new commit and only with production dependencies result:

                       === npm audit security report ===

[+] no known vulnerabilities found
    Packages audited: 373 (0 dev, 50 optional)
@juanpicado

This comment has been minimized.

Member

juanpicado commented May 13, 2018

👍 👍 👍 👍 thanks @todojs for the report

@juanpicado juanpicado closed this May 13, 2018

@juanpicado juanpicado added Fixed and removed WIP labels May 22, 2018

@zianakamarudin96

This comment has been minimized.

zianakamarudin96 commented May 25, 2018

i am also have this problem,i am currently to build an apps using ionic and want to use firebase but this type of report is shown when i am using npm audit,hope someone can guide me.tq.

=== npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of cordova-android

Path cordova-android > cordova-common > plist > xmlbuilder >
lodash

More info https://nodesecurity.io/advisories/577

[!] 1 vulnerability found - Packages audited: 3792 (3246 dev, 304 optional)
Severity: 1 Low

@verdaccio verdaccio locked as resolved and limited conversation to collaborators May 25, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.