This repository has been archived by the owner on Jan 14, 2022. It is now read-only.

Package cryptiles Insufficient Entropy #28

Closed
magussiro opened this issue Jan 4, 2019 · 2 comments

I am trying to use npm audit to check for any discovered vulnerabilities in dependency packages. After I ran
"npm audit fix --force", it still has this security issue:
OS: macOS 10.13.6
Version: 0.2.10

Mac :: ~/ProductiveTools/SnippetStore » npm audit

                   === npm audit security report ===

Run npm update cryptiles --depth 4 to resolve 1 vulnerability

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ universal-analytics │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ universal-analytics > request > hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720
└───────────────┴──────────────────────────────────────────────────────────────┘

found 1 high severity vulnerability in 42614 scanned packages
run npm audit fix to fix 1 of them.

magussiro (Author) commented Jan 4, 2019

Updating electron to 1.8.8 and universal-analytics to 0.4.20 can fix this security issue.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Remote Code Execution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ electron │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ electron │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/732
└───────────────┴──────────────────────────────────────────────────────────────┘

Run npm update cryptiles --depth 4 to resolve 1 vulnerability

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ universal-analytics │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ universal-analytics > request > hawk > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720
└───────────────┴──────────────────────────────────────────────────────────────┘

ZeroX-DG (Owner) commented Jan 9, 2019

Dependency updated! Thank you for reporting 👍

@ZeroX-DG ZeroX-DG closed this as completed Jan 9, 2019