Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update deps to fix some vulnerability issues #154

Merged
merged 2 commits into from
Jun 11, 2018
Merged

Update deps to fix some vulnerability issues #154

merged 2 commits into from
Jun 11, 2018

Conversation

Jezzamonn
Copy link
Contributor

Running npm audit shows some vulnerabilities. This fixes those that can be fixed automatically and also replaces the open package with opn to remove dependency on the critical security issue.

@Jezzamonn
Update dependencies with npm audit fix
0973dbb 
npm reported some issues in the dependencies. These are the automatic fixes.
@Jezzamonn
Replace unmaintained open package with opn.
19b79db 
open is unmaintained and has a critical vulnerability issue: pwnall/node-open#67.
opn is pretty much a drop in replacement.
@Jezzamonn
Copy link
Contributor Author

FYI after this there are still some issues that can be fixed by updating two packages, they're potentially breaking changes though & I'm not that familiar with this to know whether that's ok

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install ws@5.2.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ws                                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/550                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


# Run  npm install --save-dev standard@11.0.1  to resolve 7 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > debug                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-import > debug                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-import >                            │
│               │ eslint-import-resolver-node > debug                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint-plugin-import > eslint-module-utils >      │
│               │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > inquirer > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > lodash                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ standard > eslint > table > lodash                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 8 vulnerabilities (7 low, 1 high) in 637 scanned packages

@alallier
Copy link
Owner

Thanks for the MRs will look at these this week

@alallier
Copy link
Owner

Thanks @Jezzamonn, sorry this took so long. I will clean up the other security problems right after this

@alallier alallier merged commit 4079aa7 into alallier:master Jun 11, 2018
@g-harel
Copy link

g-harel commented Jun 12, 2018

It's awesome to see you were responsive to this issue!

@alallier
Copy link
Owner

Thanks I appreciate that! I personally should have triaged it and taken care of it a lot faster

@g-harel
Copy link

g-harel commented Jun 12, 2018

No problem, I've had maintainers ask me for donations to merge security patches ... This is refreshing 🍹

@Jezzamonn Jezzamonn deleted the update-deps branch June 13, 2018 15:36
@renovate renovate bot mentioned this pull request May 29, 2021
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Jezzamonn @alallier @g-harel