Bug Report: npm 6 vulnerabilities (1 low, 3 moderate, 2 high) #763

@amacado

Description

Bug

We're using dependencies which have known vulnerabilities.

found 6 vulnerabilities (1 low, 3 moderate, 2 high) in 585 scanned packages
  run `npm audit fix` to fix 2 of them.
  1 vulnerability requires semver-major dependency updates.
  3 vulnerabilities require manual review. See the full report for details.

How to replicate the bug

Checkout develop branch and execute npm install. Use npm audit for details about the vulnerabilities.

git checkout develop
npm install
npm audit
=== npm audit security report ===

# Run  npm install --save-dev gulp-sass@5.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Regular Expression Denial of Service
  Package         trim-newlines
  Dependency of   gulp-sass [dev]
  Path            gulp-sass > node-sass > meow > trim-newlines
  More info       https://npmjs.com/advisories/1753

# Run  npm update y18n --depth 5  to resolve 1 vulnerability
  High            Prototype Pollution
  Package         y18n
  Dependency of   gulp-sass [dev]
  Path            gulp-sass > node-sass > sass-graph > yargs > y18n
  More info       https://npmjs.com/advisories/1654

# Run  npm update chokidar --depth 2  to resolve 1 vulnerability
  Moderate        Regular expression denial of service
  Package         glob-parent
  Dependency of   sass [dev]
  Path            sass > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution
  Package         yargs-parser
  Patched in      >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
  Dependency of   gulp [dev]
  Path            gulp > gulp-cli > yargs > yargs-parser
  More info       https://npmjs.com/advisories/1500

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   gulp [dev]
  Path            gulp > glob-watcher > chokidar > glob-parent
  More info       https://npmjs.com/advisories/1751

  Moderate        Regular expression denial of service
  Package         glob-parent
  Patched in      >=5.1.2
  Dependency of   gulp [dev]
  Path            gulp > vinyl-fs > glob-stream > glob-parent
  More info       https://npmjs.com/advisories/1751

Possible Fixes/Solutions

Some of the vulnerabilities can be auto-fixed using npm audit fix, others need manual review.
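As an added example (not code from this issue or from the project), the script below triages the machine-readable form of the report above, `npm audit --json`, so a CI job can tell the difference between the six path-level findings npm counts and the four distinct advisories behind them, and between findings that are reachable from production dependencies and those that only sit under `[dev]` build tooling (every path in this report is dev-only). The report object is constructed by hand from the advisories printed in the issue; the JSON shape assumed here (advisories keyed by id, each with `findings[].paths` and a `findings[].dev` flag) is the npm 6 audit format as this example understands it, and `patched_versions` is filled in only where the report above states it.

```javascript
// Added example: triage an npm 6 `npm audit --json` report for CI gating.
// SAMPLE_REPORT is constructed from the advisories listed in the issue;
// the field layout is an assumption about the npm 6 audit JSON format.
const SAMPLE_REPORT = {
  advisories: {
    1753: {
      id: 1753, module_name: 'trim-newlines', severity: 'high',
      title: 'Regular Expression Denial of Service',
      url: 'https://npmjs.com/advisories/1753',
      findings: [{ paths: ['gulp-sass>node-sass>meow>trim-newlines'], dev: true }],
    },
    1654: {
      id: 1654, module_name: 'y18n', severity: 'high',
      title: 'Prototype Pollution',
      url: 'https://npmjs.com/advisories/1654',
      findings: [{ paths: ['gulp-sass>node-sass>sass-graph>yargs>y18n'], dev: true }],
    },
    1751: {
      id: 1751, module_name: 'glob-parent', severity: 'moderate',
      title: 'Regular expression denial of service',
      patched_versions: '>=5.1.2',
      url: 'https://npmjs.com/advisories/1751',
      findings: [{
        paths: [
          'sass>chokidar>glob-parent',
          'gulp>glob-watcher>chokidar>glob-parent',
          'gulp>vinyl-fs>glob-stream>glob-parent',
        ],
        dev: true,
      }],
    },
    1500: {
      id: 1500, module_name: 'yargs-parser', severity: 'low',
      title: 'Prototype Pollution',
      patched_versions: '>=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2',
      url: 'https://npmjs.com/advisories/1500',
      findings: [{ paths: ['gulp>gulp-cli>yargs>yargs-parser'], dev: true }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One record per vulnerable dependency path: the unit npm 6 counts when it
// prints "found 6 vulnerabilities", so a single advisory can appear several times.
function flattenFindings(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const f of adv.findings || []) {
      for (const path of f.paths || []) {
        rows.push({
          id: adv.id, module: adv.module_name, severity: adv.severity,
          title: adv.title, path, dev: Boolean(f.dev),
          patched: adv.patched_versions || null, url: adv.url,
        });
      }
    }
  }
  return rows;
}

// Per-severity counts as npm reports them, plus the dev/prod split and the
// number of distinct advisories (what actually has to be fixed).
function summarize(rows) {
  const bySeverity = {};
  let dev = 0, prod = 0;
  for (const r of rows) {
    bySeverity[r.severity] = (bySeverity[r.severity] || 0) + 1;
    if (r.dev) dev++; else prod++;
  }
  const distinctAdvisories = new Set(rows.map(r => r.id)).size;
  return { total: rows.length, bySeverity, dev, prod, distinctAdvisories };
}

// CI gate: true when some path at or above `threshold` is reachable from a
// production dependency; set includeDev to also fail on build-tool paths.
function shouldFail(rows, threshold = 'high', includeDev = false) {
  const min = SEVERITY_RANK[threshold];
  return rows.some(r => SEVERITY_RANK[r.severity] >= min && (includeDev || !r.dev));
}

function main() {
  const rows = flattenFindings(SAMPLE_REPORT);
  console.log(summarize(rows));
  for (const r of rows) {
    console.log(`${r.severity.padEnd(8)} ${r.module.padEnd(14)} ${r.dev ? 'dev ' : 'prod'} ${r.path}`);
  }
  console.log('fail build (prod paths, >= high):', shouldFail(rows));
  console.log('fail build (dev paths too, >= high):', shouldFail(rows, 'high', true));
}
main();
```

To run it against a real project, replace `SAMPLE_REPORT` with `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))` after `npm audit --json > audit.json`. The split matters for prioritisation: a ReDoS in a gulp plugin runs only on a developer or build machine with trusted input, while the same advisory under a runtime dependency is reachable by attacker-controlled input, so the gate above fails by default only on production paths and can be tightened with `includeDev`.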

Labels

bug
