How to resolve gulp/glob-parent vulnerabilities? - node.js

I have been getting vulnerability reports for glob-parent, an internal dependency of the npm package gulp.
High glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
I have gone through other questions on the same topic as well, but I am unsure whether those approaches will keep the application working as it is now, since I have seen different versions of glob-parent in package-lock.json.
Those suggested using the overrides property in package.json for glob-parent, or adding glob-parent to the resolutions section.
Also, it has been found that this is a false positive vulnerability which is only reported in the case of NPM, not Yarn.
For certain reasons, I will have to use NPM only.
Please suggest a way to get rid of these vulnerabilities that does not affect the application.

Related

"no fix available" error when installing hardhat toolbox

After running npm install --save-dev @nomicfoundation/hardhat-toolbox and then npm audit, the following report appears:
# npm audit report
flat <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
No fix available
node_modules/eth-gas-reporter/node_modules/flat
yargs-unparser <=1.6.3
Depends on vulnerable versions of flat
node_modules/eth-gas-reporter/node_modules/yargs-unparser
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/eth-gas-reporter/node_modules/mocha
eth-gas-reporter >=0.2.1
Depends on vulnerable versions of mocha
node_modules/eth-gas-reporter
hardhat-gas-reporter *
Depends on vulnerable versions of eth-gas-reporter
node_modules/hardhat-gas-reporter
@nomicfoundation/hardhat-toolbox *
Depends on vulnerable versions of hardhat-gas-reporter
Depends on vulnerable versions of solidity-coverage
node_modules/@nomicfoundation/hardhat-toolbox
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
web3-bzz <=1.7.4
Depends on vulnerable versions of got
node_modules/web3-bzz
web3 1.0.0-beta.1 - 1.7.4 || 2.0.0-alpha - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@truffle/provider <=0.3.0
Depends on vulnerable versions of web3
node_modules/@truffle/provider
solidity-coverage 0.7.0-beta.0 - 0.8.0-rc.test.0
Depends on vulnerable versions of @truffle/provider
node_modules/solidity-coverage
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
No fix available
node_modules/eth-gas-reporter/node_modules/minimatch
12 vulnerabilities (5 moderate, 4 high, 3 critical)
Some issues need review, and may require choosing
a different dependency.
My Node.js version is node-v18.14.1-x64.
I'm trying to set up the hardhat development environment by following the tutorial on their website: https://hardhat.org/tutorial
I tried running npm audit fix --force but it did not work.
Turns out audit is just broken and it was a non-error for all practical purposes.
https://overreacted.io/npm-audit-broken-by-design/

Understanding and handling Angular npm audit fixes and dependencies

I need some help understanding and properly correcting the vulnerabilities I see when I run an npm audit (or just npm install) on my Angular project. I just updated from Angular v12 to v13 and there were several vulnerabilities listed. Note, I already ran an 'npm install' and an 'npm update' but still get these audit warnings. The problem is, I don't understand which vulnerabilities I can fix by updating a package, without causing issues with Angular. I started investigating this and noticed that my angular dependencies don't even list the older version being called out by the npm audit, so apparently I don't even understand that.
Further below are 6 examples of audit warnings from over 20 that appear for the postcss package when I run 'npm audit' in my workspace. However, in my package-lock.json file, "@angular-devkit/build-angular" has a "requires" list that includes:
"postcss": "8.4.4",
"postcss-import": "14.0.2",
"postcss-loader": "6.2.1",
"postcss-preset-env": "6.7.0",
I have so many questions... first off, postcss is listed as 8.4.4, so I don't understand why I would have a version previous to 8.2.13 installed, per the audit warning. But the audit warning says "Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss"... so does this mean that postcss-preset-env is a different package that's using an older version of the postcss package as its own dependency? More importantly, does this indicate that the older version (6.7.0 in this case) is required, and if I update this or run the audit fix, that I'm not fulfilling the dependency here? After all, there's no caret (^6.7.0), so it seems to be indicating a specific version. I just can't tell what I can or should do here. I resolved other 'high' vulnerabilities that were not related to Angular, but what do I do about these ones? Can I fix them without breaking my app? What command would actually update postcss-preset-env? Should I just ignore these as warnings the Angular team has already reviewed and gone ahead with in their release?
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > autoprefixer > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-blank-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-has-pseudo > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > css-prefers-color-scheme > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5
Moderate Regular Expression Denial of Service in postcss
Package postcss
Patched in >=8.2.13
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > postcss-preset-env > postcss-attribute-case-insensitive > postcss
More info https://github.com/advisories/GHSA-566m-qj78-rww5

"npm audit fix" will install a deprecated package

When I run npm audit it tells me the following about vulnerabilities:
react-dev-utils 0.4.0 - 12.0.0-next.60
Severity: critical
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install @sambego/storybook-state@1.3.6, which is a breaking change
node_modules/@sambego/storybook-state/node_modules/react-dev-utils
node_modules/react-dev-utils
It says npm fix will install
--> @sambego/storybook-state@1.3.6,
but in my package.json it says
--> "@sambego/storybook-state": "^2.0.1",
So my package is much newer than the recommended package.
I will accept any answer that tells me if and why I can ignore this critical npm vulnerability.
This is happening for me as well. If you see the below image, the fix suggests installing an outdated version of testcafe.
The same thing happens with codelyzer as well: it is complaining about the Angular version and suggests installing codelyzer@0.0.28 instead of the version 6.x.x which is used in the project.

What exactly do I do about gulp 4.0.2 dependency vulnerabilities?

In my package.json I have listed gulp as one of my dependencies.
{
  "name": "myproject",
  "devDependencies": {
    "gulp": "^4.0.2"
    // other stuff
  }
}
When I run npm i I get a message that there are moderate security vulnerabilities. So I run npm audit and I get this:
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
More info https://npmjs.com/advisories/1751
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > vinyl-fs > glob-stream > glob-parent
More info https://npmjs.com/advisories/1751
found 2 moderate severity vulnerabilities in 751 scanned packages
2 vulnerabilities require manual review. See the full report for details.
So then I thought it was all a matter of changing the version of gulp to the highest version where it is (probably) patched. But it seems that this is already the highest version, so what do I do about the vulnerability?
If anyone is curious how I actually "solved" this issue, I started using yarn for all my projects. To me it seems superior to npm.
The following commands will take care of you:
Install yarn
Remove npm's "package-lock" to not mix project package managers
Run yarn
Enjoy
Commands:
npm i --global yarn
rm -rf package-lock.json
yarn

moderate severity vulnerabilities with angular

I am developing a web application with Angular, but I have a problem installing json server. Please help me correct this problem.
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts@1.1.5, which is a breaking change
node_modules/react-scripts/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/react-scripts/node_modules/webpack-dev-server/node_modules/chokidar
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/react-scripts/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/react-scripts/node_modules/webpack-dev-server
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
12 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
It's just a warning to let you know that there are some known vulnerabilities in the packages you are using in your project.
Vulnerabilities can be misbehavior, bugs, crashes, security vulnerabilities, etc.
npm keeps track of known vulnerabilities in all the npm packages.
So basically you have to wait for updates to your package to fix the vulnerability; you can also try to use a different version of the package, or use a different package.
Duplicate of: how to solve this npm glob-parent problem
Answer: https://stackoverflow.com/a/68342168/158649
As it is a dev dependency, not a big deal.
npm update glob-parent@5.1.2 --depth 4
has no effect on the npm audit message.
npm audit warnings can be a little bit boy-crying-wolf sometimes.
npm install glob-parent@5.1.2 --save-dev
does remove the warning, but not really much to worry about.
