Should I be concerned about NPM vulnerabilities when using Vue? - node.js

I just installed @Vue-cli and I decided to create my first project using Vue3.
After running vue create hello-world and it finished building the project, the cli said
7 moderate severity vulnerabilities
How bad are these? moderate is very subjective. I tried running npm audit fix --force which instead said
28 vulnerabilities (16 moderate, 12 high).
Is this just one of the things you should just accept and hope that no one exploits the vulnerabilities?
After running npm audit it said this
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.17, which is a breaking change
node_modules/log-update/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/log-update/node_modules/strip-ansi
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/log-update/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/log-update/node_modules/wrap-ansi
log-update 2.1.0 - 3.4.0
Depends on vulnerable versions of wrap-ansi
node_modules/log-update
progress-webpack-plugin *
Depends on vulnerable versions of log-update
node_modules/progress-webpack-plugin
@vue/cli-service >=5.0.0-alpha.0
Depends on vulnerable versions of progress-webpack-plugin
node_modules/@vue/cli-service
Which to me looks like it all boils down to Inefficient Regular Expression Complexity in chalk/ansi-regex.
What's the proper way of dealing with this? Just letting it be or is it as easy as updating a package?

On top of my other answer, I'll add that everything is hackable nowadays. Is it an issue per se? Not really, since you're not really launching rockets.
Is it spooky? Yeah, maybe because of how it sounds, but at the end, if somebody in your company opens a phishing email you're exposed, so yeah: live your life and don't worry too much about it.
Also, as a reminder: every package that you install can be malicious at some point and during various steps. If you want a 100% bullet-proof codebase, you'll need to write everything yourself from bottom to top.

Related

"no fix available" error when installing hardhat toolbox

after running npm install --save-dev @nomicfoundation/hardhat-toolbox then npm audit the following report appears:
# npm audit report
flat <5.0.1
Severity: critical
flat vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-2j2x-2gpw-g8fm
No fix available
node_modules/eth-gas-reporter/node_modules/flat
yargs-unparser <=1.6.3
Depends on vulnerable versions of flat
node_modules/eth-gas-reporter/node_modules/yargs-unparser
mocha 5.1.0 - 9.2.1
Depends on vulnerable versions of minimatch
Depends on vulnerable versions of yargs-unparser
node_modules/eth-gas-reporter/node_modules/mocha
eth-gas-reporter >=0.2.1
Depends on vulnerable versions of mocha
node_modules/eth-gas-reporter
hardhat-gas-reporter *
Depends on vulnerable versions of eth-gas-reporter
node_modules/hardhat-gas-reporter
@nomicfoundation/hardhat-toolbox *
Depends on vulnerable versions of hardhat-gas-reporter
Depends on vulnerable versions of solidity-coverage
node_modules/@nomicfoundation/hardhat-toolbox
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
No fix available
node_modules/got
web3-bzz <=1.7.4
Depends on vulnerable versions of got
node_modules/web3-bzz
web3 1.0.0-beta.1 - 1.7.4 || 2.0.0-alpha - 3.0.0-rc.0
Depends on vulnerable versions of web3-bzz
node_modules/web3
@truffle/provider <=0.3.0
Depends on vulnerable versions of web3
node_modules/@truffle/provider
solidity-coverage 0.7.0-beta.0 - 0.8.0-rc.test.0
Depends on vulnerable versions of @truffle/provider
node_modules/solidity-coverage
minimatch <3.0.5
Severity: high
minimatch ReDoS vulnerability - https://github.com/advisories/GHSA-f8q6-p94x-37v3
No fix available
node_modules/eth-gas-reporter/node_modules/minimatch
12 vulnerabilities (5 moderate, 4 high, 3 critical)
Some issues need review, and may require choosing
a different dependency.
my nodejs version is node-v18.14.1-x64
I'm trying to set up the hardhat development environment by following the tutorial on their website: https://hardhat.org/tutorial
I tried running npm audit fix --force but it did not work
Turns out audit is just broken and it was a non-error for all practical purposes.
https://overreacted.io/npm-audit-broken-by-design/

How to fix node.js vulnerabilities

Below are the vulnerabilities that I get:
You can see that all vulnerabilities depend on node-fetch <=2.6.6. When I look up how to fix it on GitHub, it says that versions lower than 2.6.1 need to be updated. Yet my version is 2.6.6 and I'm still getting a vulnerability message. Are there any possible ways of fixing this? Another issue is that I can't seem to find it in the package-lock.json folder either, and I'm unable to update/change it manually. I've tried uninstalling the entire package-lock.json and reinstalling it, and I'm still stuck with this vulnerability message. Thanks to anyone who can help!
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/isomorphic-fetch/node_modules/node-fetch
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of fbemitter
node_modules/expo
Depends on vulnerable versions of fbemitter
node_modules/expo-updates

npm audit response shows up as just plain text instead of tabular format

I read a lot of questions/articles related to npm audit where people have provided the response of the npm audit in a tabular format. But when I run the npm audit I get the response as plain text.
I tried to install a library npm-audit-html and get the format in HTML as provided in answer but that is running into the issue: zsh: command not found: npm-audit-html
Can someone please explain and help in resolving the beautification of the npm audit response? Currently, my npm audit response shows up something like this:
postcss-overflow-shorthand <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-overflow-shorthand
postcss-page-break <=2.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-page-break
postcss-place <=5.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-place
postcss-pseudo-class-any-link <=6.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-pseudo-class-any-link
postcss-reduce-initial <=4.0.3
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-initial
postcss-reduce-transforms <=4.0.2
Depends on vulnerable versions of postcss
node_modules/postcss-reduce-transforms
postcss-replace-overflow-wrap <=3.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-replace-overflow-wrap
postcss-selector-matches *
Depends on vulnerable versions of postcss
node_modules/postcss-selector-matches
postcss-selector-not <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-selector-not
postcss-svgo <=5.0.0-rc.2
Depends on vulnerable versions of postcss
Depends on vulnerable versions of svgo
node_modules/postcss-svgo
postcss-unique-selectors <=4.0.1
Depends on vulnerable versions of postcss
node_modules/postcss-unique-selectors
postcss-url 3.3.0 - 10.0.0
Depends on vulnerable versions of postcss
node_modules/postcss-url
stylehacks <=4.0.3
Depends on vulnerable versions of postcss
node_modules/stylehacks
90 vulnerabilities (84 moderate, 6 high)
In Windows, I've used npm audit with ">" to write its content to a JSON file; refer to the command below:
npm audit --json > FOLDER_PATH\FILE_NAME.json
The npm audit format you posted is a breaking change of npm 7.
Output and data structure is significantly refactored to call attention to issues, identify classes of fixes not previously available, and remove extraneous data not used for any purpose.
BREAKING CHANGE: Any tools consuming the output of npm audit will almost certainly need to be updated, as this has changed significantly, both in the readable and --json output styles.
Source: npm release notes
As the output format is not officially explained, there is a post that tries to work it out. You can check the post for more details.
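The first question observed that seven audit entries boil down to a single advisory, and the answer above notes that the npm 7+ `--json` structure is not officially documented. The script below is an added example, not code from the question, from any answer, or from npm itself: it reads an `auditReportVersion` 2 report, keeps only the entries whose `via` array carries advisory objects (everything else is a "Depends on vulnerable versions of ..." echo), walks the `effects` edges up to the direct dependencies, and checks those names against `devDependencies` so you can tell build-tooling findings from code that ships to the browser. The sample report and package.json are constructed from the ansi-regex chain in the first question; the numeric `source` id is a placeholder and the `vue` and `@vue/cli-service` version ranges are assumed.

```javascript
// Added example (not from the question, the answers, or npm): triage an
// `npm audit --json` report (npm 7+, auditReportVersion 2) down to its root
// advisories and report which direct dependencies each one reaches.
// Usage:  npm audit --json > audit.json && node triage-audit.js audit.json
// With no argument it runs on the constructed sample below.

// Shape of an entry the text report prints as "Depends on vulnerable versions of ...":
// `via` holds only package names, no advisory objects.
function transitive(name, via, effects, isDirect = false) {
  return { name, severity: 'moderate', isDirect, via, effects, nodes: [],
           fixAvailable: { name: '@vue/cli-service', version: '4.5.17', isSemVerMajor: true } };
}

// Constructed sample modelled on the ansi-regex chain from the first question.
// Title, URL and range are as printed there; `source: 0` is a placeholder id.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'ansi-regex': {
      name: 'ansi-regex', severity: 'moderate', isDirect: false,
      via: [{
        source: 0, name: 'ansi-regex', dependency: 'ansi-regex',
        title: 'Inefficient Regular Expression Complexity in chalk/ansi-regex',
        url: 'https://github.com/advisories/GHSA-93q8-gq69-wqmw',
        severity: 'moderate', range: '>2.1.1 <5.0.1',
      }],
      effects: ['strip-ansi'], range: '>2.1.1 <5.0.1',
      nodes: ['node_modules/log-update/node_modules/ansi-regex'],
      fixAvailable: { name: '@vue/cli-service', version: '4.5.17', isSemVerMajor: true },
    },
    'strip-ansi': transitive('strip-ansi', ['ansi-regex'], ['string-width', 'wrap-ansi']),
    'string-width': transitive('string-width', ['strip-ansi'], ['wrap-ansi']),
    'wrap-ansi': transitive('wrap-ansi', ['string-width', 'strip-ansi'], ['log-update']),
    'log-update': transitive('log-update', ['wrap-ansi'], ['progress-webpack-plugin']),
    'progress-webpack-plugin': transitive('progress-webpack-plugin', ['log-update'], ['@vue/cli-service']),
    '@vue/cli-service': transitive('@vue/cli-service', ['progress-webpack-plugin'], [], true),
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 7, high: 0, critical: 0, total: 7 } },
};

// Constructed package.json (assumed ranges): a `vue create` project keeps the CLI in devDependencies.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { vue: '^3.0.0' },
  devDependencies: { '@vue/cli-service': '~5.0.0' },
};

// Root advisories are the entries whose `via` array contains advisory objects.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).flatMap((v) =>
    v.via.filter((x) => typeof x === 'object')
      .map((adv) => ({ pkg: v.name, severity: adv.severity, title: adv.title,
                       url: adv.url, range: adv.range, fixAvailable: v.fixAvailable })));
}

// Follow `effects` upward until we reach direct dependencies (isDirect: true),
// i.e. the names that actually appear in package.json.
function affectedDirectDeps(report, pkgName) {
  const seen = new Set(), direct = new Set(), stack = [pkgName];
  while (stack.length) {
    const name = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const v = report.vulnerabilities[name];
    if (!v) continue;
    if (v.isDirect) direct.add(name);
    stack.push(...(v.effects || []));
  }
  return [...direct].sort();
}

// `fixAvailable` is false, true, or an object naming what `--force` would install.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'npm audit fix (non-breaking)';
  if (fixAvailable && typeof fixAvailable === 'object') {
    const target = `${fixAvailable.name}@${fixAvailable.version}`;
    return fixAvailable.isSemVerMajor
      ? `breaking: npm audit fix --force would install ${target}`
      : `npm audit fix would install ${target}`;
  }
  return 'no fix available';
}

function summarize(report, pkgJson) {
  const devDeps = new Set(Object.keys(pkgJson.devDependencies || {}));
  const findings = rootAdvisories(report).map((adv) => {
    const reachedVia = affectedDirectDeps(report, adv.pkg);
    return {
      package: adv.pkg, severity: adv.severity, title: adv.title, url: adv.url, reachedVia,
      // Dev-only when every direct dependency it reaches is a devDependency.
      devOnly: reachedVia.length > 0 && reachedVia.every((d) => devDeps.has(d)),
      fix: describeFix(adv.fixAvailable),
    };
  });
  return { entries: Object.keys(report.vulnerabilities).length, rootAdvisories: findings.length, findings };
}

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_REPORT;
  const pkgJson = process.argv[2] ? JSON.parse(fs.readFileSync('package.json', 'utf8')) : SAMPLE_PACKAGE_JSON;
  const s = summarize(report, pkgJson);
  console.log(`${s.entries} audit entries collapse to ${s.rootAdvisories} root advisor${s.rootAdvisories === 1 ? 'y' : 'ies'}`);
  for (const f of s.findings) {
    console.log(`- [${f.severity}] ${f.package}: ${f.title} (${f.url})`);
    console.log(`    reaches: ${f.reachedVia.join(', ') || '(none)'}  dev-only: ${f.devOnly}  fix: ${f.fix}`);
  }
}
```

On the sample, the seven entries collapse to one moderate advisory that reaches only `@vue/cli-service`, a devDependency, and whose only offered fix is the breaking downgrade the question saw. That is the information the plain-text report buries: the count is inflated by every package on the path, and the dev-only flag is what decides whether the finding touches anything deployed.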

"npm audit fix" will install a deprecated package

When I run npm audit it tells me the following about vulnerabilities:
react-dev-utils 0.4.0 - 12.0.0-next.60
Severity: critical
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install @sambego/storybook-state@1.3.6, which is a breaking change
node_modules/@sambego/storybook-state/node_modules/react-dev-utils
node_modules/react-dev-utils
It says npm fix will install
--> @sambego/storybook-state@1.3.6,
but in my package.json it says
--> "@sambego/storybook-state": "^2.0.1",
So my package is much newer than the recommended package.
I will accept any answer that tells me if and why I can ignore this critical npm vulnerability.
This is happening for me as well. If you see the below image, fix suggests to install an outdated version of testcafe.
Same thing happens with codelyzer as well. It is complaining about the Angular version and suggests installing codelyzer@0.0.28 instead of the version 6.x.x which is used in the project.

moderate severity vulnerabilities with angular

I am developing a web application with Angular but I have a problem installing json server. Please help me correct this problem.
Depends on vulnerable versions of browserslist
node_modules/react-dev-utils
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
glob-parent <5.1.2
Severity: moderate
Regular expression denial of service - https://npmjs.com/advisories/1751
fix available via npm audit fix --force
Will install react-scripts#1.1.5, which is a breaking change
node_modules/react-scripts/node_modules/glob-parent
node_modules/watchpack-chokidar2/node_modules/glob-parent
node_modules/webpack-dev-server/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/react-scripts/node_modules/webpack-dev-server/node_modules/chokidar
node_modules/watchpack-chokidar2/node_modules/chokidar
node_modules/webpack-dev-server/node_modules/chokidar
watchpack-chokidar2 *
Depends on vulnerable versions of chokidar
node_modules/watchpack-chokidar2
watchpack 1.7.2 - 1.7.5
Depends on vulnerable versions of watchpack-chokidar2
node_modules/react-scripts/node_modules/watchpack
webpack 4.44.0 - 4.46.0
Depends on vulnerable versions of watchpack
node_modules/react-scripts/node_modules/webpack
webpack-dev-server 2.0.0-beta - 3.11.2
Depends on vulnerable versions of chokidar
node_modules/react-scripts/node_modules/webpack-dev-server
node_modules/webpack-dev-server
@angular-devkit/build-angular *
Depends on vulnerable versions of @angular-devkit/build-webpack
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-angular
@angular-devkit/build-webpack *
Depends on vulnerable versions of webpack-dev-server
node_modules/@angular-devkit/build-webpack
@pmmmwh/react-refresh-webpack-plugin 0.3.1 - 0.5.0-beta.4
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts/node_modules/@pmmmwh/react-refresh-webpack-plugin
react-scripts >=0.10.0-alpha.328cb32e
Depends on vulnerable versions of @pmmmwh/react-refresh-webpack-plugin
Depends on vulnerable versions of react-dev-utils
Depends on vulnerable versions of webpack-dev-server
node_modules/react-scripts
12 moderate severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
It's just a warning to let you know that there are some known vulnerabilities in the packages you're using in your project.
Vulnerabilities can be misbehavior, bugs, crashes, security vulnerabilities, etc.
npm keeps track of known vulnerabilities of all the npm packages.
So basically you have to wait for updates to your package to fix the vulnerability; you can also try to use a different version of the package, or use a different package.
Duplicate of: how to solve this npm glob-parent problem
Answer: https://stackoverflow.com/a/68342168/158649
As it is a dev dependency, not a big deal,
npm update glob-parent@5.1.2 --depth 4
has no effect on the npm audit message.
npm audit warnings can be a little bit boy-crying-wolf sometimes.
npm install glob-parent@5.1.2 --save-dev
does remove the warning but not really much to worry about.
