Below are the vulnerabilities that I get:
You can see that all vulnerabilities depend on node-fetch <=2.6.6. When I look up how to fix it on GitHub, it says that versions lower than 2.6.1 need to be updated. Yet my version is 2.6.6 and I'm still getting a vulnerability message. Are there any possible ways of fixing this? Another issue is that I can't seem to find it in the package-lock.json folder either, and I'm unable to update/change it manually. I've tried uninstalling the entire package-lock.json and reinstalling it, and I'm still stuck with this vulnerability message. Thanks to anyone who can help!
Severity: high
The `size` option isn't honored after following a redirect in node-fetch - https://github.com/advisories/GHSA-w7rc-rwvf-8q5r
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor - https://github.com/advisories/GHSA-r683-j2x4-v87g
No fix available
node_modules/isomorphic-fetch/node_modules/node-fetch
Depends on vulnerable versions of node-fetch
node_modules/isomorphic-fetch
fbjs 0.7.0 - 1.0.0
Depends on vulnerable versions of isomorphic-fetch
node_modules/fbjs
fbemitter 2.0.3 - 3.0.0-alpha.1
Depends on vulnerable versions of fbjs
node_modules/fbemitter
expo >=14.0.0
Depends on vulnerable versions of fbemitter
node_modules/expo
Depends on vulnerable versions of fbemitter
node_modules/expo-updates
I have inherited a project from a previous developer and am having a bit of trouble getting it set up and running. I copied the files and then did npm install, and now I am being presented with the following:
# npm audit report
json5 <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via `npm audit fix --force`
Will install babel-core@4.7.16, which is a breaking change
node_modules/babel-core/node_modules/json5
babel-core 5.8.20 - 7.0.0-beta.3
Depends on vulnerable versions of babel-register
Depends on vulnerable versions of json5
node_modules/babel-core
babel-register *
Depends on vulnerable versions of babel-core
node_modules/babel-register
3 high severity vulnerabilities
Any idea how I can get around these issues?
You are getting these warnings because the packages that you are using have bugs. To dismiss this, you have to upgrade your packages to their latest versions.
Your packages are outdated. That's why you are getting this type of error. To update all packages, try this command:
npx npm-check-updates -u
We have a legacy app and it's been using Angular 2.4 since the beginning. Currently package.json has overrides for many packages, and for our build we are using npm install --force because of multiple conflicting peer dependencies, unresolvable dependencies of some packages, etc. I can foresee that we would keep using overrides for other dependency updates and expanding the package.json.
I'd like to understand:
What are the risks if we don't upgrade the Angular version and keep using Angular 2.4?
Is it okay to use npm install --force in a build/release pipeline in production?
Short answer is no.
Older versions of packages "decay" over time.
Sometimes because a version of a package had dependencies which are no longer maintained,
or (the worse case) because their n-th level dependency is no longer maintained.
Once a version is out of the LTS terms (or deprecated, like Angular v2 and older are), you also start to lose its documentation.
Then there are the unknowns of having your locked version of a package run with newer versions of its dependencies. And you would have to provide some of the fixes yourself.
There are plenty of security issues in the hundreds of dependencies a package like Angular has, and they can only be addressed by upgrading.
Your app might still work with forcing dependencies to update. But it would certainly be exposed to a fair bit of known issues which newer versions have already addressed.
I just installed @vue/cli and I decided to create my first project using Vue3.
After running vue create hello-world and it finished building the project, the cli said
7 moderate severity vulnerabilities
How bad are these? Moderate is very subjective. I tried running npm audit fix --force, which instead said
28 vulnerabilities (16 moderate, 12 high).
Is this just one of the things you should just accept and hope that no one exploits the vulnerabilities?
After running npm audit it said this
# npm audit report
ansi-regex >2.1.1 <5.0.1
Severity: moderate
Inefficient Regular Expression Complexity in chalk/ansi-regex - https://github.com/advisories/GHSA-93q8-gq69-wqmw
fix available via `npm audit fix --force`
Will install @vue/cli-service@4.5.17, which is a breaking change
node_modules/log-update/node_modules/ansi-regex
strip-ansi 4.0.0 - 5.2.0
Depends on vulnerable versions of ansi-regex
node_modules/log-update/node_modules/strip-ansi
string-width 2.1.0 - 4.1.0
Depends on vulnerable versions of strip-ansi
node_modules/log-update/node_modules/string-width
wrap-ansi 3.0.0 - 6.1.0
Depends on vulnerable versions of string-width
Depends on vulnerable versions of strip-ansi
node_modules/log-update/node_modules/wrap-ansi
log-update 2.1.0 - 3.4.0
Depends on vulnerable versions of wrap-ansi
node_modules/log-update
progress-webpack-plugin *
Depends on vulnerable versions of log-update
node_modules/progress-webpack-plugin
@vue/cli-service >=5.0.0-alpha.0
Depends on vulnerable versions of progress-webpack-plugin
node_modules/@vue/cli-service
Which to me looks like it all boils down to Inefficient Regular Expression Complexity in chalk/ansi-regex.
What's the proper way of dealing with this? Just letting it be or is it as easy as updating a package?
On top of my other answer, I'll add that everything is hackable nowadays. Is it an issue per se? Not really, since you're not really launching rockets.
Is it spooky? Yeah, maybe, because of how it sounds, but in the end, if somebody in your company opens a phishing email you're exposed, so yeah: live your life and don't worry too much about it.
Also, as a reminder: every package that you install can be malicious at some point and during various steps. If you want a 100% bullet-proof codebase, you'll need to write everything yourself from bottom to top.
When I run npm audit it tells me the following about vulnerabilities:
react-dev-utils 0.4.0 - 12.0.0-next.60
Severity: critical
Improper Neutralization of Special Elements used in an OS Command. - https://github.com/advisories/GHSA-5q6m-3h65-w53x
Depends on vulnerable versions of browserslist
Depends on vulnerable versions of fork-ts-checker-webpack-plugin
Depends on vulnerable versions of globby
Depends on vulnerable versions of immer
Depends on vulnerable versions of immer
Depends on vulnerable versions of inquirer
Depends on vulnerable versions of strip-ansi
fix available via `npm audit fix --force`
Will install @sambego/storybook-state@1.3.6, which is a breaking change
node_modules/@sambego/storybook-state/node_modules/react-dev-utils
node_modules/react-dev-utils
It says npm audit fix will install
--> @sambego/storybook-state@1.3.6,
but in my package.json it says
--> "@sambego/storybook-state": "^2.0.1",
So my package is much newer than the recommended package.
I will accept any answer that tells me if and why I can ignore this critical npm vulnerability.
This is happening for me as well. If you see the below image, the fix suggests installing an outdated version of testcafe.
The same thing happens with codelyzer as well. It is complaining about the Angular version and suggests installing codelyzer@0.0.28 instead of the version 6.x.x which is used in the project.
I got an email from GitHub stating that one of my project's dependencies "hoek" had a known security vulnerability and I should update it. However, hoek itself is not something I installed but is a dependency of one of my other dependencies. Is there anything I can do about this or does the maintainer of the project that uses hoek have to update the version they use?
The package is vulnerable to CVE-2018-3728. The vulnerable versions of hoek are prior to 4.2.1 and 5.0.3 and are vulnerable to prototype pollution.
The affected versions of hoek are up to version 5.0.2. The remediation is to update to version 4.2.1, 5.0.3 or later.
For more information, you can view the fix pull request here: https://github.com/hapijs/hoek/pull/231/commits/5aed1a8c4a3d55722d1c799f2368857bf418d6df