What exactly do I do about gulp 4.0.2 dependency vulnerabilities? - node.js

In my package.json I have listed gulp as one of my dependencies.
{
  "name": "myproject",
  "devDependencies": {
    "gulp": "^4.0.2"
    // other stuff
  }
}
When I run npm i I get a message there are moderate security vulnerabilities. So I do npm audit and I get this
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
More info https://npmjs.com/advisories/1751
Moderate Regular expression denial of service
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > vinyl-fs > glob-stream > glob-parent
More info https://npmjs.com/advisories/1751
found 2 moderate severity vulnerabilities in 751 scanned packages
2 vulnerabilities require manual review. See the full report for details.
So then I thought it was all a matter of changing the version of gulp to the highest version where it is (probably) patched. But it seems that this is already the highest version, so what do I do about the vulnerability?

If anyone is curious how I actually "solved" this issue, I started using yarn for all my projects. To me it seems superior to npm.
The following commands will take care of you:
Install yarn
Remove npm's "package-lock" to not mix project package managers
Run yarn
Enjoy
Commands:
npm i --global yarn
rm -rf package-lock.json
yarn

Related

How to resolve gulp/glob-parent vulnerabilities?

I have been getting vulnerabilities in the internal dependency glob-parent of the npm package gulp.
High glob-parent before 5.1.2 vulnerable to Regular Expression
Denial of Service in enclosure regex
Package glob-parent
Patched in >=5.1.2
Dependency of gulp [dev]
Path gulp > glob-watcher > chokidar > glob-parent
I have gone through other questions regarding the same topic as well, but I am unsure that those ways will keep the application working as it is now, as I have seen different versions of glob-parent in package-lock.json.
Those suggested using the overrides property in package.json for glob-parent, or adding glob-parent to the resolutions section.
Also, it has been found that this is a false-positive vulnerability which is only reported in the case of npm, not Yarn.
Due to some reasons, I will have to use NPM only.
Please suggest a way to get rid of these vulnerabilities where it should not affect the application.
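Added example, not code from any of the posts above or from the gulp project: a Node script that reads a package-lock.json offline, lists every nested copy of a package that is still below the first patched version, and prints the npm `overrides` entry (npm 8.3 or newer) that would pin it. It handles both the nested `dependencies` tree of lockfileVersion 1 and the flat `packages` map of lockfileVersion 2/3, which is why several versions of glob-parent can coexist in one lockfile, and the same walk applies to the postcss and tar reports further down this page. The advisory table (glob-parent 5.1.2, postcss 8.2.10, tar 4.4.2) is taken from the audit output quoted on this page; the embedded sample lockfile is constructed for the example and its versions are illustrative. The version comparison is a deliberately small hand-written one, not the `semver` package.

```javascript
// Added example (not from the question or from gulp): audit a package-lock.json
// offline for copies of a package below its first patched version, then emit
// the package.json "overrides" block that pins them.
//
// Handles both lockfile layouts:
//   - lockfileVersion 1: nested "dependencies" tree
//   - lockfileVersion 2/3: flat "packages" map keyed by node_modules path

// Minimal semver parser: major.minor.patch with optional prerelease.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the same release (1.0.0-rc1 < 1.0.0),
// which matters because chokidar 1.0.0-rc1 appears in the audit range on this page.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // release beats prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

// Every installed copy of `name` as { path, version }, whatever the lockfile version.
function installedCopies(lock, name) {
  const found = [];
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/glob-watcher/node_modules/glob-parent"
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (!meta.version) continue; // workspace links carry no version
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        found.push({ path: p, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const p = `${prefix}node_modules/${dep}`;
        if (dep === name && meta.version) found.push({ path: p, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${p}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// advisories: { name: firstPatchedVersion }. Returns the copies that are still below it.
function auditLock(lock, advisories) {
  const vulnerable = [];
  for (const [name, patched] of Object.entries(advisories)) {
    for (const copy of installedCopies(lock, name)) {
      if (compareVersions(copy.version, patched) < 0) {
        vulnerable.push({ name, ...copy, patched });
      }
    }
  }
  return vulnerable;
}

// package.json "overrides" block (npm >= 8.3). Yarn classic uses the same
// shape under "resolutions".
function overridesFor(vulnerable) {
  const out = {};
  for (const v of vulnerable) out[v.name] = `^${v.patched}`;
  return out;
}

// Constructed sample (lockfileVersion 2 shape) mirroring the two nested
// glob-parent paths npm audit reported on this page; versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/gulp': { version: '4.0.2' },
    'node_modules/glob-parent': { version: '5.1.2' },
    'node_modules/glob-watcher/node_modules/chokidar': { version: '2.1.8' },
    'node_modules/glob-watcher/node_modules/glob-parent': { version: '3.1.0' },
    'node_modules/glob-stream/node_modules/glob-parent': { version: '3.1.0' },
  },
};

// First patched versions as stated in the audit output quoted on this page.
const ADVISORIES = { 'glob-parent': '5.1.2', postcss: '8.2.10', tar: '4.4.2' };

function main() {
  const file = process.argv[2]; // optional path to a real package-lock.json
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  const vulnerable = auditLock(lock, ADVISORIES);
  for (const v of vulnerable) console.log(`${v.path}: ${v.version} < ${v.patched}`);
  console.log(JSON.stringify({ overrides: overridesFor(vulnerable) }, null, 2));
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run it as `node audit-lock.js package-lock.json` (the file name is an assumption) against a real lockfile; with no argument it audits the embedded sample. Two caveats before pasting the emitted block into package.json: an `overrides` entry replaces the range the dependent itself declared (chokidar 2.x asks for glob-parent ^3.1.0), so a forced major bump has to be followed by actually running the gulp tasks, not just by `npm audit` reporting zero; and a ReDoS in a glob-pattern parser is only reachable when untrusted strings reach the pattern, which for a build tool fed developer-written globs is usually not the case. That reachability question, not the audit count, is what decides how urgent the pin is.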

Why do I keep getting an error when trying to install gulp?

For some reason I am unable to install gulp; it always brings up this error:
/wp-content/themes/the-advocates-theme$ npm i gulp-install
added 4 packages, and audited 755 packages in 2s
39 packages are looking for funding
run `npm fund` for details
12 vulnerabilities (3 moderate, 6 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Run `npm audit` for details.
and this is what I get when I run npm audit:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
gulp >=4.0.0
Depends on vulnerable versions of vinyl-fs
node_modules/gulp
lodash.template <4.5.0
Severity: critical
Prototype Pollution in lodash - https://github.com/advisories/GHSA-jf85-cpcp-j695
No fix available
node_modules/lodash.template
gulp-util >=1.1.0
Depends on vulnerable versions of lodash.template
node_modules/gulp-util
gulp-install *
Depends on vulnerable versions of gulp-util
node_modules/gulp-install
postcss <8.2.13
Severity: moderate
Regular Expression Denial of Service in postcss - https://github.com/advisories/GHSA-566m-qj78-rww5
fix available via `npm audit fix --force`
Will install gulp-sourcemaps@2.6.5, which is a breaking change
node_modules/@gulp-sourcemaps/identity-map/node_modules/postcss
@gulp-sourcemaps/identity-map >=2.0.0
Depends on vulnerable versions of postcss
node_modules/@gulp-sourcemaps/identity-map
gulp-sourcemaps >=3.0.0
Depends on vulnerable versions of @gulp-sourcemaps/identity-map
node_modules/gulp-sourcemaps
12 vulnerabilities (3 moderate, 6 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues possible (including breaking changes), run:
npm audit fix --force
Some issues need review, and may require choosing
a different dependency.
Those are not errors; they are warnings issued by npm. The gulp team is aware of those warnings but has decided that they do not need to be regarded.
Instead, they insist that npm audit is broken and should be fixed. You may ask them to change their minds, but beware that your request would be likely flagged as spam: 1, 2, 3.

How do I resolve these Node errors after running npm install in my project directory after installing Understrap for WordPress development?

I am trying to teach myself web development and so far it's making my head hurt, but I'm not giving up. At the moment, I am trying to learn WordPress theme development using the Understrap framework. This is what I have done so far to try and get it all working:
Install Node using Homebrew on my Mac
Created a project folder on my Desktop
Ran the following git command to install Understrap in my project folder: git clone https://github.com/understrap/understrap.git
Then ran npm install within the directory in a terminal window
After doing all of this, I keep getting the following errors, but not being a seasoned web dev expert, this has me a bit boggled:
72 packages are looking for funding
run `npm fund` for details
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Then I ran "npm audit" to get a better idea of the issue and this is where I am completely lost and hoping one of you fantastic folks on here can provide some assistance:
glob-parent <5.1.2
Severity: high
Regular expression denial of service - https://github.com/advisories/GHSA-ww39-953v-wcq6
fix available via `npm audit fix --force`
Will install gulp@3.9.1, which is a breaking change
node_modules/glob-stream/node_modules/glob-parent
node_modules/glob-watcher/node_modules/glob-parent
chokidar 1.0.0-rc1 - 2.1.8
Depends on vulnerable versions of glob-parent
node_modules/glob-watcher/node_modules/chokidar
glob-watcher >=3.0.0
Depends on vulnerable versions of chokidar
node_modules/glob-watcher
gulp >=4.0.0
Depends on vulnerable versions of glob-watcher
node_modules/gulp
glob-stream 5.3.0 - 6.1.0
Depends on vulnerable versions of glob-parent
node_modules/glob-stream
vinyl-fs >=2.4.2
Depends on vulnerable versions of glob-stream
node_modules/vinyl-fs
6 high severity vulnerabilities
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
BTW, I ran "npm audit fix --force", but it did not resolve this issue.
Thank you all so much for your help on this, I really appreciate it!

how to fix postcss vulnerability in reactjs

Suddenly I got around 79 moderate vulnerabilities related to the postcss package.
One of them is :
Moderate Regular Expression Denial of Service
Package postcss
Patched in >=8.2.10
Dependency of react-scripts
Path react-scripts > resolve-url-loader > postcss
More info https://npmjs.com/advisories/1693
I tried running npm audit fix but these require manual review.
Does anyone know how to fix these?
You could wait for react-scripts to update their dependencies or as an alternative use "resolutions" in your package.json to overrule the version:
"resolutions": {
"postcss": "^8.2.10"
}

npm audit Arbitrary File Overwrite

I recently updated my version of Angular using ng update, and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like "@angular-devkit/build-angular", but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
The following worked for me:
Go to node_modules > node-gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
npm i
npm audit
npm audit fix
npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.
angular-cli relies on node-gyp, who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
You should search in your package-lock.json this:
"tar": {
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
And replace it with this:
"tar": {
"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
That worked for me
