BryanWilhite / nodejs

my collection of self-educational samples on the Node.js® stack

npm audit/outdated log #11

Closed BryanWilhite closed 4 years ago

BryanWilhite commented 6 years ago

angular.io-official:


                       === npm audit security report ===

# Run  npm install npm@6.4.1  to resolve 20 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > cryptiles >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install --save-dev @angular/cli@6.2.3  to resolve 25 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Incorrect Handling of Non-Boolean Comparisons During
                  Minification

  Package         uglify-js

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > postcss-url > directory-encoder > handlebars
                  > uglify-js

  More info       https://nodesecurity.io/advisories/39

  Low             Regular Expression Denial of Service

  Package         uglify-js

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > postcss-url > directory-encoder > handlebars
                  > uglify-js

  More info       https://nodesecurity.io/advisories/48

  Moderate        Regular Expression Denial of Service

  Package         mime

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > url-loader > mime

  More info       https://nodesecurity.io/advisories/535

  High            Cross-Site Scripting

  Package         handlebars

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > postcss-url > directory-encoder > handlebars

  More info       https://nodesecurity.io/advisories/61

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > compression > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > serve-index > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > finalhandler >
                  debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > send > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > serve-static >
                  send > debug

  More info       https://nodesecurity.io/advisories/534

  Critical        Command Injection

  Package         macaddress

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > css-loader > cssnano > postcss-filter-plugins
                  > uniqid > macaddress

  More info       https://nodesecurity.io/advisories/654

  Critical        Command Injection

  Package         macaddress

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > cssnano > postcss-filter-plugins > uniqid >
                  macaddress

  More info       https://nodesecurity.io/advisories/654

  High            Regular Expression Denial of Service

  Package         no-case

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > html-webpack-plugin > html-minifier >
                  camel-case > no-case

  More info       https://nodesecurity.io/advisories/529

  High            Regular Expression Denial of Service

  Package         no-case

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > html-webpack-plugin > html-minifier >
                  param-case > no-case

  More info       https://nodesecurity.io/advisories/529

  Moderate        Regular Expression Denial of Service

  Package         mime

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > send > mime

  More info       https://nodesecurity.io/advisories/535

  Moderate        Regular Expression Denial of Service

  Package         mime

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > serve-static >
                  send > mime

  More info       https://nodesecurity.io/advisories/535

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack > watchpack > chokidar > anymatch >
                  micromatch > braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > chokidar > anymatch >
                  micromatch > braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > http-proxy-middleware >
                  micromatch > braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  High            Regular Expression Denial of Service

  Package         fresh

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > fresh

  More info       https://nodesecurity.io/advisories/526

  High            Regular Expression Denial of Service

  Package         fresh

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > send > fresh

  More info       https://nodesecurity.io/advisories/526

  High            Regular Expression Denial of Service

  Package         fresh

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > serve-static >
                  send > fresh

  More info       https://nodesecurity.io/advisories/526

  High            Regular Expression Denial of Service

  Package         forwarded

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > express > proxy-addr >
                  forwarded

  More info       https://nodesecurity.io/advisories/527

  High            Open Redirect

  Package         url-parse

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > sockjs-client >
                  eventsource > original > url-parse

  More info       https://nodesecurity.io/advisories/678

  High            Open Redirect

  Package         url-parse

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > sockjs-client >
                  url-parse

  More info       https://nodesecurity.io/advisories/678

# Run  npm install karma@3.0.0  to resolve 7 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > cryptiles > boom
                  > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure

  Package         tunnel-agent

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598

  Low             Regular Expression Denial of Service

  Package         timespan

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > timespan

  More info       https://nodesecurity.io/advisories/533

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > stringstream

  More info       https://nodesecurity.io/advisories/664

found 52 vulnerabilities (12 low, 29 moderate, 9 high, 2 critical) in 11147 scanned packages
  run `npm audit fix` to fix 20 of them.
  32 vulnerabilities require semver-major dependency updates.

BryanWilhite commented 6 years ago

for angular.io-official: ran npm install --save-dev @angular/cli@1.7.4 to avoid 6.x move:


                       === npm audit security report ===

# Run  npm install --save-dev @angular/cli@6.2.3  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

found 4 moderate severity vulnerabilities in 12897 scanned packages
  4 vulnerabilities require semver-major dependency updates.

BryanWilhite commented 6 years ago

for angular.io-tour-of-heroes/quickstart:


                       === npm audit security report ===

# Run  npm install npm@6.4.1  to resolve 20 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > cryptiles >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install @angular/cli@6.2.3  to resolve 11 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > node-sass > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > node-sass > request > hawk > cryptiles > boom
                  > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > node-sass > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > node-sass > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure

  Package         tunnel-agent

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > node-sass > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598

  High            Open Redirect

  Package         url-parse

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > sockjs-client >
                  eventsource > original > url-parse

  More info       https://nodesecurity.io/advisories/678

  High            Open Redirect

  Package         url-parse

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > sockjs-client >
                  url-parse

  More info       https://nodesecurity.io/advisories/678

# Run  npm install karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > cryptiles > boom
                  > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure

  Package         tunnel-agent

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598

  Low             Regular Expression Denial of Service

  Package         timespan

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > timespan

  More info       https://nodesecurity.io/advisories/533

# Run  npm update browser-sync --depth 2  to resolve 2 vulnerabilities

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > localtunnel > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Prototype Pollution

  Package         lodash

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > easy-extender > lodash

  More info       https://nodesecurity.io/advisories/577

found 39 vulnerabilities (3 low, 34 moderate, 2 high) in 13756 scanned packages
  run `npm audit fix` to fix 22 of them.
  17 vulnerabilities require semver-major dependency updates.

BryanWilhite commented 6 years ago

for angular.io-tour-of-heroes/quickstart:


                       === npm audit security report ===

# Run  npm install npm@6.4.1  to resolve 20 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > cryptiles >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install @angular/cli@6.2.3  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm update browser-sync --depth 2  to resolve 2 vulnerabilities

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > localtunnel > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Prototype Pollution

  Package         lodash

  Dependency of   lite-server [dev]

  Path            lite-server > browser-sync > easy-extender > lodash

  More info       https://nodesecurity.io/advisories/577

found 26 vulnerabilities (2 low, 24 moderate) in 13367 scanned packages
  run `npm audit fix` to fix 22 of them.
  4 vulnerabilities require semver-major dependency updates.

BryanWilhite commented 6 years ago

for aurelia-official:


                       === npm audit security report ===

# Run  npm install npm@6.4.1  to resolve 20 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > cryptiles >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install --save-dev aurelia-cli@0.35.1  to resolve 9 vulnerabilities

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > libcipm > npm-lifecycle > node-gyp >
                  request > stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > node-gyp > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-lifecycle > node-gyp > request >
                  stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-registry-client > request >
                  stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-profile > make-fetch-happen >
                  http-proxy-agent

  More info       https://nodesecurity.io/advisories/607

  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-profile > make-fetch-happen >
                  https-proxy-agent

  More info       https://nodesecurity.io/advisories/593

  Low             Prototype Pollution

  Package         lodash

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > cli-table2 > lodash

  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution

  Package         lodash

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-audit-report > cli-table2 > lodash

  More info       https://nodesecurity.io/advisories/577

# Run  npm install karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > cryptiles > boom
                  > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   karma

  Path            karma > log4js > loggly > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Memory Exposure

  Package         tunnel-agent

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598

  Low             Regular Expression Denial of Service

  Package         timespan

  Dependency of   karma [dev]

  Path            karma > log4js > loggly > timespan

  More info       https://nodesecurity.io/advisories/533

# Run  npm install --save-dev browser-sync@2.24.7  to resolve 2 vulnerabilities

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   browser-sync [dev]

  Path            browser-sync > localtunnel > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Prototype Pollution

  Package         lodash

  Dependency of   browser-sync [dev]

  Path            browser-sync > easy-extender > lodash

  More info       https://nodesecurity.io/advisories/577

# Run  npm update marked --depth 4  to resolve 1 vulnerability

  High            Regular Expression Denial of Service

  Package         marked

  Dependency of   gulp-notify [dev]

  Path            gulp-notify > node-notifier > cli-usage > marked

  More info       https://nodesecurity.io/advisories/531

# Run  npm update fill-range --depth 7  to resolve 2 vulnerabilities

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   gulp-typescript [dev]

  Path            gulp-typescript > vinyl-fs > glob-stream > micromatch >
                  braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   vinyl-fs [dev]

  Path            vinyl-fs > glob-stream > micromatch > braces > expand-range
                  > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

found 40 vulnerabilities (7 low, 30 moderate, 3 high) in 17360 scanned packages
  run `npm audit fix` to fix 34 of them.
  6 vulnerabilities require semver-major dependency updates.
BryanWilhite commented 6 years ago

for aurelia-official:


                       === npm audit security report ===

# Run  npm install npm@6.4.1  to resolve 20 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > libcipm > npm-lifecycle > node-gyp > request > hawk >
                  sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > node-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-lifecycle > node-gyp > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > cryptiles >
                  boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > npm-registry-client > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   npm

  Path            npm > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install --save-dev aurelia-cli@0.35.1  to resolve 9 vulnerabilities

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > libcipm > npm-lifecycle > node-gyp >
                  request > stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > node-gyp > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-lifecycle > node-gyp > request >
                  stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-registry-client > request >
                  stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  High            Denial of Service

  Package         http-proxy-agent

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-profile > make-fetch-happen >
                  http-proxy-agent

  More info       https://nodesecurity.io/advisories/607

  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-profile > make-fetch-happen >
                  https-proxy-agent

  More info       https://nodesecurity.io/advisories/593

  Low             Prototype Pollution

  Package         lodash

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > cli-table2 > lodash

  More info       https://nodesecurity.io/advisories/577

  Low             Prototype Pollution

  Package         lodash

  Dependency of   aurelia-cli [dev]

  Path            aurelia-cli > npm > npm-audit-report > cli-table2 > lodash

  More info       https://nodesecurity.io/advisories/577

# Run  npm install @angular/cli@6.2.3  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli

  Path            @angular/cli > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

# Run  npm install --save-dev browser-sync@2.24.7  to resolve 2 vulnerabilities

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   browser-sync [dev]

  Path            browser-sync > localtunnel > debug

  More info       https://nodesecurity.io/advisories/534

  Low             Prototype Pollution

  Package         lodash

  Dependency of   browser-sync [dev]

  Path            browser-sync > easy-extender > lodash

  More info       https://nodesecurity.io/advisories/577

# Run  npm update marked --depth 4  to resolve 1 vulnerability

  High            Regular Expression Denial of Service

  Package         marked

  Dependency of   gulp-notify [dev]

  Path            gulp-notify > node-notifier > cli-usage > marked

  More info       https://nodesecurity.io/advisories/531

# Run  npm update fill-range --depth 7  to resolve 2 vulnerabilities

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   gulp-typescript [dev]

  Path            gulp-typescript > vinyl-fs > glob-stream > micromatch >
                  braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   vinyl-fs [dev]

  Path            vinyl-fs > glob-stream > micromatch > braces > expand-range
                  > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

found 38 vulnerabilities (6 low, 29 moderate, 3 high) in 22766 scanned packages
  run `npm audit fix` to fix 34 of them.
  4 vulnerabilities require semver-major dependency updates.
BryanWilhite commented 6 years ago

for aurelia-official this is not fixing:

# Run  npm update marked --depth 4  to resolve 1 vulnerability

  High            Regular Expression Denial of Service

  Package         marked

  Dependency of   gulp-notify [dev]

  Path            gulp-notify > node-notifier > cli-usage > marked

  More info       https://nodesecurity.io/advisories/531
BryanWilhite commented 6 years ago

for jquery-audio5:


                       === npm audit security report ===

# Run  npm install --save-dev gulp@4.0.0  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-stream > glob > minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-stream > minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > glob >
                  minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch

  More info       https://nodesecurity.io/advisories/118

  Low             Prototype Pollution

  Package         lodash

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > lodash

  More info       https://nodesecurity.io/advisories/577

# Run  npm update minimatch --depth 4  to resolve 1 vulnerability

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   vinyl-fs [dev]

  Path            vinyl-fs > glob-stream > glob > minimatch

  More info       https://nodesecurity.io/advisories/118

found 6 vulnerabilities (1 low, 5 high) in 1361 scanned packages
  run `npm audit fix` to fix 1 of them.
  5 vulnerabilities require semver-major dependency updates.
BryanWilhite commented 6 years ago

for office-addin-excel/my-add-in-angular:


                       === npm audit security report ===

# Run  npm install --save-dev @angular/cli@6.2.3  to resolve 20 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > cryptiles > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > anymatch >
                  micromatch > braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > webpack-dev-server > http-proxy-middleware >
                  micromatch > braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Low             Prototype Pollution

  Package         deep-extend

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > rc > deep-extend

  More info       https://nodesecurity.io/advisories/612

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > http-signature > sshpk

  More info       https://nodesecurity.io/advisories/606

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > less > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  High            Regular Expression Denial of Service

  Package         tough-cookie

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > request > tough-cookie

  More info       https://nodesecurity.io/advisories/525

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/cli [dev]

  Path            @angular/cli > @angular-devkit/core > chokidar > fsevents >
                  node-pre-gyp > tar-pack > debug

  More info       https://nodesecurity.io/advisories/534

# Run  npm install --save-dev protractor@5.4.1  to resolve 9 vulnerabilities

  High            Denial of Service

  Package         https-proxy-agent

  Dependency of   protractor [dev]

  Path            protractor > saucelabs > https-proxy-agent

  More info       https://nodesecurity.io/advisories/593

  High            Arbitrary File Write via Archive Extraction

  Package         adm-zip

  Dependency of   protractor [dev]

  Path            protractor > webdriver-js-extender > selenium-webdriver >
                  adm-zip

  More info       https://nodesecurity.io/advisories/681

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > request > stringstream

  More info       https://nodesecurity.io/advisories/664

  High            Arbitrary File Write via Archive Extraction

  Package         adm-zip

  Dependency of   protractor [dev]

  Path            protractor > selenium-webdriver > adm-zip

  More info       https://nodesecurity.io/advisories/681

  High            Arbitrary File Write via Archive Extraction

  Package         adm-zip

  Dependency of   protractor [dev]

  Path            protractor > webdriver-manager > adm-zip

  More info       https://nodesecurity.io/advisories/681

# Run  npm update fsevents --depth 3  to resolve 13 vulnerabilities

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > hawk > cryptiles > boom > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution

  Package         hoek

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > hawk > sntp > hoek

  More info       https://nodesecurity.io/advisories/566

  Low             Prototype Pollution

  Package         deep-extend

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  rc > deep-extend

  More info       https://nodesecurity.io/advisories/612

  High            Regular Expression Denial of Service

  Package         sshpk

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > http-signature > sshpk

  More info       https://nodesecurity.io/advisories/606

  Moderate        Out-of-bounds Read

  Package         stringstream

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > stringstream

  More info       https://nodesecurity.io/advisories/664

  High            Regular Expression Denial of Service

  Package         tough-cookie

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  request > tough-cookie

  More info       https://nodesecurity.io/advisories/525

  Low             Regular Expression Denial of Service

  Package         debug

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > fsevents > node-pre-gyp >
                  tar-pack > debug

  More info       https://nodesecurity.io/advisories/534

# Run  npm update fill-range --depth 7  to resolve 1 vulnerability

  Low             Cryptographically Weak PRNG

  Package         randomatic

  Dependency of   @angular/compiler-cli [dev]

  Path            @angular/compiler-cli > chokidar > anymatch > micromatch >
                  braces > expand-range > fill-range > randomatic

  More info       https://nodesecurity.io/advisories/157

found 43 vulnerabilities (7 low, 28 moderate, 8 high) in 8298 scanned packages
  run `npm audit fix` to fix 23 of them.
  20 vulnerabilities require semver-major dependency updates.
BryanWilhite commented 6 years ago

for tiffany-rayside-svg-verlet:

                       === npm audit security report ===

# Run  npm install --save-dev gulp@4.0.0  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-stream > glob > minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-stream > minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > glob >
                  minimatch

  More info       https://nodesecurity.io/advisories/118

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch

  More info       https://nodesecurity.io/advisories/118

  Low             Prototype Pollution

  Package         lodash

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > lodash

  More info       https://nodesecurity.io/advisories/577

found 5 vulnerabilities (1 low, 4 high) in 1397 scanned packages
  5 vulnerabilities require semver-major dependency updates.
BryanWilhite commented 6 years ago

for svg-and-object-element, this issue repeats about 20 times and will not go away:

  High            Regular Expression Denial of Service

  Package         minimatch

  Dependency of   svg-to-png [dev]

  Path            svg-to-png > imagemin > imagemin-jpegtran > jpegtran-bin >
                  bin-wrapper > download > gulp-decompress > decompress >
                  vinyl-fs > glob-stream > glob > minimatch

  More info       https://nodesecurity.io/advisories/118
BryanWilhite commented 4 years ago

I am used to npm outdated and npm audit rituals :bulb: