Hypertopic / Porphyry

Corpus analyses confrontation
https://hypertopic.org/porphyry
GNU Affero General Public License v3.0

`npm install` should not report vulnerabilities #554

Closed benel closed 1 year ago

benel commented 2 years ago

Description

What is the valuable outcome that cannot be achieved because of this bug?

None. As explained by the author of react-scripts (the "vulnerable package"), those vulnerabilities are indeed false positives.

The only problem is "that when there is a real attack poisoning the build toolchain, we won't know about it because it will be buried underneath the 99.9% of false positives".

react-scripts 5.0.0 seems to fix a bunch of those vulnerabilities. However, it breaks the build process. Several fixes are proposed as pull requests. We may wait for a few weeks before updating to an unbroken version.

Reproduction scenario

npm install

audited 2135 packages in 9s
104 vulnerabilities (93 moderate, 9 high, 2 critical)

benel commented 2 years ago

Fixed by 465337fb482c201d0bf0209c784974254aaeec64.