SAP / node-rfc

Asynchronous, non-blocking SAP NW RFC SDK bindings for Node.js
Apache License 2.0

Compile for win32_x64 ( found 4 high severity vulnerabilities) #230

Closed Berdmanfolk closed 2 years ago

Berdmanfolk commented 2 years ago

Hello @bsrdjan, I try to compile from source, but again I get the same error:

C:\node-rfc-2.4.0>npm install

> node-rfc@2.4.0 preinstall C:\node-rfc-2.4.0
> npm install cmake-js prebuild-install prebuild node-addon-api

npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.1 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.1: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ prebuild-install@6.0.0
+ node-addon-api@3.1.0
+ cmake-js@6.1.0
+ prebuild@10.0.1
added 1104 packages from 559 contributors and audited 1105 packages in 41.681s

48 packages are looking for funding
  run `npm fund` for details

found 3 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

> node-rfc@2.4.0 install C:\node-rfc-2.4.0
> prebuild-install --tag-prefix -r napi || cmake-js rebuild

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.1 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.1: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 1105 packages in 50.413s

48 packages are looking for funding
  run `npm fund` for details

found 3 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

C:\node-rfc-2.4.0>node -v
v14.15.4

C:\node-rfc-2.4.0>npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Denial of Service

  Package         https-proxy-agent

  Patched in      >=2.2.0

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  https-proxy-agent

  More info       https://npmjs.com/advisories/593

  High            Machine-In-The-Middle

  Package         https-proxy-agent

  Patched in      >=2.2.3

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  https-proxy-agent

  More info       https://npmjs.com/advisories/1184

  High            Denial of Service

  Package         http-proxy-agent

  Patched in      >=2.1.0

  Dependency of   typings [dev]

  Path            typings > typings-core > popsicle-proxy-agent >
                  http-proxy-agent

  More info       https://npmjs.com/advisories/607

found 3 high severity vulnerabilities in 1113 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

C:\node-rfc-2.4.0>

bsrdjan commented 2 years ago

All vulnerabilities are related to development dependency typings and have no impact on run-time.

node-rfc can't fix that, but you can create an issue in the typings repository.

Berdmanfolk commented 2 years ago

Sorry @bsrdjan, I inserted an old log, which was from before.

Now these vulnerabilities show:

C:\node-rfc-main>npm install

> node-rfc@2.5.1 preinstall C:\node-rfc-main
> npm install cmake-js prebuild-install prebuild node-addon-api

npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ node-addon-api@4.0.0
+ prebuild-install@6.1.4
+ prebuild@10.0.1
+ cmake-js@6.2.1
updated 4 packages and audited 813 packages in 25.858s

46 packages are looking for funding
  run `npm fund` for details

found 4 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

> node-rfc@2.5.1 install C:\node-rfc-main
> prebuild-install --tag-prefix -r napi || cmake-js rebuild

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@2.3.2 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 813 packages in 31.025s

54 packages are looking for funding
  run `npm fund` for details

found 4 high severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

C:\node-rfc-main>node -v
v14.15.4

C:\node-rfc-main>npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  High            Arbitrary File Creation/Overwrite due to insufficient
                  absolute path sanitization

  Package         tar

  Patched in      >=3.2.2 <4.0.0 || >=4.4.14  <5.0.0 || >=5.0.6 <6.0.0 ||
                  >=6.1.1

  Dependency of   prebuild [dev]

  Path            prebuild > node-ninja > tar

  More info       https://npmjs.com/advisories/1770

  High            Arbitrary File Creation/Overwrite due to insufficient
                  absolute path sanitization

  Package         tar

  Patched in      >=3.2.2 <4.0.0 || >=4.4.14  <5.0.0 || >=5.0.6 <6.0.0 ||
                  >=6.1.1

  Dependency of   prebuild [dev]

  Path            prebuild > nw-gyp > tar

  More info       https://npmjs.com/advisories/1770

  High            Arbitrary File Creation/Overwrite via insufficient symlink
                  protection due to directory cache poisoning

  Package         tar

  Patched in      >=3.2.3 <4.0.0 || >=4.4.15  <5.0.0 || >=5.0.7 <6.0.0 ||
                  >=6.1.2

  Dependency of   prebuild [dev]

  Path            prebuild > node-ninja > tar

  More info       https://npmjs.com/advisories/1771

  High            Arbitrary File Creation/Overwrite via insufficient symlink
                  protection due to directory cache poisoning

  Package         tar

  Patched in      >=3.2.3 <4.0.0 || >=4.4.15  <5.0.0 || >=5.0.7 <6.0.0 ||
                  >=6.1.2

  Dependency of   prebuild [dev]

  Path            prebuild > nw-gyp > tar

  More info       https://npmjs.com/advisories/1771

found 4 high severity vulnerabilities in 813 scanned packages
  4 vulnerabilities require manual review. See the full report for details.

C:\node-rfc-main>

bsrdjan commented 2 years ago

These four are from another external package, https://github.com/prebuild/prebuild, using vulnerable dependencies. I see no possibility to fix that in node-rfc.

Also in this case, run-time is not affected.
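An added triage helper, not node-rfc's own code, that makes the "dev dependency, no run-time impact" reasoning from both of bsrdjan's replies checkable: it walks each advisory's dependency paths from an npm 6 `npm audit --json` report and marks a finding dev-only when every path starts at a devDependency. The package.json fragment and the report excerpt are constructed from the advisories quoted in this issue, and the npm 6 JSON shape (`advisories[id].findings[].paths`) is an assumption.

```javascript
// Added triage helper: decide whether each advisory in an npm 6
// "npm audit --json" report is reachable at run-time or only through
// devDependencies. Sample inputs are constructed from this issue; the
// npm 6 JSON shape (advisories[id].findings[].paths) is an assumption.

// Constructed package.json fragment (assumes prebuild/typings are devDependencies).
const packageJson = {
  dependencies: { "node-addon-api": "^4.0.0" },
  devDependencies: { prebuild: "^10.0.1", typings: "^2.1.1" },
};

// Constructed npm 6 audit excerpt; ids, modules and paths quoted from the issue.
const auditReport = {
  advisories: {
    593: { module_name: "https-proxy-agent", severity: "high", title: "Denial of Service",
           findings: [{ paths: ["typings>typings-core>popsicle-proxy-agent>https-proxy-agent"] }] },
    1770: { module_name: "tar", severity: "high",
            title: "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization",
            findings: [{ paths: ["prebuild>node-ninja>tar", "prebuild>nw-gyp>tar"] }] },
  },
};

// The first segment of a dependency path is the project's direct dependency.
// Accepts both the JSON form "a>b>c" and the text-report form "a > b > c".
function pathRoot(depPath) {
  return depPath.split(">")[0].trim();
}

// An advisory affects run-time if any path starts at a production dependency.
// A root found in neither section is treated conservatively as run-time.
function classifyAdvisory(advisory, pkg) {
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const prod = pkg.dependencies || {};
  const dev = pkg.devDependencies || {};
  const roots = [...new Set(advisory.findings.flatMap((f) => f.paths.map(pathRoot)))];
  const runtimeRoots = roots.filter((r) => has(prod, r) || !has(dev, r));
  return { runtime: runtimeRoots.length > 0, roots };
}

// Split a whole report into run-time findings (need action) and dev-only ones.
function triage(report, pkg) {
  const out = { runtime: [], devOnly: [] };
  for (const [id, adv] of Object.entries(report.advisories)) {
    const c = classifyAdvisory(adv, pkg);
    (c.runtime ? out.runtime : out.devOnly).push({ id: Number(id), module: adv.module_name, roots: c.roots });
  }
  return out;
}

console.log(JSON.stringify(triage(auditReport, packageJson), null, 2));
```

Dev-only findings still matter on the build machine (prebuild runs tar there), so the split is for prioritisation, not for ignoring them.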