Sunbird-Ed / SunbirdEd-portal

Web Portal for sunbird software. Provides the web interfaces for all functionality of Sunbird. Find the installation instructions at: https://ed.sunbird.org/use-1/install-locally/sunbirded-portal
MIT License
37 stars, 306 forks

99 vulnerabilities found in `npm audit` #511

Open manojLondhe opened 6 years ago

manojLondhe commented 6 years ago

Hi,

I was trying out cloning this repo and installing locally; npm install indicated 99 vulnerabilities found.

Reporting the issue so this does not fall out of track (master branch).

added 2145 packages from 1770 contributors in 464.896s
[!] 99 vulnerabilities found [18775 packages audited]
    Severity: 42 Low | 23 Moderate | 32 High | 2 Critical
    Run `npm audit` for more detail

mj@my-lappy:~/GIT/ekstep-repos-all/sunbird-portal/src$ npm audit

                       === npm audit security report ===                        

# Run  npm install karma@2.0.2  to resolve 21 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Dependency of   karma                                                         

  Path            karma > lodash                                                

  More info       https://nodesecurity.io/advisories/577                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > body-parser > debug                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > compression > debug                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > connect-timeout > debug                     

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > debug                                       

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > express-session > debug                     

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > finalhandler > debug                        

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > morgan > debug                              

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-index > debug                         

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-static > send > debug                 

  More info       https://nodesecurity.io/advisories/534                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   karma [dev]                                                   

  Path            karma > minimatch                                             

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Dependency of   karma [dev]                                                   

  Path            karma > connect > compression > accepts > negotiator          

  More info       https://nodesecurity.io/advisories/106                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-index > accepts > negotiator          

  More info       https://nodesecurity.io/advisories/106                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > fresh                                       

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-favicon > fresh                       

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-static > send > fresh                 

  More info       https://nodesecurity.io/advisories/526                        

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Dependency of   karma [dev]                                                   

  Path            karma > connect > serve-static > send > mime                  

  More info       https://nodesecurity.io/advisories/535                        

  High            Denial of Service                                             

  Package         ws                                                            

  Dependency of   karma [dev]                                                   

  Path            karma > socket.io > socket.io-client > ws                     

  More info       https://nodesecurity.io/advisories/550                        

  High            DoS due to excessively large websocket message                

  Package         ws                                                            

  Dependency of   karma [dev]                                                   

  Path            karma > socket.io > socket.io-client > ws                     

  More info       https://nodesecurity.io/advisories/120                        

  Low             Remote Memory Disclosure                                      

  Package         ws                                                            

  Dependency of   karma [dev]                                                   

  Path            karma > socket.io > socket.io-client > ws                     

  More info       https://nodesecurity.io/advisories/67                         

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   karma [dev]                                                   

  Path            karma > glob > minimatch                                      

  More info       https://nodesecurity.io/advisories/118                        

# Run  npm install gulp-less@4.0.0  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   gulp-less                                                     

  Path            gulp-less > less > request > hawk > boom > hoek               

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   gulp-less                                                     

  Path            gulp-less > less > request > hawk > cryptiles > boom > hoek   

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   gulp-less                                                     

  Path            gulp-less > less > request > hawk > hoek                      

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   gulp-less                                                     

  Path            gulp-less > less > request > hawk > sntp > hoek               

  More info       https://nodesecurity.io/advisories/566                        

# Run  npm install phantomjs-prebuilt@2.1.16  to resolve 4 vulnerabilities

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   phantomjs-prebuilt                                            

  Path            phantomjs-prebuilt > request > hawk > boom > hoek             

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   phantomjs-prebuilt                                            

  Path            phantomjs-prebuilt > request > hawk > cryptiles > boom >      
                  hoek                                                          

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   phantomjs-prebuilt                                            

  Path            phantomjs-prebuilt > request > hawk > hoek                    

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   phantomjs-prebuilt                                            

  Path            phantomjs-prebuilt > request > hawk > sntp > hoek             

  More info       https://nodesecurity.io/advisories/566                        

# Run  npm install --dev gulp@4.0.0  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Dependency of   gulp [dev]                                                    

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > lodash      

  More info       https://nodesecurity.io/advisories/577                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   gulp [dev]                                                    

  Path            gulp > vinyl-fs > glob-stream > minimatch                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   gulp [dev]                                                    

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > glob >      
                  minimatch                                                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Dependency of   gulp [dev]                                                    

  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch   

  More info       https://nodesecurity.io/advisories/118                        

# Run  npm install --dev gulp-connect@5.5.0  to resolve 11 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > body-parser > debug                  

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > compression > debug                  

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > connect-timeout > debug              

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > debug                                

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > express-session > debug              

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > finalhandler > debug                 

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > morgan > debug                       

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-index > debug                  

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-static > send > debug          

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > tiny-lr > body-parser > debug                  

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > tiny-lr > debug                                

  More info       https://nodesecurity.io/advisories/534                        

# Run  npm install jsonwebtoken@8.2.1  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   jsonwebtoken                                                  

  Path            jsonwebtoken > joi > hoek                                     

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   jsonwebtoken                                                  

  Path            jsonwebtoken > joi > topo > hoek                              

  More info       https://nodesecurity.io/advisories/566                        

# Run  npm install --dev gulp-imagemin@4.1.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-gifsicle > gifsicle >     
                  bin-build > download > caw > tunnel-agent                     

  More info       https://nodesecurity.io/advisories/598                        

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-gifsicle > gifsicle >     
                  bin-wrapper > download > caw > tunnel-agent                   

  More info       https://nodesecurity.io/advisories/598                        

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-jpegtran > jpegtran-bin   
                  > bin-build > download > caw > tunnel-agent                   

  More info       https://nodesecurity.io/advisories/598                        

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-jpegtran > jpegtran-bin   
                  > bin-wrapper > download > caw > tunnel-agent                 

  More info       https://nodesecurity.io/advisories/598                        

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-optipng > optipng-bin >   
                  bin-build > download > caw > tunnel-agent                     

  More info       https://nodesecurity.io/advisories/598                        

  Moderate        Memory Exposure                                               

  Package         tunnel-agent                                                  

  Dependency of   gulp-imagemin [dev]                                           

  Path            gulp-imagemin > imagemin > imagemin-optipng > optipng-bin >   
                  bin-wrapper > download > caw > tunnel-agent                   

  More info       https://nodesecurity.io/advisories/598                        

# Run  npm install helmet@3.12.0  to resolve 2 vulnerabilities

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   helmet                                                        

  Path            helmet > connect > debug                                      

  More info       https://nodesecurity.io/advisories/534                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Dependency of   helmet                                                        

  Path            helmet > connect > finalhandler > debug                       

  More info       https://nodesecurity.io/advisories/534                        

# Run  npm install --dev wiredep@4.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Dependency of   wiredep [dev]                                                 

  Path            wiredep > lodash                                              

  More info       https://nodesecurity.io/advisories/577                        

# Run  npm install --dev chai-http@4.0.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Large gzip Denial of Service                                  

  Package         superagent                                                    

  Dependency of   chai-http [dev]                                               

  Path            chai-http > superagent                                        

  More info       https://nodesecurity.io/advisories/479                        

# Run  npm update phantomjs-prebuilt --depth 2  to resolve 4 vulnerabilities

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   karma-phantomjs-launcher                                      

  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > boom > hoek                                            

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   karma-phantomjs-launcher                                      

  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > cryptiles > boom > hoek                                

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   karma-phantomjs-launcher                                      

  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > hoek                                                   

  More info       https://nodesecurity.io/advisories/566                        

  Moderate        Prototype pollution                                           

  Package         hoek                                                          

  Dependency of   karma-phantomjs-launcher                                      

  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > sntp > hoek                                            

  More info       https://nodesecurity.io/advisories/566                        

                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             

          Visit https://go.npm.me/audit-guide for additional guidance           

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp [dev]                                                    

  Path            gulp > vinyl-fs > glob-stream > glob > minimatch              

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-jshint [dev]                                             

  Path            gulp-jshint > minimatch                                       

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-load-plugins [dev]                                       

  Path            gulp-load-plugins > findup-sync > glob > minimatch            

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-load-plugins [dev]                                       

  Path            gulp-load-plugins > multimatch > minimatch                    

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   wiredep [dev]                                                 

  Path            wiredep > glob > minimatch                                    

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-jasmine-node [dev]                                       

  Path            gulp-jasmine-node > jasmine-node > gaze > minimatch           

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-mocha > mocha > glob > minimatch             

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-jasmine-node [dev]                                       

  Path            gulp-jasmine-node > jasmine-node > gaze > fileset > glob >    
                  minimatch                                                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > istanbul > fileset > glob >       
                  minimatch                                                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-jshint > minimatch                           

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-load-plugins > findup-sync > glob >          
                  minimatch                                                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-load-plugins > multimatch > minimatch        

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-jasmine-node [dev]                                       

  Path            gulp-jasmine-node > jasmine-node > gaze > fileset >           
                  minimatch                                                     

  More info       https://nodesecurity.io/advisories/118                        

  High            Regular Expression Denial of Service                          

  Package         minimatch                                                     

  Patched in      >=3.0.2                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > istanbul > fileset > minimatch    

  More info       https://nodesecurity.io/advisories/118                        

  Critical        Command Injection                                             

  Package         growl                                                         

  Patched in      >=1.10.2                                                      

  Dependency of   gulp-jasmine-node [dev]                                       

  Path            gulp-jasmine-node > jasmine-node > jasmine-growl-reporter >   
                  growl                                                         

  More info       https://nodesecurity.io/advisories/146                        

  Critical        Command Injection                                             

  Package         growl                                                         

  Patched in      >=1.10.2                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-mocha > mocha > growl                        

  More info       https://nodesecurity.io/advisories/146                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   asyncawait                                                    

  Path            asyncawait > lodash                                           

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-jshint                                                   

  Path            gulp-jshint > lodash                                          

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-jshint [dev]                                             

  Path            gulp-jshint > jshint > lodash                                 

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-jshint > jshint > lodash                     

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-jshint [dev]                                             

  Path            gulp-jshint > rcloader > lodash                               

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > lodash                            

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-jshint > lodash                              

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-jshint > rcloader > lodash                   

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-load-plugins > findup-sync > lodash          

  More info       https://nodesecurity.io/advisories/577                        

  Low             Prototype Pollution                                           

  Package         lodash                                                        

  Patched in      >=4.17.5                                                      

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-help > lodash                                

  More info       https://nodesecurity.io/advisories/577                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Patched in      >= 0.5.2                                                      

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > fresh                                

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Patched in      >= 0.5.2                                                      

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-favicon > fresh                

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         fresh                                                         

  Patched in      >= 0.5.2                                                      

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-static > send > fresh          

  More info       https://nodesecurity.io/advisories/526                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Patched in      >= 0.6.1                                                      

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > compression > accepts > negotiator   

  More info       https://nodesecurity.io/advisories/106                        

  High            Regular Expression Denial of Service                          

  Package         negotiator                                                    

  Patched in      >= 0.6.1                                                      

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-index > accepts > negotiator   

  More info       https://nodesecurity.io/advisories/106                        

  High            Cross-Site Scripting                                          

  Package         handlebars                                                    

  Patched in      >=4.0.0                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > istanbul > handlebars             

  More info       https://nodesecurity.io/advisories/61                         

  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  

  Package         uglify-js                                                     

  Patched in      >= 2.4.24                                                     

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > istanbul > handlebars >           
                  uglify-js                                                     

  More info       https://nodesecurity.io/advisories/39                         

  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  

  Package         uglify-js                                                     

  Patched in      >= 2.4.24                                                     

  Dependency of   karma [dev]                                                   

  Path            karma > socket.io > socket.io-client > uglify-js              

  More info       https://nodesecurity.io/advisories/39                         

  Low             Regular Expression Denial of Service                          

  Package         uglify-js                                                     

  Patched in      >=2.6.0                                                       

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-istanbul > istanbul > handlebars >           
                  uglify-js                                                     

  More info       https://nodesecurity.io/advisories/48                         

  Low             Regular Expression Denial of Service                          

  Package         uglify-js                                                     

  Patched in      >=2.6.0                                                       

  Dependency of   karma [dev]                                                   

  Path            karma > socket.io > socket.io-client > uglify-js              

  More info       https://nodesecurity.io/advisories/48                         

  Moderate        Regular Expression Denial of Service                          

  Package         ms                                                            

  Patched in      >0.7.0                                                        

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-mocha > mocha > debug > ms                   

  More info       https://nodesecurity.io/advisories/46                         

  Moderate        Regular Expression Denial of Service                          

  Package         mime                                                          

  Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3                                  

  Dependency of   gulp-connect [dev]                                            

  Path            gulp-connect > connect > serve-static > send > mime           

  More info       https://nodesecurity.io/advisories/535                        

  Low             Regular Expression Denial of Service                          

  Package         debug                                                         

  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0                                  

  Dependency of   gulp-test [dev]                                               

  Path            gulp-test > gulp-mocha > mocha > debug                        

  More info       https://nodesecurity.io/advisories/534                        

[!] 99 vulnerabilities found - Packages audited: 18775 (18032 dev, 8557 optional)
    Severity: 42 Low | 23 Moderate | 32 High | 2 Critical

kochhar commented 6 years ago

Thanks for reporting this. This should be tracked in a Jira item.

On Wed 16 May, 2018 15:39 Manoj L, notifications@github.com wrote:


Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of gulp-test [dev]

Path gulp-test > gulp-jshint > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of gulp-test [dev]

Path gulp-test > gulp-jshint > rcloader > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of gulp-test [dev]

Path gulp-test > gulp-load-plugins > findup-sync > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of gulp-test [dev]

Path gulp-test > gulp-help > lodash

More info https://nodesecurity.io/advisories/577

High Regular Expression Denial of Service

Package fresh

Patched in >= 0.5.2

Dependency of gulp-connect [dev]

Path gulp-connect > connect > fresh

More info https://nodesecurity.io/advisories/526

High Regular Expression Denial of Service

Package fresh

Patched in >= 0.5.2

Dependency of gulp-connect [dev]

Path gulp-connect > connect > serve-favicon > fresh

More info https://nodesecurity.io/advisories/526

High Regular Expression Denial of Service

Package fresh

Patched in >= 0.5.2

Dependency of gulp-connect [dev]

Path gulp-connect > connect > serve-static > send > fresh

More info https://nodesecurity.io/advisories/526

High Regular Expression Denial of Service

Package negotiator

Patched in >= 0.6.1

Dependency of gulp-connect [dev]

Path gulp-connect > connect > compression > accepts > negotiator

More info https://nodesecurity.io/advisories/106

High Regular Expression Denial of Service

Package negotiator

Patched in >= 0.6.1

Dependency of gulp-connect [dev]

Path gulp-connect > connect > serve-index > accepts > negotiator

More info https://nodesecurity.io/advisories/106

High Cross-Site Scripting

Package handlebars

Patched in >=4.0.0

Dependency of gulp-test [dev]

Path gulp-test > gulp-istanbul > istanbul > handlebars

More info https://nodesecurity.io/advisories/61

Low Incorrect Handling of Non-Boolean Comparisons During Minification

Package uglify-js

Patched in >= 2.4.24

Dependency of gulp-test [dev]

Path gulp-test > gulp-istanbul > istanbul > handlebars > uglify-js

More info https://nodesecurity.io/advisories/39

Low Incorrect Handling of Non-Boolean Comparisons During Minification

Package uglify-js

Patched in >= 2.4.24

Dependency of karma [dev]

Path karma > socket.io > socket.io-client > uglify-js

More info https://nodesecurity.io/advisories/39

Low Regular Expression Denial of Service

Package uglify-js

Patched in >=2.6.0

Dependency of gulp-test [dev]

Path gulp-test > gulp-istanbul > istanbul > handlebars > uglify-js

More info https://nodesecurity.io/advisories/48

Low Regular Expression Denial of Service

Package uglify-js

Patched in >=2.6.0

Dependency of karma [dev]

Path karma > socket.io > socket.io-client > uglify-js

More info https://nodesecurity.io/advisories/48

Moderate Regular Expression Denial of Service

Package ms

Patched in >0.7.0

Dependency of gulp-test [dev]

Path gulp-test > gulp-mocha > mocha > debug > ms

More info https://nodesecurity.io/advisories/46

Moderate Regular Expression Denial of Service

Package mime

Patched in >= 1.4.1 < 2.0.0 || >= 2.0.3

Dependency of gulp-connect [dev]

Path gulp-connect > connect > serve-static > send > mime

More info https://nodesecurity.io/advisories/535

Low Regular Expression Denial of Service

Package debug

Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0

Dependency of gulp-test [dev]

Path gulp-test > gulp-mocha > mocha > debug

More info https://nodesecurity.io/advisories/534

[!] 99 vulnerabilities found - Packages audited: 18775 (18032 dev, 8557 optional) Severity: 42 Low | 23 Moderate | 32 High | 2 Critical
