aclap-dev / vdhcoapp

Companion application for Video DownloadHelper browser add-on
GNU General Public License v2.0
1.72k stars, 280 forks

release 1.2.0: npm detects 17 vulnerabilities, of those 4 high, 1 critical #28

Closed kopp closed 3 years ago

kopp commented 6 years ago

I just compiled release 1.2.0 under Arch Linux and got the following warnings:

npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated gulp-util@2.2.20: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated graceful-fs@3.0.11: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated simple-bufferstream@1.0.0: no longer maintained
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated socks@1.1.10: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm notice created a lockfile as package-lock.json. You should commit this file.
added 824 packages from 483 contributors in 22.328s
[!] 17 vulnerabilities found [2998 packages audited]
    Severity: 3 low | 9 moderate | 4 high | 1 critical
    Run `npm audit` for more detail
kopp commented 6 years ago

Here is the output of npm audit: vdhcoapp_1.2.0_npm_audit.txt

xuiqzy commented 5 years ago

For version 1.3.0 there are 17 vulnerabilities: 3 low, 6 moderate, 8 high:

npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated gulp-util@2.2.20: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated graceful-fs@3.0.11: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm notice created a lockfile as package-lock.json. You should commit this file.
added 838 packages from 450 contributors and audited 3965 packages in 22.618s
found 17 vulnerabilities (3 low, 6 moderate, 8 high)
  run `npm audit fix` to fix them, or `npm audit` for details
ford--prefect commented 4 years ago

As of 1.4.0 we have now 20 vulns, 10 of which rank high:

npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated circular-json@0.5.9: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated nodemailer@2.7.2: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated mkdirp@0.5.4: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated request@2.75.0: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated mailcomposer@4.0.1: This project is unmaintained
npm WARN deprecated socks@1.1.9: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated natives@1.1.6: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated node-uuid@1.4.8: Use uuid module instead
npm WARN deprecated hawk@3.1.3: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated buildmail@4.0.1: This project is unmaintained
npm WARN deprecated boom@2.10.1: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated hoek@2.16.3: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated sntp@1.0.9: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated cryptiles@2.0.5: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated urix@0.1.0: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated resolve-url@0.2.1: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js

The lack of action in this thread as well as the piling amount of vulns really speaks for itself…

callmenemo491 commented 4 years ago

Mates, not sure what you want the guy to do... all the things you listed are from your Linux distribution; there is nothing in the code where he provides, say, the "mailcomposer" package and the other packages that are listed!

So, as the printout tells you, run: `npm audit fix`

ford--prefect commented 4 years ago

I'm far from being an npm expert, but I'm pretty sure this has nothing to do with the distribution. As far as I understand it, the developers state in package.json which dependencies and versions they expect to be installed, and npm audit checks for known vulns in these modules and reports them. These modules are pulled from npm directly and have nothing to do with the Linux distribution's packages. If it is indeed as I laid out, the developers are using vulnerable, outdated npm modules and it is totally on their side to migrate their code to a fixed version. Running npm audit fix is a crutch of npm to find hopefully matching versions that don't have the same reported vulnerabilities. Correct me if I'm wrong, but that's the way I understood it so far.

callmenemo491 commented 4 years ago

I am looking for where in the code it has "package.json": https://github.com/mi-g/vdhcoapp/search?q=package.json&unscoped_q=package.json

He doesn't provide any package.json... it comes from NPM, so the NPM developers would need to update their "package.json" file to not use the vulnerable (outdated) packages.

ford--prefect commented 4 years ago

What about this one? (I think you were searching in files, not for files)

callmenemo491 commented 4 years ago

Ah, thanks! I looked at the file/link you provided: my previous comment still stands... his 'package.json' lists which packages it depends on from NPM; none of the packages listed in that package.json are in the 'vulnerability printouts'.

So it is the base NPM packages that need to be updated / need to take care of those vulnerabilities.

These are the ones listed in the vul. report:

These are what is listed in the tool's package.json:

If you can find a package listed in the vul. report that the developer also uses, then I will 110% agree the developer needs to update the code to not use the vul. package.

But if you cannot find one... then the developer (@mi-g) does not have to modify one character in the code, and the ticket should be closed.

ford--prefect commented 4 years ago

It seems indeed like each of these vulnerabilities was pulled in as a dependency of a dependency, and not directly, meaning that the dependencies need fixing. In my view, a developer is responsible for the code stack released, so also for the chosen dependencies. If fixing these (e.g. by moving to another version) is not possible, one has to find another (safer?) library to do the job, IMHO. Don't get me wrong, this is not a demand to anyone (let alone the developer here), but a basic philosophy about responsibility in coding. Feel free to close the ticket, but the issue raised is definitely not solved: when building the project as-is you get a result with known vulnerabilities.

xuiqzy commented 4 years ago

Maybe these vulnerabilities come mostly from one or a few dependencies? That would make fixing it easier. Is there a nice way to check for that with npm?

mi-g commented 3 years ago

Version 1.6.0 contains 1 vulnerability and it is low severity. At this point we cannot do better.

ford--prefect commented 3 years ago

Thanks for taking care of this!