akveo / ngx-admin

Customizable admin dashboard template based on Angular 10+
https://akveo.github.io/ngx-admin/
MIT License

Vulnerabilities in packages - NPM #1760

Open HerreraG opened 6 years ago

HerreraG commented 6 years ago

Issue type

I'm submitting a ... (check one with "x")

Issue description

Current behavior: When I run npm install, npm informs me that it found 22 vulnerabilities. I leave the report below.

found 22 vulnerabilities (11 low, 5 moderate, 6 high)
  run `npm audit fix` to fix them, or `npm audit` for details

# Run  npm install --save-dev karma@2.0.4  to resolve 13 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Prototype Pollution
  Package         lodash
  Dependency of   karma [dev]
  Path            karma > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > engine.io > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-adapter > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client >
                  debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-adapter > socket.io-parser >
                  debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > socket.io-parser >
                  debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-parser > debug
  More info       https://nodesecurity.io/advisories/534

  High            Denial of Service
  Package         ws
  Dependency of   karma [dev]
  Path            karma > socket.io > engine.io > ws
  More info       https://nodesecurity.io/advisories/550

  High            Denial of Service
  Package         ws
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client > ws
  More info       https://nodesecurity.io/advisories/550

  High            Regular Expression Denial of Service
  Package         parsejson
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client >
                  parsejson
  More info       https://nodesecurity.io/advisories/528

  Low             Cryptographically Weak PRNG
  Package         randomatic
  Dependency of   karma [dev]
  Path            karma > chokidar > anymatch > micromatch > braces >
                  expand-range > fill-range > randomatic
  More info       https://nodesecurity.io/advisories/157

# Run  npm install --save-dev protractor@5.3.2  to resolve 8 vulnerabilities

  High            Denial of Service
  Package         https-proxy-agent
  Dependency of   protractor [dev]
  Path            protractor > saucelabs > https-proxy-agent
  More info       https://nodesecurity.io/advisories/593

  High            Denial of Service
  Package         ws
  Dependency of   protractor [dev]
  Path            protractor > webdriver-js-extender > selenium-webdriver > ws
  More info       https://nodesecurity.io/advisories/550

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > boom >
                  hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > cryptiles
                  > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > sntp >
                  hoek
  More info       https://nodesecurity.io/advisories/566

  High            Regular Expression Denial of Service
  Package         sshpk
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > http-signature >
                  sshpk
  More info       https://nodesecurity.io/advisories/606

  Moderate        Out-of-bounds Read
  Package         stringstream
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > stringstream
  More info       https://nodesecurity.io/advisories/664

# Run  npm update fill-range --depth 5  to resolve 1 vulnerability

  Low             Cryptographically Weak PRNG
  Package         randomatic
  Dependency of   stylelint [dev]
  Path            stylelint > micromatch > braces > expand-range > fill-range
                  > randomatic
  More info       https://nodesecurity.io/advisories/157

Expected behavior: Not have high vulnerabilities.

Steps to reproduce: Clone project starter-kit and run npm install

Other information:

Thank you and excuse me for my English. Regards
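Every finding in the report above is tagged "[dev]", i.e. reached only through devDependencies, which matters when deciding how urgent the "high" entries are for the shipped application. The following is an added example, not code from the ngx-admin project, that parses this plain-text npm audit report shape (severity row followed by Package / Dependency of / Path / More info rows, long paths wrapped onto a continuation line) and rolls the findings up for triage; the function and constant names are my own.

```javascript
// Added example (not ngx-admin project code): parse the plain-text `npm audit` report quoted
// above (npm 6 table output, borders stripped) and triage findings by severity and dev-only status.
const FIX_RE = /^#\s*Run\s+(.+?)\s+to resolve\s+\d+\s+vulnerabilit/;
const SEVERITY_RE = /^\s*(Low|Moderate|High|Critical)\s{2,}(.+?)\s*$/;
const FIELD_RE = /^\s*(Package|Dependency of|Path|More info)\s{2,}(.+?)\s*$/;
const KEYS = { 'Package': 'package', 'Dependency of': 'dependencyOf', 'Path': 'path', 'More info': 'advisory' };

function parseAuditReport(text) {
  const findings = [];
  let fixCommand = null, current = null, lastKey = null;
  for (const line of text.split('\n')) {
    let m;
    if ((m = FIX_RE.exec(line))) { fixCommand = m[1]; current = null; continue; }
    if ((m = SEVERITY_RE.exec(line))) {            // a severity row opens a new finding
      current = { severity: m[1], title: m[2], fixCommand };
      findings.push(current); lastKey = null;
    } else if (current && (m = FIELD_RE.exec(line))) {
      lastKey = KEYS[m[1]]; current[lastKey] = m[2];
    } else if (current && lastKey && /^\s{4,}\S/.test(line)) {
      // Deeply indented line without a key: continuation of a wrapped value (long paths)
      current[lastKey] = `${current[lastKey]} ${line.trim()}`;
    }
  }
  return findings;
}
const isDev = f => /\[dev\]$/.test(f.dependencyOf || '');   // npm tags devDependencies-only findings "[dev]"

// Triage roll-up: dev-only count, and how many High/Critical findings reach production dependencies.
function summarize(findings) {
  const bySeverity = {};
  for (const f of findings) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  const prodHigh = findings.filter(f => !isDev(f) && /^(High|Critical)$/.test(f.severity)).length;
  return { total: findings.length, bySeverity, devOnly: findings.filter(isDev).length, prodHigh };
}

// Constructed sample: two entries in the shape of the report above, one with a wrapped path.
const SAMPLE_REPORT = `
# Run  npm install --save-dev karma@2.0.4  to resolve 13 vulnerabilities
  High            Denial of Service
  Package         ws
  Dependency of   karma [dev]
  Path            karma > socket.io > engine.io > ws
  More info       https://nodesecurity.io/advisories/550
  Low             Cryptographically Weak PRNG
  Package         randomatic
  Dependency of   karma [dev]
  Path            karma > chokidar > anymatch > micromatch > braces >
                  expand-range > fill-range > randomatic
  More info       https://nodesecurity.io/advisories/157
`;
console.log(summarize(parseAuditReport(SAMPLE_REPORT)));
```

For the full report in this issue, `prodHigh` comes out at 0 because every entry is a dev dependency, which is the distinction worth making before treating the "6 high" as a release blocker.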

jpldevpub commented 6 years ago

Unfortunately I have the same problem

blankstar85 commented 6 years ago

I noticed this as well. I started a PR (branched off my fork) and started looking; however, a lot of the vulnerabilities have to do with karma (Karma Issue), which is waiting for Log4js to update, which just fixed its vulnerabilities 2 days ago (Log4js Issue). I'll keep track over the next couple of days to see how this moves.

Ledimor commented 5 years ago

Hello, do you have any news on this issue? I now have 27 vulnerabilities with the same environment.

blankstar85 commented 5 years ago

Log4js Issue is resolved; still waiting on karma. They did a 2.x version release. The updated log4js required karma to drop Node v4, for which they have a merged fix, but it will start in v3 of karma, which hasn't been released just yet.

blankstar85 commented 5 years ago

https://github.com/akveo/ngx-admin/pull/1822 Created PR, fixes 90% of issues

lienbacher commented 5 years ago

Hello! Just ran npm install on a fresh clone today and now it's 54 vulnerabilities.

added 1757 packages from 1379 contributors and audited 23286 packages in 31.621s
found 54 vulnerabilities (17 low, 22 moderate, 15 high)

blankstar85 commented 5 years ago

Hello, I have updated my own and have 0. I'll pull the official one down and finish getting everything cleared out. Then I just need to get the PR merged.

fauzie commented 5 years ago

Still exists on v3.0.0?

added 1998 packages from 1382 contributors and audited 25850 packages in 101.583s
found 42 vulnerabilities (17 low, 11 moderate, 14 high)
  run `npm audit fix` to fix them, or `npm audit` for details