[Open] apo91 opened this issue 4 years ago
Still a problem.
found 297 vulnerabilities (74 low, 1 moderate, 222 high)
fixed 220 of 297 vulnerabilities in 37345 scanned packages
1 vulnerability required manual review and could not be updated
3 package updates for 76 vulns involved breaking changes
fixed 76 of 77 vulnerabilities in 37290 scanned packages
1 vulnerability required manual review and could not be updated
3 package updates for 76 vulns involved breaking changes
I could fix all but one by using npm's audit tool. The remaining one is based on a pretty transitive dependency.
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ mem │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.0.0 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-release [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ semantic-release > @semantic-release/npm > npm > libnpx > │
│ │ yargs > os-locale > mem │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1084 │
└───────────────┴──────────────────────────────────────────────────────────────┘
Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
Right after running
npm install
and entering the library name this is what I got:
Running
npm audit fix
fixed 229 of 326 vulnerabilities
but still:
Would be great to have zero vulnerabilities from the start.