alexjoverm / typescript-library-starter

Starter kit with zero-config for building a library in TypeScript, featuring RollupJS, Jest, Prettier, TSLint, Semantic Release, and more!
MIT License
4.37k stars 493 forks

found 326 vulnerabilities (73 low, 1 moderate, 252 high) #315

Open apo91 opened 4 years ago

apo91 commented 4 years ago

Right after running npm install and entering the library name, this is what I got:

added 1737 packages from 1582 contributors and audited 37136 packages in 363.727s
found 326 vulnerabilities (73 low, 1 moderate, 252 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit fix fixed 229 of 326 vulnerabilities but still:

  21 vulnerabilities required manual review and could not be updated
  3 package updates for 76 vulnerabilities involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

Would be great to have zero vulnerabilities from the start.

lazarljubenovic commented 4 years ago

Still a problem.

found 297 vulnerabilities (74 low, 1 moderate, 222 high)
fixed 220 of 297 vulnerabilities in 37345 scanned packages
  1 vulnerability required manual review and could not be updated
  3 package updates for 76 vulns involved breaking changes
fixed 76 of 77 vulnerabilities in 37290 scanned packages
  1 vulnerability required manual review and could not be updated
  3 package updates for 76 vulns involved breaking changes

I could fix all but one by using npm's audit tool. The remaining one is based on a pretty transitive dependency.

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ mem                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-release [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-release > @semantic-release/npm > npm > libnpx >    │
│               │ yargs > os-locale > mem                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1084                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Versions of mem prior to 4.0.0 are vulnerable to Denial of Service (DoS). The package fails to remove old values from the cache even after a value passes its maxAge property. This may allow attackers to exhaust the system's memory if they are able to abuse the application logging.
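To make the failure mode in that advisory concrete, here is an added example (written for this page, not code from mem, semantic-release or the starter) of a memoizer with a `maxAge` option in two shapes: one that only checks expiry when the same key is looked up again, so entries for inputs that are never requested twice stay in the Map forever, and one that sweeps expired entries on every call. The names `memoizeLeaky`, `memoizeEvicting`, `demo` and the injected `now` clock are assumptions made here so the expiry can be driven deterministically instead of waiting on wall-clock time.

```typescript
// Added example, not mem's source. A memoize-with-maxAge in the leaky shape the
// advisory describes, beside a variant that actually evicts expired entries.

type Clock = () => number;

interface Entry<V> {
  value: V;
  expires: number; // absolute time (from the injected clock) after which the entry is stale
}

interface Memoized<A, V> {
  (arg: A): V;
  cacheSize: () => number;
}

// Variant 1 (leaky): staleness is only noticed on a repeat lookup of the same
// key. A stale entry is overwritten, never deleted, and a key that is never
// asked for again is kept for the life of the process. With attacker-chosen
// inputs (for example a logged string) the Map grows without bound.
export function memoizeLeaky<A, V>(fn: (arg: A) => V, maxAge: number, now: Clock = Date.now): Memoized<A, V> {
  const cache = new Map<A, Entry<V>>();
  const memoized = (arg: A): V => {
    const hit = cache.get(arg);
    if (hit !== undefined && hit.expires > now()) {
      return hit.value;
    }
    const value = fn(arg); // expired or missing: recompute and overwrite
    cache.set(arg, { value, expires: now() + maxAge });
    return value;
  };
  return Object.assign(memoized, { cacheSize: () => cache.size });
}

// Variant 2 (evicting): every call first drops all entries past their maxAge,
// not just the one being looked up, so memory is bounded by the number of
// distinct inputs seen inside one maxAge window. (Sweeping on each call is
// O(n); a timer-driven cleaner is the usual production alternative.)
export function memoizeEvicting<A, V>(fn: (arg: A) => V, maxAge: number, now: Clock = Date.now): Memoized<A, V> {
  const cache = new Map<A, Entry<V>>();
  const sweep = (t: number): void => {
    cache.forEach((entry, key) => {
      if (entry.expires <= t) {
        cache.delete(key); // deleting during Map#forEach is safe in JS
      }
    });
  };
  const memoized = (arg: A): V => {
    const t = now();
    sweep(t);
    const hit = cache.get(arg);
    if (hit !== undefined) {
      return hit.value;
    }
    const value = fn(arg);
    cache.set(arg, { value, expires: t + maxAge });
    return value;
  };
  return Object.assign(memoized, { cacheSize: () => cache.size });
}

// Drives both variants with a constructed stream of unique keys, advances the
// fake clock past maxAge, then makes one more call and reports the cache sizes.
export function demo(uniqueKeys: number, maxAge = 1000): { leaky: number; evicting: number } {
  let fakeNow = 0;
  const clock: Clock = () => fakeNow;
  const work = (s: string): number => s.length; // stand-in for the expensive function

  const leaky = memoizeLeaky(work, maxAge, clock);
  const evicting = memoizeEvicting(work, maxAge, clock);

  for (let i = 0; i < uniqueKeys; i++) {
    leaky(`request-${i}`);
    evicting(`request-${i}`);
    fakeNow += 1; // one clock tick per request
  }
  fakeNow += maxAge; // every entry written above is now older than maxAge
  leaky("probe");    // leaky: all old entries survive, plus this one
  evicting("probe"); // evicting: stale entries are swept, only this one remains

  return { leaky: leaky.cacheSize(), evicting: evicting.cacheSize() };
}
```

`demo(10000)` leaves the leaky cache holding 10001 entries and the evicting one holding 1, which is the difference between "value expired" and "memory released". For the dependency chain in the audit output above, the fix is a patched `mem` (the advisory says `>=4.0.0`) somewhere up the tree; where the direct dependency has not yet picked that up, npm 8.3+ lets a project force the version with an `overrides` entry in package.json (yarn uses `resolutions`). Since the vulnerable copy here sits under `semantic-release` in devDependencies, the exposed process is the release tooling on the CI runner, not consumers of the published library.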