eWaterCycle / setup-singularity

GitHub action to setup singularity
Apache License 2.0

Fix audit #11

Closed sverhoeven closed 1 year ago

sverhoeven commented 1 year ago
Fix audit problems in previous CI job

```shell
Run npm audit --audit-level=high

=== npm audit security report ===

# Run npm update @actions/core --depth 2 to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ @actions/core has Delimiter Injection Vulnerability in       │
│               │ exportVariable                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @actions/core                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @actions/core                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @actions/core                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-7r3h-m5j6-3q42            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ @actions/core has Delimiter Injection Vulnerability in       │
│               │ exportVariable                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ @actions/core                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @actions/tool-cache                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @actions/tool-cache > @actions/core                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-7r3h-m5j6-3q42            │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run npm update node-fetch --depth 5 to resolve 2 vulnerabilities
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @actions/github                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @actions/github > @octokit/core > @octokit/request >         │
│               │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r683-j2x4-v87g            │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ node-fetch is vulnerable to Exposure of Sensitive            │
│               │ Information to an Unauthorized Actor                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ node-fetch                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @actions/github                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @actions/github > @octokit/core > @octokit/graphql >         │
│               │ @octokit/request > node-fetch                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://github.com/advisories/GHSA-r683-j2x4-v87g            │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 4 vulnerabilities (2 moderate, 2 high) in 33 scanned packages
  run `npm audit fix` to fix 4 of them.
```