Open henryprescott opened 6 years ago
@henryprescott While ideally npm audit should not produce any warnings, these issues need to be addressed in the upstream packages with flagged dependencies. Aside from less-middleware (which will be updated via #4822), there do not appear to be updated packages available for Keystone to require. Some of those packages haven't had releases in a few years, so it's possible there may be more actively maintained alternatives to use (appreciate if anyone would like to comment with suggestions).
Per the Manual Review information in the npm audit docs, it would be best to create issues (or PRs) in the upstream repos. I'll do so for these.
Regards, Stennie
Issues/PRs for dependency updates:
@stennie Thanks for the help, that's great. So now do we wait for those changes to get approved? It looks like some of those repos haven't been touched in a while!
@henryprescott Yes, we have to wait for those commits to be merged and included in an npm release. If the repos aren't maintained and there's no response, we could continue ignoring the npm warnings, fork the package and re-release, or look for an alternative package that is actively maintained.
@stennie I've been doing some manual updating locally just to see how far I can get. I've managed to get down to 1 low vulnerability, before I run into an issue when running keystone.js:
```
<project directory>\node_modules\grappling-hook\index.js:498
    var middleware = this.__grappling.middleware;
                          ^

TypeError: Cannot read property '__grappling' of undefined
    at <project directory>\node_modules\grappling-hook\index.js:498:26
    at arrayEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:516:11)
    at Function.forEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:9344:14)
    at Keystone.allowHooks (<project directory>\node_modules\grappling-hook\index.js:493:5)
    at new Keystone (<project directory>\node_modules\keystone\index.js:25:24)
    at Object.<anonymous> (<project directory>\node_modules\keystone\index.js:140:33)
    at Module._compile (internal/modules/cjs/loader.js:688:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:699:10)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
```
Did you have this issue when modifying grappling-hook - keystonejs/grappling-hook#58?
npm audit vulnerabilities & warnings.
Expected behavior
npm audit should not produce deprecation warnings or warn about vulnerabilities relating to keystone.
Actual/Current behavior
All ten findings are transitive dependencies of `keystone`:

| Severity | Issue | Package | Patched in | Path | More info |
|----------|-------|---------|------------|------|-----------|
| Low | Prototype Pollution | lodash | >=4.17.5 | keystone > asyncdi > lodash | https://nodesecurity.io/advisories/577 |
| Low | Prototype Pollution | lodash | >=4.17.5 | keystone > grappling-hook > lodash | https://nodesecurity.io/advisories/577 |
| Low | Prototype Pollution | lodash | >=4.17.5 | keystone > embedly > lodash | https://nodesecurity.io/advisories/577 |
| Low | Prototype Pollution | lodash | >=4.17.5 | keystone > expression-match > lodash | https://nodesecurity.io/advisories/577 |
| Moderate | Prototype pollution | hoek | > 4.2.0 < 5.0.0 \|\| >= 5.0.3 | keystone > less-middleware > less > request > hawk > boom > hoek | https://nodesecurity.io/advisories/566 |
| Moderate | Prototype pollution | hoek | > 4.2.0 < 5.0.0 \|\| >= 5.0.3 | keystone > less-middleware > less > request > hawk > cryptiles > boom > hoek | https://nodesecurity.io/advisories/566 |
| Moderate | Prototype pollution | hoek | > 4.2.0 < 5.0.0 \|\| >= 5.0.3 | keystone > less-middleware > less > request > hawk > hoek | https://nodesecurity.io/advisories/566 |
| Moderate | Prototype pollution | hoek | > 4.2.0 < 5.0.0 \|\| >= 5.0.3 | keystone > less-middleware > less > request > hawk > sntp > hoek | https://nodesecurity.io/advisories/566 |
| Moderate | Regular Expression Denial of Service | mime | >= 1.4.1 < 2.0.0 \|\| >= 2.0.3 | keystone > embedly > superagent > mime | https://nodesecurity.io/advisories/535 |
| Low | Large gzip Denial of Service | superagent | >=3.7.0 | keystone > embedly > superagent | https://nodesecurity.io/advisories/479 |

found 10 vulnerabilities (5 low, 5 moderate) in 12806 scanned packages. 10 vulnerabilities require manual review. See the full report for details.
Steps to reproduce the actual/current behavior
npm audit
Environment
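As an added example (not Keystone or npm code), the following script parses the plain-text `npm audit` report format quoted in this issue and rolls the findings up per advisory, so that the "manual review" step Stennie mentions becomes a short list: which direct dependency of keystone pulls each vulnerable package in, and which immediate parent pins the vulnerable range (the package whose package.json needs an upstream issue or PR). `SAMPLE` is a constructed excerpt written in the report's format; `parseAuditReport`, `summarize` and `formatSummary` are names chosen for this example.

```javascript
// Added example, not Keystone or npm code. Parses the plain-text `npm audit` report
// format quoted in this issue and groups the findings per advisory.
// SAMPLE is a constructed excerpt in that format.
const SAMPLE = `
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of keystone
Path keystone > asyncdi > lodash
More info https://nodesecurity.io/advisories/577
Low Prototype Pollution
Package lodash
Patched in >=4.17.5
Dependency of keystone
Path keystone > grappling-hook > lodash
More info https://nodesecurity.io/advisories/577
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of keystone
Path keystone > less-middleware > less > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Regular Expression Denial of Service
Package mime
Patched in >= 1.4.1 < 2.0.0 || >= 2.0.3
Dependency of keystone
Path keystone > embedly > superagent > mime
More info https://nodesecurity.io/advisories/535
`;

const SEVERITIES = ['Critical', 'High', 'Moderate', 'Low']; // most to least severe

// One record per finding block. A block starts with "<Severity> <Issue title>".
function parseAuditReport(text) {
  const findings = [];
  let current = null;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    const severity = SEVERITIES.find((s) => line.startsWith(s + ' '));
    if (severity) {
      current = { severity, title: line.slice(severity.length + 1), package: '',
                  patchedIn: '', dependencyOf: '', path: [], url: '' };
      findings.push(current);
    } else if (current && line.startsWith('Package ')) {
      current.package = line.slice('Package '.length);
    } else if (current && line.startsWith('Patched in ')) {
      current.patchedIn = line.slice('Patched in '.length);
    } else if (current && line.startsWith('Dependency of ')) {
      current.dependencyOf = line.slice('Dependency of '.length);
    } else if (current && line.startsWith('Path ')) {
      current.path = line.slice('Path '.length).split(' > ');
    } else if (current && line.startsWith('More info ')) {
      current.url = line.slice('More info '.length);
    }
  }
  return findings;
}

// Group by advisory URL and collect the two upstreams that matter for triage.
function summarize(findings) {
  const byAdvisory = new Map();
  for (const f of findings) {
    if (!byAdvisory.has(f.url)) {
      byAdvisory.set(f.url, { url: f.url, package: f.package, severity: f.severity, title: f.title,
                              patchedIn: f.patchedIn, count: 0, directDeps: new Set(), parents: new Set() });
    }
    const entry = byAdvisory.get(f.url);
    entry.count += 1;
    if (f.path.length >= 2) {
      entry.directDeps.add(f.path[1]);              // what keystone itself requires
      entry.parents.add(f.path[f.path.length - 2]); // whose package.json pins the vulnerable range
    }
  }
  return [...byAdvisory.values()]
    .map((e) => ({ ...e, directDeps: [...e.directDeps].sort(), parents: [...e.parents].sort() }))
    .sort((a, b) => SEVERITIES.indexOf(a.severity) - SEVERITIES.indexOf(b.severity));
}

// Human-readable triage list, most severe first.
function formatSummary(rows) {
  return rows.map((r) =>
    `${r.severity.padEnd(8)} ${r.package.padEnd(10)} ${r.count}x  patched in: ${r.patchedIn}\n` +
    `         via direct deps: ${r.directDeps.join(', ')}; pinned by: ${r.parents.join(', ')}`
  ).join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(formatSummary(summarize(parseAuditReport(SAMPLE))));
}
```

Run it as `node audit-triage.js` (any file name) to print the rolled-up list; to use it on a real report, pipe the output of `npm audit` into `parseAuditReport` instead of `SAMPLE`. The "pinned by" column is the package to file the upstream issue against, and "via direct deps" tells you which of keystone's own dependencies would need a bump (or a fork, or a replacement) once the upstream fix is released.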
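Eight of the ten findings above are "Prototype Pollution" (advisories 577 and 566). As an added illustration of that bug class, and not code from lodash, hoek or Keystone, here is a naive recursive deep-merge beside a hardened one: the naive version walks into `__proto__` when merging untrusted JSON and ends up writing onto `Object.prototype`, so every object in the process inherits the attacker-chosen property. `PAYLOAD` is a constructed example of untrusted input; `isPlainObject`, `unsafeMerge`, `safeMerge` and `pollutionOccurred` are names chosen for this example.

```javascript
// Added example, not lodash/hoek/Keystone code: why a deep merge over untrusted
// input is a prototype-pollution sink, and the usual hardening.
const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: follows any key, including "__proto__".
// For target = {}, target["__proto__"] is Object.prototype, so the recursion
// writes the payload's properties onto the shared prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened merge: refuse the keys that reach the prototype chain and only
// recurse into properties the target actually owns.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Constructed untrusted input. JSON.parse creates an *own* property named "__proto__",
// which is exactly what a merge that iterates Object.keys() will pick up.
const PAYLOAD = JSON.parse('{"name": "x", "__proto__": {"isAdmin": true}}');

// Runs one merge and reports whether an unrelated object gained the property.
// Cleans Object.prototype afterwards so the rest of the process is unaffected.
function pollutionOccurred(mergeFn) {
  const probe = {};
  try {
    mergeFn({}, PAYLOAD);
    return probe.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge pollutes Object.prototype:', pollutionOccurred(unsafeMerge));
  console.log('safeMerge pollutes Object.prototype:  ', pollutionOccurred(safeMerge));
}
```

The practical point for this issue is that the fix lives in the merging library, not in Keystone: until the patched lodash/hoek ranges in the table are pulled in through the intermediate packages, any code path that deep-merges request-controlled JSON with the vulnerable versions is exposed. Running the block prints `true` for the naive merge and `false` for the hardened one.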