keystonejs / keystone-classic

Node.js CMS and web app framework
http://v4.keystonejs.com
MIT License

npm audit vulnerabilities #4845

Open henryprescott opened 6 years ago

henryprescott commented 6 years ago

npm audit vulnerabilities & warnings.

Expected behavior

npm audit should not produce deprecation warnings or warn about vulnerabilities relating to keystone.

Actual/Current behavior

                   === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > asyncdi > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > grappling-hook > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > embedly > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > expression-match > lodash

More info https://nodesecurity.io/advisories/577

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > cryptiles > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > sntp > hoek

More info https://nodesecurity.io/advisories/566

Moderate Regular Expression Denial of Service

Package mime

Patched in >= 1.4.1 < 2.0.0 || >= 2.0.3

Dependency of keystone

Path keystone > embedly > superagent > mime

More info https://nodesecurity.io/advisories/535

Low Large gzip Denial of Service

Package superagent

Patched in >=3.7.0

Dependency of keystone

Path keystone > embedly > superagent

More info https://nodesecurity.io/advisories/479

found 10 vulnerabilities (5 low, 5 moderate) in 12806 scanned packages
  10 vulnerabilities require manual review. See the full report for details.

Steps to reproduce the actual/current behavior

npm audit

Environment

Software   Version
Keystone   4.0.0
Node.js    10.13.0
OS         Windows 7
npm        6.4.0

stennie commented 6 years ago

@henryprescott While ideally npm audit should not produce any warnings, these issues need to be addressed in the upstream packages with flagged dependencies. Aside from less-middleware (which will be updated via #4822), there do not appear to be updated packages available for Keystone to require. Some of those packages haven't had releases in a few years, so it's possible there may be more actively maintained alternatives to use (I'd appreciate it if anyone would like to comment with suggestions).

Per the Manual Review information in the npm audit docs, it would be best to create issues (or PRs) in the upstream repos. I'll do so for these.

Regards, Stennie
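Stennie's point is that each finding has to be fixed in the first package below keystone on its path. The following is an added example, not code from the keystone repo, that groups the findings of an npm 6 `npm audit --json` report by that upstream package; the report layout (`advisories[id].findings[].paths` with `>` separators) is assumed from npm 6, and the sample report is constructed to mirror the findings quoted above.

```javascript
// Added example, not code from the keystone repo: group the findings of an
// npm 6 `npm audit --json` report by the direct dependency of keystone they
// sit under, i.e. the upstream package that has to ship the fixed version.
// Assumed report layout: advisories[id].findings[].paths, '>'-separated.
// The sample is constructed to mirror the findings quoted in this issue.
const sampleAudit = {
  advisories: {
    '577': { id: 577, module_name: 'lodash', severity: 'low',
      title: 'Prototype Pollution', patched_versions: '>=4.17.5',
      findings: [{ paths: ['keystone>asyncdi>lodash',
        'keystone>grappling-hook>lodash', 'keystone>embedly>lodash',
        'keystone>expression-match>lodash'] }] },
    '566': { id: 566, module_name: 'hoek', severity: 'moderate',
      title: 'Prototype pollution', patched_versions: '> 4.2.0 < 5.0.0 || >= 5.0.3',
      findings: [{ paths: [
        'keystone>less-middleware>less>request>hawk>boom>hoek',
        'keystone>less-middleware>less>request>hawk>hoek'] }] },
    '535': { id: 535, module_name: 'mime', severity: 'moderate',
      title: 'Regular Expression Denial of Service',
      patched_versions: '>= 1.4.1 < 2.0.0 || >= 2.0.3',
      findings: [{ paths: ['keystone>embedly>superagent>mime'] }] },
  },
};

// Returns { [directDependency]: [{ id, module, severity, depth }] }; depth is
// the number of hops below `root` (1 = the direct dependency is the vulnerable
// package). Paths not rooted at `root` are skipped, and an advisory reached
// through several paths under the same upstream is listed once.
function groupByUpstream(audit, root = 'keystone') {
  const groups = {};
  const seen = new Set();
  for (const adv of Object.values(audit.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const hops = path.split('>');
        if (hops[0] !== root || hops.length < 2) continue;
        const upstream = hops[1];
        const key = adv.id + '@' + upstream;
        if (seen.has(key)) continue;
        seen.add(key);
        (groups[upstream] = groups[upstream] || []).push({
          id: adv.id, module: adv.module_name, severity: adv.severity,
          depth: hops.length - 1,
        });
      }
    }
  }
  return groups;
}
```

Feed it the real report with `groupByUpstream(JSON.parse(require('fs').readFileSync('audit.json', 'utf8')))`; each key is a repo to file an issue against, and `depth` shows how far the fix has to travel before keystone picks it up.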

stennie commented 6 years ago

Issues/PRs for dependency updates:

henryprescott commented 6 years ago

@stennie Thanks for the help, that's great. So now do we wait for those changes to get approved? It looks like some of those repos haven't been touched in a while!

stennie commented 6 years ago

@henryprescott Yes, have to wait for those commits to be merged and included in an npm release. If the repos aren't maintained and there's no response, we could continue ignoring the npm warnings, fork the package and re-release, or look for an alternative package that is actively maintained.

henryprescott commented 6 years ago

@stennie I've been doing some manual updating locally just to see how far I can get. I've managed to get down to 1 low vulnerability, before I run into an issue when running keystone.js:

<project directory>\node_modules\grappling-hook\index.js:498
var middleware = this.__grappling.middleware;
                      ^

TypeError: Cannot read property '__grappling' of undefined
    at <project directory>\node_modules\grappling-hook\index.js:498:26
    at arrayEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:516:11)
    at Function.forEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:9344:14)
    at Keystone.allowHooks (<project directory>\node_modules\grappling-hook\index.js:493:5)
    at new Keystone (<project directory>\node_modules\keystone\index.js:25:24)
    at Object.<anonymous> (<project directory>\node_modules\keystone\index.js:140:33)
    at Module._compile (internal/modules/cjs/loader.js:688:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:699:10)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)

Did you have this issue when modifying grappling-hook - keystonejs/grappling-hook#58?
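The trace above fails inside a lodash forEach callback with `this` undefined. One known breaking change between lodash 3 and 4 is that `_.forEach` no longer accepts a `thisArg`; whether grappling-hook's `allowHooks` relies on that is an assumption here, not something the thread confirms. The following is an added example, not code from grappling-hook or keystone, that reproduces the pattern and its fix without lodash installed (the registry shape and hook names are made up for the example).

```javascript
// Added example, not code from grappling-hook or keystone. lodash 3's
// _.forEach accepted a third `thisArg` and invoked the iteratee with it as
// `this`; lodash 4 dropped that parameter. The two stand-ins below reproduce
// only that difference, so the block runs without lodash installed.
'use strict';
function forEachLodash3(collection, iteratee, thisArg) {
  collection.forEach((item) => iteratee.call(thisArg, item));
}
function forEachLodash4(collection, iteratee /* thisArg is ignored */) {
  collection.forEach((item) => iteratee.call(undefined, item));
}

// Assumed hook registry in the grappling-hook style (not the library's code):
// the iteratee reads `this.__grappling`, so it depends on `this` being
// forwarded by forEach. Under lodash 4 semantics `this` is not the registry.
function makeRegistry(forEach) {
  return {
    __grappling: { middleware: {} },
    allowHooks(hooks) {
      forEach(hooks, function (hook) {
        var middleware = this.__grappling.middleware; // TypeError when `this` is lost
        middleware[hook] = middleware[hook] || [];
      }, this);
      return Object.keys(this.__grappling.middleware);
    },
  };
}

// Fixed form: an arrow function captures `this` lexically, so the registry
// works under both lodash 3 and lodash 4 semantics (bind(this) would do too).
function makeRegistryFixed(forEach) {
  return {
    __grappling: { middleware: {} },
    allowHooks(hooks) {
      forEach(hooks, (hook) => {
        var middleware = this.__grappling.middleware;
        middleware[hook] = middleware[hook] || [];
      });
      return Object.keys(this.__grappling.middleware);
    },
  };
}

// Runs allowHooks and reports either the registered hooks or the error.
function tryAllowHooks(registry, hooks) {
  try { return { ok: true, hooks: registry.allowHooks(hooks) }; }
  catch (e) { return { ok: false, error: e.constructor.name + ': ' + e.message }; }
}
```

The lesson for a manual dependency bump is that a semver-major jump of a transitive package can change call semantics even when the patched advisory is unrelated to the code that breaks.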