lantanagroup / FHIR.js

Node.JS library for serializing/deserializing FHIR resources between JS/JSON and XML using various node.js XML libraries
Apache License 2.0
103 stars 29 forks

NPM audit vulnerabilities #15

Open joepaquette opened 5 years ago

joepaquette commented 5 years ago

Cloned the current master branch and found the following npm audit results:

```
.../FHIR.js$ npm audit

                       === npm audit security report ===

// Run  npm install --save-dev webpack@4.29.2  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > async > lodash                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > async > lodash                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > anymatch > micromatch >     │
│               │ braces > expand-range > fill-range > randomatic              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

// Run  npm update lodash --depth 4  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ typedoc [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ typedoc > handlebars > async > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 4 low severity vulnerabilities in 1119 scanned packages
  run npm audit fix to fix 1 of them.
  3 vulnerabilities require semver-major dependency updates.
```

ghost commented 4 years ago

Installing the latest NPM release (4.7) currently triggers a High NPM audit warning due to another weakness in lodash:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.12                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fhir                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ fhir > lodash                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
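A CI-side gate for findings like the ones above, added here as an example and not code from FHIR.js or from either commenter: it reads the JSON form of `npm audit` (the npm 6 `advisories` layout with `module_name`, `severity`, `patched_versions` and `findings[].version`/`paths`), compares each installed version against the advisory's "Patched in" range, and reports paths such as `fhir > lodash` that are still unpatched at or above a chosen severity. The function names, the sample report and every value in it other than advisory 1065's `>=4.17.12` are assumptions constructed for illustration.

```javascript
// "4.17.12" -> [4, 17, 12]; pre-release/build suffixes are ignored here
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  const i = [0, 1, 2].find(k => (pa[k] || 0) !== (pb[k] || 0));
  return i === undefined ? 0 : (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
}
// Ranges as npm prints them under "Patched in": ">=4.17.12", space-joined
// conjunctions (">=4.0.0 <4.17.12") and "||" alternatives.
function satisfies(version, range) {
  if (range === '<0.0.0') return false; // npm's marker for "no fix available"
  return range.split('||').some(clause => clause.trim().split(/\s+/).every(cmp => {
    const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+\S*)$/.exec(cmp);
    if (!m) return false;
    const c = compareVersions(version, m[2]);
    return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[m[1] || '='];
  }));
}
const SEVERITY = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };
// One record per installed copy still outside the patched range, with the
// dependency path rendered the way `npm audit` prints it ("fhir > lodash").
function unpatchedFindings(report, minSeverity = 'low') {
  const out = [];
  for (const adv of Object.values(report.advisories || {})) {
    if (SEVERITY[adv.severity] < SEVERITY[minSeverity]) continue;
    for (const f of adv.findings || []) {
      if (satisfies(f.version, adv.patched_versions)) continue;
      for (const p of f.paths) out.push({ id: adv.id, module: adv.module_name, version: f.version,
        severity: adv.severity, patched: adv.patched_versions, path: p.split('>').join(' > ') });
    }
  }
  return out;
}
// Constructed sample mirroring the lodash findings quoted in this issue; only
// advisory 1065's ">=4.17.12" is from the thread, the other values are assumed.
const SAMPLE_REPORT = { advisories: {
  1065: { id: 1065, module_name: 'lodash', severity: 'high', title: 'Prototype Pollution',
          patched_versions: '>=4.17.12', findings: [{ version: '4.17.11', paths: ['fhir>lodash'] }] },
  577: { id: 577, module_name: 'lodash', severity: 'low', title: 'Prototype Pollution',
         patched_versions: '>=4.17.5', findings: [{ version: '4.17.4', paths: ['typedoc>handlebars>async>lodash'] }] },
} };
// Exit status a CI job would use: 1 when anything at or above minSeverity is unpatched.
function auditGate(report, minSeverity = 'high') {
  const failing = unpatchedFindings(report, minSeverity);
  for (const f of failing) console.log(`${f.severity}: ${f.module}@${f.version} via ${f.path} (advisory ${f.id}, patched in ${f.patched})`);
  return failing.length ? 1 : 0;
}
console.log('exit status:', auditGate(SAMPLE_REPORT));
```

In a pipeline, feed it the output of `npm audit --json` and use the returned status as the job's exit code.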