Open joepaquette opened 5 years ago
Installing the latest NPM release (4.7) currently triggers a High NPM audit warning due to another weakness in lodash:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ fhir │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ fhir > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1065                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
Cloned the current master branch and found the following `npm audit` results:

```
.../FHIR.js$ npm audit

// Run  npm install --save-dev webpack@4.29.2  to resolve 3 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > async > lodash                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > async > lodash                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Cryptographically Weak PRNG                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ randomatic                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > anymatch > micromatch >     │
│               │ braces > expand-range > fill-range > randomatic              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/157                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

// Run  npm update lodash --depth 4  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ typedoc [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ typedoc > handlebars > async > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 4 low severity vulnerabilities in 1119 scanned packages
  run `npm audit fix` to fix 1 of them.
  3 vulnerabilities require semver-major dependency updates.
```
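To check whether a dependency tree still carries a lodash copy below the patched range from advisory 1065 (>=4.17.12), here is an added example that is not part of the FHIR.js issue or of npm's own code. It walks a constructed npm v6 lock-file style tree (the `fhir` and `webpack` entries and their versions are sample data, not the real lock file) and reports each affected path in the same "fhir > lodash" form that npm audit prints.

```javascript
// Added example (not from the FHIR.js issue or npm): locate every copy of a
// package in a package-lock.json-style tree and flag those below the patched
// version. Assumes plain x.y.z versions with no prerelease tags.
const PATCHED = '4.17.12'; // "Patched in" value from npm advisory 1065

// Compare two x.y.z version strings numerically: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over nested "dependencies" maps (npm v6 lock format: each
// entry has "version" and an optional nested "dependencies" object). Returns
// one finding per vulnerable copy, with the path written as "a > b > pkg".
function findVulnerable(deps, pkg, patched, trail = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps)) {
    const path = [...trail, name];
    if (name === pkg && compareVersions(entry.version, patched) < 0) {
      hits.push({ path: path.join(' > '), version: entry.version });
    }
    if (entry.dependencies) {
      hits.push(...findVulnerable(entry.dependencies, pkg, patched, path));
    }
  }
  return hits;
}

// Constructed sample tree: fhir nests an old lodash, while a dev-only chain
// already carries a patched copy and must not be reported.
const sampleLock = {
  fhir: { version: '4.7.0', dependencies: { lodash: { version: '4.17.11' } } },
  webpack: { version: '4.29.2', dependencies: {
    async: { version: '2.6.1', dependencies: { lodash: { version: '4.17.12' } } },
  } },
};

const findings = findVulnerable(sampleLock, 'lodash', PATCHED);
for (const f of findings) {
  console.log(`lodash ${f.version} < ${PATCHED} via ${f.path}`);
}
```

Against a real project, replace `sampleLock` with the `dependencies` object read from `package-lock.json`, or with the JSON produced by `npm ls --json` if a different lock format is in use.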