uses deprecated dependencies

tmc commented 6 years ago

example from 'npm install':

npm WARN deprecated Faker@0.7.2: Please use the (lowercase) 'faker' package from now on.
npm WARN deprecated uws@0.14.5: stop using this version
npm WARN deprecated connect@2.30.2: connect 2.x series is deprecated
npm WARN deprecated coffee-script@1.12.7: CoffeeScript on NPM has moved to "coffeescript" (no hyphen)
npm WARN deprecated graceful-fs@3.0.11: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated CSSselect@0.7.0: the module is now available as 'css-select'
npm WARN deprecated natives@1.1.3: This module relies on Node.js's internals and will break at some point. Do not use it, and update to graceful-fs@4.x.
npm WARN deprecated CSSwhat@0.4.7: the module is now available as 'css-what'
npm WARN notice [SECURITY] squel has 1 critical vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=squel&version=5.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] pg has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=pg&version=4.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ua-parser has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ua-parser&version=0.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] uglify-js has 2 low vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=uglify-js&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ws has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ws&version=1.1.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.3.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=0.7.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.2.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] negotiator has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=negotiator&version=0.5.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] fresh has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=fresh&version=0.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] mime has 1 moderate vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=mime&version=1.3.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

okayzed commented 6 years ago

thanks! seems we can go through them one by one and update or remove deps. my npm doesn't have audit sub-command in it, so i'm upgrading / figuring out how to upgrade versions.

for faker, can likely remove the whole feature dependent on it (in app/server/fake_data)
for connect: uncertain if upgrade path to 3.0 is clean
for modules with security problems, likely ok to upgrade them, just need to do some testing.
for squel and pg - they will not be used if you aren't using postgres adapter (in app/server/backends/postgres_)

some of these modules i recognize (ws, ua-parser, uglify), some i don't (negotiator, debug, mime, natives, graceful-fs)

okayzed commented 6 years ago

the workflow to fix this is not pleasant. what i thought can be done: go through each dependency that is out of date and run "npm install --save " followed by npm shrinkwrap.

this doesn't work though because some of the vulnerabilities are in dependencies of dependencies, f.e. "debug" module. it requires going through and updating each dependency that depends on debug to the right version.

is there something i'm missing?

okayzed commented 6 years ago

i blew away node_modules, deleted shrinkwrap and am reinstalling everything.

with all dependencies up to date (afaik), i still get an audit list:

 ---> Running in 7d260c209d2b
npm WARN notice [SECURITY] squel has 1 critical vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=squel&version=5.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] pg has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=pg&version=4.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ua-parser has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ua-parser&version=0.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] uglify-js has 2 low vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=uglify-js&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ws has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ws&version=1.1.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.3.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=0.7.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] negotiator has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=negotiator&version=0.5.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.2.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] fresh has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=fresh&version=0.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] mime has 1 moderate vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=mime&version=1.3.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

>

so i guess i have to go through these one by one and bug their projects / remove the dependency

okayzed commented 6 years ago

needs triage:

both of these are in optional deps for snorkel that come from using postgres database backends

pg: vulnerability is against malicious databases. seems like an unlikely vector
squel: vulnerability exists in setFields(), is not a method we call from snorkel.

uncertain:

uglifyjs: i believe that we do not pass user input to uglifyjs. uglifyjs is used in the packager for the underlying js framework (superfluous) and no user input is involved.

addressed:

ua-parser: should be switched to useragent (https://nodesecurity.io/advisories/316).
ws (dep of superfluous)
negotiator (dep of connect-redirect in superfluous)
fresh (dep of connect-redirect in superfluous)
mime (dep of connect in superfluous)

not done yet:

debug (sub-dep of superfluous)
deep-extend

current status:

Step 5/9 : RUN npm install
 ---> Running in 19093998f821
npm WARN notice [SECURITY] squel has 1 critical vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=squel&version=5.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] pg has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=pg&version=4.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] uglify-js has 2 low vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=uglify-js&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] deep-extend has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=deep-extend&version=0.4.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=0.7.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

logv / snorkel

uses deprecated dependencies #27