Closed tmc closed 5 years ago
thanks! seems we can go through them one by one and update or remove deps. my npm doesn't have audit sub-command in it, so i'm upgrading / figuring out how to upgrade versions.
some of these modules i recognize (ws, ua-parser, uglify), some i don't (negotiator, debug, mime, natives, graceful-fs)
the workflow to fix this is not pleasant. what i thought can be done: go through each dependency that is out of date and run "npm install --save
this doesn't work though because some of the vulnerabilities are in dependencies of dependencies, f.e. "debug" module. it requires going through and updating each dependency that depends on debug to the right version.
is there something i'm missing?
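As an added example (not code from this issue or the snorkel project), a Node script that walks an `npm ls --json`-style tree and lists every vulnerable copy of a transitive package such as `debug` under the direct dependency that pulls it in, which is the package whose version actually has to move. The sample tree, its parent package names and the `2.6.9` fix threshold are constructed or assumed for illustration, not taken from the thread.

```javascript
// Constructed sample tree in the shape `npm ls --json` emits. The leaf names
// and versions (debug, fresh) match the audit output in the thread; the parent
// packages and their versions are made up for illustration.
const sampleTree = {
  name: 'snorkel', version: '0.0.0',
  dependencies: {
    'web-framework': {
      version: '1.0.0',
      dependencies: {
        debug: { version: '2.2.0' },
        send: { version: '0.1.0', dependencies: { debug: { version: '2.2.0' }, fresh: { version: '0.3.0' } } },
      },
    },
    'log-helper': { version: '3.2.1', dependencies: { debug: { version: '0.7.4' } } },
    'up-to-date': { version: '9.9.9', dependencies: { debug: { version: '3.1.0' } } },
  },
};

// Numeric compare of dotted versions, so no semver module is needed.
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  return false;
}

// Every root-to-leaf path ending in `pkg` at a version below `fixedIn`, as arrays of "name@version".
function findVulnerablePaths(tree, pkg, fixedIn) {
  const found = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = path.concat(`${name}@${child.version}`);
      if (name === pkg && versionLess(child.version, fixedIn)) found.push(here);
      walk(child, here);
    }
  };
  walk(tree, []);
  return found;
}

// Group paths by the direct dependency at their head: that is the package.json entry to bump.
function groupByTopLevel(paths) {
  const groups = {};
  for (const p of paths) (groups[p[0]] = groups[p[0]] || []).push(p.join(' > '));
  return groups;
}

// '2.6.9' is an assumed fix threshold for debug; take the real one from the advisory.
console.log(groupByTopLevel(findVulnerablePaths(sampleTree, 'debug', '2.6.9')));
```

On a real project, replace `sampleTree` with `JSON.parse` of `npm ls --json` output; copies that sit under `up-to-date` style parents at a fixed version are correctly left out.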
i blew away node_modules, deleted shrinkwrap and am reinstalling everything.
with all dependencies up to date (afaik), i still get an audit list:
---> Running in 7d260c209d2b
npm WARN notice [SECURITY] squel has 1 critical vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=squel&version=5.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] pg has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=pg&version=4.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ua-parser has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ua-parser&version=0.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] uglify-js has 2 low vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=uglify-js&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] ws has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=ws&version=1.1.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.3.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=0.7.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] negotiator has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=negotiator&version=0.5.3 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=2.2.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] fresh has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=fresh&version=0.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] mime has 1 moderate vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=mime&version=1.3.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
so i guess i have to go through these one by one and bug their projects / remove the dependency
needs triage:
both of these are in optional deps for snorkel that come from using postgres database backends
uncertain:
addressed:
not done yet:
current status:
Step 5/9 : RUN npm install
---> Running in 19093998f821
npm WARN notice [SECURITY] squel has 1 critical vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=squel&version=5.12.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] pg has 1 high vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=pg&version=4.3.0 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] uglify-js has 2 low vulnerabilities. Go here for more details: https://nodesecurity.io/advisories?search=uglify-js&version=1.3.5 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] deep-extend has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=deep-extend&version=0.4.2 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] debug has 1 low vulnerability. Go here for more details: https://nodesecurity.io/advisories?search=debug&version=0.7.4 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
example from 'npm install':