maidsafe / sn_browser

Safe Network Browser Application
BSD 3-Clause "New" or "Revised" License
201 stars 55 forks

Run `npm audit` and upgrade identified vulnerable deps #386

Open hunterlester opened 5 years ago

hunterlester commented 5 years ago

yarn team is working on its own command but it's not ready yet: https://github.com/yarnpkg/yarn/issues/5808

hunterlester commented 5 years ago

This task is more involved than it appears:

hunterlester commented 5 years ago

Proposal to close this task. There are two possibly significant vulnerabilities identified, which should be resolved when we upgrade the electron version:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ electron > electron-download > nugget > request > hawk >     │
│               │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ asar                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ asar > mksnapshot > request > hawk > cryptiles               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/720                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
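The two audit entries above report the same advisory reached through two transitive paths, and whether the project is actually exposed depends on which `cryptiles` version the lockfile resolves against the `Patched in` range. The script below is an added example, not code from the sn_browser repository or from npm: it evaluates an installed version against an advisory's patched range (only the `>=`, `>`, `<=`, `<` and `=` comparators and the `||` disjunction that `npm audit` prints) and reports each dependency path. The advisory record and the installed versions are constructed for illustration.

```javascript
// Added example (not part of the sn_browser repository): check whether an
// installed transitive dependency falls inside an npm audit advisory's
// "Patched in" range. Advisory data and versions below are constructed.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three integers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// A range such as ">=3.1.3 <4.0.0 || >=4.1.2" is a disjunction ("||") of
// conjunctions (whitespace-separated comparators). Only the comparator
// forms that npm audit emits in "Patched in" are handled here.
function satisfiesRange(version, range) {
  return range.split('||').some(alternative =>
    alternative.trim().split(/\s+/).every(comparator => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(comparator);
      const op = m[1] || '=';
      const cmp = compareVersions(version, m[2]);
      switch (op) {
        case '>=': return cmp >= 0;
        case '>':  return cmp > 0;
        case '<=': return cmp <= 0;
        case '<':  return cmp < 0;
        default:   return cmp === 0;
      }
    })
  );
}

// Constructed advisory record modelled on the audit tables in the issue.
const advisory = {
  severity: 'high',
  title: 'Insufficient Entropy',
  module: 'cryptiles',
  patchedIn: '>=3.1.3 <4.0.0 || >=4.1.2',
  paths: [
    'electron > electron-download > nugget > request > hawk > cryptiles',
    'asar > mksnapshot > request > hawk > cryptiles',
  ],
};

// True when the resolved version is outside every patched alternative.
function isVulnerable(version, adv = advisory) {
  return !satisfiesRange(version, adv.patchedIn);
}

// One finding per dependency path, so each path can be tracked to the
// top-level package (electron, asar) whose upgrade would resolve it.
function assess(version, adv = advisory) {
  const vulnerable = isVulnerable(version, adv);
  return adv.paths.map(path => ({
    severity: adv.severity,
    title: adv.title,
    module: adv.module,
    version,
    path,
    vulnerable,
  }));
}

// Constructed resolved versions, as a lockfile might pin them.
for (const v of ['3.1.2', '3.1.3', '4.0.0', '4.1.2']) {
  for (const finding of assess(v)) {
    console.log(`${finding.module}@${finding.version} via ${finding.path}: ` +
      (finding.vulnerable ? 'VULNERABLE' : 'patched'));
  }
}
```

Note that `4.0.0` and `4.1.1` are reported as vulnerable even though they are newer than `3.1.3`: the range has a gap between `<4.0.0` and `>=4.1.2`, which is why the disjunction has to be evaluated alternative by alternative rather than by comparing against the lowest patched version.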

joshuef commented 5 years ago

Okay, let's mark this as blocked until the electron version is updated (and with that, we'd need to update spectron also, I suspect)