ovhemert
commented
5 years ago Lockfiles were intentionally disabled as you can see here: https://github.com/nearform/udaru/pull/499#discussion_r176905785
Although they are never added to a commit, we can generate them using npm i --package-lock-only and then run npm audit.
As of today, for all 4 packages, this results in: 43 vulnerabilities (6 low, 22 moderate, 15 high)
Almost all of them introduced through npx.
The npx package is mainly used to just run internal scripts from package.json. But since it runs packages that are already in the dependencies, it would be better to run them directly.
Example:
In udaru-core => package.json => scripts there is: "depcheck": "npx depcheck"
But we could just run depcheck, because that package is already in devDependencies.
I suggest:
- remove the
npxpackage (only used inpackage.jsonscripts) completely from all dependencies and replace it with direct calls. This would remove almost all vulnerability warnings. - add script to easily run
npm auditfor all the individual packages
cc: @dberesford @mcollina
mcollina
Let's take a look at https://blog.npmjs.org/post/173719309445/npm-audit-identify-and-fix-insecure and hopefully incorporate into udaru CI.
We do need to add a lockfile to udaru-hapi-server first (which we should do anyway). Running this locally there appears to be a lot of warnings about npx and a few other modules, let's dig into these and see if we can get to a clean scan.