sindresorhus / pageres

Capture website screenshots
MIT License

6 high vulnerabilities after install - how I fixed it #408

Closed LostAccount closed 2 years ago

LostAccount commented 3 years ago

I am fresh to npm and node.js, which I installed using brew one day ago. I installed it just for pageres, but I kept seeing an issue over and over that I could not resolve until I used the --global flag.

Versions:
Mac OS High Sierra 10.13.6
npm --version: 7.5.0
node --version: v15.8.0

npm install --global pageres-cli followed by npm audit fix

The global install fixes my issue in that I can use pageres, but why is the package 326MB in size? Is this avoidable somehow? I have a feeling that this question is not for the pageres developers, but any guidance would be much obliged. I am reading the npm docs for now, but node is new to me. I installed it only for pageres.

➜  npm npm install --global pageres-cli

added 259 packages, and audited 260 packages in 52s

33 packages are looking for funding
  run `npm fund` for details

6 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
➜  npm npm audit fix

up to date, audited 1 package in 298ms

found 0 vulnerabilities

This is what kept happening when I did not install globally (npm install pageres):

➜  npm npm install pageres
((                       )) reify:date-fns: timing reifyNode:node_modules/puppeteer Completed in 1242ms

added 174 packages, and audited 176 packages in 55s

22 packages are looking for funding
  run `npm fund` for details

5 high severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
➜  npm 
➜  npm 
➜  npm npm audit  
# npm audit report

lodash  <=4.17.18
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via `npm audit fix --force`
Will install pageres@3.0.2, which is a breaking change
node_modules/cheerio/node_modules/lodash
  cheerio  0.14.0 - 0.19.0
  Depends on vulnerable versions of lodash
  node_modules/cheerio
    w3counter  1.0.0 || >=1.2.0
    Depends on vulnerable versions of cheerio
    node_modules/w3counter
      get-res  >=2.0.0
      Depends on vulnerable versions of w3counter
      node_modules/get-res
        pageres  >=4.0.0
        Depends on vulnerable versions of get-res
        node_modules/pageres

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
➜  npm npm audit fix --force
npm WARN using --force Recommended protections disabled.
npm WARN audit Updating pageres to 3.0.2,which is a SemVer major change.
npm WARN deprecated easydate@2.2.1: Development of this module has been stopped.
npm WARN deprecated ini@1.1.0: Please update to ini >=1.3.6 to avoid a prototype pollution issue
npm WARN deprecated json3@3.3.2: Please use the native JSON object instead of JSON 3
npm WARN deprecated npmconf@0.0.24: this package has been reintegrated into npm and is now out of date with respect to npm
npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated mkdirp@0.3.5: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated CSSwhat@0.4.7: the module is now available as 'css-what'
npm WARN deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated CSSselect@0.4.1: the module is now available as 'css-select'
npm WARN deprecated core-js@1.2.7: core-js@<3 is no longer maintained and not recommended for usage due to the number of issues. Please, upgrade your dependencies to the actual version of core-js@3.
npm ERR! code 1
npm ERR! path /Users/admin/node_modules/phantomjs
npm ERR! command failed
npm ERR! command sh -c node install.js
npm ERR! Downloading http://phantomjs.googlecode.com/files/phantomjs-1.9.2-macosx.zip
npm ERR! Saving to /var/folders/mt/dbxxpsbx661ctykd_48t9w6m0000gn/T/phantomjs/phantomjs-1.9.2-macosx.zip
npm ERR! Receiving...
npm ERR! Error requesting archive
npm ERR! Phantom installation failed Error: Error with http request: {
npm ERR!   'content-type': 'text/html; charset=UTF-8',
npm ERR!   'referrer-policy': 'no-referrer',
npm ERR!   'content-length': '1593',
npm ERR!   date: 'Tue, 16 Feb 2021 23:18:53 GMT',
npm ERR!   connection: 'close'
npm ERR! }
npm ERR!     at ClientRequest.<anonymous> (/Users/admin/node_modules/phantomjs/install.js:227:23)
npm ERR!     at Object.onceWrapper (node:events:485:26)
npm ERR!     at ClientRequest.emit (node:events:378:20)
npm ERR!     at HTTPParser.parserOnIncomingClient [as onIncoming] (node:_http_client:636:27)
npm ERR!     at HTTPParser.parserOnHeadersComplete (node:_http_common:129:17)
npm ERR!     at Socket.socketOnData (node:_http_client:502:22)
npm ERR!     at Socket.emit (node:events:378:20)
npm ERR!     at addChunk (node:internal/streams/readable:313:12)
npm ERR!     at readableAddChunk (node:internal/streams/readable:288:9)
npm ERR!     at Socket.Readable.push (node:internal/streams/readable:227:10) Error: Error with http request: {
npm ERR!   'content-type': 'text/html; charset=UTF-8',
npm ERR!   'referrer-policy': 'no-referrer',
npm ERR!   'content-length': '1593',
npm ERR!   date: 'Tue, 16 Feb 2021 23:18:53 GMT',
npm ERR!   connection: 'close'
npm ERR! }
npm ERR!     at ClientRequest.<anonymous> (/Users/admin/node_modules/phantomjs/install.js:227:23)
npm ERR!     at Object.onceWrapper (node:events:485:26)
npm ERR!     at ClientRequest.emit (node:events:378:20)
npm ERR!     at HTTPParser.parserOnIncomingClient [as onIncoming] (node:_http_client:636:27)
npm ERR!     at HTTPParser.parserOnHeadersComplete (node:_http_common:129:17)
npm ERR!     at Socket.socketOnData (node:_http_client:502:22)
npm ERR!     at Socket.emit (node:events:378:20)
npm ERR!     at addChunk (node:internal/streams/readable:313:12)
npm ERR!     at readableAddChunk (node:internal/streams/readable:288:9)
npm ERR!     at Socket.Readable.push (node:internal/streams/readable:227:10)

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/admin/.npm/_logs/2021-02-16T23_18_53_716Z-debug.log
➜  npm npm list
admin@ /Users/admin
├── lodash@4.17.20
└── pageres@6.1.0

➜  npm npm uninstall pageres

removed 174 packages, and audited 2 packages in 2s

found 0 vulnerabilities
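The `npm audit` report above is read by hand: follow the "Depends on vulnerable versions of" lines from lodash up to pageres, and note that the only available fix downgrades pageres to 3.0.2, a breaking change that `npm audit fix` refuses to apply without `--force`. The script below, an added example that is not code from this issue or from pageres, does the same walk over the machine-readable form of the report (`npm audit --json` in npm 7, whose `via`, `effects` and `fixAvailable` fields it relies on) and flags semver-major fixes before anyone reaches for `--force`. `sampleReport` is constructed to mirror the chain shown in the issue.

```javascript
// Added example (not from the issue or from pageres): summarise an npm 7
// `npm audit --json` report. `sampleReport` is CONSTRUCTED to mirror this issue.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    lodash: {
      name: 'lodash', severity: 'high', range: '<=4.17.18',
      via: [{ title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/1065' },
            { title: 'Prototype Pollution', url: 'https://npmjs.com/advisories/1523' }],
      effects: ['cheerio'],
      fixAvailable: { name: 'pageres', version: '3.0.2', isSemVerMajor: true },
    },
    cheerio:   { name: 'cheerio',   severity: 'high', via: ['lodash'],    effects: ['w3counter'] },
    w3counter: { name: 'w3counter', severity: 'high', via: ['cheerio'],   effects: ['get-res'] },
    'get-res': { name: 'get-res',   severity: 'high', via: ['w3counter'], effects: ['pageres'] },
    pageres:   { name: 'pageres',   severity: 'high', via: ['get-res'],   effects: [], isDirect: true },
  },
};

// Root findings are the entries whose `via` holds advisory objects, not package names.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter(v => v.via.some(x => typeof x === 'object'));
}

// Follow `effects` upward to every top-level package that pulls in `name`;
// the `includes` check guards against cycles in a malformed report.
function dependencyPaths(report, name, path = []) {
  const entry = report.vulnerabilities[name];
  const here = [...path, name];
  if (!entry || entry.effects.length === 0) return [here];
  return entry.effects.flatMap(next =>
    here.includes(next) ? [here] : dependencyPaths(report, next, here));
}

// What `npm audit fix` will do: a semver-major fix is only applied with --force.
function describeFix(fix) {
  if (typeof fix === 'boolean') return fix ? 'npm audit fix' : 'none';
  const target = `${fix.name}@${fix.version}`;
  return fix.isSemVerMajor ? `npm audit fix --force (breaking: ${target})` : `npm audit fix (${target})`;
}

function summarise(report) {
  return rootAdvisories(report).map(v => ({
    package: v.name, severity: v.severity, range: v.range,
    advisories: v.via.filter(x => typeof x === 'object').map(x => x.url),
    paths: dependencyPaths(report, v.name).map(p => p.join(' -> ')),
    fix: describeFix(v.fixAvailable),
  }));
}
```

Feed it the output of `npm audit --json` (e.g. `JSON.parse(require('fs').readFileSync(0, 'utf8'))`) to get one entry per root advisory with its full dependency path and the fix it would take.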

LostAccount commented 3 years ago

Reopened issue to understand the following.

The npm global install fixes my issue in that I can use pageres but why is the package 326MB in size?

sindresorhus commented 2 years ago

Fixed in https://github.com/sindresorhus/pageres/releases/tag/v7.0.0