strapi / strapi-starter-vue-blog

Strapi Starter Vue Blog
https://strapi.io/blog/build-a-blog-with-vue-strapi-and-apollo

npm audit security report run in backend folder shows errors #4

Open adriatic opened 4 years ago

adriatic commented 4 years ago

Hello @Mcastres

I am learning Strapi by running all existing tutorials with the intent to verify how all of them create a "friction-less" experience for newbies. My experience tells me that errors in the documentation and samples are the guaranteed way to lose new developers. As I believe that Strapi deserves all the help I can muster, I created my first PR (https://github.com/strapi/strapi/pull/5725), after having a difficult time running the first two tutorials. Now, I am switching to the tutorials referenced in https://strapi.io/blog/ with the same intent to help.

adriatic commented 4 years ago
  1. In order to address most of the reported vulnerabilities, I had to run:
     `npm install strapi-plugin-users-permissions@3.0.0-next.49`
  2. The following vulnerability is still present:

    High            Prototype Pollution Protection Bypass
    
    Package         qs
    
    Patched in      >=6.0.4 <6.1.0 || >=6.1.2 <6.2.0 || >=6.2.3 <6.3.0 ||
                  >=6.3.2
    
    Dependency of   strapi
    
    Path            strapi > koa-qs > qs
    
    More info       https://npmjs.com/advisories/1469

    (I believe that you should address this "centrally".)
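For anyone triaging the remaining `qs` finding above, the useful question is not "does `npm audit` still print it" but "is the `qs` version actually resolved under `strapi > koa-qs > qs` inside the advisory's patched ranges". The following is an added example, not code from the starter repo or from the comment author: it parses the `Patched in` expression exactly as quoted in the audit output (`>=6.0.4 <6.1.0 || >=6.1.2 <6.2.0 || >=6.2.3 <6.3.0 || >=6.3.2`) and checks resolved versions against it, so that a pinned or transitively bumped `qs` can be confirmed fixed without relying on the audit tool's own matching. The dependency entries at the bottom are constructed sample data, not the real lockfile of this project; the only assumption about the range syntax is that it uses `>=`/`<`-style comparators joined by whitespace (AND) and `||` (OR), which is what the report shows.

```javascript
// Added example: checks whether a resolved package version falls inside the
// "Patched in" ranges quoted by npm audit for the qs advisory (npm advisory 1469).
// Not part of strapi-starter-vue-blog; the dependency entries below are constructed.

// Range string copied verbatim from the audit report in the issue above.
const QS_PATCHED_IN = '>=6.0.4 <6.1.0 || >=6.1.2 <6.2.0 || >=6.2.3 <6.3.0 || >=6.3.2';

// "6.2.3" -> [6, 2, 3]. Pre-release suffixes (e.g. "-beta.1") are deliberately
// ignored: the advisory ranges above carry none, so major.minor.patch is enough here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One comparator such as ">=6.0.4" or "<6.1.0" (a bare version means "=").
function satisfiesComparator(version, comparator) {
  const m = /^(>=|<=|>|<|=)?\s*(v?\d+\.\d+\.\d+)$/.exec(comparator.trim());
  if (!m) throw new Error(`unparseable comparator: ${comparator}`);
  const op = m[1] || '=';
  const cmp = compareVersions(version, parseVersion(m[2]));
  switch (op) {
    case '>=': return cmp >= 0;
    case '>':  return cmp > 0;
    case '<=': return cmp <= 0;
    case '<':  return cmp < 0;
    default:   return cmp === 0;
  }
}

// A range is alternatives joined by "||"; inside an alternative every comparator must hold.
function isPatched(versionString, rangeString = QS_PATCHED_IN) {
  const version = parseVersion(versionString);
  return rangeString.split('||').some((alt) => {
    // Tokenise so that both ">=6.0.4" and ">= 6.0.4" are accepted.
    const comparators = alt.match(/(?:>=|<=|>|<|=)?\s*v?\d+\.\d+\.\d+/g) || [];
    return comparators.length > 0 && comparators.every((c) => satisfiesComparator(version, c));
  });
}

// Given resolved dependency entries (as one would extract from package-lock.json),
// return the dependency paths whose version is still outside the patched ranges.
// Each entry is { path, name, version }; only entries for `pkgName` are examined.
function unpatchedPaths(entries, pkgName = 'qs', rangeString = QS_PATCHED_IN) {
  return entries
    .filter((e) => e.name === pkgName && !isPatched(e.version, rangeString))
    .map((e) => `${e.path}@${e.version}`);
}

// Constructed sample data modelled on the audit path "strapi > koa-qs > qs";
// the versions are illustrative and not taken from the real lockfile.
const SAMPLE_ENTRIES = [
  { path: 'strapi > koa-qs > qs', name: 'qs', version: '6.0.3' },   // below first patched range
  { path: 'express > qs', name: 'qs', version: '6.7.0' },          // inside ">=6.3.2"
  { path: 'request > qs', name: 'qs', version: '6.2.2' },          // gap between 6.2.0 and 6.2.3
  { path: 'strapi > koa-qs', name: 'koa-qs', version: '2.0.0' },   // different package, ignored
];

function sampleReport() {
  return unpatchedPaths(SAMPLE_ENTRIES);
}
```

Run `sampleReport()` to see which constructed paths would still be flagged; in a real triage, feed `unpatchedPaths` the `qs` entries walked out of `package-lock.json` after the plugin upgrade, which tells you whether the remaining `koa-qs > qs` edge is genuinely unpatched or whether the audit output is stale.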

adriatic commented 4 years ago

It is likely that by installing the strapi-plugin-users-permissions@3.0.0-next.49 I broke this app as I got a lot of error messages like

> strapi develop

Building your admin UI with development configuration ...

√ Webpack
  Compiled successfully in 17.40s

[2020-04-12T20:27:21.234Z] error Ignored attempt to bind to get /articles with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.236Z] error Ignored attempt to bind to get /articles/count with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.238Z] error Ignored attempt to bind to get /articles/:id with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.239Z] error Ignored attempt to bind to post /articles with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.239Z] error Ignored attempt to bind to put /articles/:id with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.240Z] error Ignored attempt to bind to delete /articles/:id with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.241Z] error Ignored attempt to bind to get /categories with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.241Z] error Ignored attempt to bind to get /categories/count with unknown policy "plugins::users-permissions.permissions"
[2020-04-12T20:27:21.242Z] error Ignored attempt to bind to get /categories/:id with unknown policy "plugins::users-permissions.permissions"