twolfson / gulp.spritesmith

Convert a set of images into a spritesheet and CSS variables via gulp
The Unlicense
1.08k stars, 81 forks

NPM security issues by node audit #147

Closed leandrocrs closed 5 years ago

leandrocrs commented 5 years ago

gulp.spritesmith is causing security issues following the npm audit report.

npm audit output:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Sandbox Breakout / Arbitrary Code Execution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ static-eval                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp.spritesmith [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp.spritesmith > spritesmith > pixelsmith > ndarray-fill > │
│               │ cwise > static-module > static-eval                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/548                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Sandbox Breakout / Arbitrary Code Execution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ static-eval                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp.spritesmith [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp.spritesmith > spritesmith > pixelsmith > ndarray-fill > │
│               │ cwise > static-module > static-eval                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/758                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 moderate severity vulnerabilities in 30392 scanned packages
  2 vulnerabilities require manual review. See the full report for details.
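
The audit output above only tells you that an old static-eval is reachable through one require-chain and which release fixes it. When checking whether an upstream fix has actually landed in your own tree, what matters is the version that is really installed at the end of each chain, not the ranges the intermediate packages declare. The following is an added example, not code from gulp.spritesmith, pixelsmith or npm: a small Node.js script that walks a lockfileVersion 1 style tree (top-level "dependencies", per-package "requires", and nested "dependencies" for copies npm could not hoist), rebuilds every chain from a direct dependency to a target package the way the "Path" row is rendered, and keeps only the chains that end at a version below the advisory's "Patched in" value. The embedded lockfile, the extra direct dependency `example-tool`, and every version number in it are constructed for illustration and are not the real versions of these packages.

```javascript
'use strict';

// Added example, not code from gulp.spritesmith, pixelsmith or npm. It
// reconstructs the "Path" row of an npm audit finding from a lockfileVersion 1
// style tree and reports every route from a direct dependency to a package
// whose installed version is below the advisory's "Patched in" version.

// Constructed sample lockfile. Every version number here is an assumption for
// illustration only; the package names follow the path in the audit report.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'gulp.spritesmith': { version: '6.9.0', dev: true, requires: { spritesmith: '3.3.1' } },
    spritesmith: { version: '3.3.1', dev: true, requires: { pixelsmith: '2.3.0' } },
    pixelsmith: { version: '2.3.0', dev: true, requires: { 'ndarray-fill': '1.0.2' } },
    'ndarray-fill': { version: '1.0.2', dev: true, requires: { cwise: '1.0.10' } },
    cwise: {
      version: '1.0.10',
      dev: true,
      requires: { 'static-module': '1.5.0' },
      // In this constructed tree cwise wants an older static-module than the
      // copy hoisted to the root, so npm nests its own copy (and the old
      // static-eval it pulls in) under cwise/node_modules.
      dependencies: {
        'static-module': { version: '1.5.0', dev: true, requires: { 'static-eval': '1.1.1' } },
        'static-eval': { version: '1.1.1', dev: true },
      },
    },
    // Hypothetical second direct dependency that reaches the patched copy.
    'example-tool': { version: '1.0.0', dev: true, requires: { 'static-module': '2.2.5' } },
    'static-module': { version: '2.2.5', dev: true, requires: { 'static-eval': '2.0.2' } },
    'static-eval': { version: '2.0.2', dev: true },
  },
};

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1).map(Number);
}

// True when `version` is strictly older than `patchedIn`.
function isBelow(version, patchedIn) {
  const a = parseVersion(version);
  const b = parseVersion(patchedIn);
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Resolve `name` the way Node's module lookup does: the nearest enclosing
// node_modules wins. `scope` is the chain of lockfile nodes from the root down
// to the package doing the require. Returns the matching node together with
// the scope that node lives in, or null if the lockfile has no such package.
function resolve(name, scope) {
  for (let i = scope.length - 1; i >= 0; i -= 1) {
    const deps = scope[i].dependencies;
    if (deps && deps[name]) {
      return { node: deps[name], scope: scope.slice(0, i + 1).concat(deps[name]) };
    }
  }
  return null;
}

// Enumerate every require-chain from one of `roots` (the project's direct
// dependencies) to `target`. Each hit records the chain, the version that is
// actually installed at its end, and whether that copy is dev-only.
function findPaths(lockfile, roots, target) {
  const hits = [];
  function walk(name, node, scope, path) {
    const chain = path.concat(name);
    if (name === target) {
      hits.push({ path: chain, version: node.version, dev: Boolean(node.dev) });
      return;
    }
    if (path.includes(name)) return; // cycle guard for circular requires
    for (const dep of Object.keys(node.requires || {})) {
      const found = resolve(dep, scope);
      if (found) walk(dep, found.node, found.scope, chain);
    }
  }
  for (const root of roots) {
    const found = resolve(root, [lockfile]);
    if (found) walk(root, found.node, found.scope, []);
  }
  return hits;
}

// Keep only the chains that end at a version older than `patchedIn`, rendered
// in the "a > b > c" form npm audit uses for its Path row.
function vulnerablePaths(lockfile, roots, target, patchedIn) {
  return findPaths(lockfile, roots, target)
    .filter((hit) => isBelow(hit.version, patchedIn))
    .map((hit) => ({ ...hit, display: hit.path.join(' > ') }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const roots = ['gulp.spritesmith', 'example-tool'];
  for (const hit of vulnerablePaths(SAMPLE_LOCKFILE, roots, 'static-eval', '2.0.2')) {
    console.log(`${hit.display}  (installed ${hit.version}${hit.dev ? ', dev' : ''})`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_LOCKFILE, parseVersion, isBelow, resolve, findPaths, vulnerablePaths };
}
```

To run this against a real project, replace `SAMPLE_LOCKFILE` with the parsed contents of `package-lock.json` and take `roots` from the `dependencies` and `devDependencies` names in `package.json`. Since the report lists two advisories with different "Patched in" values, check against the higher one (2.0.2 here); a tree that only satisfies the 2.0.0 bound still carries the second finding. A `[dev]` marker does not make a finding irrelevant: a build step such as spritesheet generation runs that code on developer machines and CI runners, which is exactly where a sandbox breakout in an expression evaluator would execute.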

twolfson commented 5 years ago

This is being patched in https://github.com/twolfson/pixelsmith/pull/17. Unfortunately, I haven't had time to land it yet but will by the end of the month

twolfson commented 5 years ago

We've landed https://github.com/twolfson/pixelsmith/pull/17 and released it in: