zertosh / invariant


Audit vulnerabilities detected in the invariant project on Tag: v2.2.4 #47

Open mahirkabir opened 3 years ago

mahirkabir commented 3 years ago

Issue: We detected vulnerable dependencies in your project by using the command “npm audit”:

npm audit report

cryptiles <=4.1.1
Severity: high
Insufficient Entropy - https://npmjs.com/advisories/1464
Depends on vulnerable versions of boom
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/cryptiles
  hawk 0.0.6 - 6.0.2
  Depends on vulnerable versions of boom
  Depends on vulnerable versions of cryptiles
  Depends on vulnerable versions of hoek
  Depends on vulnerable versions of sntp
  node_modules/hawk
    request 2.16.0 - 2.81.0
    Depends on vulnerable versions of hawk
    Depends on vulnerable versions of tunnel-agent
    node_modules/request
      coveralls <=2.13.3
      Depends on vulnerable versions of js-yaml
      Depends on vulnerable versions of minimist
      Depends on vulnerable versions of request
      node_modules/coveralls
        tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
        Depends on vulnerable versions of coveralls
        Depends on vulnerable versions of nyc
        node_modules/tap

diff <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via npm audit fix
node_modules/diff
  tap-mocha-reporter 0.0.4 - 5.0.0
  Depends on vulnerable versions of diff
  node_modules/tap-mocha-reporter

hoek <=4.2.0 || 5.0.0 - 5.0.2
Severity: moderate
Prototype Pollution - https://npmjs.com/advisories/566
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/hoek
  boom <=3.1.2
  Depends on vulnerable versions of hoek
  node_modules/boom
    cryptiles <=4.1.1
    Depends on vulnerable versions of boom
    node_modules/cryptiles
      hawk 0.0.6 - 6.0.2
      Depends on vulnerable versions of boom
      Depends on vulnerable versions of cryptiles
      Depends on vulnerable versions of hoek
      Depends on vulnerable versions of sntp
      node_modules/hawk
        request 2.16.0 - 2.81.0
        Depends on vulnerable versions of hawk
        Depends on vulnerable versions of tunnel-agent
        node_modules/request
          coveralls <=2.13.3
          Depends on vulnerable versions of js-yaml
          Depends on vulnerable versions of minimist
          Depends on vulnerable versions of request
          node_modules/coveralls
            tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
            Depends on vulnerable versions of coveralls
            Depends on vulnerable versions of nyc
            node_modules/tap
  sntp 0.0.0 || 0.1.1 - 2.0.0
  Depends on vulnerable versions of hoek
  node_modules/sntp

js-yaml <=3.13.0
Severity: high
Denial of Service - https://npmjs.com/advisories/788
Code Injection - https://npmjs.com/advisories/813
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/coveralls/node_modules/js-yaml
  coveralls <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls
    tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
    Depends on vulnerable versions of coveralls
    Depends on vulnerable versions of nyc
    node_modules/tap

lodash <=4.17.20
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1065
Prototype Pollution - https://npmjs.com/advisories/1523
Command Injection - https://npmjs.com/advisories/1673
Prototype Pollution - https://npmjs.com/advisories/577
Prototype Pollution - https://npmjs.com/advisories/782
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/lodash
  nyc <=5.0.1 || 6.2.0-alpha - 6.6.1
  Depends on vulnerable versions of istanbul
  Depends on vulnerable versions of lodash
  node_modules/nyc
    tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
    Depends on vulnerable versions of coveralls
    Depends on vulnerable versions of nyc
    node_modules/tap

minimatch <=3.0.1
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/118
fix available via npm audit fix --force
Will install browserify@17.0.0, which is a breaking change
node_modules/minimatch
  fileset 0.1.0 - 0.2.1
  Depends on vulnerable versions of minimatch
  node_modules/fileset
    istanbul <=0.4.4
    Depends on vulnerable versions of fileset
    node_modules/istanbul
      nyc <=5.0.1 || 6.2.0-alpha - 6.6.1
      Depends on vulnerable versions of istanbul
      Depends on vulnerable versions of lodash
      node_modules/nyc
        tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
        Depends on vulnerable versions of coveralls
        Depends on vulnerable versions of nyc
        node_modules/tap
  glob 3.0.0 - 5.0.14
  Depends on vulnerable versions of minimatch
  node_modules/glob
    browserify 2.3.0 - 11.2.0
    Depends on vulnerable versions of glob
    Depends on vulnerable versions of shell-quote
    node_modules/browserify

minimist <0.2.1 || >=1.0.0 <1.2.3
Prototype Pollution - https://npmjs.com/advisories/1179
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/coveralls/node_modules/minimist
  coveralls <=2.13.3
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of minimist
  Depends on vulnerable versions of request
  node_modules/coveralls
    tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
    Depends on vulnerable versions of coveralls
    Depends on vulnerable versions of nyc
    node_modules/tap

shell-quote <=1.6.0
Severity: critical
Potential Command Injection - https://npmjs.com/advisories/117
fix available via npm audit fix --force
Will install browserify@17.0.0, which is a breaking change
node_modules/shell-quote
  browserify 2.3.0 - 11.2.0
  Depends on vulnerable versions of glob
  Depends on vulnerable versions of shell-quote
  node_modules/browserify

tunnel-agent <0.6.0
Severity: moderate
Memory Exposure - https://npmjs.com/advisories/598
fix available via npm audit fix --force
Will install tap@15.0.9, which is a breaking change
node_modules/tunnel-agent
  request 2.16.0 - 2.81.0
  Depends on vulnerable versions of hawk
  Depends on vulnerable versions of tunnel-agent
  node_modules/request
    coveralls <=2.13.3
    Depends on vulnerable versions of js-yaml
    Depends on vulnerable versions of minimist
    Depends on vulnerable versions of request
    node_modules/coveralls
      tap 1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0
      Depends on vulnerable versions of coveralls
      Depends on vulnerable versions of nyc
      node_modules/tap

21 vulnerabilities (1 low, 6 moderate, 12 high, 2 critical)

To address issues that do not require attention, run: npm audit fix

To address all issues (including breaking changes), run: npm audit fix --force

Questions: We are conducting a research study on vulnerable dependencies in open-source JS projects. We are curious:

  1. Will you fix the vulnerabilities mentioned above? (Yes/No), and why?:
  2. Do you have any additional comments? (If so, please write it down):

For any publication or research report based on this study, we will share all responses from developers in an anonymous way. Both your projects and personal information will be kept confidential.

Description: Many popular NPM packages have been found vulnerable and may carry significant risks [1]. Developers are recommended to monitor and avoid the vulnerable versions of the library. The vulnerabilities have been identified and reported by other developers, and their descriptions are available in the npm registry [2].

Steps to reproduce:

Suggested Solution: Npm has introduced the “npm audit fix” command to fix the vulnerabilities. Execute the command to apply remediation to the dependency tree.

References:

  1. 10 npm Security Best Practices. https://snyk.io/blog/ten-npm-security-best-practices/.
  2. npm-audit. https://docs.npmjs.com/cli/v7/commands/npm-audit.
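As an added example (not part of this issue or of the invariant project), the following Python triages the machine-readable form of the report above, `npm audit --json`, separating the advisories that plain `npm audit fix` resolves from those the report marks as breaking and only `npm audit fix --force` installs, and telling root-cause advisories apart from packages that merely depend on a vulnerable version. The sample report is constructed by hand to mirror three entries from the issue, and the field names assume npm 7's `auditReportVersion: 2` JSON layout.

```python
import json

# Constructed sample in the npm 7+ `npm audit --json` shape; abridged, not real output.
SAMPLE_REPORT = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "hoek": {"severity": "moderate", "isDirect": False,
                 "range": "<=4.2.0 || 5.0.0 - 5.0.2",
                 "via": [{"title": "Prototype Pollution",
                          "url": "https://npmjs.com/advisories/566"}],
                 "fixAvailable": {"name": "tap", "version": "15.0.9", "isSemVerMajor": True}},
        "diff": {"severity": "high", "isDirect": False, "range": "<3.5.0",
                 "via": [{"title": "Regular Expression Denial of Service",
                          "url": "https://npmjs.com/advisories/1631"}],
                 "fixAvailable": True},
        "tap": {"severity": "high", "isDirect": True,
                "range": "1.1.0 - 11.1.2 || 13.0.0-rc.0 - 13.0.0",
                "via": ["coveralls", "nyc"],  # strings: vulnerable only transitively
                "fixAvailable": {"name": "tap", "version": "15.0.9", "isSemVerMajor": True}},
    },
})

def triage(report_json):
    """Per entry: root-cause advisory (objects in `via`) or transitive carrier
    (strings in `via`), and whether plain `npm audit fix` resolves it ('auto'),
    it needs `--force` for a semver-major bump ('breaking'), or no fix ('none')."""
    report = json.loads(report_json)
    if report.get("auditReportVersion") != 2:
        raise ValueError("expected npm 7+ audit JSON (auditReportVersion 2)")
    rows = {}
    for name, v in report["vulnerabilities"].items():
        fix = v.get("fixAvailable")
        if fix is True:
            how = "auto"
        elif isinstance(fix, dict):
            how = "breaking" if fix.get("isSemVerMajor") else "auto"
        else:
            how = "none"
        rows[name] = {
            "severity": v["severity"],
            "root_cause": any(isinstance(x, dict) for x in v["via"]),
            "advisories": [x["url"] for x in v["via"] if isinstance(x, dict)],
            "fix": how,
            "fix_target": f"{fix['name']}@{fix['version']}" if isinstance(fix, dict) else None,
        }
    return rows

def needs_force(rows):
    """Root-cause advisories that only `npm audit fix --force` would remove."""
    return sorted(n for n, r in rows.items() if r["root_cause"] and r["fix"] == "breaking")
```

Run `triage(SAMPLE_REPORT)` on the output of a real `npm audit --json` to see which advisories can be cleared without the breaking `tap@15.0.9` or `browserify@17.0.0` upgrades the report warns about.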