This repository has been archived by the owner on Apr 16, 2024. It is now read-only.

Bug: Multiple vulnerabilities after upgrade to node 10 #816

Closed
grosspersky opened this issue Jul 15, 2018 · 0 comments · Fixed by #817
Labels: api (All Backend related Issues), bug (This Issue describes an unwanted behavior), web-frontend (All frontend related issues)

Comments

@grosspersky
Collaborator

After upgrading to node 10.6.0 and npm 6.2.0, running npm install reveals multiple vulnerabilities in the current versions of some of the dependencies of the api and the frontend:

D:\Git\geli\api>npm install
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 8935 packages in 12.238s
found 11 vulnerabilities (3 low, 8 high)
  run `npm audit fix` to fix them, or `npm audit` for details
D:\Git\geli\app\webFrontend>npm install
npm WARN [email protected] requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 124 packages from 87 contributors, removed 136 packages, updated 119 packages and audited 24375 packages in 168.899s
found 31 vulnerabilities (1 low, 30 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details

Running npm audit for the api reveals the following:

D:\Git\geli\api>npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install --save-dev [email protected]  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-stream > glob > minimatch              
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-stream > minimatch                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > glob >      
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch   
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > lodash      
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                


# Run  npm install [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         deep-extend                                                   
                                                                                
  Dependency of   bcrypt                                                        
                                                                                
  Path            bcrypt > node-pre-gyp > rc > deep-extend                      
                                                                                
  More info       https://nodesecurity.io/advisories/612                        
                                                                                


                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-nodemon [dev]                                            
                                                                                
  Path            gulp-nodemon > gulp > vinyl-fs > glob-stream > glob >         
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-nodemon [dev]                                            
                                                                                
  Path            gulp-nodemon > gulp > vinyl-fs > glob-stream > minimatch      
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-nodemon [dev]                                            
                                                                                
  Path            gulp-nodemon > gulp > vinyl-fs > glob-watcher > gaze >        
                  globule > glob > minimatch                                    
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-nodemon [dev]                                            
                                                                                
  Path            gulp-nodemon > gulp > vinyl-fs > glob-watcher > gaze >        
                  globule > minimatch                                           
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-nodemon [dev]                                            
                                                                                
  Path            gulp-nodemon > gulp > vinyl-fs > glob-watcher > gaze >        
                  globule > lodash                                              
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
found 11 vulnerabilities (3 low, 8 high) in 8935 scanned packages
  6 vulnerabilities require semver-major dependency updates.
  5 vulnerabilities require manual review. See the full report for details.

And for the frontend:

D:\Git\geli\app\webFrontend>npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install [email protected]  to resolve 10 vulnerabilities
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > request > hawk > boom > hoek                      
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > request > hawk > cryptiles > boom > hoek          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > request > hawk > hoek                             
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > request > hawk > sntp > hoek                      
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > request > tunnel-agent                            
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > node-gyp > request > hawk > boom > hoek           
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > node-gyp > request > hawk > cryptiles > boom >    
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > node-gyp > request > hawk > hoek                  
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > node-gyp > request > hawk > sntp > hoek           
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   node-sass                                                     
                                                                                
  Path            node-sass > node-gyp > request > tunnel-agent                 
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


# Run  npm update log4js --depth 2  to resolve 14 vulnerabilities
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > loggly > request > hawk > sntp > hoek        
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > slack-node > requestretry > request > hawk   
                  > boom > hoek                                                 
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > loggly > request > hawk > boom > hoek        
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > slack-node > requestretry > request > hawk   
                  > cryptiles > boom > hoek                                     
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > hipchat-notifier > request > hawk >          
                  cryptiles > boom > hoek                                       
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > slack-node > requestretry > request > hawk   
                  > hoek                                                        
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > loggly > request > hawk > cryptiles > boom   
                  > hoek                                                        
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > slack-node > requestretry > request > hawk   
                  > sntp > hoek                                                 
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > hipchat-notifier > request > hawk > sntp >   
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > loggly > request > tunnel-agent              
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > loggly > request > hawk > hoek               
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > slack-node > requestretry > request >        
                  tunnel-agent                                                  
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > hipchat-notifier > request > hawk > boom >   
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         timespan                                                      
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > log4js > loggly > timespan                            
                                                                                
  More info       https://nodesecurity.io/advisories/533                        
                                                                                


# Run  npm update request --depth 4  to resolve 7 vulnerabilities
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   protractor                                                    
                                                                                
  Path            protractor > webdriver-manager > request > hawk > cryptiles   
                  > boom > hoek                                                 
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   protractor                                                    
                                                                                
  Path            protractor > webdriver-manager > request > hawk > hoek        
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   protractor                                                    
                                                                                
  Path            protractor > webdriver-manager > request > hawk > sntp >      
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > hipchat-notifier > request > hawk > hoek     
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > log4js > hipchat-notifier > request > tunnel-agent    
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   protractor                                                    
                                                                                
  Path            protractor > webdriver-manager > request > hawk > boom >      
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   protractor                                                    
                                                                                
  Path            protractor > webdriver-manager > request > tunnel-agent       
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


found 31 vulnerabilities (1 low, 30 moderate) in 24375 scanned packages
  run `npm audit fix` to fix 31 of them.
@grosspersky grosspersky added bug This Issue describes a unwanted behavior api All Backend related Issues web-frontend All frontend related issues labels Jul 15, 2018
@grosspersky grosspersky self-assigned this Jul 16, 2018