stoplightio / http-spec

Utilities to normalize OpenAPI v2 and v3 objects for the Stoplight ecosystem.

Home Page: https://stoplight.io
Npm audit error because of json-schema-generator package

mariouhrin opened this issue · comments

Describe the bug
I'm using this library with Prism to build a simple mock server service, and during the CI/CD pipeline build I got a lot of npm audit vulnerabilities. Because of that my pipeline failed.

The old dependencies of the json-schema-generator library are causing these npm audit vulnerabilities.

To Reproduce

  1. git clone https://github.com/stoplightio/http-spec
  2. cd http-spec
  3. npm install
  4. npm audit

Expected behavior
You will get high and medium npm audit vulnerabilities like below:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @stoplight/prism-cli                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @stoplight/prism-cli > @stoplight/prism-http >               │
│               │ @stoplight/http-spec > json-schema-generator > request >     │
│               │ hawk > cryptiles                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/720                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

Environment (remove any that are not applicable):

  • Node v12.14.0
  • npm v6.13.4
  • Mac OS (iterm2)

@mariouhrin I've updated all the possible dependencies in #96, but unfortunately the problem will persist at this stage. We'd need to somehow bump the thing in json-schema-generator 🤔

Thanks for your work.
The main problem is the old request package in json-schema-generator.

The last update to json-schema-generator was 3 years ago; it seems like a dead project.

Yeah I saw that. The project might be old but it still works great for our use case. I'm open to other suggestions though!

Sorry for my late response, I was on vacation

So for me it would be something nice to have, because the service I built is just a Swagger mock server with example data, and the security check via npm audit can be skipped.

If there are no alternatives to json-schema-generator then let's keep it.