vuestorefront / mage2vuestorefront

Magento to Vue-storefront datapump - synchronizes Products, Categories and Product-to-category links between your Magento2 API and NoSQL database of vue-storefront

Home Page: http://vuestorefront.io


npm install vulnerability

ulftietze opened this issue · comments

Hey guys,

Love your project.
I'm trying to install this mage package for your main package and can't install it because of a high severity vulnerability.
Just like you described in your documentation, I ran npm install in the src folder.

$ npm install
npm WARN magentosync@1.0.0 No repository field.

audited 705 packages in 3.352s
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

We can't fix this with a simple:

npm audit fix

or

npm audit fix --force

Output here is:

npm WARN magentosync@1.0.0 No repository field.

up to date in 1.836s
fixed 0 of 1 vulnerability in 705 scanned packages
  1 vulnerability required manual review and could not be updated

More information; I think the really important information is the following:

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ command-router                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ command-router > tape > glob > minimatch                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 705 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Keep on going, guys.

Greetz, Ulf

Thanks for noticing this. Could you please maybe try to just update the package.json version (it seems like it should be >=3.0.2) regarding this report and commit this change as a PR?

I had a look at this.
The problem here is that you use the package command-router, whose last version, 1.0.1, was updated 4 years ago. Maybe you could use another package for command routing.
command-router has tape as a dependency, tape has glob as a dependency, and glob has minimatch as a dependency.

I guess that command-router isn't your package, so it would be difficult to make an update here.
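The chain described above (command-router > tape > glob > minimatch) is exactly what `npm audit` prints as "Path", and it is why `npm audit fix` cannot help: the vulnerable copy is pulled in by a dependency that nobody publishes updates for. The following added example, not code from the mage2vuestorefront project or from anyone in this thread, walks a dependency tree the way the audit does, reports every path that ends in a minimatch below the patched range (>=3.0.2, taken from the report above), and emits the package.json entry that pins every nested copy to the patched version (yarn 1 `resolutions`, npm 8.3+ `overrides`). The tree itself is constructed for illustration; the versions of tape, glob and the vulnerable minimatch are assumptions, only the package chain and the patched range come from the audit output.

```javascript
// Added example, not part of the mage2vuestorefront code base.
// Constructed dependency tree in the shape of `npm ls --json`: versions of
// tape, glob and the nested minimatch are ASSUMED; the chain
// command-router > tape > glob > minimatch and the patched range >=3.0.2
// come from the npm audit report in the issue.
const tree = {
  name: 'magentosync',
  version: '1.0.0',
  dependencies: {
    'command-router': {
      version: '1.0.1',
      dependencies: {
        tape: {
          version: '4.0.0', // assumed
          dependencies: {
            glob: {
              version: '5.0.0', // assumed
              dependencies: {
                // assumed vulnerable copy, below the patched range
                minimatch: { version: '2.0.10', dependencies: {} },
              },
            },
          },
        },
      },
    },
    // a second, already patched copy hoisted to the top level (constructed)
    minimatch: { version: '3.0.4', dependencies: {} },
  },
};

// Compare dotted version strings numerically. No prerelease handling; that is
// enough for the plain ">=x.y.z" patched range an audit report gives.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// "Patched in >=3.0.2" means every version strictly below 3.0.2 is affected.
function isVulnerable(version, patchedIn) {
  return compareVersions(version, patchedIn) < 0;
}

// Depth-first walk that returns one "a > b > c" path per vulnerable copy,
// the same shape as the "Path" row in the audit table.
function findVulnerablePaths(node, pkg, patchedIn, path = []) {
  const results = [];
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && isVulnerable(child.version, patchedIn)) {
      results.push({ path: here.join(' > '), version: child.version });
    }
    results.push(...findVulnerablePaths(child, pkg, patchedIn, here));
  }
  return results;
}

// package.json fragment that forces every nested copy of the package onto the
// patched range: "resolutions" is honoured by yarn 1, "overrides" by npm >= 8.3.
// The caret range keeps the pin inside the same major version.
function remediation(pkg, patchedIn) {
  const range = `^${patchedIn}`;
  return {
    resolutions: { [pkg]: range },
    overrides: { [pkg]: range },
  };
}

const findings = findVulnerablePaths(tree, 'minimatch', '3.0.2');
for (const f of findings) {
  console.log(`${f.path} (${f.version}, patched in >=3.0.2)`);
}
console.log(JSON.stringify(remediation('minimatch', '3.0.2'), null, 2));
```

Run with `node`, after exporting `tree` from a real `npm ls --json` if you want to check an actual install. The hoisted 3.0.4 copy is deliberately not reported: the audit flags the specific installed copy on the path, not the package name, which is why the top-level tree can look clean while the nested one is not. Pinning through `resolutions`/`overrides` is a workaround for an unmaintained dependency; replacing command-router, as suggested above, is the durable fix.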

The latest version of mage2vsf doesn't seem to have any vulnerabilities.

$ yarn audit
yarn audit v1.15.2
0 vulnerabilities found - Packages audited: 738
Done in 1.46s.