Update dependencies to fix npm audit issues #57

Closed
AlexZeitler opened this issue Apr 17, 2019 · 5 comments · Fixed by #59

Comments

AlexZeitler commented Apr 17, 2019

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ composefile [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ composefile > parser-yaml > js-yaml                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ composefile [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ composefile > write-yaml > js-yaml                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/788                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ composefile [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ composefile > parser-yaml > js-yaml                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ composefile [dev]                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ composefile > write-yaml > js-yaml                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Code Injection                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ js-yaml                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ eslint [dev]                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ eslint > js-yaml                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/813                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 6 vulnerabilities (3 moderate, 3 high) in 379 scanned packages

Blocked by PDMLab/composefile#1

@AlexZeitler AlexZeitler self-assigned this Apr 17, 2019
@Steveb-p (Contributor):

Aren't those strictly related to the development environment for the library only?

@AlexZeitler (Contributor, Author):

Yes
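As an added example (not code from the issue thread or the project), a Node script that answers the question above from an `npm audit --json` report: it buckets each dependency path by the finding's `dev` flag and reports whether anything reaches library consumers. The npm 6 report shape (advisories keyed by id, each with `findings[].paths` and `findings[].dev`), the constructed sample report and the js-yaml version in it are assumptions, not taken from the page.

```javascript
// Added example, not code from the issue or the project. It reads an
// `npm audit --json` report (npm 6 shape, assumed here: advisories keyed by id,
// each with findings[].paths and findings[].dev) and splits findings into
// dev-only vs. runtime-reachable, which is the question raised in the thread.
// The report below is constructed to mirror the six findings in the issue.
const devPaths = ["composefile>parser-yaml>js-yaml",
                  "composefile>write-yaml>js-yaml", "eslint>js-yaml"];
function advisory(id, severity, title) {
  return { id, module_name: "js-yaml", severity, title,
           url: `https://nodesecurity.io/advisories/${id}`,
           // version is constructed for the sample, not taken from the issue
           findings: [{ version: "3.12.0", dev: true, paths: devPaths }] };
}
const sampleAudit = { advisories: {
  "788": advisory(788, "moderate", "Denial of Service"),
  "813": advisory(813, "high", "Code Injection"),
} };

// One row per dependency path, bucketed by whether the path is dev-only.
function classifyAudit(report) {
  const out = { devOnly: [], runtime: [] };
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const row = { id: adv.id, pkg: adv.module_name, severity: adv.severity,
                      title: adv.title, path, topLevel: path.split(">")[0] };
        (finding.dev ? out.devOnly : out.runtime).push(row);
      }
    }
  }
  return out;
}

// A published library ships only `dependencies`, so consumers are exposed only
// when at least one path is not dev-only. Dev-only findings still matter for
// the maintainers' own toolchain, which is where the lockfile gets fixed.
function consumerExposed(report) {
  return classifyAudit(report).runtime.length > 0;
}

// Top-level packages to bump, per bucket, deduplicated.
function packagesToBump(report) {
  const c = classifyAudit(report);
  return { dev: [...new Set(c.devOnly.map(r => r.topLevel))],
           runtime: [...new Set(c.runtime.map(r => r.topLevel))] };
}
```

Run it against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of `sampleAudit`; a non-empty `runtime` bucket is the case that warrants a release, not just a lockfile update.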

Steveb-p pushed a commit to Steveb-p/docker-compose that referenced this issue Apr 17, 2019

Steveb-p commented Apr 17, 2019

@AlexZeitler This should do, unless I'm missing something?

EDIT: It's not like package-lock.json has any effect on library users - afaik it should be ignored by npm.

@AlexZeitler (Contributor, Author):

Isn't the package-lock.json "Turtles All the Way Down"?
I guess it's not used on a regular lib install because it's in devDependencies.

@Steveb-p (Contributor):

According to the documentation:

One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package.

So it will be ignored, and npm will (should) never contain it. package.json should instead declare specifically which versions should be allowed, in most cases adhering to the semver specification.

Btw, what's the purpose of the winston dependency? It doesn't seem to be used in index.js?

2 participants