This repository has been archived by the owner on Jun 17, 2024. It is now read-only.

NPM audit and vulnerabilities #32

Open
simonchabrol opened this issue Jul 13, 2018 · 5 comments

Comments

@simonchabrol

Hey,

After installing the clone of this github, npm audit notified me of the presence of five vulnerabilities (2 low, 3 moderate). So I asked myself if this problem comes from my side, or if parts of your package have problems. Here is the list of vulnerabilities:

```
Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   botkit
  Path            botkit > botbuilder > jsonwebtoken > joi > hoek
  More info       https://nodesecurity.io/advisories/566

Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   botkit
  Path            botkit > botbuilder > jsonwebtoken > joi > topo > hoek
  More info       https://nodesecurity.io/advisories/566

Moderate        Out-of-bounds Read
  Package         base64url
  Patched in      >=3.0.0
  Dependency of   botkit
  Path            botkit > botbuilder > base64url
  More info       https://nodesecurity.io/advisories/658

Low             Regular Expression Denial of Service
  Package         debug
  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0
  Dependency of   botkit
  Path            botkit > localtunnel > debug
  More info       https://nodesecurity.io/advisories/534

Low             Prototype Pollution
  Package         lodash
  Patched in      >=4.17.5
  Dependency of   botkit
  Path            botkit > vorpal > inquirer > lodash
  More info       https://nodesecurity.io/advisories/577
```

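Three of the five findings above (hoek twice, lodash once) are labelled "Prototype pollution" without the report saying what that means for an application. The following is an added example, not code from the botkit project or from any of the flagged packages: a naive recursive merge of the kind such advisories describe, beside a hardened version, so the risk behind the audit entry can be reproduced and checked locally. The `naiveMerge`, `safeMerge` and `demonstrate` functions and the `PAYLOAD` string are all constructed here.

```javascript
// Added example: a pollutable deep merge next to a hardened one.
// Neither function is from botkit, hoek or lodash; both are constructed here.

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: walks every enumerable key of `src`, including an own key
// literally named "__proto__" (which JSON.parse happily creates). Reading
// dst["__proto__"] yields Object.prototype, so the nested keys of the payload
// are written onto the prototype shared by every plain object in the process.
function naiveMerge(dst, src) {
  for (const key in src) {
    if (isObject(src[key])) {
      if (!isObject(dst[key])) dst[key] = {};
      naiveMerge(dst[key], src[key]);
    } else {
      dst[key] = src[key];
    }
  }
  return dst;
}

// Hardened: refuses the keys that reach the prototype chain and only recurses
// into properties that `dst` itself owns, never into inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (isObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(dst, key) || !isObject(dst[key])) {
        dst[key] = {};
      }
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed sample input: the shape of JSON a merge helper must tolerate.
const PAYLOAD = '{"__proto__": {"polluted": true}}';

// Runs one merge implementation against the payload and reports whether a
// brand-new, unrelated object was affected. Cleans up afterwards so the rest
// of the process is not left polluted by the demonstration itself.
function demonstrate(mergeFn) {
  const target = {};
  mergeFn(target, JSON.parse(PAYLOAD));
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return leaked;
}

console.log('naiveMerge pollutes Object.prototype:', demonstrate(naiveMerge)); // true
console.log('safeMerge pollutes Object.prototype:', demonstrate(safeMerge));   // false
```

The same check (merge attacker-shaped JSON into an empty object, then inspect a fresh `{}`) is a quick way to confirm whether an upgraded hoek or lodash actually closes the hole in the code paths your bot uses, rather than trusting the version range in the advisory alone.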
@peterswimm

You can update these yourself in the package.json file. It would be useful if someone could test these updates and, if they do not break any functionality, submit a pull request to get these updated.

@simonchabrol
Author

Hi, sorry but I don't know how to make a pull request.

@peterswimm

You can read more about that here:
https://github.com/howdyai/botkit/blob/master/CONTRIBUTING.md

In the meantime, you can update the minimum versions in your package.json to avoid the warn errors, and I'll put the task on our internal roadmap if the community doesn't beat us to the updates.

@Laptopmini

The latest version has a couple of fixes needed.

```
found 4 vulnerabilities (3 moderate, 1 high)
```

After running `npm audit fix` it's down to:

```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-hbs                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-hbs > handlebars                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/755                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

However it seems the dev has fixed this in his v1 releases:
https://github.com/barc/express-hbs/tree/v1.1.1

Thus you can fix it using:

```
$ npm install express-hbs@1.1.1
+ express-hbs@1.1.1
added 1 package, removed 16 packages, updated 6 packages and audited 7430 packages in 4.15s
found 0 vulnerabilities
```

@Laptopmini

Laptopmini commented Apr 30, 2019

It's also worth noting both dependencies, querystring and request, are never used in the code base and can be removed.

Mind you, request is only removed from package.json as it's also a child dependency.
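The comment above states that querystring and request are declared but never imported; a practitioner would want a repeatable way to check that claim before deleting entries from package.json. The following is an added example, not a script from the botkit repository: a small static scan that collects every package name pulled in through `require()` or `import` across a set of source files and reports declared dependencies that never appear. The `SAMPLE_PACKAGE_JSON` and `SAMPLE_SOURCES` inputs are constructed stand-ins for a real package.json and source tree, with made-up version ranges, so the script runs offline.

```javascript
// Added example: find package.json dependencies no source file imports.
// Inputs are constructed here; in a real checkout you would JSON.parse the
// project's package.json and read each .js file from disk instead.

const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    botkit: '^1.0.0',          // constructed version ranges
    'express-hbs': '^1.0.0',
    querystring: '^1.0.0',
    request: '^1.0.0',
  },
};

const SAMPLE_SOURCES = {
  'bot.js': [
    "const Botkit = require('botkit');",
    "const hbs = require('express-hbs');",
    "const helpers = require('./lib/helpers');",
  ].join('\n'),
  'skills/hello.js': [
    "module.exports = function (controller) {",
    "  controller.hears('hi', 'direct_message', (bot, msg) => bot.reply(msg, 'hello'));",
    "};",
  ].join('\n'),
};

// CommonJS require('x') and ES-module `import ... from 'x'` forms.
const REQUIRE_RE = /\brequire\(\s*['"]([^'"]+)['"]\s*\)/g;
const IMPORT_RE = /\bimport\b[^'"]*['"]([^'"]+)['"]/g;

// Reduces a module specifier to the package it belongs to: relative and
// absolute paths are not packages; scoped packages keep their "@scope/name";
// deep imports such as "lodash/merge" map back to "lodash".
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Set of package names referenced anywhere in the given { path: text } map.
function importedPackages(sources) {
  const names = new Set();
  for (const text of Object.values(sources)) {
    for (const re of [REQUIRE_RE, IMPORT_RE]) {
      re.lastIndex = 0; // global regexes carry state between calls
      let match;
      while ((match = re.exec(text)) !== null) {
        const name = packageNameOf(match[1]);
        if (name) names.add(name);
      }
    }
  }
  return names;
}

// Declared dependencies that no source file imports, sorted for stable output.
function unusedDependencies(pkg, sources) {
  const used = importedPackages(sources);
  return Object.keys(pkg.dependencies || {})
    .filter((dep) => !used.has(dep))
    .sort();
}

console.log('unused:', unusedDependencies(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCES)); // [ 'querystring', 'request' ]
```

This is a static scan, so it only sees literal specifiers: a package loaded through a computed `require(name)`, invoked only as a CLI from an npm script, or used solely by configuration will be reported as unused even though removing it would break something. It also says nothing about transitive installs, which is exactly the caveat in the comment above: dropping request from package.json does not remove it from node_modules while another dependency still depends on it, so `npm audit` findings that go through request remain until that parent package is updated.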
