Skip to content
This repository has been archived by the owner on Jan 26, 2019. It is now read-only.

npm audit security report - package: deep-extend #319

Open
KDCinfo opened this issue May 11, 2018 · 1 comment
Open

npm audit security report - package: deep-extend #319

KDCinfo opened this issue May 11, 2018 · 1 comment

Comments

@KDCinfo
Copy link

KDCinfo commented May 11, 2018
edited
Loading

For the following npm vulnerability audit report, is our only option to wait for the deep-extend package to get fixed/updated?

Note: When I upgraded to react-scripts-ts@3.0.0, the number of deep-extend vulnerabilities went from 11 down to 9 (while all the randomatic vulnerabilities resolved and went away).

The below audit item is the 2nd of the 9 remaining vulnerabilities (post the 3.0.0 upgrade)... all of the 9 reference paths are noted below this one example audit item.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Path          │ react-scripts-ts > fork-ts-checker-webpack-plugin > chokidar │
│               │ > fsevents > node-pre-gyp > rc > deep-extend                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-haste-map > sane > │
│               │ fsevents > node-pre-gyp > rc > deep-extend                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runner >           │
│               │ jest-haste-map > sane > fsevents > node-pre-gyp > rc >       │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runner >           │
│               │ jest-runtime > jest-haste-map > sane > fsevents >            │
│               │ node-pre-gyp > rc > deep-extend                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runtime >          │
│               │ jest-haste-map > sane > fsevents > node-pre-gyp > rc >       │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > ts-jest > cpx > chokidar > fsevents >     │
│               │ node-pre-gyp > rc > deep-extend                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > webpack > watchpack > chokidar > fsevents │
│               │ > node-pre-gyp > rc > deep-extend                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > webpack-dev-server > chokidar > fsevents  │
│               │ > node-pre-gyp > rc > deep-extend                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Insights welcome! 😄
Thanks!!
@KDCinfo
Copy link
Author

KDCinfo commented May 11, 2018

As a follow-up, I created a brand new create-react-app test1 --scripts-version=react-scripts-ts. I'm glad to report that although it also yielded the same 9 vulnerabilities, once committed, GitHub did not throw the alert that it did with the hoek dependency vulnerability. Primary concern defused. Cheers!

@KDCinfo KDCinfo mentioned this issue May 11, 2018
Open
@snyk-bot snyk-bot mentioned this issue Apr 1, 2020
Open
@vechaurijbiko vechaurijbiko mentioned this issue Nov 5, 2022
Open
@snyk-bot snyk-bot mentioned this issue Dec 26, 2022
Open
@vechaurijbiko vechaurijbiko mentioned this issue Feb 2, 2024
Open
@jimmyrperezpierola jimmyrperezpierola mentioned this issue Mar 31, 2024
Open
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@KDCinfo