This repository has been archived by the owner on Dec 10, 2024. It is now read-only.

npm audit reports 1 critical, 1 high, 1 low #258

Closed
jbryson3 opened this issue Jun 21, 2018 · 2 comments

Comments

jbryson3 (Author):

npm 6.1's audit feature reports that the latest ember-cli-mocha (0.15.0) has vulnerabilities. Of particular worry is the growl command injection vuln.

It looks like #167 & #73 are preventing the upgrade that would get rid of the vulnerability.

jbryson3@unknown-DHCP-client-134-0-2-10 ~/c/t/ember-latest> npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.10.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > growl                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > glob > minimatch     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > debug                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 1 high, 1 critical) in 58904 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Steps to reproduce

  1. npm i -g npm
  2. npm i -g ember-cli
  3. ember init
  4. ember install ember-cli-mocha
  5. npm audit
Turbo87 (Member) commented Jun 21, 2018

@jbryson3 none of those are actually relevant, since we don't use the Node.js runner that ships with mocha and only use their browser assets.

Eventually we will need to update the used mocha version, but as you can see in the issues this is quite a bit more involved than I would like :-/

Turbo87 closed this as completed Jun 21, 2018
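The maintainer's argument above is a triage decision: all three advisories sit under a dev-only dependency path, so they never reach shipped code. The script below is an added example (not part of ember-cli-mocha or the npm project) that automates that split over the JSON form of the report. It assumes the npm 6 `npm audit --json` shape (advisories keyed by id, each with `findings[].paths` and `findings[].dev`); the `auditReport` object is constructed from the three advisories in the issue.

```javascript
// Triage an npm 6 `npm audit --json` report: separate findings whose every
// dependency path is dev-only from those that reach production dependencies.
// The sample report is constructed from the three advisories in this issue;
// field names follow the npm 6 JSON shape (assumption).
const auditReport = {
  advisories: {
    146: { id: 146, module_name: 'growl', severity: 'critical',
           title: 'Command Injection', patched_versions: '>=1.10.2',
           findings: [{ dev: true, paths: ['ember-cli-mocha>ember-mocha>mocha>growl'] }] },
    118: { id: 118, module_name: 'minimatch', severity: 'high',
           title: 'Regular Expression Denial of Service', patched_versions: '>=3.0.2',
           findings: [{ dev: true, paths: ['ember-cli-mocha>ember-mocha>mocha>glob>minimatch'] }] },
    534: { id: 534, module_name: 'debug', severity: 'low',
           title: 'Regular Expression Denial of Service',
           patched_versions: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
           findings: [{ dev: true, paths: ['ember-cli-mocha>ember-mocha>mocha>debug'] }] },
  },
};

const SEVERITY_RANK = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };

// Returns { production, devOnly }, each sorted most severe first.
// A finding is dev-only when *every* path to it is flagged dev; a single
// production path is enough to move the advisory into the production bucket.
function triageAudit(report) {
  const devOnly = [];
  const production = [];
  for (const adv of Object.values(report.advisories || {})) {
    const findings = adv.findings || [];
    const allDev = findings.length > 0 && findings.every((f) => f.dev === true);
    const paths = findings.flatMap((f) => f.paths || []);
    const entry = {
      id: adv.id, module: adv.module_name, severity: adv.severity,
      title: adv.title, patchedIn: adv.patched_versions,
      // First segment of each path is the direct dependency that must be bumped.
      directDeps: [...new Set(paths.map((p) => p.split('>')[0]))],
    };
    (allDev ? devOnly : production).push(entry);
  }
  const bySeverity = (a, b) => (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);
  return { production: production.sort(bySeverity), devOnly: devOnly.sort(bySeverity) };
}

function formatTriage({ production, devOnly }) {
  const line = (e) => `  ${e.severity.padEnd(8)} ${e.module} (#${e.id}) via ${e.directDeps.join(', ')}; patched in ${e.patchedIn}`;
  return [`production findings: ${production.length}`, ...production.map(line),
          `dev-only findings: ${devOnly.length}`, ...devOnly.map(line)].join('\n');
}

console.log(formatTriage(triageAudit(auditReport)));
```

For a real project, feed `JSON.parse` of the `npm audit --json` output into `triageAudit` instead of the constructed object; the dev-only bucket still deserves an upgrade, but the production bucket is what blocks a release.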
jbryson3 (Author):

Yup, my worry is only about optics for new users. But at least now they have a closed issue to reference :-)
