npm audit reports 1 critical, 1 high, 1 low #258

Closed
jbryson3 opened this issue Jun 21, 2018 · 2 comments

Comments

@jbryson3

npm 6.1's audit feature reports that the latest ember-cli-mocha (0.15.0) has vulnerabilities. Of particular worry is the growl command injection vuln.

It looks like #167 & #73 are preventing the upgrade to get rid of the vulnerability.

jbryson3@unknown-DHCP-client-134-0-2-10 ~/c/t/ember-latest> npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ growl                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.10.2                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > growl                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/146                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > glob > minimatch     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/118                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ ember-cli-mocha [dev]                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ ember-cli-mocha > ember-mocha > mocha > debug                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 1 high, 1 critical) in 58904 scanned packages
  3 vulnerabilities require manual review. See the full report for details.

Steps to reproduce

  1. npm i -g npm
  2. npm i -g ember-cli
  3. ember init
  4. ember install ember-cli-mocha
  5. npm audit
@Turbo87
Member

Turbo87 commented Jun 21, 2018

@jbryson3 none of those are actually relevant, since we don't use the Node.js runner that ships with mocha and only use their browser assets.

Eventually we will need to update the used mocha version, but as you can see in the issues this is quite a bit more involved than I would like :-/

@Turbo87 Turbo87 closed this as completed Jun 21, 2018
@jbryson3
Author

Yup, my worry is only about optics for new users. But at least now they have a closed issue to reference :-)
