NPM Audit found 5 vulnerabilities (1 low, 4 moderate)
-
Hello,
A 3-month-old post already exists on this subject (Link), but I need more explanation and details, so I created this topic.
I have been using Ghost for a while as an IT security blog with friends, and after seeing some posts by @julian I wish to add NodeBB as a forum for members.
But I am surprised to see this result after a fresh install of the latest version:
npm audit

=== npm audit security report ===

# Run npm install [email protected] to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

│ Moderate      │ Prototype pollution
│ Package       │ hoek
│ Dependency of │ less
│ Path          │ less > request > hawk > boom > hoek
│ More info     │ https://nodesecurity.io/advisories/566

│ Moderate      │ Prototype pollution
│ Package       │ hoek
│ Dependency of │ less
│ Path          │ less > request > hawk > cryptiles > boom > hoek
│ More info     │ https://nodesecurity.io/advisories/566

│ Moderate      │ Prototype pollution
│ Package       │ hoek
│ Dependency of │ less
│ Path          │ less > request > hawk > hoek
│ More info     │ https://nodesecurity.io/advisories/566

│ Moderate      │ Prototype pollution
│ Package       │ hoek
│ Dependency of │ less
│ Path          │ less > request > hawk > sntp > hoek
│ More info     │ https://nodesecurity.io/advisories/566

│ Manual Review
│ Some vulnerabilities require your attention to resolve
│ Visit https://go.npm.me/audit-guide for additional guidance

│ Low           │ Regular Expression Denial of Service
│ Package       │ debug
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Dependency of │ socket.io-adapter-mongo
│ Path          │ socket.io-adapter-mongo > debug
│ More info     │ https://nodesecurity.io/advisories/534

found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
  4 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

If I try to update some modules like this:

npm install [email protected]
- [email protected]
removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

npm install socket.io-adapter-mongo@latest
- [email protected]
updated 1 package and audited 4322 packages in 6.529s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details

npm install debug@latest
- [email protected]
added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
found 1 low severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
This breaks the dependencies and makes it impossible to install NodeBB.
By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for the moment.
I looked at the advisories for the 5 vulnerabilities; they are not very bad, but they are still vulnerabilities.
Do you have a how-to on how to fix them or reduce the perimeter?
In addition, do you have a date you can communicate for a new release that will have these flaws fixed?
Regards, and congratulations on your work.
- [email protected]
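The four "moderate" findings above are one advisory (566, prototype pollution in hoek) reached through four paths. The following is an added example, not code from the original post, from hoek or from NodeBB: a deliberately naive recursive merge of the kind that advisory describes, next to a hardened version, driven by a constructed attacker payload. `naiveMerge`, `safeMerge`, `pollutes` and the `isAdmin` payload are names chosen for this demo.

```javascript
'use strict';

// Vulnerable: a naive recursive merge (a reconstruction for this demo, not
// hoek's code). `for...in` yields the own "__proto__" key that JSON.parse
// creates, and target["__proto__"] resolves to Object.prototype, so the
// recursion writes attacker-chosen properties onto every object in the process.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') {
        target[key] = {};
      }
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: iterate only own keys, refuse the three keys that reach the
// prototype chain, and never descend into an inherited target property.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) {
      throw new Error(`refusing to merge key "${key}"`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const existing = Object.prototype.hasOwnProperty.call(target, key)
        ? target[key]
        : undefined;
      if (existing === null || typeof existing !== 'object') {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Run one merge against a CONSTRUCTED attacker payload (the kind of JSON a
// request body or config file could carry) and report whether an unrelated
// object created afterwards inherited the injected property. Object.prototype
// is cleaned up afterwards so the check is repeatable within one process.
function pollutes(merge) {
  const attackerJson = '{"__proto__": {"isAdmin": true}}';
  const config = { isAdmin: false };
  let threw = false;
  try {
    merge(config, JSON.parse(attackerJson));
  } catch (e) {
    threw = true;
  }
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin;
  return { polluted, threw };
}

console.log('naiveMerge pollutes Object.prototype:', pollutes(naiveMerge).polluted); // true
console.log('safeMerge pollutes Object.prototype:', pollutes(safeMerge).polluted);   // false
```

The practical check for a deployment is therefore not "is hoek present" but "does any code path feed attacker-controlled JSON into hoek's merge/apply-to-defaults helpers"; if it does not, the finding is real but unreachable, which is the distinction the maintainers draw below.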
-
We might be able to update to less v3... I am not sure why we have not yet, but we will look into it.
As far as I know the only known security vulnerability with respect to our dependencies is our use of Bootstrap v3, with the fix only in v4.
The bad news is updating to v4 is a work in progress.
The good news is we are unaffected because we don't use any of the vulnerable code.
C'est la vie...
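To "reduce the perimeter" as the first post asks, it helps to read the audit report by advisory and top-level dependency rather than by path, and to record which top-level packages actually process untrusted input. The script below is an added example, not NodeBB's or npm's code. It assumes the JSON shape npm 6 emitted for `npm audit --json` (`actions` with `resolves`, plus an `advisories` map); the report embedded in it is constructed from the table in the first post, the `target` version is a placeholder, and the `exposure` map is the operator's own judgement, not an npm field.

```javascript
'use strict';

// CONSTRUCTED report, modelled on npm 6 `npm audit --json` output and on the
// findings shown in the post; the "target" version is a placeholder.
const sampleReport = {
  actions: [
    {
      action: 'install', module: 'less', target: '3.0.0', isMajor: true,
      resolves: [
        { id: 566, path: 'less>request>hawk>boom>hoek', dev: false },
        { id: 566, path: 'less>request>hawk>cryptiles>boom>hoek', dev: false },
        { id: 566, path: 'less>request>hawk>hoek', dev: false },
        { id: 566, path: 'less>request>hawk>sntp>hoek', dev: false },
      ],
    },
    {
      action: 'review', module: 'debug',
      resolves: [{ id: 534, path: 'socket.io-adapter-mongo>debug', dev: false }],
    },
  ],
  advisories: {
    566: { id: 566, module_name: 'hoek', severity: 'moderate', title: 'Prototype pollution' },
    534: { id: 534, module_name: 'debug', severity: 'low', title: 'Regular Expression Denial of Service' },
  },
};

// Collapse the report to one entry per advisory. `exposure` maps a top-level
// package name to true/false: does that package handle untrusted input at
// runtime? It is supplied by the operator (an assumption of this example);
// any root not listed is treated as exposed, so the default fails closed.
function triage(report, exposure = {}) {
  const byAdvisory = new Map();
  for (const action of report.actions) {
    for (const r of action.resolves) {
      const adv = report.advisories[r.id];
      const root = r.path.split('>')[0];
      let entry = byAdvisory.get(r.id);
      if (!entry) {
        entry = {
          id: r.id, module: adv.module_name, severity: adv.severity, title: adv.title,
          roots: new Set(), paths: 0, devOnly: true, fix: null,
        };
        byAdvisory.set(r.id, entry);
      }
      entry.roots.add(root);
      entry.paths += 1;
      if (!r.dev) entry.devOnly = false;
      if (action.action === 'install' || action.action === 'update') {
        entry.fix = `npm install ${action.module}@${action.target}`
          + (action.isMajor ? ' (semver-major, may break)' : '');
      } else if (!entry.fix) {
        entry.fix = 'manual review';
      }
    }
  }
  return [...byAdvisory.values()].map((e) => ({
    ...e,
    roots: [...e.roots],
    exposed: [...e.roots].some((root) => exposure[root] !== false),
  }));
}

// Human-readable summary, one line per distinct advisory.
function summarize(entries) {
  return entries.map((e) =>
    `#${e.id} ${e.severity} ${e.module} (${e.title}): ${e.paths} path(s) via `
    + `${e.roots.join(', ')}; ${e.devOnly ? 'dev-only' : 'runtime'}; `
    + `${e.exposed ? 'EXPOSED' : 'not exposed per operator'}; fix: ${e.fix}`);
}

// Operator judgement for this demo: `less` is marked as not handling untrusted
// input; `socket.io-adapter-mongo` is left unlisted and so counts as exposed.
const operatorExposure = { less: false };
for (const line of summarize(triage(sampleReport, operatorExposure))) {
  console.log(line);
}
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync('audit.json'))` in place of `sampleReport`; the point of the `exposure` map is that the decision "we don't use any of the vulnerable code" is written down per top-level package and re-evaluated on every audit, rather than remembered.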