NPM Audit found 5 vulnerabilities (1 low, 4 moderate)



  • Hello,

    A 3-month-old post already exists on this subject (Link), but I need more explanation and details, so I created this topic.

    I have been using Ghost for a while as an IT security blog with friends, and after seeing some posts by @julian I wish to add NodeBB as a forum for members.

    But I am surprised to see this result after a fresh install of the latest version:

    npm audit

                       === npm audit security report ===


    # Run npm install less@3.8.1 to resolve 4 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change
    │ Moderate │ Prototype pollution
    │ Package │ hoek
    │ Dependency of │ less
    │ Path │ less > request > hawk > boom > hoek
    │ More info │ https://nodesecurity.io/advisories/566

    │ Moderate │ Prototype pollution
    │ Package │ hoek
    │ Dependency of │ less
    │ Path │ less > request > hawk > cryptiles > boom > hoek
    │ More info │ https://nodesecurity.io/advisories/566

    │ Moderate │ Prototype pollution
    │ Package │ hoek
    │ Dependency of │ less
    │ Path │ less > request > hawk > hoek
    │ More info │ https://nodesecurity.io/advisories/566

    │ Moderate │ Prototype pollution
    │ Package │ hoek
    │ Dependency of │ less
    │ Path │ less > request > hawk > sntp > hoek
    │ More info │ https://nodesecurity.io/advisories/566

    │ Manual Review
    │ Some vulnerabilities require your attention to resolve
    │ Visit https://go.npm.me/audit-guide for additional guidance

    │ Low │ Regular Expression Denial of Service
    │ Package │ debug
    │ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0
    │ Dependency of │ socket.io-adapter-mongo
    │ Path │ socket.io-adapter-mongo > debug
    │ More info │ https://nodesecurity.io/advisories/534

    found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
    4 vulnerabilities require semver-major dependency updates.
    1 vulnerability requires manual review. See the full report for details.

    If I try to update some modules like this:

    npm install less@3.8.1

    • less@3.8.1
      removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
      found 1 low severity vulnerability
      run npm audit fix to fix them, or npm audit for details

    npm install socket.io-adapter-mongo@latest

    • socket.io-adapter-mongo@2.0.3
      updated 1 package and audited 4322 packages in 6.529s
      found 1 low severity vulnerability
      run npm audit fix to fix them, or npm audit for details

    npm install debug@latest

    • debug@4.0.1
      added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
      found 1 low severity vulnerability
      run npm audit fix to fix them, or npm audit for details

    This breaks the dependencies and makes it impossible to install NodeBB.

    By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for this moment.

    I looked at the advisories for the 5 vulnerabilities; it's not very bad, but they still remain vulnerabilities.

    Do you have a how-to on how to fix them or reduce the perimeter?

    In addition,
    do you have a date you can communicate for a new release that will have these flaws fixed?

    Regards, and congratulations on your work.

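A way to triage a report like the one above, written for this thread (it is not NodeBB's or npm's code): it takes the JSON form of the report (`npm audit --json`, npm 6 layout as I know it: `advisories` keyed by id, each with `module_name`, `severity`, `patched_versions` and `findings[]` whose `paths` are `>`-joined dependency chains and whose `dev` flag marks chains that start at a devDependency) and regroups the findings by the direct dependency that pulls each chain in. The `report` object is constructed to mirror the five findings in the post; the `dev` flags are an assumption, since the text output does not show them.

```javascript
'use strict';
// Triage helper for `npm audit --json` (npm 6 layout, as I understand it:
// `advisories` keyed by id; each has module_name, severity, patched_versions
// and findings[] whose `paths` are ">"-joined dependency chains and whose
// `dev` flag says the chain starts at a devDependency).
// Added for this thread; not NodeBB's or npm's code.

// CONSTRUCTED report mirroring the five findings in the post above.
// The `dev` flags are an assumption: the text output does not show them.
const report = {
  advisories: {
    '566': {
      id: 566,
      module_name: 'hoek',
      title: 'Prototype pollution',
      severity: 'moderate',
      url: 'https://nodesecurity.io/advisories/566',
      findings: [{
        dev: false,
        paths: [
          'less>request>hawk>boom>hoek',
          'less>request>hawk>cryptiles>boom>hoek',
          'less>request>hawk>hoek',
          'less>request>hawk>sntp>hoek',
        ],
      }],
    },
    '534': {
      id: 534,
      module_name: 'debug',
      title: 'Regular Expression Denial of Service',
      severity: 'low',
      patched_versions: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
      url: 'https://nodesecurity.io/advisories/534',
      findings: [{ dev: false, paths: ['socket.io-adapter-mongo>debug'] }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One record per vulnerable path: npm's headline count is a count of these,
// not of advisories, which is why one hoek advisory shows up four times.
function flattenFindings(audit) {
  const rows = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split('>');
        rows.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          root: chain[0],            // direct dependency named in package.json
          depth: chain.length - 1,   // hops from root to the vulnerable module
          dev: Boolean(finding.dev),
        });
      }
    }
  }
  return rows;
}

// Regroup by direct dependency: that is the only thing the project's own
// package.json controls, so it is where an upgrade, a replacement or a
// "we never call it" decision has to be made.
function groupByRoot(rows) {
  const groups = new Map();
  for (const r of rows) {
    if (!groups.has(r.root)) {
      groups.set(r.root, { root: r.root, paths: 0, maxDepth: 0, worst: 'info',
                           devOnly: true, advisories: new Set(), modules: new Set() });
    }
    const g = groups.get(r.root);
    g.paths += 1;
    g.maxDepth = Math.max(g.maxDepth, r.depth);
    g.advisories.add(r.id);
    g.modules.add(r.module);
    if ((SEVERITY_RANK[r.severity] || 0) > SEVERITY_RANK[g.worst]) g.worst = r.severity;
    if (!r.dev) g.devOnly = false;
  }
  return [...groups.values()]
    .map(g => ({ ...g, advisories: [...g.advisories].sort(), modules: [...g.modules].sort() }))
    .sort((a, b) => SEVERITY_RANK[b.worst] - SEVERITY_RANK[a.worst] || b.paths - a.paths);
}

function summarize(audit) {
  const rows = flattenFindings(audit);
  return {
    distinctAdvisories: new Set(rows.map(r => r.id)).size,
    vulnerablePaths: rows.length,
    productionPaths: rows.filter(r => !r.dev).length,
    byRoot: groupByRoot(rows),
  };
}

const summary = summarize(report);
console.log(`${summary.vulnerablePaths} vulnerable path(s) to ${summary.distinctAdvisories} advisory(ies), ` +
            `${summary.productionPaths} reachable from production dependencies`);
for (const g of summary.byRoot) {
  console.log(`- ${g.root}: ${g.paths} path(s) to ${g.modules.join(', ')} ` +
              `(worst ${g.worst}, up to ${g.maxDepth} hops)` +
              (g.devOnly ? ' [dev-only: absent from npm install --production]' : ''));
}
```

To run it on a real install, save `npm audit --json > audit.json` and replace the constructed `report` with `JSON.parse(require('fs').readFileSync('audit.json', 'utf8'))`. What the grouping shows for this report: the "5 vulnerabilities" are five dependency paths to two advisories, and four of them share one direct dependency (`less`), which is why `npm install less@3.8.1` clears four at once; the remaining `debug` path hangs off `socket.io-adapter-mongo`, which npm lists for manual review, so the by-root view tells you exactly which direct dependency a maintainer fix has to land in. Roots whose every path is `dev: true` never ship in a production install (`npm install --production`), which is the cheapest way to reduce the perimeter when a finding is build-time only.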

  • Admin

    We might be able to update to less v3... I am not sure why we have not yet, but we will look into it.

    As far as I know the only known security vulnerability with respect to our dependencies is our use of Bootstrap v3, with the fix only in v4.

    The bad news is updating to v4 is a work in progress.
    The good news is we are unaffected because we don't use any of the vulnerable code.

    C'est la vie...

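On the admin's point that a vulnerable dependency only matters if the vulnerable code is actually called: advisory 566 is a prototype-pollution bug in a deep-merge helper, and the following added example (written for this thread; it is not hoek's, NodeBB's or less's code) shows the bug class with a minimal recursive merge, a hardened counterpart, and a probe that reports whether a given merge function lets untrusted JSON write to `Object.prototype`. The names `mergeUnsafe`, `mergeSafe` and `pollutes` are mine.

```javascript
'use strict';
// Minimal illustration of the bug class behind advisory 566: a deep merge that
// honours a "__proto__" key from untrusted input and so writes onto
// Object.prototype. Written for this thread; it is NOT hoek's code, and the
// function names (mergeUnsafe, mergeSafe, pollutes) are mine.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable pattern: every own key of `source` is merged, "__proto__" included.
// Reading target["__proto__"] returns Object.prototype, which is itself a plain
// object, so the recursion descends into it and assigns the payload's keys there.
function mergeUnsafe(target, source) {
  for (const key in source) {
    if (!Object.prototype.hasOwnProperty.call(source, key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened: refuse the keys that can reach the prototype chain, and only
// descend into properties the target itself owns (never inherited ones).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Probe: feed a merge function the classic payload as it would arrive from
// JSON.parse and report whether a fresh, unrelated object now carries the
// marker. Cleans Object.prototype afterwards so the process stays usable.
function pollutes(mergeFn) {
  const marker = 'pp_marker_' + Date.now();
  const payload = JSON.parse(`{"__proto__": {"${marker}": "hit"}}`);
  try {
    mergeFn({}, payload);
    return ({})[marker] === 'hit';
  } finally {
    delete Object.prototype[marker];
  }
}

console.log('mergeUnsafe pollutes Object.prototype:', pollutes(mergeUnsafe)); // true
console.log('mergeSafe pollutes Object.prototype:  ', pollutes(mergeSafe));   // false
console.log('mergeSafe still merges normally:',
            JSON.stringify(mergeSafe({ a: { b: 1 } }, { a: { c: 2 }, d: 3 })));
```

The same probe can be pointed at the real module: with `hoek` installed, `pollutes(require('hoek').merge)` exercises its `merge(target, source)` entry point (that signature is my recollection of hoek's API, not something the thread confirms). A false result on the installed version, or, as the admin argues, no code path in the application that ever passes attacker-controlled objects into it, is the evidence you want before accepting or dismissing the finding; until then the advisory stands as reported.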


  • Thank you for your quick answer Julian.

    I hope the update to less v3 can be that fast ☺
    At least, thank you for your explanation; I'm on the lookout to be able to use NodeBB.

