Security issue

Jenkler

When doing this, how to fix? @julian, can you update this for 1.11.x ??? ( 4 vulns involved breaking changes)
plz advize!

git clone https://github.com/NodeBB/NodeBB.git ; cd NodeBB
git checkout v1.11.x
npm install --production

npm audit fix
up to date in 9.946s
fixed 0 of 5 vulnerabilities in 4314 scanned packages
  1 vulnerability required manual review and could not be updated
  1 package update for 4 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)


                       === npm audit security report ===                        
                                                                                
# Run  npm install less@3.9.0  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   less                                                          
                                                                                
  Path            less > request > hawk > boom > hoek                           
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   less                                                          
                                                                                
  Path            less > request > hawk > cryptiles > boom > hoek               
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   less                                                          
                                                                                
  Path            less > request > hawk > hoek                                  
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   less                                                          
                                                                                
  Path            less > request > hawk > sntp > hoek                           
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                

                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0                                  
                                                                                
  Dependency of   socket.io-adapter-mongo                                       
                                                                                
  Path            socket.io-adapter-mongo > debug                               
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                
found 5 vulnerabilities (1 low, 4 moderate) in 4314 scanned packages
  4 vulnerabilities require semver-major dependency updates.
  1 vulnerability requires manual review. See the full report for details.

yariplus

According to the issues here, this is a false positive and updating won't actually make the error go away. Annoying to say the least.

https://github.com/hapijs/hoek/issues?utf8=✓&q=is%3Aissue+Moderate+Prototype+pollution

Jenkler

@yariplus ok thanks. as long as it is safe

Security issue

Suggested Topics

Changes to Lavender theme - few issues.
NodeBB Development • • a_5mith

Security logging?
NodeBB Development • plugin security logging • • dwn

Security, Security, Security.
NodeBB Development • • dylenbrivera

the issue of benchpressjs
NodeBB Development • theme • • tryinteg

community.nodebb.org uses http:// resources on secure page
NodeBB Development • • rfc2822

Security issue

Suggested Topics

Changes to Lavender theme - few issues. NodeBB Development • • a_5mith

Security logging? NodeBB Development • plugin security logging • • dwn

Security, Security, Security. NodeBB Development • • dylenbrivera

the issue of benchpressjs NodeBB Development • theme • • tryinteg

community.nodebb.org uses http:// resources on secure page NodeBB Development • • rfc2822

Changes to Lavender theme - few issues.
NodeBB Development • • a_5mith

Security logging?
NodeBB Development • plugin security logging • • dwn

Security, Security, Security.
NodeBB Development • • dylenbrivera

the issue of benchpressjs
NodeBB Development • theme • • tryinteg

community.nodebb.org uses http:// resources on secure page
NodeBB Development • • rfc2822