Security issue

Category: NodeBB Development
3 Posts, 2 Posters, 313 Views
  • #1 JenklerJ (Mikael Jenkler), last edited by PitaJ

    When doing this, how do I fix it? @julian, can you update this for 1.11.x? (4 vulns involved breaking changes.)
    Please advise!

    git clone https://github.com/NodeBB/NodeBB.git ; cd NodeBB
    git checkout v1.11.x
    npm install --production

    npm audit fix
    up to date in 9.946s
    fixed 0 of 5 vulnerabilities in 4314 scanned packages
      1 vulnerability required manual review and could not be updated
      1 package update for 4 vulns involved breaking changes
      (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

    === npm audit security report ===

    # Run  npm install [email protected]  to resolve 4 vulnerabilities
    SEMVER WARNING: Recommended action is a potentially breaking change

      Moderate        Prototype pollution
      Package         hoek
      Dependency of   less
      Path            less > request > hawk > boom > hoek
      More info       https://nodesecurity.io/advisories/566

      Moderate        Prototype pollution
      Package         hoek
      Dependency of   less
      Path            less > request > hawk > cryptiles > boom > hoek
      More info       https://nodesecurity.io/advisories/566

      Moderate        Prototype pollution
      Package         hoek
      Dependency of   less
      Path            less > request > hawk > hoek
      More info       https://nodesecurity.io/advisories/566

      Moderate        Prototype pollution
      Package         hoek
      Dependency of   less
      Path            less > request > hawk > sntp > hoek
      More info       https://nodesecurity.io/advisories/566

    Manual Review
    Some vulnerabilities require your attention to resolve
    Visit https://go.npm.me/audit-guide for additional guidance

      Low             Regular Expression Denial of Service
      Package         debug
      Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0
      Dependency of   socket.io-adapter-mongo
      Path            socket.io-adapter-mongo > debug
      More info       https://nodesecurity.io/advisories/534

    found 5 vulnerabilities (1 low, 4 moderate) in 4314 scanned packages
      4 vulnerabilities require semver-major dependency updates.
      1 vulnerability requires manual review. See the full report for details.
    
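Added example, not part of the thread and not code from hoek, less or NodeBB: what the "Prototype pollution" label on the four hoek advisories above refers to, shown from the defender's side. A constructed JSON object carrying a `__proto__` key is fed to a naive deep merge (which ends up writing into `Object.prototype`), then to a hardened merge that refuses prototype-related keys, and a small validation helper reports such keys in untrusted input before any merge runs. The function names `unsafeMerge`, `safeMerge`, `findForbiddenKey` and `demo` are hypothetical and chosen for this illustration.

```javascript
// Constructed sample input, as a JSON request body might be parsed by an application.
// JSON.parse creates "__proto__" as an ordinary own property, so Object.keys() lists it.
const POLLUTING_JSON = '{"__proto__": {"polluted": "yes"}, "a": 2}';

function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Naive deep merge (hypothetical, for illustration): recurses into every key of `source`.
// For key "__proto__", target[key] resolves to Object.prototype, so the recursion writes
// there and every object in the process inherits the new property.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      unsafeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Keys that must never be taken from untrusted input when merging into a plain object.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep merge (hypothetical): drops forbidden keys and only recurses into
// properties that `target` actually owns, never into inherited ones.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    if (isPlainObject(source[key])) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Input-validation check (hypothetical): returns the dotted path of the first forbidden
// key found anywhere in a parsed object, or null if the object is clean.
function findForbiddenKey(value, path = []) {
  if (!isPlainObject(value)) return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return [...path, key].join(".");
    const nested = findForbiddenKey(value[key], [...path, key]);
    if (nested !== null) return nested;
  }
  return null;
}

// Runs both merges against the constructed payload and reports what happened.
// The pollution the naive merge causes is removed again before returning.
function demo() {
  const payload = JSON.parse(POLLUTING_JSON);
  const bystander = {}; // unrelated object created before any merge
  const results = {};

  unsafeMerge({}, payload);
  results.unsafePolluted = bystander.polluted === "yes"; // true: inherited from Object.prototype
  delete Object.prototype.polluted;                       // clean up for the rest of the process

  const merged = safeMerge({ b: 1 }, payload);
  results.safePolluted = ({}).polluted === "yes";         // false
  results.safeOwnKeys = Object.keys(merged);              // ["b", "a"]: the __proto__ entry was dropped
  results.flaggedPath = findForbiddenKey(payload);        // "__proto__"
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo()));
}
```

The `delete Object.prototype.polluted` line exists only so the demonstration leaves the runtime as it found it; in a real service there is no such cleanup, which is why the validation helper belongs in front of any merge of client-supplied objects.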
  • #2 yariplus (Community Rep)

    According to the issues here, this is a false positive and updating won't actually make the error go away. Annoying to say the least.

    https://github.com/hapijs/hoek/issues?utf8=✓&q=is%3Aissue+Moderate+Prototype+pollution

  • #3 JenklerJ (Mikael Jenkler), replying to yariplus

    @yariplus OK, thanks. As long as it is safe 😉


Copyright © 2023 NodeBB | Contributors