Hello,

A 3 month old post already exist on this subject (Link), but i need more explication and details so i create this topic.

I use for a while Ghost as IT Security blog with friends and after seen some posts of @julian i wish to add NodeBB as forum for members.

But i am surprised to see this result after fresh install of the last version :

npm audit

                   === npm audit security report ===

# Run npm install less@3.8.1 to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > cryptiles > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > sntp > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Manual Review
│ Some vulnerabilities require your attention to resolve
│ Visit https://go.npm.me/audit-guide for additional guidance

│ Low │ Regular Expression Denial of Service
│ Package │ debug
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Dependency of │ socket.io-adapter-mongo
│ Path │ socket.io-adapter-mongo > debug
│ More info │ https://nodesecurity.io/advisories/534

found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
4 vulnerabilities require semver-major dependency updates.
1 vulnerability requires manual review. See the full report for details.

If i try to update some modules like this :

npm install less@3.8.1

less@3.8.1
removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

npm install socket.io-adapter-mongo@latest

socket.io-adapter-mongo@2.0.3
updated 1 package and audited 4322 packages in 6.529s
found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

npm install debug@latest

debug@4.0.1
added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
found 1 low severity vulnerability
run npm audit fix to fix them, or npm audit for details

This breaks the dependencies and makes it impossible to install NodeBB.

By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for this moment.

I looked at the advisories of the 5 vulnerabilities, it's not very bad but it still remains vulnerabilities.

Do you have a how-to on how to fix them or reduce the perimeter?

In addition,
do you have a date to communicate for a new release that will be fixed of its flaws?

Regards and congratulations for your work.

Community

gh0-0st