RE: NPM Audit found 5 vulnerabilities (1 low, 4 moderate)

Thank you for your quick answer Julian.

I hope the update to less v3 can be so fast
At least thank you for your explanation, I'm on the lookout to be able to use nodebb

Hello,

A 3 month old post already exist on this subject (Link), but i need more explication and details so i create this topic.

I use for a while Ghost as IT Security blog with friends and after seen some posts of @julian i wish to add NodeBB as forum for members.

But i am surprised to see this result after fresh install of the last version :

npm audit

                   === npm audit security report ===                        

# Run npm install [email protected] to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > cryptiles > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > sntp > hoek
│ More info │ https://nodesecurity.io/advisories/566

│ Manual Review
│ Some vulnerabilities require your attention to resolve
│ Visit https://go.npm.me/audit-guide for additional guidance

│ Low │ Regular Expression Denial of Service
│ Package │ debug
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Dependency of │ socket.io-adapter-mongo
│ Path │ socket.io-adapter-mongo > debug
│ More info │ https://nodesecurity.io/advisories/534

found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
4 vulnerabilities require semver-major dependency updates.
1 vulnerability requires manual review. See the full report for details.

If i try to update some modules like this :

npm install [email protected]

• [email protected]
  removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
  found 1 low severity vulnerability
  run npm audit fix to fix them, or npm audit for details

npm install [email protected]

• [email protected]
  updated 1 package and audited 4322 packages in 6.529s
  found 1 low severity vulnerability
  run npm audit fix to fix them, or npm audit for details

npm install [email protected]

• [email protected]
  added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
  found 1 low severity vulnerability
  run npm audit fix to fix them, or npm audit for details

This breaks the dependencies and makes it impossible to install NodeBB.

By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for this moment.

I looked at the advisories of the 5 vulnerabilities, it's not very bad but it still remains vulnerabilities.

Do you have a how-to on how to fix them or reduce the perimeter?

In addition,
do you have a date to communicate for a new release that will be fixed of its flaws?

Regards and congratulations for your work.