    Latest posts made by gh0-0st

    • RE: NPM Audit found 5 vulnerabilities (1 low, 4 moderate)

      Thank you for your quick answer, Julian.

      I hope the update to less v3 can be as fast ☺
      At least, thank you for your explanation; I'm on the lookout to be able to use NodeBB.

      posted in Technical Support
      gh0-0st
    • NPM Audit found 5 vulnerabilities (1 low, 4 moderate)

      Hello,

      A 3-month-old post already exists on this subject (Link), but I need more explanation and details, so I created this topic.

      I have been using Ghost for a while as an IT security blog with friends, and after seeing some posts by @julian I wish to add NodeBB as a forum for members.

      But I am surprised to see this result after a fresh install of the latest version:

      npm audit

                         === npm audit security report ===

      # Run npm install [email protected] to resolve 4 vulnerabilities
      SEMVER WARNING: Recommended action is a potentially breaking change
      │ Moderate │ Prototype pollution
      │ Package │ hoek
      │ Dependency of │ less
      │ Path │ less > request > hawk > boom > hoek
      │ More info │ https://nodesecurity.io/advisories/566

      │ Moderate │ Prototype pollution
      │ Package │ hoek
      │ Dependency of │ less
      │ Path │ less > request > hawk > cryptiles > boom > hoek
      │ More info │ https://nodesecurity.io/advisories/566

      │ Moderate │ Prototype pollution
      │ Package │ hoek
      │ Dependency of │ less
      │ Path │ less > request > hawk > hoek
      │ More info │ https://nodesecurity.io/advisories/566

      │ Moderate │ Prototype pollution
      │ Package │ hoek
      │ Dependency of │ less
      │ Path │ less > request > hawk > sntp > hoek
      │ More info │ https://nodesecurity.io/advisories/566

      │ Manual Review
      │ Some vulnerabilities require your attention to resolve
      │ Visit https://go.npm.me/audit-guide for additional guidance

      │ Low │ Regular Expression Denial of Service
      │ Package │ debug
      │ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0
      │ Dependency of │ socket.io-adapter-mongo
      │ Path │ socket.io-adapter-mongo > debug
      │ More info │ https://nodesecurity.io/advisories/534

      found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
      4 vulnerabilities require semver-major dependency updates.
      1 vulnerability requires manual review. See the full report for details.

      If I try to update some modules like this:

      npm install [email protected]

      • [email protected]
        removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
        found 1 low severity vulnerability
        run npm audit fix to fix them, or npm audit for details

      npm install [email protected]

      • [email protected]
        updated 1 package and audited 4322 packages in 6.529s
        found 1 low severity vulnerability
        run npm audit fix to fix them, or npm audit for details

      npm install [email protected]

      • [email protected]
        added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
        found 1 low severity vulnerability
        run npm audit fix to fix them, or npm audit for details

      This breaks the dependencies and makes it impossible to install NodeBB.

      By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for the moment.

      I looked at the advisories for the 5 vulnerabilities; it's not very bad, but they are still vulnerabilities.

      Do you have a how-to on how to fix them or reduce the perimeter?

      In addition, do you have a date to communicate for a new release that will have these flaws fixed?

      Regards, and congratulations on your work.

      posted in Technical Support
      gh0-0st
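The four "Prototype pollution" entries in the audit report above all point at the same advisory against hoek. As an added illustration (not code from the post, from NodeBB or from hoek), here is a constructed minimal deep-merge of the kind that class of advisory concerns, beside a hardened form that refuses prototype-chain keys; `mergeUnsafe`, `mergeSafe`, `demo` and the sample JSON are assumptions made for this example only.

```javascript
// Constructed illustration of the prototype-pollution class reported above.
// This is NOT hoek's code: a minimal deep-merge with the flaw, beside a hardened one.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Vulnerable: recurses into whichever key the source supplies. A source with an
// own "__proto__" key (JSON.parse creates one) makes target["__proto__"] resolve
// to Object.prototype, which the recursive call then mutates for every object.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      mergeUnsafe(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: never walk into the prototype chain, and only reuse nested objects
// that target itself owns (so an inherited value can never be the merge target).
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed untrusted input, e.g. a settings document posted by a user.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true}}';

// Merge the input with a given strategy, then check whether an unrelated,
// freshly created object elsewhere in the app has silently gained "isAdmin".
function demo(mergeFn) {
  const settings = mergeFn({ theme: 'light' }, JSON.parse(UNTRUSTED_JSON));
  const unrelated = {};
  const leaked = unrelated.isAdmin === true;   // true only if Object.prototype was polluted
  delete Object.prototype.isAdmin;             // undo so the next call starts clean
  return { theme: settings.theme, leaked };
}
```

`demo(mergeUnsafe)` reports `leaked: true` while `demo(mergeSafe)` reports `leaked: false` with the same legitimate `theme` value, which is the behaviour to look for when judging whether such a finding in a transitive dependency is reachable from user input.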

    © 2014 – 2022 NodeBB, Inc. — Made in Canada.