Thank you for your quick answer Julian.
I hope the update to less v3 can be so fast 
At least thank you for your explanation, I'm on the lookout to be able to use nodebb
Latest posts made by gh0-0st
-
RE: NPM Audit found 5 vulnerabilities (1 low, 4 moderate)posted in Technical Support
-
NPM Audit found 5 vulnerabilities (1 low, 4 moderate)posted in Technical Support
Hello,
A 3 month old post already exist on this subject (Link), but i need more explication and details so i create this topic.
I use for a while Ghost as IT Security blog with friends and after seen some posts of @julian i wish to add NodeBB as forum for members.
But i am surprised to see this result after fresh install of the last version :
npm audit
=== npm audit security report ===# Run npm install less@3.8.1 to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > cryptiles > boom > hoek
│ More info │ https://nodesecurity.io/advisories/566│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > hoek
│ More info │ https://nodesecurity.io/advisories/566│ Moderate │ Prototype pollution
│ Package │ hoek
│ Dependency of │ less
│ Path │ less > request > hawk > sntp > hoek
│ More info │ https://nodesecurity.io/advisories/566│ Manual Review
│ Some vulnerabilities require your attention to resolve
│ Visit https://go.npm.me/audit-guide for additional guidance│ Low │ Regular Expression Denial of Service
│ Package │ debug
│ Patched in │ >= 2.6.9 < 3.0.0 || >= 3.1.0
│ Dependency of │ socket.io-adapter-mongo
│ Path │ socket.io-adapter-mongo > debug
│ More info │ https://nodesecurity.io/advisories/534found 5 vulnerabilities (1 low, 4 moderate) in 4330 scanned packages
4 vulnerabilities require semver-major dependency updates.
1 vulnerability requires manual review. See the full report for details.If i try to update some modules like this :
npm install less@3.8.1
- less@3.8.1
removed 19 packages, updated 1 package and audited 4322 packages in 6.717s
found 1 low severity vulnerability
runnpm audit fixto fix them, ornpm auditfor details
npm install socket.io-adapter-mongo@latest
- socket.io-adapter-mongo@2.0.3
updated 1 package and audited 4322 packages in 6.529s
found 1 low severity vulnerability
runnpm audit fixto fix them, ornpm auditfor details
npm install debug@latest
- debug@4.0.1
added 12 packages from 3 contributors, updated 1 package and audited 4324 packages in 5.94s
found 1 low severity vulnerability
runnpm audit fixto fix them, ornpm auditfor details
This breaks the dependencies and makes it impossible to install NodeBB.
By default I don't install components with known security vulnerabilities on a production environment, so I find myself a little annoyed that I can't use NodeBB on my server for this moment.
I looked at the advisories of the 5 vulnerabilities, it's not very bad but it still remains vulnerabilities.
Do you have a how-to on how to fix them or reduce the perimeter?
In addition,
do you have a date to communicate for a new release that will be fixed of its flaws?Regards and congratulations for your work.
- less@3.8.1