99 vulnerabilities found in npm audit #511

Open
manojLondhe opened this issue May 16, 2018 · 1 comment

Comments


manojLondhe commented May 16, 2018

Hi,

I was trying out cloning this repo and doing an install locally; npm install indicated 99 vulnerabilities found.

Reporting the issue so this does not fall off track. (master branch)

added 2145 packages from 1770 contributors in 464.896s
[!] 99 vulnerabilities found [18775 packages audited]
    Severity: 42 Low | 23 Moderate | 32 High | 2 Critical
    Run `npm audit` for more detail

mj@my-lappy:~/GIT/ekstep-repos-all/sunbird-portal/src$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
# Run  npm install [email protected]  to resolve 21 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   karma                                                         
                                                                                
  Path            karma > lodash                                                
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > body-parser > debug                         
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > compression > debug                         
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > connect-timeout > debug                     
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > debug                                       
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > express-session > debug                     
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > finalhandler > debug                        
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > morgan > debug                              
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-index > debug                         
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-static > send > debug                 
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > minimatch                                             
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         negotiator                                                    
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > compression > accepts > negotiator          
                                                                                
  More info       https://nodesecurity.io/advisories/106                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         negotiator                                                    
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-index > accepts > negotiator          
                                                                                
  More info       https://nodesecurity.io/advisories/106                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > fresh                                       
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-favicon > fresh                       
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-static > send > fresh                 
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                


                                                                                
  Moderate        Regular Expression Denial of Service                          
                                                                                
  Package         mime                                                          
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > connect > serve-static > send > mime                  
                                                                                
  More info       https://nodesecurity.io/advisories/535                        
                                                                                


                                                                                
  High            Denial of Service                                             
                                                                                
  Package         ws                                                            
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > socket.io > socket.io-client > ws                     
                                                                                
  More info       https://nodesecurity.io/advisories/550                        
                                                                                


                                                                                
  High            DoS due to excessively large websocket message                
                                                                                
  Package         ws                                                            
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > socket.io > socket.io-client > ws                     
                                                                                
  More info       https://nodesecurity.io/advisories/120                        
                                                                                


                                                                                
  Low             Remote Memory Disclosure                                      
                                                                                
  Package         ws                                                            
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > socket.io > socket.io-client > ws                     
                                                                                
  More info       https://nodesecurity.io/advisories/67                         
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > glob > minimatch                                      
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


# Run  npm install [email protected]  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   gulp-less                                                     
                                                                                
  Path            gulp-less > less > request > hawk > boom > hoek               
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   gulp-less                                                     
                                                                                
  Path            gulp-less > less > request > hawk > cryptiles > boom > hoek   
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   gulp-less                                                     
                                                                                
  Path            gulp-less > less > request > hawk > hoek                      
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   gulp-less                                                     
                                                                                
  Path            gulp-less > less > request > hawk > sntp > hoek               
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


# Run  npm install [email protected]  to resolve 4 vulnerabilities
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   phantomjs-prebuilt                                            
                                                                                
  Path            phantomjs-prebuilt > request > hawk > boom > hoek             
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   phantomjs-prebuilt                                            
                                                                                
  Path            phantomjs-prebuilt > request > hawk > cryptiles > boom >      
                  hoek                                                          
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   phantomjs-prebuilt                                            
                                                                                
  Path            phantomjs-prebuilt > request > hawk > hoek                    
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   phantomjs-prebuilt                                            
                                                                                
  Path            phantomjs-prebuilt > request > hawk > sntp > hoek             
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


# Run  npm install --dev [email protected]  to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > lodash      
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-stream > minimatch                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > glob >      
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch   
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                


# Run  npm install --dev [email protected]  to resolve 11 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > body-parser > debug                  
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > compression > debug                  
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > connect-timeout > debug              
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > debug                                
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > express-session > debug              
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > finalhandler > debug                 
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > morgan > debug                       
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-index > debug                  
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-static > send > debug          
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > tiny-lr > body-parser > debug                  
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > tiny-lr > debug                                
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


# Run  npm install [email protected]  to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   jsonwebtoken                                                  
                                                                                
  Path            jsonwebtoken > joi > hoek                                     
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   jsonwebtoken                                                  
                                                                                
  Path            jsonwebtoken > joi > topo > hoek                              
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


# Run  npm install --dev [email protected]  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-gifsicle > gifsicle >     
                  bin-build > download > caw > tunnel-agent                     
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-gifsicle > gifsicle >     
                  bin-wrapper > download > caw > tunnel-agent                   
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-jpegtran > jpegtran-bin   
                  > bin-build > download > caw > tunnel-agent                   
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-jpegtran > jpegtran-bin   
                  > bin-wrapper > download > caw > tunnel-agent                 
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-optipng > optipng-bin >   
                  bin-build > download > caw > tunnel-agent                     
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


                                                                                
  Moderate        Memory Exposure                                               
                                                                                
  Package         tunnel-agent                                                  
                                                                                
  Dependency of   gulp-imagemin [dev]                                           
                                                                                
  Path            gulp-imagemin > imagemin > imagemin-optipng > optipng-bin >   
                  bin-wrapper > download > caw > tunnel-agent                   
                                                                                
  More info       https://nodesecurity.io/advisories/598                        
                                                                                


# Run  npm install [email protected]  to resolve 2 vulnerabilities
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   helmet                                                        
                                                                                
  Path            helmet > connect > debug                                      
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Dependency of   helmet                                                        
                                                                                
  Path            helmet > connect > finalhandler > debug                       
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                


# Run  npm install --dev [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Dependency of   wiredep [dev]                                                 
                                                                                
  Path            wiredep > lodash                                              
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                


# Run  npm install --dev [email protected]  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
                                                                                
  Low             Large gzip Denial of Service                                  
                                                                                
  Package         superagent                                                    
                                                                                
  Dependency of   chai-http [dev]                                               
                                                                                
  Path            chai-http > superagent                                        
                                                                                
  More info       https://nodesecurity.io/advisories/479                        
                                                                                


# Run  npm update phantomjs-prebuilt --depth 2  to resolve 4 vulnerabilities
                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma-phantomjs-launcher                                      
                                                                                
  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > boom > hoek                                            
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma-phantomjs-launcher                                      
                                                                                
  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > cryptiles > boom > hoek                                
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma-phantomjs-launcher                                      
                                                                                
  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > hoek                                                   
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
  Moderate        Prototype pollution                                           
                                                                                
  Package         hoek                                                          
                                                                                
  Dependency of   karma-phantomjs-launcher                                      
                                                                                
  Path            karma-phantomjs-launcher > phantomjs-prebuilt > request >     
                  hawk > sntp > hoek                                            
                                                                                
  More info       https://nodesecurity.io/advisories/566                        
                                                                                


                                                                                
                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp [dev]                                                    
                                                                                
  Path            gulp > vinyl-fs > glob-stream > glob > minimatch              
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-jshint [dev]                                             
                                                                                
  Path            gulp-jshint > minimatch                                       
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-load-plugins [dev]                                       
                                                                                
  Path            gulp-load-plugins > findup-sync > glob > minimatch            
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-load-plugins [dev]                                       
                                                                                
  Path            gulp-load-plugins > multimatch > minimatch                    
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   wiredep [dev]                                                 
                                                                                
  Path            wiredep > glob > minimatch                                    
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-jasmine-node [dev]                                       
                                                                                
  Path            gulp-jasmine-node > jasmine-node > gaze > minimatch           
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-mocha > mocha > glob > minimatch             
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-jasmine-node [dev]                                       
                                                                                
  Path            gulp-jasmine-node > jasmine-node > gaze > fileset > glob >    
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > istanbul > fileset > glob >       
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-jshint > minimatch                           
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-load-plugins > findup-sync > glob >          
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-load-plugins > multimatch > minimatch        
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-jasmine-node [dev]                                       
                                                                                
  Path            gulp-jasmine-node > jasmine-node > gaze > fileset >           
                  minimatch                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         minimatch                                                     
                                                                                
  Patched in      >=3.0.2                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > istanbul > fileset > minimatch    
                                                                                
  More info       https://nodesecurity.io/advisories/118                        
                                                                                
                                                                                
  Critical        Command Injection                                             
                                                                                
  Package         growl                                                         
                                                                                
  Patched in      >=1.10.2                                                      
                                                                                
  Dependency of   gulp-jasmine-node [dev]                                       
                                                                                
  Path            gulp-jasmine-node > jasmine-node > jasmine-growl-reporter >   
                  growl                                                         
                                                                                
  More info       https://nodesecurity.io/advisories/146                        
                                                                                
                                                                                
  Critical        Command Injection                                             
                                                                                
  Package         growl                                                         
                                                                                
  Patched in      >=1.10.2                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-mocha > mocha > growl                        
                                                                                
  More info       https://nodesecurity.io/advisories/146                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   asyncawait                                                    
                                                                                
  Path            asyncawait > lodash                                           
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-jshint                                                   
                                                                                
  Path            gulp-jshint > lodash                                          
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-jshint [dev]                                             
                                                                                
  Path            gulp-jshint > jshint > lodash                                 
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-jshint > jshint > lodash                     
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-jshint [dev]                                             
                                                                                
  Path            gulp-jshint > rcloader > lodash                               
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > lodash                            
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-jshint > lodash                              
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-jshint > rcloader > lodash                   
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-load-plugins > findup-sync > lodash          
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  Low             Prototype Pollution                                           
                                                                                
  Package         lodash                                                        
                                                                                
  Patched in      >=4.17.5                                                      
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-help > lodash                                
                                                                                
  More info       https://nodesecurity.io/advisories/577                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Patched in      >= 0.5.2                                                      
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > fresh                                
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Patched in      >= 0.5.2                                                      
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-favicon > fresh                
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         fresh                                                         
                                                                                
  Patched in      >= 0.5.2                                                      
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-static > send > fresh          
                                                                                
  More info       https://nodesecurity.io/advisories/526                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         negotiator                                                    
                                                                                
  Patched in      >= 0.6.1                                                      
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > compression > accepts > negotiator   
                                                                                
  More info       https://nodesecurity.io/advisories/106                        
                                                                                
                                                                                
  High            Regular Expression Denial of Service                          
                                                                                
  Package         negotiator                                                    
                                                                                
  Patched in      >= 0.6.1                                                      
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-index > accepts > negotiator   
                                                                                
  More info       https://nodesecurity.io/advisories/106                        
                                                                                
                                                                                
  High            Cross-Site Scripting                                          
                                                                                
  Package         handlebars                                                    
                                                                                
  Patched in      >=4.0.0                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > istanbul > handlebars             
                                                                                
  More info       https://nodesecurity.io/advisories/61                         
                                                                                
                                                                                
  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >= 2.4.24                                                     
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > istanbul > handlebars >           
                  uglify-js                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/39                         
                                                                                
                                                                                
  Low             Incorrect Handling of Non-Boolean Comparisons During          
                  Minification                                                  
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >= 2.4.24                                                     
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > socket.io > socket.io-client > uglify-js              
                                                                                
  More info       https://nodesecurity.io/advisories/39                         
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >=2.6.0                                                       
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-istanbul > istanbul > handlebars >           
                  uglify-js                                                     
                                                                                
  More info       https://nodesecurity.io/advisories/48                         
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         uglify-js                                                     
                                                                                
  Patched in      >=2.6.0                                                       
                                                                                
  Dependency of   karma [dev]                                                   
                                                                                
  Path            karma > socket.io > socket.io-client > uglify-js              
                                                                                
  More info       https://nodesecurity.io/advisories/48                         
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
                                                                                
  Package         ms                                                            
                                                                                
  Patched in      >0.7.0                                                        
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-mocha > mocha > debug > ms                   
                                                                                
  More info       https://nodesecurity.io/advisories/46                         
                                                                                
                                                                                
  Moderate        Regular Expression Denial of Service                          
                                                                                
  Package         mime                                                          
                                                                                
  Patched in      >= 1.4.1 < 2.0.0 || >= 2.0.3                                  
                                                                                
  Dependency of   gulp-connect [dev]                                            
                                                                                
  Path            gulp-connect > connect > serve-static > send > mime           
                                                                                
  More info       https://nodesecurity.io/advisories/535                        
                                                                                
                                                                                
  Low             Regular Expression Denial of Service                          
                                                                                
  Package         debug                                                         
                                                                                
  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0                                  
                                                                                
  Dependency of   gulp-test [dev]                                               
                                                                                
  Path            gulp-test > gulp-mocha > mocha > debug                        
                                                                                
  More info       https://nodesecurity.io/advisories/534                        
                                                                                

[!] 99 vulnerabilities found - Packages audited: 18775 (18032 dev, 8557 optional)
    Severity: 42 Low | 23 Moderate | 32 High | 2 Critical

@kochhar
Contributor

kochhar commented May 16, 2018 via email
