
Npm audit #147

Merged
merged 3 commits into from
Sep 10, 2021

Conversation

medied
Contributor

@medied medied commented Sep 1, 2021

Summary:


[1]

                       === npm audit security report ===


# Run  npm install --save-dev webpack@5.51.1  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > watchpack-chokidar2 > chokidar >       │
│               │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm install --save-dev webpack-dev-server@4.1.0  to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular expression denial of service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ glob-parent                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server > chokidar > glob-parent                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1751                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

[2]

emedina@wmf2669 wikipedia-preview % npm run dev
> wikipedia-preview@1.3.0 dev /Users/emedina/internet/wikimedia/wikipedia-preview
> webpack-dev-server --mode development --host=0.0.0.0 --disable-host-check

The command moved into a separate package: @webpack-cli/serve
Would you like to install serve? (That will run npm install -D @webpack-cli/serve) (yes/NO) : y
npm WARN @storybook/addon-measure@2.0.0 requires a peer of @storybook/addons@^6.3.0 but none is installed. You must install peer dependencies yourself
… 
… 
… 
found 38 vulnerabilities (28 moderate, 10 high)
  run `npm audit fix` to fix them, or `npm audit` for details
TypeError: Class constructor ServeCommand cannot be invoked without 'new'
    at runWhenInstalled (/Users/emedina/internet/wikimedia/wikipedia-preview/node_modules/webpack-cli/bin/utils/prompt-command.js:46:9)
    at /Users/emedina/internet/wikimedia/wikipedia-preview/node_modules/webpack-cli/bin/utils/prompt-command.js:124:15
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! wikipedia-preview@1.3.0 dev: `webpack-dev-server --mode development --host=0.0.0.0 --disable-host-check`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the wikipedia-preview@1.3.0 dev script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/emedina/.npm/_logs/2021-09-01T15_50_29_419Z-debug.log
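The boxed report above is the rendered form of `npm audit --json`. As an added example (not code from this PR or from wikipedia-preview), the script below turns a constructed audit document, shaped like npm 6's `advisories` output and mirroring the glob-parent finding above, into the same table rows and summary counts, and gates only on paths that reach a production dependency; `rows`, `summary`, `shouldFail` and the `devDependencies` set are assumed names for illustration.

```javascript
// Added example: a gate over `npm audit --json` output (npm 6 "advisories" shape).
// The sample is constructed to mirror this PR's report; it is not captured output.
const devDependencies = new Set(["webpack", "webpack-dev-server"]); // from package.json in practice
const sampleAudit = {
  advisories: {
    1751: {
      id: 1751,
      module_name: "glob-parent",
      severity: "moderate",
      title: "Regular expression denial of service",
      url: "https://npmjs.com/advisories/1751",
      findings: [
        { version: "3.1.0", paths: ["webpack>watchpack>watchpack-chokidar2>chokidar>glob-parent"] },
        { version: "3.1.0", paths: ["webpack-dev-server>chokidar>glob-parent"] }
      ]
    }
  }
};
const RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// One row per dependency path, like the boxed table npm prints. The first element of
// the path is the direct dependency, so it decides whether the finding is dev-only.
function rows(audit, devDeps) {
  const out = [];
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const p of finding.paths) {
        const chain = p.split(">");
        out.push({
          severity: adv.severity, pkg: adv.module_name, title: adv.title, url: adv.url,
          dependencyOf: chain[0], dev: devDeps.has(chain[0]), path: chain.join(" > "),
        });
      }
    }
  }
  return out;
}

// Counts in the form npm prints, e.g. "found 2 vulnerabilities (2 moderate, 0 high)".
function summary(audit, devDeps) {
  const counts = { moderate: 0, high: 0 };
  for (const r of rows(audit, devDeps)) counts[r.severity] = (counts[r.severity] || 0) + 1;
  const total = Object.values(counts).reduce((a, b) => a + b, 0);
  return { total, counts };
}

// CI gate: fail on any production path at or above `threshold`; dev-only findings
// (both glob-parent paths here) are still reported but do not block the merge.
function shouldFail(audit, devDeps, threshold = "moderate") {
  return rows(audit, devDeps).some(r => !r.dev && RANK[r.severity] >= RANK[threshold]);
}
```

A ReDoS in a dev-only watcher such as chokidar is a developer-machine exposure rather than a runtime one, which is why the gate distinguishes the two even though both rows carry the same advisory.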

@stephanebisson
Collaborator

Running npm audit with this PR gives me: "26 vulnerabilities (18 moderate, 8 high)"

Is it possible that there are so many new issues since the PR was created? Maybe. I'll try fixing some more and bringing this branch up to date with the latest.

@stephanebisson
Collaborator

It turns out npm audit fix can't fix anything more at this point. I'll merge this PR and let the new issues be addressed next month.

@stephanebisson stephanebisson merged commit 0fe05b2 into main Sep 10, 2021
@stephanebisson stephanebisson deleted the npm-audit-25-sept branch September 10, 2021 19:19
@stephanebisson stephanebisson restored the npm-audit-25-sept branch July 28, 2022 12:56