Skip to content
This repository has been archived by the owner on Apr 25, 2024. It is now read-only.

Security warnings about set-value and http-proxy #134

Open
1 of 5 tasks
sgeisler opened this issue May 21, 2020 · 5 comments
Open
1 of 5 tasks

Security warnings about set-value and http-proxy #134

sgeisler opened this issue May 21, 2020 · 5 comments
Labels
good first issue Good for newcomers help wanted Extra attention is needed

Comments

@sgeisler
Copy link

Security warnings are shown for the packages set-value and http-proxy during install.

I'm submitting a…

  • Regression (a behavior that used to work and stopped working in a new release)
  • Bug report
  • Feature request
  • Documentation issue or request
  • Support request

Expected Behavior

Installation without security warnings.

Current Behavior

There seem to be two dependencies with security vulnerabilities marked as "high" (whatever that means in JS land).

npm WARN notice [SECURITY] set-value has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=set-value&version=2.0.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] http-proxy has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=http-proxy&version=1.18.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

Possible Solution

Assuming there's a fix upstream upgrading the dependencies might help.

Steps to Reproduce (for bugs)

  1. Fresh Debian 10.4 install
  2. apt install npm
  3. clone caravan repo
  4. npm install

Environment

  • Debian 10.4

  • npm 5.8.0

  • nodejs v10.19.0

  • Where are you running caravan: VM (quite irrelevant)

  • Operating system: Linux (Debian 10.4)

  • Browser and version: N/A

[email protected] /opt/caravan
├── [email protected] 
└─┬ [email protected] 
  └── [email protected] 

npm: 5.8.0 
node: v10.19.0
Linux 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux
@waldenraines
Copy link
Contributor

waldenraines commented May 22, 2020

@sgeisler thanks for the bug report!

Not sure if this an option for you but if you upgrade your version of nodejs and npm, rm -fr node_modules, and npm i again you should see the following (I used nvm to test in node.js 12 and 13):

found 3 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

@sgeisler
Copy link
Author

Thx for the quick reply! I'm not too concerned about it for myself (have it running in a restricted environment anyway), just wanted to let you know. I fear debian doesn't ship any more recent versions and I don't want to alter the system too much just for that.

So if you can fix it by upgrading some dep: great (I assume that's what npm audit fix would do?)! If it's just a reporting error due to old npm: my bad, feel free to close.

@bucko13
Copy link
Contributor

bucko13 commented May 26, 2020

I believe some of the dependencies need to be bumped manually (not just npm audit fix) as they could result in some breaking changes (minor or major changes rather than just a patch) and so will need some testing.

Thanks for reporting!

@bucko13 bucko13 added good first issue Good for newcomers help wanted Extra attention is needed labels May 26, 2020
@abhiShandy
Copy link
Contributor

I don't see this high vulnerability with the latest version but 5000 low-level vulnerabilities, where npm audit fix fixes 4999 of them.

Should I start a PR with the updated package.json and package-lock.json?

abhiShandy added a commit to abhiShandy/caravan that referenced this issue Jul 27, 2020
5000 low severity vulnerabilities are shown during `npm install` which might be intimidating for
uninformed users

ISSUES: unchained-capital#134
@waldenraines
Copy link
Contributor

Should I start a PR with the updated package.json and package-lock.json?

💯 PRs are always welcome!

waldenraines pushed a commit that referenced this issue Jul 27, 2020
5000 low severity vulnerabilities are shown during `npm install` which might be intimidating for
uninformed users

ISSUES: #134
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
good first issue Good for newcomers help wanted Extra attention is needed
Projects
None yet
Development

No branches or pull requests

4 participants