Vulnerabilities #13

Open
ghost opened this issue Nov 12, 2020 · 1 comment

Comments

ghost commented Nov 12, 2020

Issue Overview

When running 'npm install', 15 vulnerabilities (1 low, 12 high, 2 critical) show up.

Is this simply a case of updating some of the

To be entirely honest I don't know if this is an issue or I am missing something.

Describe your environment

npm --version
7.0.10

node --version
v12.18.3

Steps to reproduce

Change directory to desktop:

Git clone https://github.com/planetoftheweb/angulardata.git

Change directory to 'angulardata'.

Run npm install

Expected behaviour

NPM installs modules without critical vulnerabilities

Current behaviour

npm WARN using --force Recommended protections disabled.
npm WARN audit Updating gulp-webserver to 0.5.0,which is a SemVer major change.
npm WARN audit Updating gulp to 4.0.2,which is a SemVer major change.
npm WARN deprecated [email protected]: Chokidar 2 will break on node v14+. Upgrade to chokidar 3 with 15x less dependencies.
npm WARN deprecated [email protected]: fsevents 1 will break on node v14+ and could be using insecure binaries. Upgrade to fsevents 2.

A summary of the critical issues.

Run npm audit for details.
angulardata % npm audit

npm audit report

Severity: critical
Command Injection - https://npmjs.com/advisories/663
fix available via npm audit fix --force
Will install [email protected], which is a breaking change

debug <=2.6.8 || 3.0.0 - 3.0.1
Regular Expression Denial of Service - https://npmjs.com/advisories/534
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/tiny-lr/node_modules/debug

ghost commented Nov 16, 2020

Deprecated

Please note gulp-util is deprecated

This is the URL for the npm package:
https://www.npmjs.com/package/gulp-util
gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5

Request

It would be good practice to get this updated. I would like to help; however, this is outside of my scope.

  • Thanks Ray.
