Comments (12)
Here is the output of npm audit:
vdhcoapp_1.2.0_npm_audit.txt
from vdhcoapp.
As of 1.4.0 we have now 20 vulns, 10 of which rank high:
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm WARN deprecated [email protected]: request has been deprecated, see https://github.com/request/request/issues/3142
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: Please see https://github.com/lydell/urix#deprecated
npm WARN deprecated [email protected]: https://github.com/lydell/resolve-url#deprecated
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
The lack of action in this thread as well as the piling amount of vulns really speaks for itself…
from vdhcoapp.
It seems indeed like every one of these vulnerabilities was pulled in as a dependency of a dependency, and not directly, meaning that the dependencies need fixing.
In my view, a developer is responsible for the code stack released, so also for chosen dependencies. If fixing these (e.g. by moving to another version) is not possible, one has to find another (safer?) library to do the job, IMHO.
Don't get me wrong, this is not a demand to anyone (let alone the developer here), but a basic philosophy about responsibility in coding.
Feel free to close the ticket, but the issue raised is definitely not solved: when building the project as-is you get a result with known vulnerabilities.
from vdhcoapp.
For version 1.3.0 there are 17 vulnerabilities: 3 low, 6 moderate, 8 high:
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: All versions below 4.0.1 of Nodemailer are deprecated. See https://nodemailer.com/status/
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: Use uuid module instead
npm WARN deprecated [email protected]: This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: This project is unmaintained
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: This module moved to @hapi/sntp. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: This version has been deprecated in accordance with the hapi support policy (hapi.im/support). Please upgrade to the latest version to get the best features, bug fixes, and security patches. If you are unable to upgrade at this time, paid support is available for older versions (hapi.im/commercial).
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm notice created a lockfile as package-lock.json. You should commit this file.
added 838 packages from 450 contributors and audited 3965 packages in 22.618s
found 17 vulnerabilities (3 low, 6 moderate, 8 high)
run `npm audit fix` to fix them, or `npm audit` for details
from vdhcoapp.
Mates, not sure what you want the guy to do... all the things you listed are from your Linux distribution... there is nothing in the code where he provides, say, the "mailcomposer" package, and the other packages that are listed!
So, as the printout tells you, run: "npm audit fix"
from vdhcoapp.
I'm far from being an npm expert, but I'm pretty sure this has nothing to do with the distribution. As far as I understand it, the developers state in package.json which dependencies and versions they expect to be installed, and npm audit checks for known vulns in these modules and reports. These modules are pulled from npm directly and have nothing to do with the Linux distribution's packages.
If it is indeed as I laid out, the developers are using vulnerable outdated npm modules and it is totally on their side to migrate their code to a fixed version.
Running npm audit fix is a crutch of npm to find hopefully matching versions that don't have the same reported vulnerabilities.
Correct me if I'm wrong, but that's the way I understood it so far.
from vdhcoapp.
I am looking where in the code it has "package.json":
https://github.com/mi-g/vdhcoapp/search?q=package.json&unscoped_q=package.json
He doesn't provide any package.json...
It comes from NPM, so NPM developers would need to update their "package.json" file to not use the vulnerable (outdated) packages.
from vdhcoapp.
What about this one?
(I think you were searching in files, not for files)
from vdhcoapp.
Ah thanks! I looked at the file/link you provided:
My previous comment still stands...
His 'package.json' lists which packages it depends on from NPM... none of the packages listed in that package.json are in the 'vulnerability printouts',
so it is the base NPM packages that need to be updated / take care of those vulnerabilities.
These are the ones listed in the vul. report:
- boom
- buildmail
- circular-json
- cryptiles
- graceful-fs
- gulp-util
- hawk
- hoek
- mailcomposer
- minimatch
- mkdirp
- natives
- nodemailer
- node-uuid
- request
- resolve-url
- sntp
- socks
- urix
These are what is listed in the tool's package.json:
- appdmg
- download
- fs.extra
- fs-extra
- got
- gulp
- gulp-clean
- gulp-deb
- gulp-debug
- gulp-ejs
- gulp-gzip
- gulp-if
- gulp-rename
- gulp-tar
- log4js
- opn
- pkg
- regedit
- run-sequence
- tmp
- vinyl-fs
- which
- yargs
If you can find a package listed in the vul. report and in the developer's use, then I will 110% agree the developer needs to update the code to not use the vul. package.
But, if you cannot find one...
then the developer (@mi-g) does not have to modify one character in the code,
and the ticket should be closed.
from vdhcoapp.
Maybe these vulnerabilities come mostly from one or a few dependencies? That would make fixing it easier.
Is there a nice way to check for that with npm?
from vdhcoapp.
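The question above (which direct dependency drags in which vulnerable module) and the earlier back-and-forth about whether the flagged packages appear in package.json at all can both be answered from the machine-readable audit report. The script below is an added example, not code from vdhcoapp or from npm: it takes the npm 6 style `npm audit --json` report (advisories, each with findings whose `paths` are `>`-separated dependency chains, an assumed shape), groups every vulnerable module under the top-level dependency at the start of its chain, and flags the ones that are direct dependencies (a chain of length one). The sample report is constructed; the package names and versions in it are illustrative only.

```javascript
// Added example (not vdhcoapp code). Groups `npm audit --json` findings by the
// direct dependency that pulls each vulnerable module in, so you can see whether
// one or two top-level packages account for most of the report.
//
// Assumption: the npm 6 audit report shape
//   { advisories: { id: { module_name, severity, findings: [{ version, paths }] } } }
// where each path is a ">"-separated chain starting at a direct dependency.

// Constructed sample report; names and versions are illustrative only.
const sampleAudit = {
  advisories: {
    "1": { module_name: "graceful-fs", severity: "moderate",
           findings: [{ version: "3.0.12",
                        paths: ["gulp>vinyl-fs>graceful-fs", "gulp-tar>vinyl-fs>graceful-fs"] }] },
    "2": { module_name: "minimatch", severity: "high",
           findings: [{ version: "2.0.10",
                        paths: ["gulp>vinyl-fs>glob-stream>minimatch"] }] },
    "3": { module_name: "hoek", severity: "high",
           findings: [{ version: "2.16.3", paths: ["download>got>hoek"] }] },
    "4": { module_name: "got", severity: "low",
           findings: [{ version: "5.0.0", paths: ["got", "download>got"] }] },
  },
};

// Returns { roots: [{ root, count, modules: [ "name@version", ... ] }], direct: [names] }
// roots is sorted by number of distinct vulnerable modules, then by name;
// direct lists modules that are themselves declared in package.json (chain length 1).
function groupByDirectDependency(audit) {
  const byRoot = new Map();      // root dependency -> Map("name@version" -> severity)
  const direct = new Set();      // vulnerable modules that are direct dependencies
  for (const adv of Object.values(audit.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split(">");
        const root = chain[0];
        if (chain.length === 1) direct.add(adv.module_name);
        if (!byRoot.has(root)) byRoot.set(root, new Map());
        byRoot.get(root).set(`${adv.module_name}@${finding.version}`, adv.severity);
      }
    }
  }
  const roots = [...byRoot.entries()]
    .map(([root, mods]) => ({ root, count: mods.size, modules: [...mods.keys()].sort() }))
    .sort((a, b) => b.count - a.count || a.root.localeCompare(b.root));
  return { roots, direct: [...direct].sort() };
}

// Human-readable summary of the grouped result.
function formatReport(result) {
  const lines = result.roots.map(
    (r) => `${r.root}: ${r.count} vulnerable module(s) -> ${r.modules.join(", ")}`);
  lines.push(`direct dependencies that are themselves vulnerable: ${
    result.direct.length ? result.direct.join(", ") : "none"}`);
  return lines.join("\n");
}

console.log(formatReport(groupByDirectDependency(sampleAudit)));
```

To use it on a real checkout, run `npm audit --json > audit.json` in the project directory and pass the parsed file to `groupByDirectDependency` instead of the constructed sample. A root that accounts for most of the report is the dependency worth upgrading or replacing first; for a single module, `npm ls <module>` prints the same chain from the installed tree.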
Version 1.6.0 contains 1 vulnerability and it is low severity. At this point we cannot do better.
from vdhcoapp.
Thanks for taking care of this!
from vdhcoapp.