
Nearly half the packages specified have high risk vulnerabilities, all have some vulnerability.


After npm i we can see that the level of vulnerabilities is unacceptable.

added 646 packages from 383 contributors and audited 762 packages in 7.892s
found 724 vulnerabilities (353 low, 23 moderate, 348 high)
  run `npm audit fix` to fix them, or `npm audit` for details

I’m trying to fix the problem, at least locally. It will take a long time because every single specified package has a vulnerability.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments:6 (3 by maintainers)

Top GitHub Comments

1 reaction
AmtechInnovarch commented, Mar 11, 2021

This is why veteran coders with decades of experience disapprove of JS as a back-end language. Javascript is not intended to be a server side language, and these node packages create vulnerabilities that get servers hacked.

grapesjs$ npm audit fix

changed 1 package, and audited 2026 packages in 3s

# npm audit report

diff  <3.5.0
Severity: high
Regular Expression Denial of Service - https://npmjs.com/advisories/1631
fix available via `npm audit fix --force`
Will install documentation@13.1.1, which is a breaking change
node_modules/diff
  disparity  <=2.0.0
  Depends on vulnerable versions of diff
  node_modules/disparity
    documentation  4.0.0-beta - 13.0.1
    Depends on vulnerable versions of disparity
    Depends on vulnerable versions of yargs
    node_modules/documentation

mem  <4.0.0
Denial of Service - https://npmjs.com/advisories/1084
fix available via `npm audit fix --force`
Will install documentation@13.1.1, which is a breaking change
node_modules/mem
  os-locale  2.0.0 - 3.0.0
  Depends on vulnerable versions of mem
  node_modules/os-locale
    yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
    Depends on vulnerable versions of os-locale
    Depends on vulnerable versions of yargs-parser
    node_modules/yargs
      documentation  4.0.0-beta - 13.0.1
      Depends on vulnerable versions of disparity
      Depends on vulnerable versions of yargs
      node_modules/documentation

yargs-parser  <=13.1.1 || 14.0.0 - 15.0.0 || 16.0.0 - 18.1.1
Prototype Pollution - https://npmjs.com/advisories/1500
fix available via `npm audit fix --force`
Will install documentation@13.1.1, which is a breaking change
node_modules/yargs-parser
  yargs  4.0.0-alpha1 - 12.0.5 || 14.1.0 || 15.0.0 - 15.2.0
  Depends on vulnerable versions of os-locale
  Depends on vulnerable versions of yargs-parser
  node_modules/yargs
    documentation  4.0.0-beta - 13.0.1
    Depends on vulnerable versions of disparity
    Depends on vulnerable versions of yargs
    node_modules/documentation

7 vulnerabilities (4 low, 3 high)

This is a serious security concern and should be addressed by the developer, or there should be adequate warning in the readme.md that discourages production use without fixing all these vulnerabilities.

Is there a way to only use the client side layer of GrapesJS? Can the developer please identify the client side files?

0 reactions
artf commented, Mar 21, 2021

Honestly, this is what I get from the current dev

found 3 vulnerabilities (2 low, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

All related to dependencies of the documentation library (used to create API .md files for documentation). Anyway, as others have already mentioned, GrapesJS is a client-side framework, so keep in mind that vulnerabilities reported by npm are mainly in libraries required for development, so it’s not something you deploy in production.
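The maintainer's point (the findings sit in development-only dependencies such as documentation) can be checked mechanically rather than by reading the audit tree by hand. The script below is an added example, not GrapesJS project code: it takes the shape of an npm 7+ `npm audit --json` report and the `dev` flags that a package-lock.json v2 records per installed path, and splits findings into dev-only and production-reachable. Both inputs are constructed samples mirroring the diff -> disparity -> documentation chain in the report above; example-runtime-lib is a constructed placeholder, not a real advisory.

```javascript
// Added example (not GrapesJS code): classify `npm audit --json` findings as
// dev-only or production-reachable using package-lock.json v2 `dev` flags.
// Constructed sample report, mirroring the chain shown in this issue.
const auditReport = {
  vulnerabilities: {
    diff: { name: 'diff', severity: 'high', isDirect: false, range: '<3.5.0',
      via: [{ title: 'Regular Expression Denial of Service', url: 'https://npmjs.com/advisories/1631' }],
      effects: ['disparity'], nodes: ['node_modules/diff'] },
    disparity: { name: 'disparity', severity: 'high', isDirect: false, range: '<=2.0.0',
      via: ['diff'], effects: ['documentation'], nodes: ['node_modules/disparity'] },
    documentation: { name: 'documentation', severity: 'high', isDirect: true,
      range: '4.0.0-beta - 13.0.1', via: ['disparity', 'yargs'], effects: [],
      nodes: ['node_modules/documentation'] },
    // Constructed placeholder, not a real advisory: exercises the production branch.
    'example-runtime-lib': { name: 'example-runtime-lib', severity: 'moderate', isDirect: true,
      range: '<1.2.0', via: [{ title: 'Constructed sample advisory' }], effects: [],
      nodes: ['node_modules/example-runtime-lib'] },
  },
};
// Constructed package-lock.json v2 "packages" map; `dev: true` marks dev-only installs.
const lockPackages = {
  'node_modules/diff': { version: '3.4.0', dev: true },
  'node_modules/disparity': { version: '2.0.0', dev: true },
  'node_modules/documentation': { version: '13.0.1', dev: true },
  'node_modules/example-runtime-lib': { version: '1.1.0' },
};

// A finding is dev-only when every installed copy it refers to is flagged dev.
// A path missing from the lock file is treated as production (fail closed).
function isDevOnly(vuln, packages) {
  return vuln.nodes.every((p) => Boolean(packages[p]) && packages[p].dev === true);
}

// Split the report into two buckets, keeping the chain of vulnerable deps
// (string entries of `via`) so a reader can see why a package is listed.
function classifyAudit(audit, packages) {
  const result = { devOnly: [], production: [] };
  for (const v of Object.values(audit.vulnerabilities)) {
    const entry = { name: v.name, severity: v.severity, direct: v.isDirect,
      chain: v.via.filter((x) => typeof x === 'string') };
    (isDevOnly(v, packages) ? result.devOnly : result.production).push(entry);
  }
  return result;
}

// Per-severity counts for one bucket, e.g. summary(report.production).high
function summary(entries) {
  return entries.reduce((acc, e) => ({ ...acc, [e.severity]: (acc[e.severity] || 0) + 1 }), {});
}

const report = classifyAudit(auditReport, lockPackages);
console.log('dev-only:', report.devOnly.map((e) => e.name).join(', '));
console.log('production-reachable:', summary(report.production));
```

On a real checkout, replace the two constants with `JSON.parse` of `npm audit --json` output and of package-lock.json's `packages` object; only the production bucket needs to block a deploy.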
