
`npm audit` throws 6 vulnerabilities (1 moderate, 5 high)

See original GitHub issue

Bug description

npm audit throws 6 vulnerabilities (1 moderate, 5 high) (Effectively 3)

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install @paperbits/azure@0.1.412, which is outside the stated dependency range
node_modules/axios
  @azure/ms-rest-js  <=1.9.0
  Depends on vulnerable versions of axios
  node_modules/@azure/ms-rest-js
    @azure/storage-blob  <=10.3.0
    Depends on vulnerable versions of @azure/ms-rest-js
    node_modules/@paperbits/azure/node_modules/@azure/storage-blob
      @paperbits/azure  0.1.296 - 0.1.376
      Depends on vulnerable versions of @azure/storage-blob
      node_modules/@paperbits/azure

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service - https://npmjs.com/advisories/565
fix available via `npm audit fix`
node_modules/ssri
node_modules/webpack/node_modules/ssri

y18n  <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution - https://npmjs.com/advisories/1654
fix available via `npm audit fix`
node_modules/y18n

6 vulnerabilities (1 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force

Reproduction steps

npm install and/or npm audit

Expected behavior

Report should ideally have no entries.

Is your portal managed or self-hosted?

Self-hosted

Release tag or commit SHA (if using self-hosted version)

2.8.0

API Management service name

N/A

Environment

N/A

Additional context

N/A

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5

Top GitHub Comments

1 reaction
azaslonov commented, Apr 29, 2021

Hi @venura9, thanks, we’ll take care of it.

0 reactions
azaslonov commented, Jun 8, 2021

I have to close this issue because it is nearly impossible to bring the number of security audit warnings to zero. There is always a “dependency of a dependency of a dependency” that has some reported issues. However, this doesn’t always mean that your users are vulnerable. For example, the current audit brings up an issue in the meow library, which is a dependency of sass-loader, which is used for the styles compilation at build time:

node_modules/trim-newlines
  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
  node_modules/meow
    node-sass  >=3.5.0-beta.1
    Depends on vulnerable versions of meow
    node_modules/node-sass
      sass-loader  5.0.0 - 6.0.7 || >=8.0.0
      Depends on vulnerable versions of node-sass
      node_modules/sass-loader

Since it’s build time, there is no threat for end-users of the portal, because meow is not executed in the runtime at all.

Of course, we still keep an eye on audit reports and fix whatever can be fixed right away. Besides that, we have automated tools in place that check our services/portals for vulnerabilities, and we have a bounty-hunting program. All these measures help us identify and mitigate actual security issues.

Hope that makes sense.

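The triage the maintainer describes (which flagged packages are actually reachable at runtime, and which fixes stay inside the declared semver ranges) can be done mechanically from `npm audit --json`. The script below is an added example, not code from the issue or from the api-management-developer-portal project. It assumes the npm 7+ audit JSON schema (`vulnerabilities`, `via`, `effects`, `isDirect`, `fixAvailable`), uses a constructed, trimmed report approximating the two chains quoted on this page (the trim-newlines advisory details are placeholders, since the issue shows only its chain), and assumes sass-loader is listed under `devDependencies` while @paperbits/azure is a runtime dependency:

```javascript
'use strict';

// Assumed devDependencies from package.json: sass-loader is the build-time
// tool named in the issue; @paperbits/azure is treated as a runtime dependency.
const DEV_DEPENDENCIES = new Set(['sass-loader']);

// Constructed, trimmed approximation of `npm audit --json` (npm 7+ schema)
// for the two chains quoted in the issue. Real reports carry more fields;
// the trim-newlines advisory title/severity and fixAvailable are placeholders.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    axios: {
      isDirect: false, range: '<0.21.1', effects: ['@azure/ms-rest-js'],
      via: [{ source: 1594, title: 'Server-Side Request Forgery', severity: 'high',
              url: 'https://npmjs.com/advisories/1594', range: '<0.21.1' }],
      fixAvailable: { name: '@paperbits/azure', version: '0.1.412', isSemVerMajor: true },
    },
    '@azure/ms-rest-js': { isDirect: false, via: ['axios'], effects: ['@azure/storage-blob'] },
    '@azure/storage-blob': { isDirect: false, via: ['@azure/ms-rest-js'], effects: ['@paperbits/azure'] },
    '@paperbits/azure': { isDirect: true, via: ['@azure/storage-blob'], effects: [] },
    'trim-newlines': {
      isDirect: false, effects: ['meow'], fixAvailable: true, // placeholder values
      via: [{ title: '(placeholder: advisory not shown in the issue)', severity: 'moderate', url: 'n/a' }],
    },
    meow: { isDirect: false, via: ['trim-newlines'], effects: ['node-sass'] },
    'node-sass': { isDirect: false, via: ['meow'], effects: ['sass-loader'] },
    'sass-loader': { isDirect: true, via: ['node-sass'], effects: [] },
  },
};

// Walk `effects` (the packages that depend on `name`) upward and collect the
// direct dependencies that ultimately pull `name` into the tree.
function directRoots(vulns, name) {
  const roots = new Set();
  const seen = new Set([name]);
  const queue = [name];
  while (queue.length) {
    const cur = queue.shift();
    const node = vulns[cur];
    if (!node) continue;
    if (node.isDirect) roots.add(cur);
    for (const parent of node.effects || []) {
      if (!seen.has(parent)) { seen.add(parent); queue.push(parent); }
    }
  }
  return roots;
}

// Translate npm's fixAvailable field into the command that would apply it.
function fixKind(fixAvailable) {
  if (fixAvailable === true) return 'in-range fix (npm audit fix)';
  if (fixAvailable && fixAvailable.isSemVerMajor) {
    return `breaking fix: ${fixAvailable.name}@${fixAvailable.version} (npm audit fix --force)`;
  }
  if (fixAvailable) return `fix via ${fixAvailable.name}@${fixAvailable.version}`;
  return 'no fix available';
}

// One finding per advisory (object entries in `via`); string entries in `via`
// are transitive pointers to another vulnerable package, not advisories.
function triageAudit(report, devDeps) {
  const vulns = report.vulnerabilities || {};
  const rank = { critical: 4, high: 3, moderate: 2, low: 1, info: 0 };
  const findings = [];
  for (const [name, node] of Object.entries(vulns)) {
    for (const adv of node.via || []) {
      if (typeof adv !== 'object') continue;
      const roots = [...directRoots(vulns, name)].sort();
      const runtimeRoots = roots.filter((r) => !devDeps.has(r));
      findings.push({
        package: name, title: adv.title, severity: adv.severity, advisory: adv.url, roots,
        scope: roots.length === 0 ? 'unknown' : runtimeRoots.length ? 'runtime' : 'build-only',
        fix: fixKind(node.fixAvailable),
      });
    }
  }
  // Runtime-reachable findings first, then by severity.
  findings.sort((a, b) => (b.scope === 'runtime') - (a.scope === 'runtime')
    || (rank[b.severity] || 0) - (rank[a.severity] || 0));
  return findings;
}

// Usage: node triage-audit.js [audit.json] [package.json]; with no arguments
// the constructed sample report is used.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_REPORT;
  const devDeps = process.argv[3]
    ? new Set(Object.keys(JSON.parse(fs.readFileSync(process.argv[3], 'utf8')).devDependencies || {}))
    : DEV_DEPENDENCIES;
  for (const f of triageAudit(report, devDeps)) {
    console.log(`[${f.scope}] ${f.severity} ${f.package}: ${f.title} (${f.advisory})`);
    console.log(`  pulled in by: ${f.roots.join(', ') || 'unknown'}; ${f.fix}`);
  }
}
```

On the sample, axios comes out as `runtime` (reached through @paperbits/azure, fixable only by a semver-major bump, which is why npm offers `--force`), and trim-newlines as `build-only` (reached only through sass-loader). npm itself can drop dev-only chains with `npm audit --production` (npm 7) or `npm audit --omit=dev` (npm 8+); the script adds the "which direct dependency is responsible" view that the plain report lacks. "Build-only" lowers priority rather than removing it: a package that runs in CI still executes with access to the build environment, so it should still be patched when a fix is available.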

