
`npm audit` throws 6 vulnerabilities (1 moderate, 5 high)


Bug description

npm audit throws 6 vulnerabilities (1 moderate, 5 high) (Effectively 3)

# npm audit report

axios  <0.21.1
Severity: high
Server-Side Request Forgery -
fix available via `npm audit fix --force`
Will install @paperbits/azure@0.1.412, which is outside the stated dependency range
  @azure/ms-rest-js  <=1.9.0
  Depends on vulnerable versions of axios
    @azure/storage-blob  <=10.3.0
    Depends on vulnerable versions of @azure/ms-rest-js
      @paperbits/azure  0.1.296 - 0.1.376
      Depends on vulnerable versions of @azure/storage-blob

ssri  5.2.2 - 6.0.1 || 7.0.0 - 8.0.0
Severity: moderate
Regular Expression Denial of Service -
fix available via `npm audit fix`

y18n  <3.2.2||=4.0.0||>=5.0.0 <5.0.5
Severity: high
Prototype Pollution -
fix available via `npm audit fix`

6 vulnerabilities (1 moderate, 5 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues, run:
  npm audit fix --force

Reproduction steps

npm install and/or npm audit

Expected behavior

Report should ideally have no entries.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 5

Top GitHub Comments

azaslonov commented, Apr 29, 2021

Hi @venura9, thanks, we’ll take care of it.

azaslonov commented, Jun 8, 2021

I have to close this issue because it is nearly impossible to bring the number of security audit warnings to zero. There is always a “dependency of a dependency of a dependency” that has some reported issues. However, this doesn’t always mean that your users are vulnerable. For example, the current audit brings up an issue in the meow library, which is a dependency of sass-loader, which is used for style compilation at build time:

  meow  3.4.0 - 5.0.0
  Depends on vulnerable versions of trim-newlines
    node-sass  >=3.5.0-beta.1
    Depends on vulnerable versions of meow
      sass-loader  5.0.0 - 6.0.7 || >=8.0.0
      Depends on vulnerable versions of node-sass

Since it’s build time, there is no threat to end users of the portal, because meow is not executed at runtime at all.

Of course, we still keep an eye on audit reports and fix whatever can be fixed right away. Besides that, we have automated tools in place that check our services/portals for vulnerabilities, and we have a bounty-hunting program. All these measures help us identify and mitigate actual security issues.

Hope that makes sense.
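The triage rule in the comment above (a finding only matters to end users if the chain reaches a package that ships at runtime) can be applied mechanically to `npm audit --json` output. The script below is an added example, not code from the issue or from the developer portal project; it assumes the auditReportVersion 2 shape, where each entry in `vulnerabilities` has `isDirect` and `effects` (the dependents that become vulnerable through it), and the sample data is constructed to mirror the two chains quoted in this issue.

```javascript
// Added example: label npm audit findings as runtime-reachable or build-time-only.
// CONSTRUCTED sample data modelled on the chains quoted in the issue; not real audit output.
const pkg = {
  dependencies: { "@paperbits/azure": "0.1.300" },   // shipped to end users (assumed version)
  devDependencies: { "sass-loader": "8.0.0" },       // build time only (assumed version)
};
const audit = {
  vulnerabilities: {
    "axios":               { severity: "high", isDirect: false, effects: ["@azure/ms-rest-js"] },
    "@azure/ms-rest-js":   { severity: "high", isDirect: false, effects: ["@azure/storage-blob"] },
    "@azure/storage-blob": { severity: "high", isDirect: false, effects: ["@paperbits/azure"] },
    "@paperbits/azure":    { severity: "high", isDirect: true,  effects: [] },
    "trim-newlines":       { severity: "high", isDirect: false, effects: ["meow"] },
    "meow":                { severity: "high", isDirect: false, effects: ["node-sass"] },
    "node-sass":           { severity: "high", isDirect: false, effects: ["sass-loader"] },
    "sass-loader":         { severity: "high", isDirect: true,  effects: [] },
  },
};

// Follow `effects` upward until top-level (isDirect) packages are reached.
// `seen` guards against cycles in the dependency graph.
function topLevelDependents(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  if (vulns[name].isDirect) return [name];
  return vulns[name].effects.flatMap((dep) => topLevelDependents(vulns, dep, seen));
}

// "runtime" if any top-level dependent is in `dependencies`, "build-time" if every one is a
// devDependency, otherwise "unknown" (no root found, or a direct package listed in neither);
// treat "unknown" as runtime until proven otherwise.
function classifyFindings(auditJson, packageJson) {
  const prod = new Set(Object.keys(packageJson.dependencies || {}));
  const dev = new Set(Object.keys(packageJson.devDependencies || {}));
  const result = {};
  for (const name of Object.keys(auditJson.vulnerabilities)) {
    const roots = topLevelDependents(auditJson.vulnerabilities, name);
    if (roots.some((r) => prod.has(r))) result[name] = "runtime";
    else if (roots.length > 0 && roots.every((r) => dev.has(r))) result[name] = "build-time";
    else result[name] = "unknown";
  }
  return result;
}

console.log(classifyFindings(audit, pkg));
```

On a real project, replace the two literals with the parsed contents of `npm audit --json` and `package.json`; npm 8 and later can also drop the build-time paths from the report itself with `npm audit --omit=dev`.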

