Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerable dependencies

See original GitHub issue

Hello,

according to the output of npm audit command, the latest version of favicons-webpack-plugin has the following vulnerabilities:

$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > merge-defaults > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > cheerio > lodash        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ favicons-webpack-plugin [dev]                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ favicons-webpack-plugin > favicons > node-rest-client >      │
│               │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Could you update the dependencies please?

Issue Analytics

State:
Created 5 years ago
Reactions:31
Comments:8 (1 by maintainers)

Top GitHub Comments

8reactions

TrevorSayrecommented, Nov 15, 2018

@DanielRuf The migration is super simple.

npm uninstall favicons-webpack-plugin npm install --save-dev webapp-webpack-plugin

then in your webpack.config.js

remove:

const FaviconsWebpackPlugin = require('favicons-webpack-plugin');

replace with:

const WebappWebpackPlugin = require('webapp-webpack-plugin');

find FaviconsWebpackPlugin and replace with WebappWebpackPlugin

4reactions

jamesball27commented, Jul 31, 2018

+1 still receiving these warnings on 0.0.9 @jantimon

Top Results From Across the Web

What are Vulnerable Dependencies?

When a security vulnerability is found in a third-party dependency, and a new version with a fix is released, it is the responsibility...

Vulnerable Dependency Management Cheat Sheet

The vulnerable dependency is found during one of the following situation in which the provider is not aware of the vulnerability: Via the...

Vulnerabilities in Dependencies: What You Need to Know

Here's what you need to know about the vulnerabilities in dependencies, third party components and open source.

Dependency Vulnerability Assessment - CISA

Dependency Vulnerability Assessment ... Examples of fundamental functions include food, shelter, economy, healthcare, education, and government. Since ...

Troubleshooting the detection of vulnerable dependencies

If the dependency information reported by GitHub is not what you expected, there are a number of points to consider, and various things...