Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

`npm start` after first `npm install` throws error[🐛]

See original GitHub issue

🐛 Bug report

Description

After doing npm install for the first time, the console had 12 vulnerabilities regarding dependencies:

 **Critical**        Verification Bypass
  Package         jsonwebtoken
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken
  More info       https://npmjs.com/advisories/17

  **Moderate**        Regular Expression Denial of Service
  Package         moment
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken > moment
  More info       https://npmjs.com/advisories/55

  **High**            Forgeable Public/Private Tokens
  Package         jws
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken > jws
  More info       https://npmjs.com/advisories/88

 **Low**             Regular Expression Denial of Service
  Package         moment
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken > moment
  More info       https://npmjs.com/advisories/532

  **Moderate**        Out-of-bounds Read
  Package         base64url
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken > jws > base64url
  More info       https://npmjs.com/advisories/658

  **Moderate**        Out-of-bounds Read
  Package         base64url
  Dependency of   express-jwt
  Path            express-jwt > jsonwebtoken > jws > jwa > base64url
  More info       https://npmjs.com/advisories/658

  **Moderate**        Cross-Site Scripting
  Package         sanitize-html
  Dependency of   sanitize-html
  Path            sanitize-html
  More info       https://npmjs.com/advisories/135

  **Moderate**        Cross-Site Scripting
  Package         sanitize-html
  Dependency of   sanitize-html
  Path            sanitize-html
  More info       https://npmjs.com/advisories/154

  **Low**             Prototype Pollution
  Package         lodash
  Dependency of   sanitize-html
  Path            sanitize-html > lodash
  More info       https://npmjs.com/advisories/577

  **High**            Prototype Pollution
  Package         lodash
  Dependency of   sanitize-html
  Path            sanitize-html > lodash
  More info       https://npmjs.com/advisories/782

  **High**            Prototype Pollution
  Package         lodash
  Dependency of   sanitize-html
  Path            sanitize-html > lodash
  More info       https://npmjs.com/advisories/1065

  **Critical**        Command Injection
  Package         marsdb
  Patched in      No patch available
  Dependency of   marsdb
  Path            marsdb
  More info       https://npmjs.com/advisories/1122

After these, on doing npm start, following error occurs:

UnhandledPromiseRejectionWarning: Error: Package exports for 'F:\gsoc\OWASP\juice-shop\node_modules\hashids' do not define a './cjs' subpath

Maybe a solution to this is: npm install sanitize-html@1.21.1 npm install express-jwt@5.3.1

Is this a regression?

Not sure.

🔬 Minimal Reproduction

Clone the repo again in a different directory in your machine
run npm install and then run npm start

Issue Analytics

State:
Created 4 years ago
Comments:10 (8 by maintainers)

Top GitHub Comments

2reactions

J12934commented, Feb 4, 2020

Don’t think the other dependencies are causing problems. We actually need some of them at old and vulnerable version to showcase as they are used in challenges.

1reaction

J12934commented, Feb 4, 2020

Open up an issue in the hashids repo