npm audit vulnerability from dot-prop
Running npm audit mentions a vulnerability with a sub-dependency: dot-prop.
N/A
npm i --package-lock-only && npm audit
output
=== npm audit security report ===
# Run npm install update-notifier@4.1.0 to resolve 1 vulnerability
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ update-notifier │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ update-notifier > configstore > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm install --save-dev @commitlint/cli@9.1.2 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @commitlint/cli [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @commitlint/cli > meow > yargs-parser │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1500 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update @commitlint/lint --depth 2 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @commitlint/cli [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @commitlint/cli > @commitlint/lint > @commitlint/parse > │
│ │ conventional-changelog-angular > compare-func > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update conventional-changelog-angular --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard-version > conventional-changelog > │
│ │ conventional-changelog-angular > compare-func > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update conventional-changelog-conventionalcommits --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard-version > conventional-changelog > │
│ │ conventional-changelog-conventionalcommits > compare-func > │
│ │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update conventional-changelog-core --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard-version > conventional-changelog > │
│ │ conventional-changelog-core > conventional-changelog-writer │
│ │ > compare-func > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
# Run npm update conventional-changelog-jshint --depth 3 to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard-version > conventional-changelog > │
│ │ conventional-changelog-jshint > compare-func > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @serverless/enterprise-plugin │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @serverless/enterprise-plugin > update-notifier > │
│ │ configstore > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ cos-nodejs-sdk-v5 [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ cos-nodejs-sdk-v5 > configstore > dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=5.1.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ standard-version [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ standard-version > │
│ │ conventional-changelog-conventionalcommits > compare-func > │
│ │ dot-prop │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1213 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 10 vulnerabilities (1 low, 9 high) in 1568 scanned packages
run `npm audit fix` to fix 6 of them.
1 vulnerability requires semver-major dependency updates.
3 vulnerabilities require manual review. See the full report for details.
Installed version
N/A
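The dot-prop finding in the report above (advisory 1213, patched in >=5.1.1) is a prototype-pollution bug in a dot-path setter. The following is an added example, not code from dot-prop or from the Serverless project: a minimal setter in the vulnerable shape beside the hardened shape, with a probe that shows the difference. The function names are made up for this illustration, and the refused key list reflects the dot-prop 5.1.1 fix as I understand it.

```javascript
// Keys dot-prop >=5.1.1 refuses to traverse (assumed from the advisory fix).
const DISALLOWED_KEYS = new Set(['__proto__', 'prototype', 'constructor']);

// Shared walker: creates intermediate objects and writes the final segment.
// It trusts every segment name, which is the whole problem.
function assignPath(target, segments, value) {
  let node = target;
  for (const key of segments.slice(0, -1)) {
    if (typeof node[key] !== 'object' || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Vulnerable shape: a path starting with "__proto__" walks into
// Object.prototype, so the final write lands on every object in the process.
function setPathUnsafe(target, path, value) {
  return assignPath(target, path.split('.'), value);
}

// Hardened shape: reject any segment that would reach a prototype before
// touching the target at all.
function setPathSafe(target, path, value) {
  const segments = path.split('.');
  const bad = segments.find((k) => DISALLOWED_KEYS.has(k));
  if (bad !== undefined) throw new TypeError(`Disallowed key segment "${bad}"`);
  return assignPath(target, segments, value);
}

// Probe: apply a constructed hostile path with the given setter and report
// whether an unrelated fresh object now inherits the written value.
// Object.prototype is restored afterwards so repeated runs stay independent.
function probe(setter) {
  let error = null;
  try {
    setter({}, '__proto__.polluted', true); // constructed hostile input
  } catch (e) {
    error = e.message;
  }
  const leaked = ({}).polluted === true;
  delete Object.prototype.polluted;
  return { leaked, error };
}

console.log('unsafe:', probe(setPathUnsafe)); // leaked: true, error: null
console.log('safe:  ', probe(setPathSafe));   // leaked: false, error set
```

The same probe run against your installed copy of a path-setting library is a quick way to confirm that an upgrade or override actually landed the patched behaviour.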
@joshuanapoli that’s a valid point and we’re aware of that.
It’s an unfortunate problem that comes from the monolithic nature of the Serverless Framework. It’s one of the reasons we’re revisiting that approach with Serverless Components, where each cloud functionality is covered by a different component.
Ok, I understand. Something to consider: the wide range of dependencies in the serverless package are giving users quite a bit of cost for features that I’m not using. For example, sub-dependency vulnerabilities in utils-china and update-notifier cause concern and burden even though I don’t use these. I’d rather see these included through plugin/preset style system, so that I can remove the features.