Security: found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages


Version

3.2.3

Reproduction link

https://github.com/peterennis/aeicons-vue

Environment info

C:\ae\adaept.com\aeicons-vue>vue info

Environment Info:

  System:
    OS: Windows 10
    CPU: (4) x64 Intel(R) Core(TM) i7-3540M CPU @ 3.00GHz
  Binaries:
    Node: 10.14.2 - C:\Program Files\nodejs\node.EXE
    Yarn: Not Found
    npm: 6.4.1 - C:\Program Files\nodejs\npm.CMD
  Browsers:
    Edge: 44.17763.1.0
  npmPackages:
    @vue/cli-overlay:  3.2.0
    @vue/cli-plugin-e2e-nightwatch: ^3.2.0 => 3.2.2
    @vue/cli-plugin-eslint: ^3.2.0 => 3.2.2
    @vue/cli-plugin-pwa: ^3.2.0 => 3.2.2
    @vue/cli-plugin-typescript: ^3.2.0 => 3.2.2
    @vue/cli-plugin-unit-jest: ^3.2.0 => 3.2.3
    @vue/cli-service: ^3.2.0 => 3.2.3
    @vue/cli-shared-utils:  3.2.2
    @vue/component-compiler-utils:  2.4.0
    @vue/eslint-config-prettier: ^4.0.1 => 4.0.1
    @vue/eslint-config-typescript: ^3.2.0 => 3.2.0
    @vue/preload-webpack-plugin:  1.1.0
    @vue/test-utils: ^1.0.0-beta.20 => 1.0.0-beta.28
    @vue/web-component-wrapper:  1.2.0
    eslint-plugin-vue: ^5.0.0 => 5.1.0
    jest-serializer-vue:  2.0.2
    vue: ^2.5.21 => 2.5.21
    vue-class-component: ^6.0.0 => 6.3.2
    vue-eslint-parser:  2.0.3
    vue-hot-reload-api:  2.3.1
    vue-jest:  3.0.2
    vue-loader:  15.5.0
    vue-property-decorator: ^7.0.0 => 7.2.0
    vue-style-loader:  4.1.2
    vue-template-compiler: ^2.5.21 => 2.5.21
    vue-template-es2015-compiler:  1.6.0
  npmGlobalPackages:
    @vue/cli: Not Found


C:\ae\adaept.com\aeicons-vue>

Steps to reproduce

Create project with the relevant selections

What is expected?

No security errors

What is actually happening?

npm audit shows security errors that npm audit fix cannot fix


C:\ae\adaept.com\aeicons-vue>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Critical Command Injection

Package growl

Patched in >=1.10.2

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > mocha-nightwatch > growl

More info https://nodesecurity.io/advisories/146

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package http-proxy-agent

Patched in >=2.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > pac-proxy-agent > http-proxy-agent

More info https://nodesecurity.io/advisories/607

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > https-proxy-agent

More info https://nodesecurity.io/advisories/593

High Denial of Service

Package https-proxy-agent

Patched in >=2.2.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > pac-proxy-agent > https-proxy-agent

More info https://nodesecurity.io/advisories/593

Low Regular Expression Denial of Service

Package debug

Patched in >= 2.6.9 < 3.0.0 || >= 3.1.0

Dependency of @vue/cli-plugin-e2e-nightwatch [dev]

Path @vue/cli-plugin-e2e-nightwatch > nightwatch > mocha-nightwatch > debug

More info https://nodesecurity.io/advisories/534

found 6 vulnerabilities (1 low, 4 high, 1 critical) in 37738 scanned packages 6 vulnerabilities require manual review. See the full report for details.

C:\ae\adaept.com\aeicons-vue>
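Added example, not part of the original issue: a small triage script that takes the six findings from the audit report above and works out which package every vulnerable dependency chain passes through, and whether any finding reaches production dependencies. The `findings` array is transcribed by hand from the report, and the function names `commonPrefix` and `triage` are hypothetical.

```javascript
// Constructed input: the six findings transcribed from the npm audit report in this issue.
const findings = [
  { severity: 'critical', pkg: 'growl', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > mocha-nightwatch > growl' },
  { severity: 'high', pkg: 'http-proxy-agent', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > http-proxy-agent' },
  { severity: 'high', pkg: 'http-proxy-agent', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > pac-proxy-agent > http-proxy-agent' },
  { severity: 'high', pkg: 'https-proxy-agent', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > https-proxy-agent' },
  { severity: 'high', pkg: 'https-proxy-agent', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > proxy-agent > pac-proxy-agent > https-proxy-agent' },
  { severity: 'low', pkg: 'debug', dev: true,
    path: '@vue/cli-plugin-e2e-nightwatch > nightwatch > mocha-nightwatch > debug' },
];

// Longest run of package names shared by the start of every dependency chain.
function commonPrefix(chains) {
  if (chains.length === 0) return [];
  const prefix = [];
  for (let i = 0; i < chains[0].length; i++) {
    const name = chains[0][i];
    if (!chains.every((c) => c[i] === name)) break; // also stops at the shortest chain
    prefix.push(name);
  }
  return prefix;
}

function triage(list) {
  const shared = commonPrefix(list.map((f) => f.path.split(' > ')));
  const bySeverity = {};
  for (const f of list) bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
  return {
    // Package listed in package.json that pulls in every finding (null if there is none).
    directDependency: shared[0] || null,
    // Deepest package common to all chains: one upgrade here can clear every finding.
    upgradePoint: shared[shared.length - 1] || null,
    // True when no finding is reachable from production dependencies.
    devOnly: list.every((f) => f.dev),
    bySeverity,
    uniquePackages: [...new Set(list.map((f) => f.pkg))].sort(),
  };
}

console.log(triage(findings));
```

All six chains converge on `nightwatch`, which is why `npm audit fix` cannot resolve them from the project side: the vulnerable versions are selected inside that dependency, not by the project's own `package.json`.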

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 7 (6 by maintainers)

Top GitHub Comments

beatfactor commented, Jan 8, 2019 (8 reactions)

@LinusBorg vue-cli is using nightwatch v0.9 and we have recently released v1.0 into the main npm channel. Anything we can do to help with the upgrade? Let us know if there are specific issues blocking it, thanks.

LinusBorg commented, Jan 8, 2019 (2 reactions)

@beatfactor hey, thanks for getting in touch. I’m not personally familiar with the status of the nightwatch plugin, but we are certainly interested in moving to 1.0 if that’s available now. I honestly missed that. 😅

/cc @sodatea can you chime in!
