Aframe: Found 4 vulnerabilities (3 low, 1 moderate) during npm install

Created on 23 May 2019 · 5Comments · Source: aframevr/aframe

Description:
Found 4 vulnerabilities (3 low, 1 moderate) during npm install

=== npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ aframe │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ aframe > browserify-css > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/782 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ aframe │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ aframe > browserify-css > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ clean-css │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ aframe │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ aframe > browserify-css > clean-css │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/785 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ braces │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=2.3.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ aframe │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ aframe > browserify-css > find-node-modules > findup-sync > │
│ │ micromatch > braces │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/786 │
└───────────────┴──────────────────────────────────────────────────────────────┘

A-Frame Version:
0.9.2
Platform / Device:
macOS / macbook
Reproducible Code Snippet or URL:
npm i aframe --save

Source

MrBokeh

Most helpful comment

Oops, thought this was a different repo. Just need to bump browserify-css.

ngokevin on 23 May 2019

👍2

All 5 comments

Not sure what all that means.

dmarcos on 23 May 2019

Thanks, this should be resolved in A-Frame, although they won't have user effect.

ngokevin on 23 May 2019

Oops, thought this was a different repo. Just need to bump browserify-css.

ngokevin on 23 May 2019

👍2

Thanks @ngokevin, I think the vulnerabilities always gives people an uneasy feeling. I am looking forward to the fix.

Hi @dmarcos, I have installed aframe with the npm install aframe command then it found 4 vulnerabilities, the report can be seen with the npm audit command

MrBokeh on 23 May 2019

While we're at it, shouldn't browserify-css be under devDependencies?

If it's only used for the build process, there shouldn't be any reason for dependent packages to require it
I think having something under dependencies implies that it's used in run-time code that gets shipped to the browser, which is more unsettling (see @MrBokeh's comment about the "uneasy feeling") when a vulnerability does arise. So best to keep stuff in devDependencies unless it's realy needed in dependencies.

Thanks.