Hexo: vulnerability message when hexo init

Created on 3 Mar 2019 · 16 Comments · Source: hexojs/hexo

Running hexo init in the blog directory produces the following output:
INFO Cloning hexo-starter to F:\blog
Cloning into 'F:\blog'...
remote: Enumerating objects: 3, done.
remote: Counting objects: 100% (3/3), done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 71 (delta 0), reused 0 (delta 0), pack-reused 68
Unpacking objects: 100% (71/71), done.
Submodule 'themes/landscape' (https://github.com/hexojs/hexo-theme-landscape.git) registered for path 'themes/landscape'
Cloning into 'F:/blog/themes/landscape'...
remote: Enumerating objects: 8, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 885 (delta 1), reused 5 (delta 0), pack-reused 877
Receiving objects: 100% (885/885), 2.55 MiB | 1.75 MiB/s, done.
Resolving deltas: 100% (464/464), done.
Submodule path 'themes/landscape': checked out '73a23c51f8487cfcd7c6deec96ccc7543960d350'
INFO Install dependencies
npm WARN deprecated [email protected]: no longer maintained
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 421 packages from 504 contributors and audited 4697 packages in 98.85s
found 2 low severity vulnerabilities
run npm audit fix to fix them, or npm audit for details
INFO Start blogging with Hexo!

Running npm audit then produces the following output:
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low            Regular Expression Denial of Service
Package        braces
Patched in     >=2.3.1
Dependency of  hexo
Path           hexo > hexo-cli > hexo-fs > chokidar > anymatch > micromatch > braces
More info      https://nodesecurity.io/advisories/786

Low            Regular Expression Denial of Service
Package        braces
Patched in     >=2.3.1
Dependency of  hexo
Path           hexo > hexo-fs > chokidar > anymatch > micromatch > braces
More info      https://nodesecurity.io/advisories/786

found 2 low severity vulnerabilities in 4697 scanned packages
2 vulnerabilities require manual review. See the full report for details.
After running npm update braces and then running npm audit again, it still reports that the braces version is lower than 2.3.1.

dependencies

All 16 comments

G:\blog>check-audit

npm audit --json
exit: 1

Total of 1 actions to process

[low] Regular Expression Denial of Service

- dependencies: hexo>hexo-cli>hexo-fs>chokidar>anymatch>micromatch>braces
- dependencies: hexo>hexo-fs>chokidar>anymatch>micromatch>braces

😱 Unresolved issues found!

I have the same question.

Both issues have been resolved already, but we just need to publish a new version (starting with hexo-cli)

I have the same problem.

➜ blog npm install
audited 4697 packages in 3.847s
found 3 vulnerabilities (2 low, 1 moderate)
run npm audit fix to fix them, or npm audit for details
➜ blog npm audit fix
up to date in 1.918s
fixed 0 of 3 vulnerabilities in 4697 scanned packages
3 vulnerabilities required manual review and could not be updated
➜ blog npm audit fix --force
npm WARN using --force I sure hope you know what you are doing.
up to date in 1.932s
fixed 0 of 3 vulnerabilities in 4697 scanned packages
3 vulnerabilities required manual review and could not be updated
➜ blog npm audit

=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Low            Regular Expression Denial of Service
Package        braces
Patched in     >=2.3.1
Dependency of  hexo
Path           hexo > hexo-cli > hexo-fs > chokidar > anymatch > micromatch > braces
More info      https://nodesecurity.io/advisories/786

Low            Regular Expression Denial of Service
Package        braces
Patched in     >=2.3.1
Dependency of  hexo
Path           hexo > hexo-fs > chokidar > anymatch > micromatch > braces
More info      https://nodesecurity.io/advisories/786

Moderate       Regular Expression Denial of Service
Package        marked
Patched in     >=0.6.2
Dependency of  hexo-renderer-marked
Path           hexo-renderer-marked > marked
More info      https://nodesecurity.io/advisories/812

found 3 vulnerabilities (2 low, 1 moderate) in 4697 scanned packages
3 vulnerabilities require manual review. See the full report for details.

same question.

same question, too.

same question. And the pics on my blog can't show.

Hello, may I ask whether this problem has been solved? I also have a problem with images not displaying; are images showing normally on your side?

Dear all

Please read https://github.com/hexojs/hexo/issues/3475#issuecomment-471315039 before posting a new comment.

This is a vulnerability issue of package dependencies.
It's not good, but it does not affect hexo's behavior.

We should publish a new version.
Please wait...

Thanks :)

Dear all

We released hexo-cli v2.0.0
Please re-install with the command below.

$ npm install -g hexo-cli

Hi all,

After I updated hexo-cli, a new project created by hexo init still got the same vulnerability warning, as did my existing hexo project.
How does the new hexo-cli v2.0.0 resolve the issue exactly?
And how can I resolve the warning for my current project?

Thanks

same question. 😱

@midoriki @marsen

Would you please check your hexo-cli version? Latest hexo-cli version is 2.0.0

$ hexo -v

hexo -v
hexo: 3.8.0
hexo-cli: 2.0.0
os: Linux 4.4.0-17134-Microsoft linux x64
http_parser: 2.8.0
node: 8.16.0
v8: 6.2.414.77
uv: 1.23.2
zlib: 1.2.11
ares: 1.10.1-DEV
modules: 57
nghttp2: 1.33.0
napi: 4
openssl: 1.0.2r
icu: 60.1
unicode: 10.0
cldr: 32.0
tz: 2017c

Vulnerability warnings are not displayed if hexo-cli is 2.0.0

$ hexo init
INFO  Cloning hexo-starter https://github.com/hexojs/hexo-starter.git
Cloning into '/mnt/c/Users/N.Yoshinori/work/site/test'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 74 (delta 2), reused 4 (delta 2), pack-reused 68
Unpacking objects: 100% (74/74), done.
Submodule 'themes/landscape' (https://github.com/hexojs/hexo-theme-landscape.git) registered for path 'themes/landscape'
Cloning into '/mnt/c/Users/N.Yoshinori/work/site/test/themes/landscape'...
remote: Enumerating objects: 21, done.
remote: Counting objects: 100% (21/21), done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 917 (delta 4), reused 10 (delta 0), pack-reused 896
Receiving objects: 100% (917/917), 2.56 MiB | 922.00 KiB/s, done.
Resolving deltas: 100% (484/484), done.
Submodule path 'themes/landscape': checked out '73a23c51f8487cfcd7c6deec96ccc7543960d350'
INFO  Install dependencies
yarn install v1.15.2
info No lockfile found.
[1/4] Resolving packages...
warning hexo > warehouse > cuid > [email protected]: core-js@<2.6.8 is no longer maintained. Please, upgrade to core-js@3 or at least to actual version of core-js@2.
[2/4] Fetching packages...
info [email protected]: The platform "linux" is incompatible with this module.
info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
[4/4] Building fresh packages...
success Saved lockfile.
warning Your current version of Yarn is out of date. The latest version is "1.16.0", while you're on "1.15.2".
info To upgrade, run the following command:
$ curl --compressed -o- -L https://yarnpkg.com/install.sh | bash
Done in 23.87s.
INFO  Start blogging with Hexo!

Vulnerability warnings are not displayed if hexo-cli is 2.0.0

Hi @YoshinoriN,

As I tested today, a new project created by hexo init no longer has the vulnerability warning.
And after I ran npm update in my old project, the warning also disappeared.

So thank you all :D

>hexo -v
hexo: 3.8.0
hexo-cli: 2.0.0
os: Windows_NT 10.0.17763 win32 x64
http_parser: 2.8.0
node: 8.11.1
v8: 6.2.414.50
uv: 1.19.1
zlib: 1.2.11
ares: 1.10.1-DEV
modules: 57
nghttp2: 1.25.0
openssl: 1.0.2o
icu: 60.1
unicode: 10.0
cldr: 32.0
tz: 2017c

>npm i
removed 36 packages, updated 16 packages and audited 11576 packages in 5.671s
found 2 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Above is my original error information.

@YoshinoriN @midoriki thanks for your help.
Same as midoriki: after npm update the result is like this

>npm update
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: core-js@<2.6.8 is no longer maintained. Please, upgrade to core-js@3 or at least to actual version of core-js@2.
+ [email protected]
+ [email protected]
+ [email protected]
added 5 packages from 4 contributors, removed 70 packages, updated 25 packages, moved 14 packages and audited 13659 packages in 8.403s
found 0 vulnerabilities

>npm i
audited 13659 packages in 3.569s
found 0 vulnerabilities

Thank you all
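
Added example, not part of the thread and not hexo's or npm's own code: `npm update braces` changed nothing for the original poster, so the useful check is which installed copy of braces is below 2.3.1 and which package's version range selects that copy. The sketch assumes the npm 6 `lockfileVersion: 1` layout of package-lock.json; `findCopies`, `isBelow`, the sample lockfile and `example-plugin` are constructed for illustration.

```javascript
// Added example: report every installed copy of a package in a lockfileVersion 1 tree.
// True when plain x.y.z `version` is lower than `patched` (no pre-release tags).
function isBelow(version, patched) {
  const a = version.split('.').map(Number);
  const b = patched.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

function findCopies(lock, name, patched) {
  const copies = new Map(); // install location -> report entry
  const entry = (trail, version) => {
    const location = trail.join(' > ');
    if (!copies.has(location)) {
      const vulnerable = isBelow(version, patched);
      copies.set(location, { location, version, vulnerable, requiredBy: [] });
    }
    return copies.get(location);
  };
  // `scopes` lists the enclosing node_modules levels, innermost first.
  const walk = (deps, trail, scopes) => {
    for (const [pkg, info] of Object.entries(deps)) {
      const here = trail.concat(pkg);
      const inner = info.dependencies || {};
      const chain = [{ deps: inner, trail: here }].concat(scopes);
      if (pkg === name) entry(here, info.version);
      const range = info.requires && info.requires[name];
      // Resolve the requirement the way Node does: nearest enclosing copy wins.
      const scope = range && chain.find((s) => s.deps[name]);
      if (scope) {
        entry(scope.trail.concat(name), scope.deps[name].version)
          .requiredBy.push(`${pkg}@${info.version} wants ${range}`);
      }
      walk(inner, here, chain);
    }
  };
  const top = lock.dependencies || {};
  walk(top, [], [{ deps: top, trail: [] }]);
  return [...copies.values()];
}

// Constructed sample lockfile; package names and versions are illustrative only.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    braces: { version: '1.8.5' },
    micromatch: { version: '2.3.11', requires: { braces: '^1.8.2' } },
    'example-plugin': { // hypothetical package
      version: '1.0.0',
      dependencies: {
        micromatch: { version: '3.1.10', requires: { braces: '^2.3.1' },
          dependencies: { braces: { version: '2.3.2' } } },
      },
    },
  },
};
console.log(JSON.stringify(findCopies(sampleLock, 'braces', '2.3.1'), null, 2));
```

On a real project, pass the parsed contents of package-lock.json instead of the sample. When a range listed under `requiredBy` excludes the patched version, updating the flagged package directly cannot help; the parent that declares the range has to be upgraded.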
