After doing npm install for the first time, the console had 12 vulnerabilities regarding dependencies:
**Critical** Verification Bypass
Package jsonwebtoken
Dependency of express-jwt
Path express-jwt > jsonwebtoken
More info https://npmjs.com/advisories/17
**Moderate** Regular Expression Denial of Service
Package moment
Dependency of express-jwt
Path express-jwt > jsonwebtoken > moment
More info https://npmjs.com/advisories/55
**High** Forgeable Public/Private Tokens
Package jws
Dependency of express-jwt
Path express-jwt > jsonwebtoken > jws
More info https://npmjs.com/advisories/88
**Low** Regular Expression Denial of Service
Package moment
Dependency of express-jwt
Path express-jwt > jsonwebtoken > moment
More info https://npmjs.com/advisories/532
**Moderate** Out-of-bounds Read
Package base64url
Dependency of express-jwt
Path express-jwt > jsonwebtoken > jws > base64url
More info https://npmjs.com/advisories/658
**Moderate** Out-of-bounds Read
Package base64url
Dependency of express-jwt
Path express-jwt > jsonwebtoken > jws > jwa > base64url
More info https://npmjs.com/advisories/658
**Moderate** Cross-Site Scripting
Package sanitize-html
Dependency of sanitize-html
Path sanitize-html
More info https://npmjs.com/advisories/135
**Moderate** Cross-Site Scripting
Package sanitize-html
Dependency of sanitize-html
Path sanitize-html
More info https://npmjs.com/advisories/154
**Low** Prototype Pollution
Package lodash
Dependency of sanitize-html
Path sanitize-html > lodash
More info https://npmjs.com/advisories/577
**High** Prototype Pollution
Package lodash
Dependency of sanitize-html
Path sanitize-html > lodash
More info https://npmjs.com/advisories/782
**High** Prototype Pollution
Package lodash
Dependency of sanitize-html
Path sanitize-html > lodash
More info https://npmjs.com/advisories/1065
**Critical** Command Injection
Package marsdb
Patched in No patch available
Dependency of marsdb
Path marsdb
More info https://npmjs.com/advisories/1122
After these, on doing npm start, following error occurs:
UnhandledPromiseRejectionWarning: Error: Package exports for 'F:\gsoc\OWASP\juice-shop\node_modules\hashids' do not define a './cjs' subpath
Maybe a solution to this is:
npm install [email protected]
npm install [email protected]
Not sure.
npm install and then run npm startThanks a lot for opening your first issue with us! π§‘ We'll get back to you shortly! β³ If it was a _Support Request_, please consider asking on the community chat next time! π¬
@bkimminich, I'd suggest that you should look into the issue because updating dependencies does not seem to fix the error. It's still the same
Hi π
Can you post some basic information about your system?
OS, 32 or 64bit, node and npm version?
Running into the same problem with [email protected] & [email protected]:
β npm start
> [email protected] start /private/tmp/juice-shop
> node app
info: All dependencies in ./package.json are satisfied (OK)
(node:38413) UnhandledPromiseRejectionWarning: Error: Package exports for '/private/tmp/juice-shop/node_modules/hashids' do not define a './cjs' subpath
at applyExports (internal/modules/cjs/loader.js:529:13)
at resolveExports (internal/modules/cjs/loader.js:549:12)
at Function.Module._findPath (internal/modules/cjs/loader.js:664:22)
at Function.Module._resolveFilename (internal/modules/cjs/loader.js:967:27)
at Function.Module._load (internal/modules/cjs/loader.js:862:27)
at Module.require (internal/modules/cjs/loader.js:1040:19)
at require (internal/modules/cjs/helpers.js:72:18)
at Object.<anonymous> (/private/tmp/juice-shop/routes/continueCode.js:1:17)
at Module._compile (internal/modules/cjs/loader.js:1151:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1171:10)
at Module.load (internal/modules/cjs/loader.js:1000:32)
at Function.Module._load (internal/modules/cjs/loader.js:899:14)
at Module.require (internal/modules/cjs/loader.js:1040:19)
at require (internal/modules/cjs/helpers.js:72:18)
at Object.<anonymous> (/private/tmp/juice-shop/server.js:36:22)
at Module._compile (internal/modules/cjs/loader.js:1151:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:1171:10)
at Module.load (internal/modules/cjs/loader.js:1000:32)
at Function.Module._load (internal/modules/cjs/loader.js:899:14)
at Module.require (internal/modules/cjs/loader.js:1040:19)
at require (internal/modules/cjs/helpers.js:72:18)
at /private/tmp/juice-shop/app.js:2:18
at processTicksAndRejections (internal/process/task_queues.js:97:5)
(node:38413) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:38413) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.
Hashids released a new version 2.2.0 last night which is included in our ^2.1.0 version range. Pinning to 2.1.0 seems to fix this.
Open up an issue in the hashids repo
2.1.0 works fine....didn't understand what's causing the problem?
one more thing:
npm outdated gives :
hashids 2.1.0(current) 2.2.0(latest) 2.2.0(required) juice-shop
Consider moving to 2.2.0 once the issue resolves in hashids repo
@J12934 , I think the other dependencies which are causing problems(vulnerabilities) also needs to be updated...I am opening a PR for that
I'm guessing the hashids module changed it module structure so that the cjs import which is required for node doesn't work correctly anymore.
Pinned the hashids version on the master branch so that other people trying the local install route don't run into the same issues. Hopefully the hashids module is able fix this / recommend another install route soon so that we don't have to pin an old version anymore.
Don't think the other dependencies are causing problems. We actually need some of them at old and vulnerable version to showcase as they are used in challenges.
Most helpful comment
Don't think the other dependencies are causing problems. We actually need some of them at old and vulnerable version to showcase as they are used in challenges.