Karma: Karma Dependencies Security Vulnerabilities (NPM Audit)

Created on 10 May 2018  ·  25 Comments  ·  Source: karma-runner/karma

NPM 6 introduced a security vulnerability audit feature, and karma's dependencies are being flagged with a variety of levels of issues. (in my case: 4 low, 17 moderate, 5 high)

List of flagged Karma dependencies (Most are the same library re-used):
High:

  • 2x | http-proxy-agent (Denial of Service https://nodesecurity.io/advisories/607 )
  • 3x | https-proxy-agent (Denial of Service https://nodesecurity.io/advisories/593 )

Moderate:

  • 16x | hoek (Prototype Pollution https://nodesecurity.io/advisories/566 )
  • 1x | tunnel-agent (Memory Exposure https://nodesecurity.io/advisories/598 )

Low:

  • 1x | timespan (RegExp DoS https://nodesecurity.io/advisories/533 )
  • 1x | debug (RegExp DoS https://nodesecurity.io/advisories/534 )
  • 2x | deep-extend (Prototype Pollution https://nodesecurity.io/advisories/612 )

Karma version:
Using Angular-CLI 6.0's default, but updated to karma: ^2.0.2 in my package.json to see if karma's deps updated along with it, and installed

Steps to reproduce the behaviour

  1. install karma@latest via npm
  2. run npm audit
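As an added example (not code from the karma issue or from npm itself), a small triage helper for the `npm audit --json` output that the reproduction steps above produce: it groups findings by top-level dependency and sorts production-reachable ones first, so karma's dev-only noise does not bury a runtime exposure. It assumes the npm 6 JSON layout (`advisories`, each with `findings[].paths` and `findings[].dev`); the sample report and the `some-prod-lib` dependency are constructed for the demo.

```javascript
// Added example, not code from the karma issue or from npm: triage helper for
// the JSON that `npm audit --json` prints under npm 6. The schema fields used
// (advisories -> findings -> paths/dev, severity, title, url) are assumed from
// that layout; SAMPLE_REPORT below is constructed, not a real audit.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Group each advisory path by its top-level dependency (first element of
// "a > b > c"), count severities, and record whether every path is dev-only.
function triage(report) {
  const roots = {};
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const root = path.split('>')[0].trim();
        const e = roots[root] || (roots[root] = { counts: {}, devOnly: true, max: 'info', items: [] });
        e.counts[adv.severity] = (e.counts[adv.severity] || 0) + 1;
        if (!finding.dev) e.devOnly = false;
        if (SEVERITY_RANK[adv.severity] > SEVERITY_RANK[e.max]) e.max = adv.severity;
        e.items.push(`${adv.severity}: ${adv.title} via ${path} (${adv.url})`);
      }
    }
  }
  return roots;
}

// Production-reachable roots first, then by highest severity, so a noisy
// dev-only root such as karma does not hide a finding that ships to users.
function prioritize(report) {
  return Object.entries(triage(report))
    .map(([root, e]) => ({ root, ...e }))
    .sort((a, b) => (a.devOnly - b.devOnly) || (SEVERITY_RANK[b.max] - SEVERITY_RANK[a.max]));
}

// Constructed npm-6-style report: two karma-rooted dev findings taken from the
// thread's paths, plus one hypothetical production dependency "some-prod-lib".
const SAMPLE_REPORT = { advisories: {
  566: { severity: 'moderate', title: 'Prototype Pollution', module_name: 'hoek',
         url: 'https://nodesecurity.io/advisories/566',
         findings: [{ dev: true, paths: ['karma>log4js>loggly>request>hawk>hoek'] }] },
  533: { severity: 'low', title: 'Regular Expression Denial of Service', module_name: 'timespan',
         url: 'https://nodesecurity.io/advisories/533',
         findings: [{ dev: true, paths: ['karma>log4js>loggly>timespan'] }] },
  534: { severity: 'low', title: 'Regular Expression Denial of Service', module_name: 'debug',
         url: 'https://nodesecurity.io/advisories/534',
         findings: [{ dev: false, paths: ['some-prod-lib>debug'] }] },
} };

// Usage: npm audit --json | node triage.js   (falls back to SAMPLE_REPORT on a TTY)
if (typeof require !== 'undefined' && require.main === module) {
  const input = process.stdin.isTTY ? SAMPLE_REPORT : JSON.parse(require('fs').readFileSync(0, 'utf8'));
  for (const e of prioritize(input))
    console.log(`${e.root} [${e.devOnly ? 'dev only' : 'PRODUCTION'}] max=${e.max}\n  ${e.items.join('\n  ')}`);
}
```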

All 25 comments

Thanks! While I think we should clean these up, it's not super important for karma-runner users. karma-runner isn't a library or service that runs continuously with access to valuable resources.

If any of these issues are actually critical, let's hear about the case and focus on it.

Yeah, mostly just wanted to get the information out there so y'all Karma folks knew and could roadmap it. :) (I would like to see at least the High's taken care of sooner than later, if possible, as it's not great to see NPM screaming atcha in bright red every time. And the npm audit log spits out a lot of Karma stuff, so it'd be easy to lose any other, more important vulnerabilities in other packages in the mix, y'know?)

Well I think you should rethink your security policy.

It is not usable to do an npm install with all @latest packages and get installed about 33000 packages where about 180 packages have vulnerabilities.
How should I decide if one of these vulns is now a problem? I'd like to see no vuln warning when running npm audit.

If this is important to you, please help:
https://help.github.com/articles/creating-a-pull-request/

First we need a new log4js version...
https://github.com/log4js-node/log4js-node/issues/706

Seems like they released a new version of log4js

Seems there's an issue with karma-browserify too.

Low │ Prototype Pollution
Package │ lodash
Patched in │ >=4.17.5
Dependency of │ karma-browserify [dev]
Path │ karma-browserify > lodash
More info │ https://nodesecurity.io/advisories/577

Moderate │ Prototype pollution
Package │ hoek
Patched in │ > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of │ karma [dev]
Path │ karma > log4js > loggly > request > hawk > hoek
More info │ https://nodesecurity.io/advisories/566

#2996 Our closed PR to update log4js to 2.5.3.

log4js-node/log4js-node#716 implies our update is blocked by log4js update to 3.x

log4js 3.0.0 has been released which should be able to resolve the remaining npm audit complaints

Considering that log4js 3.0.0 is out and fixes this issue, any idea when this is going to be updated and released?

The resolution of log4js requires us to drop node v4, which requires us to move to v3.0. See issue #3016

I currently have 7 vulnerabilities, 1 low and 6 moderate, all of them coming from karma:

  1. Out-of-bounds Read (karma > log4js > loggly > request > stringstream)
  2. Prototype pollution (karma > log4js > loggly > request > hawk > boom > hoek)
  3. Prototype pollution (karma > log4js > loggly > request > hawk > cryptiles > boom > hoek)
  4. Prototype pollution (karma > log4js > loggly > request > hawk > hoek)
  5. Prototype pollution (karma > log4js > loggly > request > hawk > sntp > hoek)
  6. Memory Exposure (karma > log4js > loggly > request > tunnel-agent)
  7. Regular Expression Denial of Service (karma > log4js > loggly > timespan)

I am not worried about this since karma is just a dev dependency in my project, but it will be nice to see the 0 vulnerabilities message for once :)

To be clear: none of those come from karma, they all originate upstream. And they were all fixed already at HEAD.

Also: this issue is only reproducible for nodejs v10

Nop. Node 8.11 here.

The npm audit command is part of npm not node.

Anyway, this issue is fixed AFAIK.

Which version of karma can I install to fix this problem? We are using v2.0.5 (the latest release) and it is still there...

This fix will be in the next release, 3.0

Then shouldn't the issue be open until then?
When would that be?

Generally we close issues when they are fixed. If you would like to be in charge of closing issues when we do a release, please volunteer, that would be great!

If you would like to help with the work to get 3.0 released, also please volunteer! We just need to get the rest of PR #2997 to land.

Maybe I am bad at using this UI, but I don't see the commit in which this is supposed to be fixed (for 3.0). I suspect it would be quite minor.

Doesn't it make sense to fix something minor which is a security vulnerability in 2.x as a hotfix instead of gating it on the 3.0 major release? That means that in order to have this vulnerability fixed, consumers will have to make a major version upgrade with breaking changes.

The security fix involves upgrading a 3rd party dependency to a new major version, which drops support for node 4.x, which is a breaking change anyways. Hence why it's not being backported to the 2.x branch.

I see, thanks!

The "solutions" don't work

OK, version 3.0.0 has been released and vulnerabilities messages have disappeared. 0 vulnerabilities in my project now! Thank you all!
