I'm submitting a ... (check one with "x")
Current behavior:
When I run `npm install`, npm informs me that it found 22 vulnerabilities. I am leaving the report here:
```text
found 22 vulnerabilities (11 low, 5 moderate, 6 high)
  run `npm audit fix` to fix them, or `npm audit` for details

# Run npm install --save-dev [email protected] to resolve 13 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low            Prototype Pollution
  Package        lodash
  Dependency of  karma [dev]
  Path           karma > lodash
  More info      https://nodesecurity.io/advisories/577

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > engine.io > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-adapter > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-client > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-client > engine.io-client > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-adapter > socket.io-parser > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-client > socket.io-parser > debug
  More info      https://nodesecurity.io/advisories/534

  Low            Regular Expression Denial of Service
  Package        debug
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-parser > debug
  More info      https://nodesecurity.io/advisories/534

  High           Denial of Service
  Package        ws
  Dependency of  karma [dev]
  Path           karma > socket.io > engine.io > ws
  More info      https://nodesecurity.io/advisories/550

  High           Denial of Service
  Package        ws
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-client > engine.io-client > ws
  More info      https://nodesecurity.io/advisories/550

  High           Regular Expression Denial of Service
  Package        parsejson
  Dependency of  karma [dev]
  Path           karma > socket.io > socket.io-client > engine.io-client > parsejson
  More info      https://nodesecurity.io/advisories/528

  Low            Cryptographically Weak PRNG
  Package        randomatic
  Dependency of  karma [dev]
  Path           karma > chokidar > anymatch > micromatch > braces > expand-range > fill-range > randomatic
  More info      https://nodesecurity.io/advisories/157

# Run npm install --save-dev [email protected] to resolve 8 vulnerabilities

  High           Denial of Service
  Package        https-proxy-agent
  Dependency of  protractor [dev]
  Path           protractor > saucelabs > https-proxy-agent
  More info      https://nodesecurity.io/advisories/593

  High           Denial of Service
  Package        ws
  Dependency of  protractor [dev]
  Path           protractor > webdriver-js-extender > selenium-webdriver > ws
  More info      https://nodesecurity.io/advisories/550

  Moderate       Prototype pollution
  Package        hoek
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > hawk > boom > hoek
  More info      https://nodesecurity.io/advisories/566

  Moderate       Prototype pollution
  Package        hoek
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > hawk > cryptiles > boom > hoek
  More info      https://nodesecurity.io/advisories/566

  Moderate       Prototype pollution
  Package        hoek
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > hawk > hoek
  More info      https://nodesecurity.io/advisories/566

  Moderate       Prototype pollution
  Package        hoek
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > hawk > sntp > hoek
  More info      https://nodesecurity.io/advisories/566

  High           Regular Expression Denial of Service
  Package        sshpk
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > http-signature > sshpk
  More info      https://nodesecurity.io/advisories/606

  Moderate       Out-of-bounds Read
  Package        stringstream
  Dependency of  protractor [dev]
  Path           protractor > webdriver-manager > request > stringstream
  More info      https://nodesecurity.io/advisories/664

# Run npm update fill-range --depth 5 to resolve 1 vulnerability

  Low            Cryptographically Weak PRNG
  Package        randomatic
  Dependency of  stylelint [dev]
  Path           stylelint > micromatch > braces > expand-range > fill-range > randomatic
  More info      https://nodesecurity.io/advisories/157
```
Expected behavior:
Not to have high vulnerabilities.
Steps to reproduce:
Clone the starter-kit project and run `npm install`.
Thank you and excuse me for my English.
Regards
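Every finding in the report above is flagged `[dev]`: it is reachable only through karma, protractor or stylelint, none of which ships in the built application. The script below is an added example (not code from ngx-admin, karma, protractor or npm) showing how to triage a report of this kind from `npm audit --json` so that CI fails on high findings in production paths while dev-only paths are reported but not blocking. It assumes the npm 6 JSON shape that produced this table (`advisories` keyed by id, each with `findings[].paths` and a `dev` flag); npm 7 and later emit a different layout. The sample report is constructed: advisories 534 and 550 mirror two findings from the thread, while advisory 9999 and the packages `app-dep` and `example-lib` are hypothetical, added to show a production path for contrast.

```javascript
// Added example: triage an `npm audit --json` report (npm 6 format) by
// severity and by whether each vulnerable path is reachable only through
// devDependencies. Not code from ngx-admin, karma, protractor or npm.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample in the npm 6 `npm audit --json` shape. Advisories 534 and
// 550 mirror findings from the issue; advisory 9999 and the package names
// `app-dep` / `example-lib` are hypothetical, added to show a production path.
const SAMPLE_REPORT = {
  advisories: {
    '534': {
      id: 534,
      module_name: 'debug',
      severity: 'low',
      title: 'Regular Expression Denial of Service',
      url: 'https://nodesecurity.io/advisories/534',
      findings: [
        { version: '2.2.0', dev: true,
          paths: ['karma>socket.io>debug', 'karma>socket.io>engine.io>debug'] },
      ],
    },
    '550': {
      id: 550,
      module_name: 'ws',
      severity: 'high',
      title: 'Denial of Service',
      url: 'https://nodesecurity.io/advisories/550',
      findings: [
        { version: '1.1.2', dev: true,
          paths: ['karma>socket.io>engine.io>ws',
                  'protractor>webdriver-js-extender>selenium-webdriver>ws'] },
      ],
    },
    '9999': {
      id: 9999,
      module_name: 'example-lib',
      severity: 'high',
      title: 'Hypothetical advisory (constructed)',
      url: 'https://example.invalid/advisories/9999',
      findings: [{ version: '1.0.0', dev: false, paths: ['app-dep>example-lib'] }],
    },
  },
};

// Walk every finding path (npm counts one "vulnerability" per path, which is
// why `debug` appears eight times in the table above) and decide whether the
// report should fail a build.
//   failOn:     lowest severity that fails the build
//   includeDev: whether devDependency-only paths count toward failure
function triage(report, { failOn = 'high', includeDev = false } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity: ${failOn}`);
  const summary = { prod: {}, dev: {} };
  const roots = { prod: new Set(), dev: new Set() };
  const failing = [];

  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity] || 0;
    for (const finding of adv.findings || []) {
      const bucket = finding.dev ? 'dev' : 'prod';
      for (const path of finding.paths || []) {
        summary[bucket][adv.severity] = (summary[bucket][adv.severity] || 0) + 1;
        const root = path.split('>')[0]; // top-level package that must be upgraded
        roots[bucket].add(root);
        if (rank >= threshold && (includeDev || !finding.dev)) {
          failing.push({ id: adv.id, module: adv.module_name,
                         severity: adv.severity, path, root, url: adv.url });
        }
      }
    }
  }
  return {
    summary,
    roots: { prod: [...roots.prod].sort(), dev: [...roots.dev].sort() },
    failing,
    shouldFail: failing.length > 0,
  };
}

// Stand-alone run prints the triage of the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
}
```

For a real project, run `npm audit --json > audit.json`, `JSON.parse` that file and pass the object to `triage()`; the `roots` lists name the top-level packages to bump (here karma and protractor), and `shouldFail` is what to wire to the CI exit code. Keeping `includeDev` off is a deliberate risk decision: a ReDoS in karma's socket.io chain only runs on the developer's machine, but it still deserves tracking until the upstream fix lands.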
Unfortunately I have the same problem
I noticed this as well. I started a PR (branched off my fork) and started looking; however, a lot of the vulnerabilities have to do with karma (Karma Issue), which is waiting for Log4js to update, which just fixed its vulnerabilities 2 days ago (Log4js Issue). I'll keep track over the next couple of days to see how this moves.
Hello, do you have any news on this issue? I now have 27 vulnerabilities with the same environment.
The Log4js issue is resolved; still waiting on karma. They did a 2.x version release, but the updated log4js required karma to drop Node v4, which they have a merged fix for, but it will start in v3 of karma, which hasn't been released just yet.
https://github.com/akveo/ngx-admin/pull/1822 Created PR, fixes 90% of issues
Hello!
Just ran `npm install` on a fresh clone today and now it's 54 vulnerabilities.

```text
added 1757 packages from 1379 contributors and audited 23286 packages in 31.621s
found 54 vulnerabilities (17 low, 22 moderate, 15 high)
```
Hello,
I have updated my own and have 0. I'll pull the official one down and finish getting everything cleared out. Then I just need to get the PR merged.
Does this still exist on v3.0.0?

```text
added 1998 packages from 1382 contributors and audited 25850 packages in 101.583s
found 42 vulnerabilities (17 low, 11 moderate, 14 high)
  run `npm audit fix` to fix them, or `npm audit` for details
```