Hello,
first of all i would like to say how cool this project is and give a big THANK YOU to the author!
That being said, when i tried to build the project (as described in #212 ) there is a list of vulnerabilities reported.
Could you please have a look if the dependencies can be updated to a newer version?
```root@dc7454869483:/nightTab# npm audit
=== npm audit security report ===
High Remote Memory Exposure
Package bl
Dependency of web-ext [dev]
Path web-ext > firefox-profile > archiver > tar-stream > bl
More info https://npmjs.com/advisories/1555
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Critical Deserialization Code Execution
Package js-yaml
Patched in >= 2.0.5
Dependency of build
Path build > jxLoader > js-yaml
More info https://npmjs.com/advisories/16
Moderate Denial of Service
Package js-yaml
Patched in >=3.13.0
Dependency of build
Path build > jxLoader > js-yaml
More info https://npmjs.com/advisories/788
High Code Injection
Package js-yaml
Patched in >=3.13.1
Dependency of build
Path build > jxLoader > js-yaml
More info https://npmjs.com/advisories/813
Low Incorrect Handling of Non-Boolean Comparisons During
Minification
Package uglify-js
Patched in >= 2.4.24
Dependency of build
Path build > uglify-js
More info https://npmjs.com/advisories/39
Low Regular Expression Denial of Service
Package uglify-js
Patched in >=2.6.0
Dependency of build
Path build > uglify-js
More info https://npmjs.com/advisories/48
Low Regular Expression Denial of Service
Package timespan
Patched in No patch available
Dependency of build
Path build > timespan
More info https://npmjs.com/advisories/533
Low Regular Expression Denial of Service
Package braces
Patched in >=2.3.1
Dependency of gulp-watch [dev]
Path gulp-watch > anymatch > micromatch > braces
More info https://npmjs.com/advisories/786
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of gulp [dev]
Path gulp > gulp-cli > yargs > yargs-parser
More info https://npmjs.com/advisories/1500
Low Prototype Pollution
Package yargs-parser
Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2
Dependency of gulp-cli [dev]
Path gulp-cli > yargs > yargs-parser
More info https://npmjs.com/advisories/1500
found 10 vulnerabilities (6 low, 1 moderate, 2 high, 1 critical) in 1092 scanned packages
run npm audit fix to fix 1 of them.
9 vulnerabilities require manual review. See the full report for details.
```
first of all i would like to say how cool this project is and give a big THANK YOU to the author!
Many thanks, glad you like the project! (Shameless plug, but relevant as it is a new project with a [I think] mode modern build process) Do checkout hexagonTab.
Could you please have a look if the dependencies can be updated to a newer version?
Thanks for that, I'll see what I can do. I am aware of the security issue with the package Bl. I just don't know how to resolve it as it is a dependency of a dependency, so not directly listed in my package.json. How would I go about fixing that?
Looks like I just had to wait for NPM to catch up as today npm audit fix worked. I've merged that fix now.
Still not sure how to deal with the others.
Unfortunately my node knowledge is below 0. The only thing i have found is that you are using a node module called "jxloader" which is apparently abandoned since a long time.
https://github.com/jonlb/jxLoader
BTW I have resolved few low vulnerabilities by upgrading some dependencies to next major version.
#Gives you an overview of your package current status. Find mine below
npm outdated
root@dc7454869483:/nightTab# npm outdated
Package Current Wanted Latest Location
@fortawesome/fontawesome-free 5.13.0 5.14.0 5.14.0 nightTab
gh-pages 2.1.1 2.2.0 3.1.0 nightTab
gulp-cli 2.2.0 2.3.0 2.3.0 nightTab
gulp-csso 3.0.1 3.0.1 4.0.1 nightTab
gulp-file-include 2.1.1 2.2.2 2.2.2 nightTab
html5sortable 0.9.16 0.9.18 0.9.18 nightTab
moment 2.24.0 2.27.0 2.27.0 nightTab
#I have installed this module
npm install -g npm-check-updates
#and ran
root@dc7454869483:/nightTab# ncu -u
Upgrading /nightTab/package.json
[====================] 19/19 100%
@fortawesome/fontawesome-free ^5.13.0 โ ^5.14.0
gh-pages ^2.1.1 โ ^3.1.0
gulp-cli ^2.2.0 โ ^2.3.0
gulp-csso ^3.0.1 โ ^4.0.1
gulp-file-include ^2.1.1 โ ^2.2.2
html5sortable ^0.9.16 โ ^0.9.18
moment ^2.24.0 โ ^2.27.0
#and finally install the new versions
npm install
#npn audit now reports this
found 7 vulnerabilities (4 low, 1 moderate, 1 high, 1 critical) in 1090 scanned packages
7 vulnerabilities require manual review. See the full report for details.
Thank you @tato69 I'll aim to update the dependencies too.
Right, following your help, @tato69, I've fixed all but 1 "low severity vulnerability" and merged the update to master. I'll keep working on the following:
=== npm audit security report ===
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Manual Review โ
โ Some vulnerabilities require your attention to resolve โ
โ โ
โ Visit https://go.npm.me/audit-guide for additional guidance โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Low โ Regular Expression Denial of Service โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Package โ braces โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Patched in โ >=2.3.1 โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Dependency of โ gulp-watch [dev] โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ Path โ gulp-watch > anymatch > micromatch > braces โ
โโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโค
โ More info โ https://npmjs.com/advisories/786 โ
โโโโโโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
found 1 low severity vulnerability in 1054 scanned packages
1 vulnerability requires manual review. See the full report for details.
Learning about NPM is a pain but fun!
Thanks to you @zombieFox ! I'm glad it helped a bit!