Nighttab: Security vulnerabilities reported during depencies install

Created on 9 Sep 2020  ยท  6Comments  ยท  Source: zombieFox/nightTab

Hello,

first of all i would like to say how cool this project is and give a big THANK YOU to the author!
That being said, when i tried to build the project (as described in #212 ) there is a list of vulnerabilities reported.

Could you please have a look if the dependencies can be updated to a newer version?

```root@dc7454869483:/nightTab# npm audit

                   === npm audit security report ===

Run npm update bl --depth 5 to resolve 1 vulnerability

High Remote Memory Exposure

Package bl

Dependency of web-ext [dev]

Path web-ext > firefox-profile > archiver > tar-stream > bl

More info https://npmjs.com/advisories/1555

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Critical Deserialization Code Execution

Package js-yaml

Patched in >= 2.0.5

Dependency of build

Path build > jxLoader > js-yaml

More info https://npmjs.com/advisories/16

Moderate Denial of Service

Package js-yaml

Patched in >=3.13.0

Dependency of build

Path build > jxLoader > js-yaml

More info https://npmjs.com/advisories/788

High Code Injection

Package js-yaml

Patched in >=3.13.1

Dependency of build

Path build > jxLoader > js-yaml

More info https://npmjs.com/advisories/813

Low Incorrect Handling of Non-Boolean Comparisons During
Minification

Package uglify-js

Patched in >= 2.4.24

Dependency of build

Path build > uglify-js

More info https://npmjs.com/advisories/39

Low Regular Expression Denial of Service

Package uglify-js

Patched in >=2.6.0

Dependency of build

Path build > uglify-js

More info https://npmjs.com/advisories/48

Low Regular Expression Denial of Service

Package timespan

Patched in No patch available

Dependency of build

Path build > timespan

More info https://npmjs.com/advisories/533

Low Regular Expression Denial of Service

Package braces

Patched in >=2.3.1

Dependency of gulp-watch [dev]

Path gulp-watch > anymatch > micromatch > braces

More info https://npmjs.com/advisories/786

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of gulp [dev]

Path gulp > gulp-cli > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

Low Prototype Pollution

Package yargs-parser

Patched in >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2

Dependency of gulp-cli [dev]

Path gulp-cli > yargs > yargs-parser

More info https://npmjs.com/advisories/1500

found 10 vulnerabilities (6 low, 1 moderate, 2 high, 1 critical) in 1092 scanned packages
run npm audit fix to fix 1 of them.
9 vulnerabilities require manual review. See the full report for details.
```

All 6 comments

first of all i would like to say how cool this project is and give a big THANK YOU to the author!

Many thanks, glad you like the project! (Shameless plug, but relevant as it is a new project with a [I think] mode modern build process) Do checkout hexagonTab.

Could you please have a look if the dependencies can be updated to a newer version?

Thanks for that, I'll see what I can do. I am aware of the security issue with the package Bl. I just don't know how to resolve it as it is a dependency of a dependency, so not directly listed in my package.json. How would I go about fixing that?

Looks like I just had to wait for NPM to catch up as today npm audit fix worked. I've merged that fix now.

Still not sure how to deal with the others.

Unfortunately my node knowledge is below 0. The only thing i have found is that you are using a node module called "jxloader" which is apparently abandoned since a long time.

https://github.com/jonlb/jxLoader

BTW I have resolved few low vulnerabilities by upgrading some dependencies to next major version.

#Gives you an overview of your package current status. Find mine below
npm outdated

root@dc7454869483:/nightTab# npm outdated
Package                        Current  Wanted  Latest  Location
@fortawesome/fontawesome-free   5.13.0  5.14.0  5.14.0  nightTab
gh-pages                         2.1.1   2.2.0   3.1.0  nightTab
gulp-cli                         2.2.0   2.3.0   2.3.0  nightTab
gulp-csso                        3.0.1   3.0.1   4.0.1  nightTab
gulp-file-include                2.1.1   2.2.2   2.2.2  nightTab
html5sortable                   0.9.16  0.9.18  0.9.18  nightTab
moment                          2.24.0  2.27.0  2.27.0  nightTab

#I have installed this module 
npm install -g npm-check-updates

#and ran 
root@dc7454869483:/nightTab# ncu -u
Upgrading /nightTab/package.json
[====================] 19/19 100%

 @fortawesome/fontawesome-free  ^5.13.0  โ†’  ^5.14.0
 gh-pages                        ^2.1.1  โ†’   ^3.1.0
 gulp-cli                        ^2.2.0  โ†’   ^2.3.0
 gulp-csso                       ^3.0.1  โ†’   ^4.0.1
 gulp-file-include               ^2.1.1  โ†’   ^2.2.2
 html5sortable                  ^0.9.16  โ†’  ^0.9.18
 moment                         ^2.24.0  โ†’  ^2.27.0

#and finally install the new versions
npm install

#npn audit now reports this
found 7 vulnerabilities (4 low, 1 moderate, 1 high, 1 critical) in 1090 scanned packages
  7 vulnerabilities require manual review. See the full report for details.

Thank you @tato69 I'll aim to update the dependencies too.

Right, following your help, @tato69, I've fixed all but 1 "low severity vulnerability" and merged the update to master. I'll keep working on the following:

                       === npm audit security report ===                        

โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚                                Manual Review                                 โ”‚
โ”‚            Some vulnerabilities require your attention to resolve            โ”‚
โ”‚                                                                              โ”‚
โ”‚         Visit https://go.npm.me/audit-guide for additional guidance          โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Low           โ”‚ Regular Expression Denial of Service                         โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Package       โ”‚ braces                                                       โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Patched in    โ”‚ >=2.3.1                                                      โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Dependency of โ”‚ gulp-watch [dev]                                             โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ Path          โ”‚ gulp-watch > anymatch > micromatch > braces                  โ”‚
โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ผโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ค
โ”‚ More info     โ”‚ https://npmjs.com/advisories/786                             โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
found 1 low severity vulnerability in 1054 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Learning about NPM is a pain but fun!

Thanks to you @zombieFox ! I'm glad it helped a bit!

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Q-out picture Q-out  ยท  4Comments

maxnatt picture maxnatt  ยท  3Comments

amitchaudhari9121 picture amitchaudhari9121  ยท  5Comments

smaragdus picture smaragdus  ยท  5Comments

smaragdus picture smaragdus  ยท  4Comments