P5.js-web-editor: npm audit finds 1084 vulnerabilities as many package.json dependencies are outdated

Created on 15 Dec 2018 · 4 Comments · Source: processing/p5.js-web-editor

Nature of issue?

  • [x] Found a bug
  • [ ] Existing feature enhancement
  • [ ] New feature request

Running npm start gave 1084 vulnerabilities. So I ran npm audit, which gave a full report. The gist goes as:

found 1084 vulnerabilities (839 low, 167 moderate, 74 high, 4 critical) in 26554 scanned packages

Now, I did fix some of them by running npm audit fix, however, I would like it if the dependency versions were updated in the current package.json. For example, here is one output table that was present in the thousands of tables npm audit gave me:

[image: one of the npm audit advisory tables]

As I can see in the current package.json, the version is outdated:

https://github.com/processing/p5.js-web-editor/blob/244af16b64cfa37f1fac0f54750e9a7c314269a3/package.json#L51

Now, running npm audit fix gave this final output, after fetching binaries for [email protected] and [email protected]:

npm WARN [email protected] requires a peer of webpack@>=1.12.9 <3.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
added 267 packages from 219 contributors, removed 1280 packages, updated 100 packages and moved 69 packages in 301.168s
fixed 734 of 1084 vulnerabilities in 26554 scanned packages
  2 vulnerabilities required manual review and could not be updated
  5 package updates for 348 vulns involved breaking changes
  (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)

I will make a PR updating all these non-breaking version changes in the package.json.

Also, could you please review the remaining vulns? They seem to be quite critical. I would request you to update the dependency versions.

To reproduce these messages, simply making a fresh clone of this repo and running npm install should suffice. (running node v8.14.0 on npm 6.4.1)

Labels: high, bug

All 4 comments

thanks for submitting this! i can try to update the dependencies that you weren't able to update. hopefully they don't introduce too many regressions

as part of working on this issue, i'm also updating node! which really has turned out to be far harder than i expected, and included forking a webpack plugin. PR soon...

Just curious, but is this type of security vulnerability checking being done on a regular basis? I work in the IT department at a college that is thinking of using this with a CS program, but need to determine if it should be running on our infrastructure and/or cloud host it so that it is not mixed in with our other school systems.

It is being checked on a regular basis!
