
npm audit reporting numerous security vulnerabilities in the current build #2744

Closed
sshelton76 opened this issue Apr 27, 2019 · 5 comments · Fixed by #2746
Labels
Bug Addressing a bug

Comments

@sshelton76

sshelton76 commented Apr 27, 2019

I was working on a clean fork of the master branch and on a lark I decided to run npm audit.

found 1325 vulnerabilities (2 low, 1287 moderate, 36 high) in 526462 scanned packages
run npm audit fix to fix 1324 of them.
1 vulnerability requires manual review. See the full report for details.

I'm always hesitant to trust automated tools, but I think it would be advisable for someone to take a look at what it's finding and determine what's what.

Update:
I opened and deleted some comments a little while ago believing I might be on an ancient branch. I double checked that I am on the 1.0 branch now and getting about the same results.

@sshelton76
Author

sshelton76 commented Apr 27, 2019

I've created a branch called "audit" on my own fork in order to test the changes.
https://github.com/sshelton76/web3.js/tree/audit

Looks like it builds clean without errors, but tests are failing. However it looks like tests are failing on a clean pull of 1.0 for the same reasons. I'll open a separate issue for that.

@nivida
Contributor

nivida commented Apr 27, 2019

These issues are mostly because of lodash and js-yaml. The security vulnerabilities got detected between the last and current release of Web3. NPM audit fix will update the dependencies and fix it.

@nivida nivida added the Bug Addressing a bug label Apr 27, 2019
@nivida
Contributor

nivida commented Apr 27, 2019

Updated dependencies by audit fix:

Manually updated dependencies:

Nine "security vulnerabilities" are left because lerna (8) didn't release a new version until now and because I'm using istanbul-combine (1) to combine the coverage reports.

@wbt
Contributor

wbt commented Apr 14, 2020

FYI, the latest version from the 1.x branch is reporting 1401 vulnerabilities (1378 low, 10 moderate, 13 high).

@cgewecke
Collaborator

@wbt

Fwiw the only public facing vuln is for Web3 itself and relates to wallet storage. Everything else is in the development dependency tree.

Root dependencies with sub-dependencies (like handlebars etc) flagged by npm audit are:

High

  • lerna
  • nyc
  • geth-dev-assistant

Moderate

  • lerna
  • nyc
  • browserify (vuln is: acorn - Regular Expression Denial of Service)
  • dependency-check

These are mostly tools used in CI. We are updating Lerna today.
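The triage described in the comment above (runtime-reachable advisories versus findings that only enter through the development dependency tree, grouped by root dependency) can be automated against the output of `npm audit --json`. The script below is an added example, not code from the web3.js project or from any commenter. It assumes the npm 6 report shape (`advisories` keyed by id, each with `findings[].paths` and `findings[].dev`); the embedded report is constructed for illustration, and `example-runtime-dep` is a placeholder name, not a real package or advisory.

```javascript
// Added example, not web3.js project code: triage an `npm audit --json` report
// so that advisories reachable only through devDependencies are separated from
// those reachable from runtime dependencies, and list the root dependencies
// per severity. Assumes the npm 6 report shape (`advisories` keyed by id, each
// with `findings[].paths` and `findings[].dev`). The report below is constructed;
// ids, versions and `example-runtime-dep` are placeholders, not real audit data.
const SAMPLE_REPORT = {
  advisories: {
    "1001": {
      module_name: "lodash",
      severity: "high",
      title: "Prototype Pollution",
      findings: [
        { version: "4.17.10", paths: ["lerna>lodash", "nyc>lodash"], dev: true },
      ],
    },
    "1002": {
      module_name: "acorn",
      severity: "moderate",
      title: "Regular Expression Denial of Service",
      findings: [{ version: "5.7.3", paths: ["browserify>acorn"], dev: true }],
    },
    "1003": {
      module_name: "js-yaml",
      severity: "moderate",
      title: "Denial of Service",
      findings: [{ version: "3.12.0", paths: ["nyc>js-yaml"], dev: true }],
    },
    "1004": {
      module_name: "example-runtime-dep", // constructed placeholder name
      severity: "low",
      title: "Example runtime issue",
      findings: [
        { version: "1.0.0", paths: ["web3>example-runtime-dep"], dev: false },
      ],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Split advisories into runtime-reachable vs dev-only and collect, per severity,
// the top-level (root) dependencies through which each vulnerable package is pulled in.
function triageAudit(report) {
  const runtime = [];
  const devOnly = [];
  const roots = {};
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const findings = adv.findings || [];
    // npm marks a finding dev:true when its paths start at a devDependency;
    // an advisory is dev-only when every finding carries that flag.
    const isDevOnly = findings.length > 0 && findings.every((f) => f.dev === true);
    const entry = { id, module: adv.module_name, severity: adv.severity, title: adv.title };
    (isDevOnly ? devOnly : runtime).push(entry);
    for (const f of findings) {
      for (const p of f.paths || []) {
        const root = p.split(">")[0]; // first segment of "root>child>...>module"
        if (!roots[adv.severity]) roots[adv.severity] = new Set();
        roots[adv.severity].add(root);
      }
    }
  }
  const rootsBySeverity = {};
  for (const [sev, set] of Object.entries(roots)) rootsBySeverity[sev] = [...set].sort();
  return { runtime, devOnly, rootsBySeverity };
}

// CI gate: fail only when a runtime-reachable advisory meets the threshold severity.
// Dev-only findings are still reported, but they do not block the build.
function shouldFailBuild(triage, minSeverity) {
  const min = SEVERITY_RANK[minSeverity];
  return triage.runtime.some((a) => (SEVERITY_RANK[a.severity] || 0) >= min);
}

// Stand-alone demo on the constructed report.
const demo = triageAudit(SAMPLE_REPORT);
console.log("runtime-reachable:", demo.runtime.map((a) => `${a.module} (${a.severity})`));
console.log("dev-only:", demo.devOnly.map((a) => `${a.module} (${a.severity})`));
console.log("roots by severity:", demo.rootsBySeverity);
console.log("fail build at >= moderate:", shouldFailBuild(demo, "moderate"));
```

To run it against a real tree, replace `SAMPLE_REPORT` with `JSON.parse` of the `npm audit --json` output; the `dev` flag is only meaningful if `package.json` correctly separates `devDependencies` from `dependencies`, so the split is only as good as that declaration.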

@cgewecke cgewecke mentioned this issue Apr 15, 2020
4 participants