Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

npm audit is failing #55

Open
jfly opened this issue Jul 16, 2020 · 2 comments
Open

npm audit is failing #55

jfly opened this issue Jul 16, 2020 · 2 comments

Comments

@jfly
Copy link
Member

jfly commented Jul 16, 2020

Here's what npm audit shows against main:

npm audit
$ npm audit
...
                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-iconfont [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-iconfont > gulp-svg2ttf > gulp-util > minimist          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-iconfont [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-iconfont > gulp-ttf2eot > gulp-util > minimist          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-iconfont [dev]                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-iconfont > gulp-ttf2woff > gulp-util > minimist         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-jimp [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-jimp > gulp-util > minimist                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg2png [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg2png > gulp-util > minimist                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-jimp [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-jimp > jimp > mkdirp > minimist                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimist                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.2.1 <1.0.0 || >=1.2.3                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg2png [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg2png > svg2png > phantomjs-prebuilt > extract-zip >  │
│               │ mkdirp > minimist                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1179                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ yargs-parser                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=13.1.2 <14.0.0 || >=15.0.1 <16.0.0 || >=18.1.2             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-svg2png [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-svg2png > svg2png > yargs > yargs-parser                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1500                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 8 low severity vulnerabilities in 793 scanned packages
  8 vulnerabilities require manual review. See the full report for details.

These stragglers all are indirectly related to these top level dependencies that I think may be unmaintained now. The state of things as of 2020-07-16:

It might not be worth going to a lot of effort to fix this:

  • gulp may be going out of style, so even if the core project is maintained, plugin developers seem to be fading away. I don't know that it's worth us forking the above projects and trying to get them working. @lgarron suggests it might be worth investigating parcel as a more modern alternative.
  • These security vulnerabilities don't actually affect us: we are just generating static content, and this code all runs in a VM secured by Travis.

So, for now, I'm going to just comment out the npm audit step of our build and link back to this issue.

jfly added a commit to jfly/icons that referenced this issue Jul 16, 2020
This is a workaround for cubing#55
jfly added a commit that referenced this issue Jul 16, 2020
This is a workaround for #55
lgarron added a commit that referenced this issue Sep 12, 2023
Compared to our `gulp` pipeline, this is:

- Faster
- Much simpler
- Easier to maintain
- Not full of deprecated dependencies with vulnerabilities

This also changes the project organization to match other `github.com/cubing` projects more closely.

Closes:
- #55
- #93
@dmint789
Copy link
Contributor

dmint789 commented Apr 4, 2024

Is this being worked on? This seems like an urgent issue to fix

@jfly
Copy link
Member Author

jfly commented Apr 4, 2024

It's not actively being worked on, but there's #112, which would make these problems evaporate.

The original post explains why this isn't urgent.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants