Karma Dependencies Security Vulnerabilities (NPM Audit) #2994
Comments
Thanks! While I think we should clean these up, it's not super important for karma-runner users. karma-runner isn't a library or service that runs continuously with access to valuable resources. If any of these issues are actually critical, let's hear about the case and focus on it.
Yeah, mostly just wanted to get the information out there so y'all Karma folks knew and could roadmap it. :) (I would like to see at least the Highs taken care of sooner rather than later, if possible, as it's not great to see npm screaming atcha in bright red every time. And the npm audit log spits out a lot of Karma stuff, so it'd be easy to lose any other, more important vulnerabilities in other packages in the mix, y'know?)
Well, I think you should rethink your security policy. It is not usable to do an npm install with all
If this is important to you, please help:
First we need a new log4js version... |
Seems like they released a new version of log4js |
Seems there's an issue with: Low │ Prototype Pollution and Moderate │ Prototype pollution
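What the "Prototype Pollution" rows in that audit table refer to, as an added illustration (this is not log4js's code, nor that of any package named in the thread): a recursive merge that copies attacker-controlled keys without filtering lets a `"__proto__"` key walk into `Object.prototype`, after which every object in the process inherits the payload. The hardened variant beside it skips `__proto__`, `constructor` and `prototype`, only recurses into plain objects it owns, and is shown with a constructed JSON payload.

```javascript
// Added illustration of the "Prototype Pollution" bug class named in the audit
// table. Not log4js's code or that of any package in this thread; it is the
// generic shape of the flaw: a recursive merge that copies attacker-controlled
// keys, including "__proto__", into a target object.

// Vulnerable: no key filtering. target["__proto__"] resolves to
// Object.prototype, so the recursion writes the attacker's keys onto it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the keys that reach the prototype chain, use own keys only,
// and only recurse into plain objects the target itself owns.
const BLOCKED_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(v) {
  if (v === null || typeof v !== "object") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === Object.prototype || proto === null;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge against a constructed payload (the kind a JSON body parser
// would hand an application) and reports whether an unrelated, freshly created
// object now carries the attacker's property. Cleans up so the process is not
// left polluted for later code.
function pollutes(merge) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "ok": 1}');
  try {
    merge({}, payload);
    return ({}).polluted === "yes";
  } finally {
    delete Object.prototype.polluted;
  }
}

console.log("unsafeMerge pollutes Object.prototype:", pollutes(unsafeMerge));
console.log("safeMerge pollutes Object.prototype:", pollutes(safeMerge));
```

The payload comes from `JSON.parse`, which creates `__proto__` as an ordinary own property; that is why `for...in` and `Object.keys` both see it and why the filter has to be explicit rather than relying on the key "not being there".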
I thought I'd link to these two related threads as well:
log4js 3.0.0 has been released, which should be able to resolve the remaining npm audit complaints
Considering that log4js 3.0.0 is out and fixes this issue, any idea when this is going to be updated and released?
The resolution of log4js requires us to drop node v4, which requires us to move to v3.0. See issue #3016 |
the last few will be cleaned up when the next version of karma is released see this open issue about security vulnerabilities: karma-runner/karma#2994
I currently have 7 vulnerabilities, 1 low and 6 moderate, all of them coming from karma:
I am not worried about this since karma is just a dev dependency in my project, but it would be nice to see the 0 vulnerabilities message for once :)
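The two practical points raised in this thread, that the karma findings drown out advisories in other packages and that karma is only a dev dependency, can be handled by post-processing the audit output. The following is an added example, not karma's or npm's own code: it groups `npm audit --json` advisories by the top-level dependency each path starts with and keeps dev-only roots apart from runtime ones. `sampleAudit` is constructed to mirror the npm 6 JSON layout (advisories keyed by id, each with `findings[].paths` and `findings[].dev`); its advisory ids, `dep-*` module names and versions are made up.

```javascript
// Added example (not karma's or npm's code): triage `npm audit --json` output
// by the top-level dependency each finding is reached through, runtime roots
// first, so one noisy dev dependency does not bury advisories that matter more.
// sampleAudit is constructed to mirror the npm 6 JSON shape; the ids, dep-*
// names and versions are made up and are not real advisories.
const sampleAudit = {
  advisories: {
    "1": {
      module_name: "dep-a", severity: "low", title: "Prototype Pollution",
      findings: [{ version: "1.0.0", paths: ["karma>log4js>dep-a"], dev: true }],
    },
    "2": {
      module_name: "dep-b", severity: "moderate", title: "Prototype pollution",
      findings: [{ version: "2.0.0", paths: ["karma>log4js>dep-b", "karma>dep-b"], dev: true }],
    },
    "3": {
      module_name: "dep-c", severity: "high", title: "Regular Expression Denial of Service",
      findings: [{ version: "0.1.0", paths: ["express>dep-c"], dev: false }],
    },
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

function worstSeverity(entry) {
  return Object.keys(entry.counts).reduce((m, s) => Math.max(m, SEVERITY_RANK[s] || 0), 0);
}

// Returns one entry per top-level dependency. An advisory is counted once per
// root here even when it is reached through several paths under that root.
// A root is "devOnly" only if every finding under it is flagged dev.
function triageAudit(audit) {
  const roots = {};
  for (const [id, adv] of Object.entries(audit.advisories || {})) {
    const countedFor = new Set();
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        const root = path.split(">")[0];
        const entry = roots[root] || (roots[root] = { root, devOnly: true, counts: {}, advisories: [] });
        if (!finding.dev) entry.devOnly = false;
        if (countedFor.has(root)) continue;
        countedFor.add(root);
        entry.counts[adv.severity] = (entry.counts[adv.severity] || 0) + 1;
        entry.advisories.push({ id, module: adv.module_name, severity: adv.severity, title: adv.title, via: path });
      }
    }
  }
  // Runtime roots first, then by the worst severity present under each root.
  return Object.values(roots).sort((a, b) => {
    if (a.devOnly !== b.devOnly) return a.devOnly ? 1 : -1;
    return worstSeverity(b) - worstSeverity(a);
  });
}

// One line per root, worst severity first, e.g. "karma (dev only): 1 moderate, 1 low".
function formatReport(entries) {
  return entries.map((e) => {
    const parts = Object.entries(e.counts)
      .sort((x, y) => (SEVERITY_RANK[y[0]] || 0) - (SEVERITY_RANK[x[0]] || 0))
      .map(([sev, n]) => `${n} ${sev}`);
    return `${e.root} (${e.devOnly ? "dev only" : "runtime"}): ${parts.join(", ")}`;
  });
}

console.log(formatReport(triageAudit(sampleAudit)).join("\n"));
```

On a real project, replace `sampleAudit` with `JSON.parse` of the output of `npm audit --json`. Later npm releases changed the JSON layout, so the field names above are specific to the npm 6 format this thread is about.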
To be clear: none of those come from karma, they all originate upstream. And they were all fixed already at HEAD. Also: this issue is only reproducible for nodejs v10
Nope. Node 8.11 here.
The npm audit command is part of npm, not node. Anyway, this issue is fixed AFAIK.
Which version of karma can I install to fix this problem? We are using v2.0.5 (the latest release) and it is still there...
This fix will be in the next release, 3.0
Then shouldn't the issue be open until then?
Generally we close issues when they are fixed. If you would like to be in charge of closing issues when we do a release, please volunteer, that would be great! If you would like to help with the work to get 3.0 released, also please volunteer! We just need to get the rest of PR #2997 to land.
Maybe I am bad at using this UI, but I don't see the commit in which this is supposed to be fixed (for 3.0). I suspect it would be quite minor. Doesn't it make sense to fix something minor which is a security vulnerability in 2.x as a hotfix instead of gating it on the 3.0 major release? That means that in order to have this vulnerability fixed, consumers will have to make a major version upgrade with breaking changes.
The security fix involves upgrading a 3rd party dependency to a new major version, which drops support for node 4.x, which is a breaking change anyway. Hence why it's not being backported to the 2.x branch.
I see, thanks!
The "solutions" don't work
karma v3.0.0 was released, which resolves the following GitHub issue: karma-runner/karma#2994
OK, version 3.0.0 has been released and the vulnerability messages have disappeared. 0 vulnerabilities in my project now! Thank you all!
NPM 6 introduced a security vulnerability audit feature, and karma's dependencies are being flagged with a variety of levels of issues. (in my case: 4 low, 17 moderate, 5 high)
List of flagged Karma dependencies (Most are the same library re-used):
High:
Moderate:
Low:
Karma version:
Using Angular-CLI 6.0's default, but updated to karma: ^2.0.2 in my package.json to see if karma's deps updated along with it, and installed
Steps to reproduce the behaviour