Skip to content
This repository has been archived by the owner on Jan 26, 2019. It is now read-only.

npm audit security report - package: deep-extend #319

Open
KDCinfo opened this issue May 11, 2018 · 1 comment
Open

npm audit security report - package: deep-extend #319

KDCinfo opened this issue May 11, 2018 · 1 comment

Comments

@KDCinfo
Copy link

KDCinfo commented May 11, 2018

For the following npm vulnerability audit report, is our only option to wait for the deep-extend package to get fixed/updated?

Note: When I upgraded to [email protected], the number of deep-extend vulnerabilities went from 11 down to 9 (while all the randomatic vulnerabilities resolved and went away).

The below audit item is the 2nd of the 9 remaining vulnerabilities (post the 3.0.0 upgrade)... all of the 9 reference paths are noted below this one example audit item.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Path          │ react-scripts-ts > fork-ts-checker-webpack-plugin > chokidar │
│               │ > fsevents > node-pre-gyp > rc > deep-extend                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-haste-map > sane > │
│               │ fsevents > node-pre-gyp > rc > deep-extend                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runner >           │
│               │ jest-haste-map > sane > fsevents > node-pre-gyp > rc >       │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runner >           │
│               │ jest-runtime > jest-haste-map > sane > fsevents >            │
│               │ node-pre-gyp > rc > deep-extend                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > jest > jest-cli > jest-runtime >          │
│               │ jest-haste-map > sane > fsevents > node-pre-gyp > rc >       │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > ts-jest > cpx > chokidar > fsevents >     │
│               │ node-pre-gyp > rc > deep-extend                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > webpack > watchpack > chokidar > fsevents │
│               │ > node-pre-gyp > rc > deep-extend                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > webpack-dev-server > chokidar > fsevents  │
│               │ > node-pre-gyp > rc > deep-extend                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

Insights welcome! 😄
Thanks!!

@KDCinfo
Copy link
Author

KDCinfo commented May 11, 2018

As a follow-up, I created a brand new create-react-app test1 --scripts-version=react-scripts-ts. I'm glad to report that although it also yielded the same 9 vulnerabilities, once committed, GitHub did not throw the alert that it did with the hoek dependency vulnerability. Primary concern defused. Cheers!

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant