This repository was archived by the owner on Mar 5, 2025. It is now read-only.

npm audit reporting numerous security vulnerabilities in the current build #2744

Closed
sshelton76 opened this issue Apr 27, 2019 · 5 comments · Fixed by #2746
Labels
Bug Addressing a bug

Comments

@sshelton76

sshelton76 commented Apr 27, 2019

I was working on a clean fork of the master branch and on a lark I decided to run npm audit.

found 1325 vulnerabilities (2 low, 1287 moderate, 36 high) in 526462 scanned packages
run npm audit fix to fix 1324 of them.
1 vulnerability requires manual review. See the full report for details.

I'm always hesitant to trust automated tools, but I think it would be advisable for someone to take a look at what it's finding and determine what's what.

Update:
I opened and deleted some comments a little while ago believing I might be on an ancient branch. I double checked that I am on the 1.0 branch now and getting about the same results.

@sshelton76
Author

sshelton76 commented Apr 27, 2019

I've created a branch called "audit" on my own fork in order to test the changes.
https://github.com/sshelton76/web3.js/tree/audit

Looks like it builds clean without errors, but tests are failing. However it looks like tests are failing on a clean pull of 1.0 for the same reasons. I'll open a separate issue for that.

@nivida
Contributor

nivida commented Apr 27, 2019

These issues are mostly because of lodash and js-yaml. The security vulnerabilities got detected between the last and current release of Web3. NPM audit fix will update the dependencies and fix it.

@nivida nivida added the Bug Addressing a bug label Apr 27, 2019
@nivida
Contributor

nivida commented Apr 27, 2019

Updated dependencies by audit fix:

Manually updated dependencies:

Nine "security vulnerabilities" are left because lerna (8) didn't release a new version until now and because I'm using istanbul-combine (1) to combine the coverage reports.

@wbt
Contributor

wbt commented Apr 14, 2020

FYI, the latest version from the 1.x branch is reporting 1401 vulnerabilities (1378 low, 10 moderate, 13 high).

@cgewecke
Collaborator

@wbt

Fwiw the only public facing vuln is for Web3 itself and relates to wallet storage. Everything else is in the development dependency tree.

Root dependencies with sub-dependencies (like handlebars etc) flagged by npm audit are:

High

  • lerna
  • nyc
  • geth-dev-assistant

Moderate

  • lerna
  • nyc
  • browserify (vuln is: acorn - Regular Expression Denial of Service)
  • dependency-check

These are mostly tools used in CI. We are updating Lerna today.
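The triage cgewecke describes above (which top-level dependency pulls in each flagged package, and whether it is development-only) can be automated from `npm audit --json`. The following is an added example, not code from the web3.js project; it assumes the npm 6 era report shape (`advisories[id].severity`, `module_name`, `findings[].paths`, `findings[].dev`) and runs on a small constructed report instead of a live audit.

```javascript
// Added example: group npm 6 `npm audit --json` advisories by root dependency,
// separating development-only findings from production (public-facing) ones.
// The report shape (advisories/findings/paths/dev) is assumed, not taken from the page.
function triageAudit(report) {
  const buckets = { prod: {}, dev: {} };
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      // `dev: true` means every path to this package goes through devDependencies.
      const bucket = finding.dev ? buckets.dev : buckets.prod;
      for (const depPath of finding.paths || []) {
        const root = depPath.split('>')[0]; // top-level package that pulls it in
        const entry = bucket[root] || (bucket[root] = { severities: {}, modules: [] });
        entry.severities[adv.severity] = (entry.severities[adv.severity] || 0) + 1;
        if (!entry.modules.includes(adv.module_name)) entry.modules.push(adv.module_name);
      }
    }
  }
  for (const bucket of Object.values(buckets)) {
    for (const entry of Object.values(bucket)) entry.modules.sort();
  }
  return buckets;
}

// Constructed sample report mirroring the thread: lodash/js-yaml/acorn reached only
// through CI tooling, plus one hypothetical production dependency.
const SAMPLE_REPORT = {
  advisories: {
    '1': { module_name: 'lodash', severity: 'high', findings: [
      { version: '4.17.11', dev: true,
        paths: ['lerna>@lerna/bootstrap>lodash', 'nyc>istanbul-lib-instrument>lodash'] } ] },
    '2': { module_name: 'js-yaml', severity: 'moderate', findings: [
      { version: '3.12.0', dev: true, paths: ['nyc>js-yaml'] } ] },
    '3': { module_name: 'acorn', severity: 'moderate', findings: [
      { version: '5.7.3', dev: true, paths: ['browserify>acorn'] } ] },
    '4': { module_name: 'example-lib', severity: 'low', findings: [
      { version: '1.0.0', dev: false, paths: ['example-lib'] } ] },
  },
};

console.log(JSON.stringify(triageAudit(SAMPLE_REPORT), null, 2));
```

Only the `prod` bucket represents exposure for consumers of the published package; the `dev` bucket is what CI tooling like lerna, nyc and browserify drag in.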

@cgewecke cgewecke mentioned this issue Apr 15, 2020