
npm audit security warning #1615


Closed
1 of 2 tasks
rosko opened this issue Dec 31, 2018 · 24 comments

Comments

@rosko

rosko commented Dec 31, 2018

  • Operating System: All
  • Node Version: Any
  • NPM Version: Any
  • webpack Version:
  • webpack-dev-server Version: <=3.1.14
  • This is a bug
  • This is a modification request

https://www.npmjs.com/advisories/725

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
@maddev0

maddev0 commented Dec 31, 2018

I have the same issue. I have tried: npm audit fix, manual update of webpack-dev-server to version 3.1.14, removal of node_modules and package-lock.json. None of this helps.

With webpack-dev-server version 3.1.10 initially installed, npm audit fix says

+ [email protected]
updated 1 package in 3.517s
fixed 1 of 1 vulnerability...

But then npm audit still reports 1 high severity vulnerability:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Missing Origin Validation                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.11                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/725                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 9001 scanned packages
  1 vulnerability requires manual review. See the full report for details.

@SharakPL

It's probably caused by #1604

@O-J1

O-J1 commented Jan 1, 2019

Still getting this issue despite the fact that I am on v3.1.14. Reinstalling does nothing.


@pauldraper

The npmjs advisory is currently inconsistent and there is no 3.1.x patch that npm audit will allow.

https://npm.community/t/advisory-725-inconsistently-marks-affected-versions/4333

@manishaggarwalm

Not working with [email protected]

@skreborn

skreborn commented Jan 2, 2019

@antimodern Don't worry, you're not being hacked. As you can see, it's trying to access a local address, most likely your own computer. The reason it fails to do so is that you've disconnected from the network, and your computer has lost its IP address.

@charlesfaustin

I'm getting the same issue; updating to 3.1.14 doesn't solve it, npm audit still returns the vulnerability after updating.

@Diaan

Diaan commented Jan 2, 2019

There seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

@manishaggarwalm

> There seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

You saved my rest of the day

@charlesfaustin

> There seems to be a typo in the vulnerability database: https://npm.community/t/npm-audit-sweems-to-get-semver-wrong/4352/4

How can we get this typo fixed? Some builds require npm audit to return a clean bill of health.

@Diaan

Diaan commented Jan 2, 2019

> How can we get this typo fixed? Some builds require npm audit to return a clean bill of health.

Not sure, but the link in my previous post is a bug report at NPM, so maybe voting on it will help get it resolved faster.

@charlesfaustin

> > How can we get this typo fixed? Some builds require npm audit to return a clean bill of health.
>
> Not sure, but the link in my previous post is a bug report at NPM, so maybe voting on it will help get it resolved faster.

done, thanks

@manishaggarwalm

manishaggarwalm commented Jan 2, 2019 via email

@SyedFarhan

SyedFarhan commented Jan 2, 2019

> Either webpack and create a new version with 3.2.0 like that would help?

I would just wait for the NPM audit team to fix this. This is a widely used dependency so I'm sure they'll have it fixed in a few hours.

@Diaan

Diaan commented Jan 2, 2019

> Either webpack and create a new version with 3.2.0 like that would help?

Probably not, unless they are releasing version 3.110.1 ;)

@manishaggarwalm

manishaggarwalm commented Jan 2, 2019 via email

@Diaan

Diaan commented Jan 2, 2019

I think it is fixed, the audit passes for me.

@rosko
Author

rosko commented Jan 2, 2019

Cool, thank you all!

@tshravan86

I'm still getting the error. Can someone please tell me how to resolve this issue? Thanks.


@nelson1212

nelson1212 commented Jan 7, 2019

Hi @tshravan86. You must update the version of "webpack-dev-server" to 3.1.14 in the following files: package-lock.json and package.json, in all occurrences. Finally, run "npm update".

It works for me.

@smlombardi

@nelson1212 note that npm update will update all your packages to their latest versions, which might not be what you want.

@chimericdream

If you want to do a more targeted update (and you tend to save exact version numbers in your package.json), here is what I did:

  1. Update webpack-dev-server version in package.json
  2. Delete package-lock.json
  3. Delete the node_modules directory
  4. Run npm i to re-fetch everything and write a new package-lock.json

Alternatively, if you use caret notation for your dependencies and want to be certain that only webpack-dev-server is updated, follow what @nelson1212 suggested with the following change:

  1. Update package.json and package-lock.json as @nelson1212 described
  2. Blow away node_modules
  3. Run npm i
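
As an added example that is not part of this thread (and not code from the webpack or npm projects): a small script that walks a constructed lockfile-v1 package-lock.json tree for every nested copy of webpack-dev-server, the "all occurrences" @nelson1212 mentions, and tests each one against a vulnerable range with a numeric semver comparison. The `<3.1.11` range is derived from the "Patched in >=3.1.11" line in the audit report; the `<3.110.1` range is an assumption standing in for the advisory typo the thread refers to, and shows why a correctly updated 3.1.14 would still be flagged.

```javascript
function parseVersion(v) {
  // "3.1.14" -> [3, 1, 14]; only plain x.y.z versions are handled here
  const parts = v.split('.').map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Numeric, component-wise compare: a plain string compare would sort "3.1.14" before "3.1.2".
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

const OPS = { '<': (c) => c < 0, '<=': (c) => c <= 0, '>': (c) => c > 0, '>=': (c) => c >= 0, '': (c) => c === 0 };

// range: space-separated simple comparators, e.g. ">=3.0.0 <3.1.11" (every clause must hold)
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|)(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported range clause: ${clause}`);
    return OPS[m[1]](compareVersions(version, m[2]));
  });
}

// Walk a lockfile-v1 "dependencies" tree and record every nested copy of `name`.
function findVersions(lockTree, name, path = [], out = []) {
  for (const [dep, entry] of Object.entries(lockTree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(' > '), version: entry.version });
    findVersions(entry, name, here, out);
  }
  return out;
}

function audit(lockTree, name, vulnerableRange) {
  return findVersions(lockTree, name).map((h) => ({ ...h, vulnerable: satisfies(h.version, vulnerableRange) }));
}

// Constructed lockfile fragment: the top-level copy was bumped to 3.1.14, but a
// nested copy under another (hypothetical) dev dependency is still at 3.1.10.
const sampleLock = {
  dependencies: {
    'webpack-dev-server': { version: '3.1.14' },
    'some-dev-tool': { version: '1.0.0', dependencies: { 'webpack-dev-server': { version: '3.1.10' } } },
  },
};

const ADVISORY_725_RANGE = '<3.1.11';  // derived from "Patched in >=3.1.11" in the audit report
const ASSUMED_TYPO_RANGE = '<3.110.1'; // ASSUMPTION: stands in for the advisory typo the thread mentions
```

Running `audit(sampleLock, 'webpack-dev-server', ADVISORY_725_RANGE)` flags only the nested 3.1.10 copy, while the assumed typo range flags both copies, including the correctly updated 3.1.14.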

@tshravan86

@nelson1212 Thanks for your help, it worked. @chimericdream thanks for your information. Need to change the version number at package-lock.json as well. Thanks once again.

@nelson1212

> @nelson1212 Thanks for your help, it worked. @chimericdream thanks for your information. Need to change the version number at package-lock.json as well. Thanks once again.

My pleasure
