┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-native-cached-image                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-native-cached-image > lodash                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 11 vulnerabilities (2 low, 8 moderate, 1 high) in 26316 scanned packages
11 vulnerabilities require manual review. See the full report for details.
This shows up when I try to npm install, and all of them require manual review. I've tried visiting the link to check for more info and apparently it's because my lodash is version 4.17.4. So I've then run npm install --save lodash@4.17.5 and checked my package.json to make sure it reflects that correctly.
However, it seems the vulnerabilities are still there. Am I fixing it the wrong way?
As requested, the body of package.json:
"dependencies": {
  "lodash": "^4.17.5"
}
You can solve it with https://github.com/rogeriochaves/npm-force-resolutions
1) add a resolutions section
"resolutions": {
  "lodash": "^4.17.5"
}
2) run
rm -r node_modules
npx npm-force-resolutions
npm install
The issue is that the react-native-cached-image package depends on lodash 4.17.4, as you can see here: https://github.com/kfiroo/react-native-cached-image/blob/master/package.json#L51
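To see why bumping the top-level lodash does not clear the advisory, here is an added example (it is not part of the question or the answer above, and it is not npm-force-resolutions code) that walks a package-lock.json and lists every installed copy of a package with the require path npm audit prints, flagging the copies still below the patched release. The lockfile in the block is constructed for the demo: only the two lodash versions come from the question, the react-native-cached-image version is a placeholder. Run findInstalledCopies on JSON.parse of your own lockfile to check a real project.

```javascript
// Added example: find every copy of a package an npm lockfile installs and
// flag the ones older than the patched release. Not code from the question,
// the answer or npm-force-resolutions.

// Constructed lockfile (v2 layout). Top-level lodash was bumped to 4.17.5,
// but react-native-cached-image still pins 4.17.4, so npm nests a second copy.
// The react-native-cached-image version below is a placeholder.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { lodash: '^4.17.5', 'react-native-cached-image': '*' } },
    'node_modules/lodash': { version: '4.17.5' },
    'node_modules/react-native-cached-image': {
      version: '1.0.0',
      dependencies: { lodash: '4.17.4' },
    },
    'node_modules/react-native-cached-image/node_modules/lodash': { version: '4.17.4' },
  },
};

// Compare dotted release versions ("4.17.4" < "4.17.5"). Lockfiles pin exact
// releases, so pre-release tags are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Turn a lockfile "packages" key into the path npm audit shows:
// "node_modules/a/node_modules/@scope/b" -> ["a", "@scope/b"]
function requirePath(key) {
  return key.replace(/^node_modules\//, '').split('/node_modules/');
}

// Every installed copy of `name`, from the lockfile v2/v3 "packages" map or,
// for lockfile v1, by recursing through the nested "dependencies" objects.
function findInstalledCopies(lock, name) {
  const copies = [];
  if (lock.packages) {
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project itself
      const path = requirePath(key);
      if (path[path.length - 1] === name) {
        copies.push({ version: entry.version, path: path.join(' > ') });
      }
    }
    return copies;
  }
  const walk = (deps, trail) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (dep === name) copies.push({ version: entry.version, path: here.join(' > ') });
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return copies;
}

// Copies whose version is below the first patched release.
function unpatchedCopies(lock, name, patchedFrom) {
  return findInstalledCopies(lock, name).filter(
    (c) => compareVersions(c.version, patchedFrom) < 0
  );
}

// The top-level lodash is fine; the copy under react-native-cached-image is not.
for (const c of unpatchedCopies(SAMPLE_LOCK, 'lodash', '4.17.5')) {
  console.log(`still vulnerable: ${c.path}@${c.version}`);
}
```

The nested entry at node_modules/react-native-cached-image/node_modules/lodash is the copy npm audit reports as "react-native-cached-image > lodash"; editing the top-level range in package.json never touches it, which is what the resolutions step above is for. Current npm (8.3 and later) has a built-in overrides field in package.json that does the same job without the extra tool.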
npm audit
npm audit report
json5  <1.0.2
Severity: high
Prototype Pollution in JSON5 via Parse Method - https://github.com/advisories/GHSA-9c47-m6qq-7p4h
fix available via npm audit fix --force
Will install expo@1.0.0, which is a breaking change
node_modules/babel-preset-expo/node_modules/json5
  find-babel-config  <=1.2.0
  Depends on vulnerable versions of json5
  node_modules/babel-preset-expo/node_modules/find-babel-config
    babel-plugin-module-resolver  2.3.0 - 4.1.0
    Depends on vulnerable versions of find-babel-config
    node_modules/babel-preset-expo/node_modules/babel-plugin-module-resolver
      babel-preset-expo  *
      Depends on vulnerable versions of babel-plugin-module-resolver
      node_modules/babel-preset-expo
        expo  >=14.0.0
        Depends on vulnerable versions of babel-preset-expo
        node_modules/expo
5 high severity vulnerabilities
To address all issues (including breaking changes), run:
  npm audit fix --force
├─┬ @babel/core@7.20.12
│ └── json5@2.2.3 deduped
├─┬ @expo/json-file@8.2.35 extraneous
│ └── json5@1.0.2 extraneous
├─┬ babel-plugin-module-resolver@2.5.0 invalid: "5.0.0" from the root project
│ └─┬ find-babel-config@1.2.0
│   └── json5@0.5.1
├─┬ expo-splash-screen@0.17.5 extraneous
│ └─┬ @expo/prebuild-config@5.0.7
│   └─┬ @expo/json-file@8.2.36
│     └── json5@1.0.2
├─┬ expo@47.0.13
│ ├─┬ @expo/cli@0.4.11
│ │ ├─┬ @expo/json-file@8.2.36
│ │ │ └── json5@1.0.2
│ │ ├─┬ @expo/metro-config@0.5.2
│ │ │ └─┬ @expo/json-file@8.2.36
│ │ │   └── json5@1.0.2
│ │ └─┬ @expo/package-manager@0.0.57
│ │   └─┬ @expo/json-file@8.2.36
│ │     └── json5@1.0.2
│ ├─┬ @expo/config-plugins@5.0.4
│ │ └─┬ @expo/json-file@8.2.36
│ │   └── json5@1.0.2
│ ├─┬ babel-preset-expo@9.2.2
│ │ └─┬ babel-plugin-module-resolver@4.1.0
│ │   └─┬ find-babel-config@1.2.0
│ │     └── json5@0.5.1
│ └─┬ expo-constants@14.0.2
│   └─┬ @expo/config@7.0.3
│     └─┬ @expo/json-file@8.2.36
│       └── json5@1.0.2
├─┬ find-babel-config@2.0.0
│ └── json5@2.2.3 deduped
├── json5@2.2.3
└─┬ loader-utils@2.0.4 extraneous
  └── json5@2.2.3 deduped
"npm audit fix --force" or "npm install --save json5@latest" is not working as expected.
Hi everybody, I don't really know if these are called "instances" of a package... anyway, my problem is this:
If I run yarn npm audit it shows me a problem with the package trim-newlines and suggests that I upgrade it to a version >=3.0.1. After the upgrade (with yarn up trim-newlines), I run npm ls trim-newlines and this is the output:
├─┬ lerna@3.22.1
│ └─┬ @lerna/version@3.22.1
│   └─┬ @lerna/conventional-commits@3.22.0
│     ├─┬ conventional-changelog-core@3.2.3
│     │ ├─┬ conventional-changelog-writer@4.1.0
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ ├─┬ conventional-commits-parser@3.2.4
│     │ │ └─┬ meow@8.1.2
│     │ │   └── trim-newlines@3.0.1
│     │ └─┬ get-pkg-repo@1.4.0
│     │   └─┬ meow@3.7.0
│     │     └── trim-newlines@1.0.0
│     └─┬ conventional-recommended-bump@5.0.1
│       └─┬ meow@4.0.1
│         └── trim-newlines@2.0.0
└── trim-newlines@4.0.2
So it looks like there are multiple versions of it. I managed to upgrade the bottom one to latest version, but how do I upgrade the others?
I am currently migrating our monorepo to yarn workspaces. It contains multiple packages and services. Services depend on packages in their respective package.json. I would like to deploy my services to Google App Engine without having to publish the packages to a private npm registry.
I managed to deploy a single service by using a custom runtime and by moving the app.yaml and the Dockerfile to the root of the monorepo in order to have access to the packages and the service in the build context. The issue is that I have multiple services and I cannot have all the dockerfiles at the root of the monorepo, as they have to be named Dockerfile and that I cannot change the build context.
I see 2 naive solutions:
The first would be to move the app.yaml and Dockerfile of the corresponding service to the root of the monorepo before deploying. But this looks quite dirty and would make the CI code very complicated.
The second would be to have a single Dockerfile and service1.yaml, service2.yaml etc. at the root of the monorepo and to pass variables to the Dockerfile. The problem is that I don't see any way in App Engine documentation to pass variables to the Dockerfile of a custom runtime.
My dream solution would be to be able to keep each Dockerfile and app.yaml in the directory of their respective services and to be able to set the build context through the gcloud CLI (like we can do in docker-compose).
Example:
project
├── package.json
├── packages
│   ├── package1
│   │   ├── package.json
│   │   └── src
│   ├── package2
│   │   ├── package.json
│   │   └── src
│   └── package3
│       ├── package.json
│       └── src
├── services
│   ├── service1
│   │   ├── app.yaml
│   │   ├── Dockerfile
│   │   ├── package.json
│   │   └── src
│   └── service2
│       ├── app.yaml
│       ├── Dockerfile
│       ├── package.json
│       └── src
└── yarn.lock
and run something like: gcloud app deploy services/service1/app.yaml --build-context=.
But I don't see any way of doing this in the documentation.
Do you know how I can get closer to my "dream solution"?
Adding the possible option suggested in the comments to give it more visibility.
One possibility would be to keep the docker-compose workflow you were using and integrate it with your App Engine deploys.
As you were already building your Docker images with docker-compose in order to specify the build context, you can push the result of the build to Google's Container Registry so the images can later be used to deploy to App Engine with the --image-url flag.
There is a small React/Redux app I'd like to check with nsp check.
For instance, nsp complains that the debug 2.6.8 package I use in the app contains a vulnerability. So I need to bump the version of debug:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Name          │ debug                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ CVSS          │ 3.7 (Low)                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Installed     │ 2.6.8                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 2.6.8 || >= 3.0.0 <= 3.0.1                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched       │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ sms-web@0.0.1 > webpack-dev-server@2.5.0 >                   │
│               │ compression@1.7.0 > debug@2.6.8                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/534                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
I tried npm update --depth=7, but it didn't update debug package.
So how can I update deeply placed packages, e.g. debug?
According to the docs:
As of npm@2.6.1, the npm update will only inspect top-level packages. Prior versions of npm would also recursively inspect all dependencies. To get the old behavior, use npm --depth 9999 update.
In order to update just the debug package you could do
npm --depth 9999 update debug
or else you could just uninstall and reinstall it like
npm uninstall -S debug
npm install -S debug
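Whether a version is fixed is not simply a matter of being newer than the installed one: in the debug advisory above, 3.0.0 and 3.0.1 are newer than 2.6.8 and still vulnerable, and only 2.6.9 up to (but not including) 3.0.0, or 3.1.0 and later, are patched. The following added example (not code from the question, the answer, nsp or npm) parses the range syntax that nsp and npm audit print and classifies an installed version against an advisory's Vulnerable and Patched ranges. It also accepts the shapes npm audit uses in the json5 report earlier on this page ("<1.0.2", "2.3.0 - 4.1.0", "*"). It assumes plain numeric release versions; pre-release tags are not handled.

```javascript
// Added example: evaluate nsp / npm audit version ranges against an installed
// version. Not code from the question, the answer, nsp or npm.

// Compare dotted release versions; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Each operator maps the result of compareVersions(installed, bound) to pass/fail.
const OPS = {
  '<':  (c) => c < 0,
  '<=': (c) => c <= 0,
  '>':  (c) => c > 0,
  '>=': (c) => c >= 0,
  '=':  (c) => c === 0,
};

// Parse one "||" alternative into a list of {op, version} comparators that
// must all hold (an AND). Handles "*", "2.3.0 - 4.1.0" and "<= 2.6.8".
function parseComparatorSet(text) {
  const t = text.trim();
  if (t === '' || t === '*') return [];            // matches every version
  const hyphen = t.match(/^(\S+)\s+-\s+(\S+)$/);    // "2.3.0 - 4.1.0"
  if (hyphen) {
    return [{ op: '>=', version: hyphen[1] }, { op: '<=', version: hyphen[2] }];
  }
  const comparators = [];
  const re = /(<=|>=|<|>|=)?\s*(\d+(?:\.\d+)*)/g;
  let m;
  while ((m = re.exec(t)) !== null) {
    comparators.push({ op: m[1] || '=', version: m[2] });
  }
  return comparators;
}

// "<= 2.6.8 || >= 3.0.0 <= 3.0.1" -> an OR of comparator sets.
function parseRange(range) {
  return range.split('||').map(parseComparatorSet);
}

function satisfies(version, range) {
  return parseRange(range).some((set) =>
    set.every(({ op, version: bound }) => OPS[op](compareVersions(version, bound)))
  );
}

// Classify an installed version against the advisory's two ranges. A version
// in neither range is reported as unknown rather than assumed safe.
function classify(installed, vulnerable, patched) {
  if (satisfies(installed, vulnerable)) return 'vulnerable';
  if (satisfies(installed, patched)) return 'patched';
  return 'unknown';
}

// The two ranges from the debug advisory in the nsp table above.
const VULNERABLE = '<= 2.6.8 || >= 3.0.0 <= 3.0.1';
const PATCHED = '>= 2.6.9 < 3.0.0 || >= 3.1.0';

for (const v of ['2.6.8', '2.6.9', '3.0.0', '3.0.1', '3.1.0']) {
  console.log(`debug@${v}: ${classify(v, VULNERABLE, PATCHED)}`);
}
```

The point of the two-range check is that a dependent's own range may only allow the 3.0.x line, in which case npm update can land you on 3.0.1 and the advisory stays open; comparing against the Patched range rather than "anything newer" catches that.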
I don't understand the following:
tuxiboy@C:~/Downloads$ sudo npm install -g graceful-fs graceful-fs@latest
/usr/lib
└── graceful-fs@4.1.9
tuxiboy@C:~/Downloads$ sudo npm install -g minimatch minimatch@latest
/usr/lib
└── minimatch@3.0.3
tuxiboy@C:~/Downloads$ sudo npm install -g generator-karma generator-karma@latest
npm WARN deprecated cross-spawn-async@2.2.4: cross-spawn no longer requires a build toolchain, use it instead!
/usr/lib
└── generator-karma@2.0.0
tuxiboy@C:~/Downloads$ sudo npm update minimatch
tuxiboy@C:~/Downloads$ sudo npm update graceful-fs
tuxiboy@C:~/Downloads$ sudo npm update generator-karma
tuxiboy@C:~/Downloads$ sudo npm install npm@latest -g
/usr/bin/npm -> /usr/lib/node_modules/npm/bin/npm-cli.js
/usr/lib
└── npm@3.10.8
tuxiboy@C:~/Downloads$ sudo npm install -g generator-angular generator-angular@latest
npm WARN deprecated graceful-fs@2.0.3: graceful-fs v3.0.0 and before will fail on node releases >= v7.0. Please update to graceful-fs@^4.0.0 as soon as possible. Use 'npm ls graceful-fs' to find it in the tree.
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated CSSselect@0.4.1: the module is now available as 'css-select'
npm WARN deprecated CSSwhat@0.4.7: the module is now available as 'css-what'
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.3.0: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated tough-cookie@0.9.15: ReDoS vulnerability parsing Set-Cookie https://nodesecurity.io/advisories/130
/usr/lib
├── generator-angular@0.15.1
└── UNMET PEER DEPENDENCY generator-karma@>=0.9.0
npm WARN generator-angular@0.15.1 requires a peer of generator-karma@>=0.9.0 but none was installed.
tuxiboy@C:~/Downloads$ npm -g list minimatch
/usr/lib
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ glob@4.5.3
│ │   └── minimatch@2.0.10
│ └─┬ yeoman-generator@0.16.0
│   ├─┬ file-utils@0.1.5
│   │ ├─┬ glob@3.2.11
│   │ │ └── minimatch@0.3.0
│   │ └── minimatch@0.2.14
│   ├─┬ findup-sync@0.1.3
│   │ └─┬ glob@3.2.11
│   │   └── minimatch@0.3.0
│   └─┬ glob@3.2.11
│     └── minimatch@0.3.0
├─┬ generator-karma@2.0.0
│ └─┬ yeoman-generator@0.22.6
│   └─┬ glob@6.0.4
│     └── minimatch@3.0.3
├─┬ grunt-cli@1.2.0
│ └─┬ findup-sync@0.3.0
│   └─┬ glob@5.0.15
│     └── minimatch@3.0.3
├── minimatch@3.0.3
└─┬ npm@3.10.8
  ├─┬ fstream-npm@1.2.0
  │ └─┬ fstream-ignore@1.0.5
  │   └── minimatch@3.0.3
  ├─┬ glob@7.0.6
  │ └── minimatch@3.0.3
  ├─┬ init-package-json@1.9.4
  │ └─┬ glob@6.0.4
  │   └── minimatch@3.0.3
  ├─┬ node-gyp@3.4.0
  │ └── minimatch@3.0.3
  └─┬ read-package-json@2.0.4
    └─┬ glob@6.0.4
      └── minimatch@3.0.3
tuxiboy@C:~/Downloads$ npm -g list graceful-fs
/usr/lib
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ bower-config@0.5.2
│ │   └── graceful-fs@2.0.3
│ └─┬ yeoman-generator@0.16.0
│   └─┬ download@0.1.19
│     └─┬ decompress@0.2.5
│       └─┬ tar@0.1.20
│         └─┬ fstream@0.1.31
│           └── graceful-fs@3.0.11
├─┬ generator-karma@2.0.0
│ └─┬ yeoman-generator@0.22.6
│   └─┬ download@4.4.3
│     └─┬ vinyl-fs@2.4.3
│       └── graceful-fs@4.1.9
├── graceful-fs@4.1.9
└─┬ npm@3.10.8
  └── graceful-fs@4.1.6
tuxiboy@C:~/Downloads$ npm -g list generator-karma
/usr/lib
└── generator-karma@2.0.0
tuxiboy@C:~/Downloads$ npm -v
3.10.8
It seems like I have generator-karma in the newest version, generator-karma@2.0.0, but it still complains that I'm using a version that is too old!
Regarding minimatch and graceful-fs, under 'generator-angular@0.15.1' it shows minimatch@2.0.10 and graceful-fs@2.0.3, but elsewhere it seems to have minimatch@3.0.3 and graceful-fs@4.1.9!
First of all, these are just warnings.
You are installing the latest versions of minimatch etc. globally on your computer. But the warnings are due to the generator-angular dependency tree, i.e. generator-angular has dependencies that depend on older versions of minimatch etc., hence the warnings.
e.g. in this part of the tree:
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ glob@4.5.3
│ │   └── minimatch@2.0.10
│ └─┬ yeoman-generator@0.16.0
│   ├─┬ file-utils@0.1.5
│   │ ├─┬ glob@3.2.11
│   │ │ └── minimatch@0.3.0
│   │ └── minimatch@0.2.14
│   ├─┬ findup-sync@0.1.3
│   │ └─┬ glob@3.2.11
│   │   └── minimatch@0.3.0
│   └─┬ glob@3.2.11
│     └── minimatch@0.3.0
you see that older versions of minimatch are being retrieved.
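The answer above reads the tree by eye. As an added example (not code from the question, the answer or npm), the following parses the text that npm ls prints into one record per package, each with the chain of dependents that pulls it in, and lists the copies of a package below a minimum version. It shows directly why the global npm install -g minimatch changed nothing for the warnings: every old copy sits inside generator-angular's own subtree. The same parser reads the json5 and trim-newlines trees earlier on this page. The sample is a constructed excerpt of the npm -g list minimatch output from the question, with the two-column-per-level indentation npm prints.

```javascript
// Added example: parse `npm ls` text output and flag copies of a package that
// are below a minimum version, with the dependents that pull each one in.
// Not code from the question, the answer or npm.

// Constructed excerpt of the `npm -g list minimatch` output in the question.
const SAMPLE_NPM_LS = `/usr/lib
├─┬ generator-angular@0.15.1
│ ├─┬ wiredep@2.2.2
│ │ └─┬ glob@4.5.3
│ │   └── minimatch@2.0.10
│ └─┬ yeoman-generator@0.16.0
│   ├─┬ file-utils@0.1.5
│   │ ├─┬ glob@3.2.11
│   │ │ └── minimatch@0.3.0
│   │ └── minimatch@0.2.14
│   ├─┬ findup-sync@0.1.3
│   │ └─┬ glob@3.2.11
│   │   └── minimatch@0.3.0
│   └─┬ glob@3.2.11
│     └── minimatch@0.3.0
├─┬ generator-karma@2.0.0
│ └─┬ yeoman-generator@0.22.6
│   └─┬ glob@6.0.4
│     └── minimatch@3.0.3
└── minimatch@3.0.3
`;

// Compare dotted release versions; pre-release tags are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Split "name@version [deduped|extraneous|invalid: ...]" on the LAST "@", so a
// scoped name such as "@expo/json-file@8.2.36" keeps its leading "@".
function parseNode(label) {
  const token = label.trim().split(/\s+/)[0];
  const at = token.lastIndexOf('@');
  if (at < 0) return { name: token, version: '' }; // e.g. "UNMET PEER DEPENDENCY ..."
  return { name: token.slice(0, at), version: token.slice(at + 1) };
}

// npm ls indents each level by two columns, so the branch connector (├ or └)
// sits at column 2 * depth. A stack of ancestors rebuilds each node's path.
function parseNpmLs(text) {
  const nodes = [];
  const stack = [];
  for (const line of text.split('\n')) {
    const col = line.search(/[├└]/);
    if (col < 0) continue;                        // header such as "/usr/lib"
    const depth = col / 2;
    const node = parseNode(line.slice(col + 4));  // skip "├─┬ " or "└── "
    stack.length = depth;                         // drop siblings' subtrees
    stack.push(node);
    nodes.push({
      ...node,
      path: stack.map((n) => `${n.name}@${n.version}`).join(' > '),
    });
  }
  return nodes;
}

// Every copy of `name` in the tree whose version is below `minVersion`.
function outdatedCopies(text, name, minVersion) {
  return parseNpmLs(text).filter(
    (n) => n.name === name && compareVersions(n.version, minVersion) < 0
  );
}

// 3.0.2 is the floor the deprecation warning asks for.
for (const c of outdatedCopies(SAMPLE_NPM_LS, 'minimatch', '3.0.2')) {
  console.log(`needs update: ${c.path}`);
}
```

Feed it the real output with something like parseNpmLs(require('child_process').execSync('npm ls minimatch').toString()); every path it prints starts with the top-level package whose maintainers have to bump their own dependency ranges, which is the only place the fix can come from for a nested copy.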