JupiterOne/playwright-aws-lambda

`npm audit` reports vulnerabilities

smithki opened this issue · 2 comments

There are transitive dependencies of lambdafs which depend on vulnerable versions of minimist and bl. It's not clear to me how this vulnerability might affect playwright-aws-lambda in practice, but it does create scary-looking noise upon npm install.

An example of npm install playwright-aws-lambda output on a fresh project:

```
up to date, audited 20 packages in 451ms

3 vulnerabilities (2 moderate, 1 critical)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
```

And the npm audit report:

```
# npm audit report

bl  3.0.0
Severity: moderate
Remote Memory Exposure in bl - https://github.com/advisories/GHSA-pp7h-53gx-mx7r
fix available via `npm audit fix`
node_modules/lambdafs/node_modules/bl

minimist  <=1.2.5
Severity: critical
Prototype Pollution in minimist - https://github.com/advisories/GHSA-xvch-5gv4-984h
Prototype Pollution in minimist - https://github.com/advisories/GHSA-vh95-rmgr-6w4m
fix available via `npm audit fix`
node_modules/lambdafs/node_modules/minimist
  mkdirp  0.4.1 - 0.5.1
  Depends on vulnerable versions of minimist
  node_modules/lambdafs/node_modules/mkdirp

3 vulnerabilities (2 moderate, 1 critical)

To address all issues, run:
  npm audit fix
```

Unfortunately, `npm audit fix` does nothing to resolve the issue. This appears to be a known issue in NPM itself.

There's seemingly a bazillion different places where this specific issue could be resolved upstream, but getting support for packages that appear to be stale is a challenge. Perhaps a solution can be implemented directly by playwright-aws-lambda?

FWIW, the audit reports no vulnerabilities if lambdafs is upgraded to v2.1.1.

A (hopefully temporary) workaround for anyone else experiencing this using npm@>=8.3:

```jsonc
// package.json
{
  "overrides": {
    "lambdafs": "2.1.1"
  }
}
```
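As an added example (not code from the issue or from playwright-aws-lambda), here is a small check that reads an npm lockfile (lockfileVersion 2 or 3, which store installs in a `packages` map keyed by path) and flags the nested versions named in the audit report above, then confirms that an override actually pinned lambdafs to 2.1.1 or later. The sample lockfile and its lambdafs version are constructed for the demonstration, and the vulnerable ranges are copied from the report.

```javascript
// Added example, not part of the issue or project. Scans a lockfile's
// "packages" map for the nested vulnerable copies reported by npm audit and
// verifies that lambdafs resolved to the fixed release.

// "1.2.5" -> [1, 2, 5]; any pre-release suffix is dropped for this check.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Negative if a < b, 0 if equal, positive if a > b (major.minor.patch only).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Affected ranges exactly as listed in the audit report on this page.
const VULNERABLE = {
  bl: (v) => v === '3.0.0',
  minimist: (v) => compareVersions(v, '1.2.5') <= 0,
  mkdirp: (v) => compareVersions(v, '0.4.1') >= 0 && compareVersions(v, '0.5.1') <= 0,
};

// Each key is an install path like "node_modules/lambdafs/node_modules/minimist";
// the package name is whatever follows the last "node_modules/".
function findVulnerable(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // "" is the root project itself
    const name = path.split('node_modules/').pop();
    const isAffected = VULNERABLE[name];
    if (isAffected && meta.version && isAffected(meta.version)) {
      hits.push(`${path}@${meta.version}`);
    }
  }
  return hits;
}

// True only when every installed copy of lambdafs is >= 2.1.1 (the fixed version).
function lambdafsFixed(lockfile) {
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path.endsWith('node_modules/lambdafs'))
    .every(([, meta]) => compareVersions(meta.version, '2.1.1') >= 0);
}

// Constructed sample mirroring the nested tree from the report; the lambdafs
// version here is a placeholder for "some release before 2.1.1".
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/lambdafs': { version: '1.0.0' },
  'node_modules/lambdafs/node_modules/bl': { version: '3.0.0' },
  'node_modules/lambdafs/node_modules/minimist': { version: '1.2.5' },
  'node_modules/lambdafs/node_modules/mkdirp': { version: '0.5.1' },
} };
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to both functions after `npm install` to confirm the override took effect.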