Vulnerabilities
Closed this issue · 1 comments
I was installing node-opus, and I ran into these vulnerabilities. None of them could be fixed, though. It said they required manual review:
```
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > request > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > request > hawk > cryptiles > boom > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > request > hawk > hoek
More info https://nodesecurity.io/advisories/566
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > request > hawk > sntp > hoek
More info https://nodesecurity.io/advisories/566
Moderate Out-of-bounds Read
Package stringstream
Patched in >=0.0.6
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native >
node-pre-gyp > request > stringstream
More info https://nodesecurity.io/advisories/664
found 9 moderate severity vulnerabilities in 506 scanned packages
9 vulnerabilities require manual review. See the full report for details.
```
Updated mocha, which took care of all the ones in node-opus.
The rest (such as hoek?) above are not part of node-opus dependencies as far as I can tell.
Please re-open the issue if you feel I'm wrong in my evaluation.