npm audit and vulnerabilities
angelogulina opened this issue · 5 comments
After a fresh install of the package, running npm audit shows the following result:

```
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

Critical        Command Injection
Package         growl
Patched in      >=1.10.2
Dependency of   webpagetest [dev]
Path            webpagetest > mocha > growl
More info       https://nodesecurity.io/advisories/146

Low             Regular Expression Denial of Service
Package         debug
Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0
Dependency of   webpagetest [dev]
Path            webpagetest > mocha > debug
More info       https://nodesecurity.io/advisories/534
```
Is there any plan to work on that?
Ping @marcelduran: right now one of these dependencies gives a critical warning when you install. I would really want to get rid of it, since it gives us that critical in our WebPageTest wrapper at work, and also for people who install sitespeed.io.
I can do a PR but want to know the plan. Right now the API supports NodeJS later than 0.10.1, but upgrading to at least Mocha 4 drops support for such an old NodeJS version. It would be sane to match the current LTS of Node and upgrade to the latest Mocha (6.x).
Also, the tests now have test cases that result in:

```
1) WPT test of test (not really an error)
   median.firstView.render: 793 should be less than 300:
   AssertionError [ERR_ASSERTION]: false == true
   + expected - actual
```

What's up with that? :)
Best
Peter
Is mocha even an actual dependency of this package? If it's only used for the unit tests, it could be moved into the devDependencies quite easily, and from there it would no longer cause vulnerability warnings when people npm install the package, right?
Mocha is, I believe, a dependency, because the library (webpagetest-api) can run the API as a test and return mocha results. So this makes it part of the library.
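The question raised above is whether an advisory under `webpagetest > mocha > growl` reaches consumers at all, which depends on whether `mocha` sits in the library's `dependencies` or its `devDependencies`. The following is an added example, not code from this thread or from the webpagetest-api project: it takes `npm audit --json` output (npm 6 shape) plus a package.json and classifies each finding as shipped to consumers or dev-only; the audit report, the manifest and the `'*'` version range are constructed from the text quoted in the issue.

```javascript
// CONSTRUCTED inputs in the npm 6 `npm audit --json` shape, built from the advisories quoted above.
const auditReport = {
  advisories: {
    146: { id: 146, module_name: 'growl', severity: 'critical', title: 'Command Injection',
           patched_versions: '>=1.10.2', findings: [{ paths: ['webpagetest>mocha>growl'] }] },
    534: { id: 534, module_name: 'debug', severity: 'low',
           title: 'Regular Expression Denial of Service',
           patched_versions: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
           findings: [{ paths: ['webpagetest>mocha>debug'] }] },
  },
};
// Constructed manifest mirroring the thread: mocha sits in `dependencies` (the version
// range is a placeholder), so every consumer that installs webpagetest installs it too.
const manifest = { name: 'webpagetest', dependencies: { mocha: '*' }, devDependencies: {} };
const SEVERITY_RANK = { none: 0, info: 1, low: 2, moderate: 3, high: 4, critical: 5 };

// For each advisory path rooted at this library, inspect the first hop below it: if that
// hop is a production dependency, consumers install the vulnerable module as well; if it
// lives only in devDependencies, only the library's own test runs do.
function classifyFindings(report, pkg) {
  const prod = new Set(Object.keys(pkg.dependencies || {}));
  const out = [];
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const hops = path.split('>');
        if (hops[0] !== pkg.name) continue;          // path rooted in some other package
        const direct = hops[1];                      // undefined: the library itself is flagged
        const shipped = direct === undefined || prod.has(direct);
        out.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
                   via: direct || pkg.name, shipped, patched: adv.patched_versions });
      }
    }
  }
  return out;
}

// Highest severity that actually reaches consumers ('none' when everything is dev-only).
function highestShippedSeverity(findings) {
  return findings.filter(f => f.shipped).reduce(
    (top, f) => (SEVERITY_RANK[f.severity] > SEVERITY_RANK[top] ? f.severity : top), 'none');
}

// The what-if from the thread: move one dependency into devDependencies (returns a new manifest).
function moveToDevDependencies(pkg, name) {
  if (!(name in (pkg.dependencies || {}))) return pkg;
  const { [name]: range, ...deps } = pkg.dependencies;
  return { ...pkg, dependencies: deps, devDependencies: { ...pkg.devDependencies, [name]: range } };
}
```

With mocha in `dependencies` both advisories are classified as shipped and the top shipped severity is `critical`; after `moveToDevDependencies(manifest, 'mocha')` neither reaches consumers, which is why the thread asks whether mocha is a real runtime dependency.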
Fixed in #128
I think we can close this then. Thanks!