catchpoint/WebPageTest.api-nodejs

npm audit and vulnerabilities

angelogulina opened this issue · 5 comments

After a fresh install of the package, running npm audit shows the following result:

=== npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Critical        Command Injection

  Package         growl

  Patched in      >=1.10.2

  Dependency of   webpagetest [dev]

  Path            webpagetest > mocha > growl

  More info       https://nodesecurity.io/advisories/146


  Low             Regular Expression Denial of Service

  Package         debug

  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0

  Dependency of   webpagetest [dev]

  Path            webpagetest > mocha > debug

  More info       https://nodesecurity.io/advisories/534

Is there any plan to work on that?

Ping @marcelduran, right now one of these dependencies gives a critical warning when you install. I would really want to get rid of it since it gives us that critical in our WebPageTest wrapper at work, and also for people that install sitespeed.io.

I can do a PR but want to know the plan. Right now the API supports NodeJS later than 0.10.1, but upgrading to at least Mocha 4 drops support for such an old NodeJS version. It would be sane to match the current LTS of Node and upgrade to the latest Mocha (6.x).

Also the tests now have test cases that result in:

 1) WPT test of test (not really an error)
       median.firstView.render: 793 should be less than 300:

      AssertionError [ERR_ASSERTION]: false == true
      + expected - actual

What's up with that? :)

Best
Peter

Is mocha even an actual dependency of this package?

If it's only used for the unit tests, it could be moved into the devDependencies quite easily, and from there it would no longer cause vulnerability warnings when people npm install the package, right?


Mocha is, I believe, a dependency because the library (webpagetest-api) can run the API as a test and return mocha results. So this makes it part of the library.
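The devDependencies question above comes down to whether the vulnerable path is rooted in a runtime dependency, which consumers install, or only in a dev dependency, which they do not. The following is an added example (my own code, not part of the webpagetest-api project) that makes that check explicit: it evaluates the report's "Patched in" ranges and classifies each finding as "runtime" or "dev-only" for a manifest before and after moving mocha. The lock tree, package versions and the function names `satisfies`, `findPaths` and `classify` are all constructed for illustration.

```javascript
// Added example, not project code: does an npm audit finding reach consumers?
// Paths rooted in runtime "dependencies" are installed by everyone who installs
// the package; paths rooted in "devDependencies" are not. All data is constructed.
// Minimal semver-range check for the "Patched in" syntax: "||" alternatives of
// ANDed comparators (e.g. ">= 2.6.9 < 3.0.0 || >= 3.1.0"). No prerelease support.
const parse = v => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
function satisfies(version, range) {
  const v = parse(version);
  return range.split('||').some(alt => {
    const comps = alt.match(/(>=|<=|>|<|=)\s*\d+\.\d+\.\d+/g) || [];
    return comps.length > 0 && comps.every(c => {
      const [, op, ver] = c.match(/(>=|<=|>|<|=)\s*(.+)/);
      const d = cmp(v, parse(ver));
      return { '>=': d >= 0, '<=': d <= 0, '>': d > 0, '<': d < 0, '=': d === 0 }[op];
    });
  });
}

// Every dependency path from root to target in a flattened lock tree.
function findPaths(root, tree, target, trail = []) {
  if (trail.includes(root) || !tree[root]) return [];   // cycle guard / not installed
  const here = [...trail, root];
  if (root === target) return [here];
  return Object.keys(tree[root].requires).flatMap(d => findPaths(d, tree, target, here));
}

// Per advisory: unpatched? reachable from runtime deps ("runtime"), only from
// devDependencies ("dev-only"), or not at all ("unreachable")?
function classify(manifest, tree, advisories) {
  const roots = key => Object.keys(manifest[key] || {});
  return advisories.map(adv => {
    const node = tree[adv.pkg];
    const vulnerable = !!node && !satisfies(node.version, adv.patched);
    const prod = roots('dependencies').flatMap(r => findPaths(r, tree, adv.pkg));
    const dev = roots('devDependencies').flatMap(r => findPaths(r, tree, adv.pkg));
    const scope = !vulnerable ? 'patched' : prod.length ? 'runtime' : dev.length ? 'dev-only' : 'unreachable';
    return { pkg: adv.pkg, severity: adv.severity, scope,
             paths: [...prod, ...dev].map(p => [manifest.name, ...p].join(' > ')) };
  });
}

// Constructed lock tree and advisories mirroring the report's paths; versions are placeholders.
const tree = { mocha: { version: '3.5.3', requires: { growl: '1.9.2', debug: '2.6.8' } },
               growl: { version: '1.9.2', requires: {} }, debug: { version: '2.6.8', requires: {} } };
const advisories = [{ pkg: 'growl', severity: 'critical', patched: '>=1.10.2' },
                    { pkg: 'debug', severity: 'low', patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0' }];
const asShipped = { name: 'webpagetest', dependencies: { mocha: '3.5.3' } };    // mocha at runtime
const mochaAsDev = { name: 'webpagetest', devDependencies: { mocha: '3.5.3' } }; // after the move
```

Running `classify(asShipped, tree, advisories)` reports both findings as "runtime" with the path `webpagetest > mocha > growl`, while `classify(mochaAsDev, tree, advisories)` reports them as "dev-only"; a real run would feed the tree from `npm ls --json` or the lockfile instead of the constructed one.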

Fixed in #128

I think we can close this then. Thanks!