j-andrews7/Genotify

Vulnerabilities with `npm install`

Closed this issue · 4 comments

Installing from source (either release 1.2.1 or latest master branch) issues a warning about vulnerabilities:

npm install

added 275 packages from 317 contributors and audited 862 packages in 207.604s
found 18 vulnerabilities (7 moderate, 10 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

npm audit fix fixes most of them, but two need manual intervention:


                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Cross-Site Scripting (XSS)                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 6e44d50bacc878a1fec8f2e35b9e15154e57a73f67b28be770f40b01236… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 6e44d50bacc878a1fec8f2e35b9e15154e57a73f67b28be770f40b01236… │
│               │ > jquery                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/328                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ jquery                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.4.0                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ 6e44d50bacc878a1fec8f2e35b9e15154e57a73f67b28be770f40b01236… │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ 6e44d50bacc878a1fec8f2e35b9e15154e57a73f67b28be770f40b01236… │
│               │ > jquery                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/796                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 moderate, 1 high) in 867 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

Thanks for the report. Yeah, I've been getting e-mails about these. I'm just wary of updating everything without testing first, and I've just been lazy about it. I will take a look this weekend and try to patch #40 while investigating #42 as well.

This has been fixed by 893ecd1.

Actually, the two above warnings continue. On the bright side, 893ecd1 fixed #42 and now the electron build compiles and runs correctly.

Ah, so these are the result of the ProtVista protein viewer having a jquery dependency itself. Updating to 3.4 doesn't seem to affect its function, which is good, but it does cause some wonkiness with the expression widget that I haven't seen before. I will see if I can figure it out, but I have been mostly "plug & play"-ing these widgets given that they aren't exactly simple.

If I can't figure it out, I will likely roll back to the old version of jquery and just live with it.