Install via NPM reports Vulnerabilities
Fraserhoenes opened this issue · 4 comments
Expected Behavior
- run npm install -g is-website-vulnerable
- returns added 294 packages, audited 294 packages in [x] seconds
- returns found 0 vulnerabilities
Current Behavior
- run npm install -g is-website-vulnerable
- returns added 294 packages, audited 294 packages in [x] seconds
- returns 9 vulnerabilities (3 low, 6 high)
Possible Solution
Unsure
Steps to Reproduce (for bugs)
See above, and if this is reproducible / if anyone else is getting these vulnerable packages on install, or whether this is a local issue specific to my environment.
Apologies in advance if this isn't an issue with the package, or is only temporary!
Your Environment
- Library Version: v? (latest pulled from npm is-website-vulnerable package)
- Node.js: v15.3.0
- Npm: v7.0.15
- macOS / OSx: v10.15.7
There are indeed 2 issues as we can see here: https://snyk.io/test/github/lirantal/is-website-vulnerable
- is-url-superb we can upgrade to version 5.0.0 the latest which fixes the indirect security issue, see here on the Advisor to validate:
- lighthouse - we're on the latest version and there are indeed indirect vulnerabilities there, not a lot to do about it.
@Fraserhoenes if you want to suggest a pull request to upgrade the is-url-superb version to latest major I'll be merging it gladly.
I'm not crazy experienced but I've forked and I'll give it a go; before committing, check my PR carefully when it comes 😄
No worries at all, happy to review :-)
Security vulnerabilities indeed exist here but none of this is a direct issue for the CLI.
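The direct-versus-indirect distinction drawn in this thread can be read out of an `npm audit --json` report (npm 7+, `auditReportVersion` 2) by triaging it per direct dependency. This is an added example, not code from the thread or the project; the report below is constructed, and the `example-transitive-*` package names, severities and advisory titles are placeholders.

```javascript
// Added example. Constructed report in the `npm audit --json` shape of npm 7+
// (auditReportVersion 2); the example-transitive-* names are placeholders.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    "is-url-superb": { name: "is-url-superb", severity: "high", isDirect: true,
      via: ["example-transitive-a"],
      fixAvailable: { name: "is-url-superb", version: "5.0.0", isSemVerMajor: true } },
    "example-transitive-a": { name: "example-transitive-a", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory A", severity: "high" }],
      fixAvailable: { name: "is-url-superb", version: "5.0.0", isSemVerMajor: true } },
    "lighthouse": { name: "lighthouse", severity: "high", isDirect: true,
      via: ["example-transitive-b"], fixAvailable: false },
    "example-transitive-b": { name: "example-transitive-b", severity: "high", isDirect: false,
      via: ["example-transitive-c"], fixAvailable: false },
    "example-transitive-c": { name: "example-transitive-c", severity: "high", isDirect: false,
      via: [{ title: "Constructed advisory C", severity: "high" }], fixAvailable: false },
  },
};

// Follow the string entries in `via` down to the packages that carry an advisory.
function advisorySources(vulns, name, seen = new Set()) {
  if (seen.has(name) || !vulns[name]) return [];
  seen.add(name);
  return (vulns[name].via || []).flatMap((v) =>
    typeof v === "string"
      ? advisorySources(vulns, v, seen)
      : [{ pkg: name, title: v.title, severity: v.severity }]);
}

// One row per direct dependency: where the advisory lives and what can be done.
function triage(report) {
  const vulns = report.vulnerabilities || {};
  return Object.values(vulns).filter((v) => v.isDirect).map((v) => {
    const sources = advisorySources(vulns, v.name);
    const fix = v.fixAvailable;
    return {
      dependency: v.name,
      severity: v.severity,
      ownAdvisory: sources.some((s) => s.pkg === v.name),
      advisoryPackages: [...new Set(sources.map((s) => s.pkg))],
      action: !fix ? "no fix available"
        : fix === true ? "npm audit fix"
        : `upgrade ${fix.name} to ${fix.version}${fix.isSemVerMajor ? " (semver-major)" : ""}`,
    };
  });
}

console.log(JSON.stringify(triage(sampleReport), null, 2));
```

To run it on a real report, replace `sampleReport` with the parsed output of `npm audit --json` from the project directory.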