$ npm audit : 68 vulnerabilities found - 20 low | 33 moderate | 15 high
Hi, after installing a package from npm, I was prompted to run npm audit and it returned some vulnerabilities. I was working in react-native, where I found 3-4 security issues, and on checking my Laravel project I discovered
110 low | 35 moderate | 19 high
I have been trying to fix these with the given commands and have reduced the numbers to
20 low | 33 moderate | 15 high
But I am not sure how to proceed further. Should I drill down into each child node_modules folder and update dependencies manually?
Some of the suggested fixes include:
# Run `npm install [email protected]` to resolve 9 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
# Run `npm install [email protected]` to resolve 4 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
npm update node-pre-gyp --depth 6 // doesn't do anything
Most of these vulnerabilities are to do with hoek, webpack, deep-extend and gulp, which laravel-mix depends on. Running npm update laravel-mix or npm install --save laravel-mix doesn't do anything either.
Some of the vulnerabilities:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tough-cookie │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ laravel-mix │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ laravel-mix > webpack-dev-server > chokidar > fsevents > │
│ │ node-pre-gyp > request > tough-cookie │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/525 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ sshpk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ webpack > watchpack > chokidar > fsevents > node-pre-gyp > │
│ │ request > http-signature > sshpk │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/606 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/118 │
└───────────────┴──────────────────────────────────────────────────────────────┘