Feb 25, 2019
NPM: webpack-dev-server High vulnerability
After running "spark new project-name" I got the following message:
added 1215 packages from 714 contributors and audited 11752 packages in 71.472s
found 2 vulnerabilities (1 low, 1 high)
run `npm audit fix` to fix them, or `npm audit` for details
As suggested, I first ran npm audit:
=== npm audit security report ===
# Run npm install [email protected] to resolve 2 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
Low Regular Expression Denial of Service
Package braces
Dependency of laravel-mix
Path laravel-mix > webpack-dev-server > http-proxy-middleware > micromatch > braces
More info https://nodesecurity.io/advisories/786
High Missing Origin Validation
Package webpack-dev-server
Dependency of laravel-mix
Path laravel-mix > webpack-dev-server
More info https://nodesecurity.io/advisories/725
found 2 vulnerabilities (1 low, 1 high) in 11752 scanned packages
2 vulnerabilities require semver-major dependency updates.
Then npm audit fix:
npm WARN [email protected] requires a peer of ajv@^6.9.1 but none is installed. You must install peer dependencies yourself.
npm WARN [email protected] requires a peer of imagemin@^5.0.0 || ^6.0.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
up to date in 7.197s
fixed 0 of 2 vulnerabilities in 11752 scanned packages
1 package update for 2 vulns involved breaking changes
(use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually)
npm install [email protected] seems to fix the problem:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
+ [email protected]
added 257 packages from 100 contributors, removed 505 packages, updated 161 packages, moved 8 packages and audited 14730 packages in 79.027s
found 0 vulnerabilities
Is it the right way to fix it?
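The audit output in the post has two things worth checking by hand before accepting `npm audit fix --force`: which direct dependency the vulnerable path enters through (here laravel-mix, not webpack-dev-server, which is why only a laravel-mix bump can resolve it) and whether npm's proposed action is semver-major. The script below is an added example, not code from the original post or from laravel-mix, that reads `npm audit --json` output and makes both facts explicit, then decides whether a CI job should fail. It assumes the npm 6 JSON report shape (`actions[].resolves[]` and an `advisories` map); the embedded report is a constructed stand-in for the two advisories in the post, and the `target` version and `dev` flag are placeholders/assumptions that are not shown on the page.

```javascript
// Added example, not from the original post: triage `npm audit --json` output.
// SAMPLE_AUDIT is a constructed stand-in for the npm 6 report behind the text
// above; the target version is a placeholder (the real one is not reproduced
// here) and `dev: true` is an assumption (laravel-mix is usually a devDependency).
const SAMPLE_AUDIT = {
  actions: [
    {
      action: "install",
      module: "laravel-mix",           // the direct dependency npm wants bumped
      target: "0.0.0-placeholder",     // placeholder, not the real target version
      isMajor: true,                   // corresponds to the "SEMVER WARNING" line
      resolves: [
        { id: 786, path: "laravel-mix>webpack-dev-server>http-proxy-middleware>micromatch>braces", dev: true },
        { id: 725, path: "laravel-mix>webpack-dev-server", dev: true },
      ],
    },
  ],
  advisories: {
    786: { id: 786, module_name: "braces", severity: "low",
           title: "Regular Expression Denial of Service", url: "https://nodesecurity.io/advisories/786" },
    725: { id: 725, module_name: "webpack-dev-server", severity: "high",
           title: "Missing Origin Validation", url: "https://nodesecurity.io/advisories/725" },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 1, critical: 0 } },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// For each advisory, work out which direct dependency the vulnerable path enters
// through, whether npm's proposed fix is a semver-major (breaking) bump, and
// whether the finding is only reachable through dev dependencies.
function summarize(audit) {
  const fixFor = new Map(); // advisory id -> { action, dev }
  for (const action of audit.actions || []) {
    for (const r of action.resolves || []) fixFor.set(r.id, { action, dev: r.dev });
  }
  return Object.values(audit.advisories || {}).map((adv) => {
    const fix = fixFor.get(adv.id);
    return {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      title: adv.title,
      directDependency: fix ? fix.action.module : null, // null: npm has no automatic fix
      breaking: fix ? Boolean(fix.action.isMajor) : null,
      devOnly: fix ? Boolean(fix.dev) : null,
      url: adv.url,
    };
  });
}

// CI gate: fail when any advisory is at or above `threshold`; with `ignoreDev`
// set, findings reachable only through dev dependencies do not fail the build.
function shouldFail(audit, threshold = "high", ignoreDev = false) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity threshold: ${threshold}`);
  return summarize(audit).some(
    (f) => SEVERITY_RANK[f.severity] >= min && !(ignoreDev && f.devOnly)
  );
}

// One line per advisory, making the direct dependency and the breaking-change
// status visible instead of buried in the path listing.
function formatReport(audit) {
  return summarize(audit)
    .map((f) =>
      `${f.severity.toUpperCase().padEnd(8)} ${f.module}: ${f.title}` +
      ` (via ${f.directDependency ?? "no automatic fix"}` +
      (f.breaking ? ", fix is semver-major" : "") +
      (f.devOnly ? ", dev only" : "") + `) ${f.url}`)
    .join("\n");
}

console.log(formatReport(SAMPLE_AUDIT));
console.log(shouldFail(SAMPLE_AUDIT, "high") ? "FAIL: high-severity advisory present" : "OK");
```

To run it against a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the text produced by `npm audit --json`. The `breaking` flag is the part that answers the question in the post: when it is true, `npm audit fix` will refuse to act (as the "fixed 0 of 2" line shows), and the only options are an explicit `npm install` of the new direct-dependency major, `--force`, or accepting the finding; for a dev-only tool such as a dev server, `shouldFail(audit, "high", true)` lets a team record that decision in the gate rather than silently ignoring the report.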