Frontmatter
id: 135
title: Found 10 vulnerabilities (3 moderate, 5 high, 2 critical) after ran npm install
state: Closed
labels: bug, stale
assignees: []
createdAt: Nov 29, 2019, 2:26 PM
updatedAt: Sep 29, 2024, 4:38 AM
githubUrl: https://github.com/neomjs/neo/issues/135
author: bsourcecorp
commentsCount: 6
parentIssue: null
subIssues: []
subIssuesCompleted: 0
subIssuesTotal: 0
blockedBy: []
blocking: []
closedAt: Sep 29, 2024, 4:38 AM

Found 10 vulnerabilities (3 moderate, 5 high, 2 critical) after ran npm install

bsourcecorp commented on Nov 29, 2019, 2:26 PM

I (Daniel da Cunha Bueno, from Brazil) found this problem when I ran npm install.

The following message is shown:

found 10 vulnerabilities (3 moderate, 5 high, 2 critical)

View the full installation log:

[image: Neo mjs - npm install]
[image: Neo mjs - npm audit fix]

npm WARN deprecated pygmentize-bundled@2.3.0: no longer maintained

deasync@0.1.16 install D:\Git\danielcbueno\tests\neo\neo\node_modules\deasync
node ./build.js

win32-x64-node-10 exists; testing
Binary is fine; exiting

node-sass@4.13.0 install D:\Git\danielcbueno\tests\neo\neo\node_modules\node-sass
node scripts/install.js

Downloading binary from https://github.com/sass/node-sass/releases/download/v4.13.0/win32-x64-64_binding.node
Download complete.
Binary saved to D:\Git\danielcbueno\tests\neo\neo\node_modules\node-sass\vendor\win32-x64-64\binding.node
Caching binary to C:\Users\daniel.bueno\AppData\Roaming\npm-cache\node-sass\4.13.0\win32-x64-64_binding.node

node-sass@4.13.0 postinstall D:\Git\danielcbueno\tests\neo\neo\node_modules\node-sass
node scripts/build.js

Binary found at D:\Git\danielcbueno\tests\neo\neo\node_modules\node-sass\vendor\win32-x64-64\binding.node
Testing binary
Binary is fine
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN sass-loader@8.0.0 requires a peer of sass@^1.3.0 but none is installed. You must install peer dependencies yourself.
npm WARN sass-loader@8.0.0 requires a peer of fibers@>=3.1.0 but none is installed. You must install peer dependencies yourself.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

added 1303 packages from 667 contributors and audited 11245 packages in 165.73s
found 10 vulnerabilities (3 moderate, 5 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

After that I ran the npm audit fix command as recommended.

And the bugs were fixed.

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.9 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.9: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

up to date in 7,192s
fixed 0 of 10 vulnerabilities in 11245 scanned packages
  10 vulnerabilities required manual review and could not be updated

My version of npm is npm@6.11.2 and my OS is **Windows 10 Pro x64**.

Hope this helps.

bsourcecorp added the bug label on Nov 29, 2019, 2:26 PM
bsourcecorp Nov 29, 2019, 2:32 PM

I duplicated one of the images by mistake.

Disregard the extra image.

tobiu Nov 29, 2019, 3:37 PM

Hi Daniel,

thx for looking into it. The best (visual) way to check for errors is in my opinion npm audit.

[Screenshot 2019-11-29 at 15 31 17]
[Screenshot 2019-11-29 at 15 31 49]

So basically, neo includes 2 packages which contain errors.

  1. We can remove markdown2html (already using showdown instead for md parsing inside the real world app).

  2. I already pinged Mats & Nickolay (Bryntum) about the Siesta issues a while ago. These errors seem to be inside packages which require packages and not inside the direct dependencies, so it might be tricky to patch them.

tobiu cross-referenced by #136 on Nov 29, 2019, 3:41 PM
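As an added example (not code from the neo project or from this thread), the script below reads npm 6 style `npm audit --json` output (shape assumed from the npm 6 format; the sample data is constructed inline) and attributes each advisory to the direct dependency whose tree pulls it in, which makes the "inside packages which require packages" situation visible at a glance; advisories that npm marks as having no patched version are listed separately, since those are the ones `npm audit fix` cannot resolve and leaves for manual review.

```javascript
// Constructed sample in the shape of npm 6 `npm audit --json` output (assumed shape).
// Module names are placeholders, not real packages.
const sampleAudit = {
  advisories: {
    "1001": { module_name: "deep-lib", severity: "critical", patched_versions: ">=2.0.0",
              findings: [{ version: "1.0.0", paths: ["test-runner-x>helper-y>deep-lib"] }] },
    "1002": { module_name: "md-tool", severity: "moderate", patched_versions: ">=0.6.0",
              findings: [{ version: "0.5.0", paths: ["md-tool"] }] },
    "1003": { module_name: "other-lib", severity: "high", patched_versions: "<0.0.0",
              findings: [{ version: "3.1.0",
                           paths: ["test-runner-x>other-lib", "test-runner-x>helper-y>other-lib"] }] }
  }
};

// Returns severity counts plus, per top-level dependency, which vulnerable modules are
// the dependency itself (direct) and which sit deeper in its tree (transitive).
// patched_versions "<0.0.0" is npm's marker for "no fix available" (assumed convention).
function summarizeAudit(audit) {
  const counts = { low: 0, moderate: 0, high: 0, critical: 0 };
  const roots = {};
  for (const adv of Object.values(audit.advisories)) {
    counts[adv.severity] = (counts[adv.severity] || 0) + 1;
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split(">");          // "a>b>c": a is the direct dependency
        const root = chain[0];
        if (!roots[root]) roots[root] = { direct: new Set(), transitive: new Set(), unpatched: new Set() };
        (chain.length === 1 ? roots[root].direct : roots[root].transitive).add(adv.module_name);
        if (adv.patched_versions === "<0.0.0") roots[root].unpatched.add(adv.module_name);
      }
    }
  }
  // Sets deduplicate modules reached via several paths; sort for stable reporting.
  for (const r of Object.values(roots)) {
    for (const k of ["direct", "transitive", "unpatched"]) r[k] = [...r[k]].sort();
  }
  return { counts, roots };
}

// Renders a summary in the same style as the npm install footer, then one line per root.
function formatReport(summary) {
  const c = summary.counts;
  const total = c.low + c.moderate + c.high + c.critical;
  const lines = [`found ${total} vulnerabilities (${c.moderate} moderate, ${c.high} high, ${c.critical} critical)`];
  for (const [root, r] of Object.entries(summary.roots)) {
    lines.push(`${root}: direct=[${r.direct}] transitive=[${r.transitive}] no-fix=[${r.unpatched}]`);
  }
  return lines.join("\n");
}

console.log(formatReport(summarizeAudit(sampleAudit)));
```

Pipe real output in with `npm audit --json > audit.json` and replace `sampleAudit` with `JSON.parse(fs.readFileSync("audit.json"))`; a root with entries only under `transitive` and `no-fix` is one you can only resolve by upgrading or replacing that top-level dependency.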
bsourcecorp Nov 29, 2019, 3:45 PM

OK,

I appreciate helping your project, and this is the first project I am following and interacting with in English, so if I say anything outside of what you expect, please let me know.

I will continue to test and develop after work.

tobiu Nov 29, 2019, 4:01 PM

Hi Daniel,

I added a code of conduct from Mozilla. This one is basically saying "be nice" or more precisely don't be mean to anyone on a personal level. Otherwise any kind of feedback is helpful and appreciated. Especially reporting bugs & vulnerabilities is a good thing.

It is also extremely helpful to upvote or comment on tickets which are important for you. This will definitely influence the current roadmap.

I removed the html2markdown dependency.

There are 7 vulnerabilities left (1 critical, 5 high, 1 medium), and they are all related to Siesta light. I also ran npm outdated => 0 dependencies.

[Screenshot 2019-11-29 at 15 56 04]

@github-actions - 2024-09-14T02:28:15Z

This issue is stale because it has been open for 90 days with no activity.

  • 2024-09-14T02:28:15Z @github-actions added the stale label

@github-actions - 2024-09-29T02:38:36Z

This issue was closed because it has been inactive for 14 days since being marked as stale.

  • 2024-09-29T02:38:37Z @github-actions closed this issue