npm audit vulnerabilities

[henryprescott]

npm audit vulnerabilities & warnings.

Expected behavior

npm audit should not produce deprecation warnings or warn about vulnerabilities relating to keystone.

Actual/Current behavior

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > asyncdi > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > grappling-hook > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > embedly > lodash

More info https://nodesecurity.io/advisories/577

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of keystone

Path keystone > expression-match > lodash

More info https://nodesecurity.io/advisories/577

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > boom >
hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk >
cryptiles > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of keystone

Path keystone > less-middleware > less > request > hawk > sntp >
hoek

More info https://nodesecurity.io/advisories/566

Moderate Regular Expression Denial of Service

Package mime

Patched in >= 1.4.1 < 2.0.0 || >= 2.0.3

Dependency of keystone

Path keystone > embedly > superagent > mime

More info https://nodesecurity.io/advisories/535

Low Large gzip Denial of Service

Package superagent

Patched in >=3.7.0

Dependency of keystone

Path keystone > embedly > superagent

More info https://nodesecurity.io/advisories/479

found 10 vulnerabilities (5 low, 5 moderate) in 12806 scanned packages
10 vulnerabilities require manual review. See the full report for details.

Steps to reproduce the actual/current behavior

npm audit

Environment

Software	Version
Keystone	4.0.0
Node.js	10.13.0
OS	Windows 7
npm	6.4.0

[stennie]

@henryprescott While ideally npm audit should not produce any warnings, these issues need to be addressed in the upstream packages with flagged dependencies. Aside from less-middleware (which will be updated via #4822), there do not appear to be updated packages available for Keystone to require. Some of those packages haven't had releases in a few years, so it's possible there may be more actively maintained alternatives to use (appreciate if anyone would like to comment with suggestions).

Per the Manual Review information in the npm audit docs, it would be best to create issues (or PRs) in the upstream repos. I'll do so for these.

Regards,
Stennie

[stennie]

Issues/PRs for dependency updates:

• asyncdi: Update dependencies to resolve npm audit warnings JedWatson/asyncdi#7
• grappling-hook: Update dependencies to resolve npm audit warnings grappling-hook#58
• embedly: Please update dependencies to address npm audit warnings embedly/embedly-node#26
• expression-match: Update lodash to the latest version 🚀 inquisive/expression-match#40
• less-middleware: https://github.com/keystonejs/keystone/issues/4822

[henryprescott]

@stennie Thanks for the help, that's great. So now do we wait for those changes to get approved? It looks like some of those repos haven't been touched in a while!

[stennie]

@henryprescott Yes, have to wait for those commits to be merged and included in an npm release. If the repos aren't maintained and there's no response, we could continue ignoring the npm warnings, fork the package and re-release, or look for an alternative package that is actively maintained.

[henryprescott]

@stennie I've been doing some manual updating locally just to see how far I can get. I've managed to get down to 1 low vulnerability, before I run into an issue when running keystone.js:

<project directory>\node_modules\grappling-hook\index.js:498 var middleware = this.__grappling.middleware;
^
TypeError: Cannot read property '__grappling' of undefined at <project directory>\node_modules\grappling-hook\index.js:498:26 at arrayEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:516:11) at Function.forEach (<project directory>\node_modules\grappling-hook\node_modules\lodash\lodash.js:9344:14) at Keystone.allowHooks (<project directory>\node_modules\grappling-hook\index.js:493:5) at new Keystone (<project directory>\node_modules\keystone\index.js:25:24) at Object.<anonymous> (<project directory>\node_modules\keystone\index.js:140:33) at Module._compile (internal/modules/cjs/loader.js:688:30) at Object.Module._extensions..js (internal/modules/cjs/loader.js:699:10) at Module.load (internal/modules/cjs/loader.js:598:32) at tryModuleLoad (internal/modules/cjs/loader.js:537:12)

Did you have this issue when modifying grappling-hook - keystonejs/grappling-hook#58?