Vulnerabilities in packages - NPM #1760

Open
@HerreraG

Issue type

I'm submitting a ... (check one with "x")

  • bug report
  • feature request
  • question about the decisions made in the repository

Issue description

Current behavior:
When I run npm install, npm informs me that it found 22 vulnerabilities.
I leave the report here.

found 22 vulnerabilities (11 low, 5 moderate, 6 high) run `npm audit fix` to fix them, or `npm audit` for details

# Run  npm install --save-dev [email protected]  to resolve 13 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change

  Low             Prototype Pollution
  Package         lodash
  Dependency of   karma [dev]
  Path            karma > lodash
  More info       https://nodesecurity.io/advisories/577

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > engine.io > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-adapter > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-adapter > socket.io-parser > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > socket.io-parser > debug
  More info       https://nodesecurity.io/advisories/534

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-parser > debug
  More info       https://nodesecurity.io/advisories/534

  High            Denial of Service
  Package         ws
  Dependency of   karma [dev]
  Path            karma > socket.io > engine.io > ws
  More info       https://nodesecurity.io/advisories/550

  High            Denial of Service
  Package         ws
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client > ws
  More info       https://nodesecurity.io/advisories/550

  High            Regular Expression Denial of Service
  Package         parsejson
  Dependency of   karma [dev]
  Path            karma > socket.io > socket.io-client > engine.io-client > parsejson
  More info       https://nodesecurity.io/advisories/528

  Low             Cryptographically Weak PRNG
  Package         randomatic
  Dependency of   karma [dev]
  Path            karma > chokidar > anymatch > micromatch > braces > expand-range > fill-range > randomatic
  More info       https://nodesecurity.io/advisories/157

# Run  npm install --save-dev [email protected]  to resolve 8 vulnerabilities

  High            Denial of Service
  Package         https-proxy-agent
  Dependency of   protractor [dev]
  Path            protractor > saucelabs > https-proxy-agent
  More info       https://nodesecurity.io/advisories/593

  High            Denial of Service
  Package         ws
  Dependency of   protractor [dev]
  Path            protractor > webdriver-js-extender > selenium-webdriver > ws
  More info       https://nodesecurity.io/advisories/550

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  High            Regular Expression Denial of Service
  Package         sshpk
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > http-signature > sshpk
  More info       https://nodesecurity.io/advisories/606

  Moderate        Out-of-bounds Read
  Package         stringstream
  Dependency of   protractor [dev]
  Path            protractor > webdriver-manager > request > stringstream
  More info       https://nodesecurity.io/advisories/664

# Run  npm update fill-range --depth 5  to resolve 1 vulnerability

  Low             Cryptographically Weak PRNG
  Package         randomatic
  Dependency of   stylelint [dev]
  Path            stylelint > micromatch > braces > expand-range > fill-range > randomatic
  More info       https://nodesecurity.io/advisories/157

Expected behavior:
No high vulnerabilities.

Steps to reproduce:
Clone the starter-kit project and run npm install

Other information:

  • Angular CLI: 6.0.0
  • Node: 8.9.3
  • NPM: 6.1.0
  • OS: win32 x64
  • Angular: 6.0.0

Thank you and excuse me for my English.
Regards
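Every "Dependency of" entry in the report above ends in a [dev] root (karma, protractor, stylelint), so these packages run in the test and build tooling rather than in the shipped application. A CI gate that treats all 22 findings the same cannot show that distinction. The script below is an added example, not code from the starter-kit project or from the issue author: it consumes the JSON form of the same report (`npm audit --json`), assuming the npm 6 report shape (a top-level `advisories` object keyed by advisory id, each advisory carrying `id`, `module_name`, `severity`, `title`, `url` and `findings[]`, where each finding has `paths[]` written as `a>b>c` and a boolean `dev` flag), dedupes advisories across dependency paths, counts findings per direct dependency, and fails the build only when a path at or above the chosen severity reaches a non-dev root. The embedded sample report is constructed from four of the advisories in the issue (577, 534, 550, 157); the file name `audit-triage.js` in the usage comment is a placeholder.

```javascript
// Added example (not the starter-kit project's or the issue author's code):
// triage helper for `npm audit --json`. Assumed npm 6 report shape: top-level
// "advisories" keyed by id, each with id, module_name, severity, title, url and
// findings[], every finding carrying paths[] ("a>b>c") and a boolean dev flag.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten every advisory into one row per dependency path.
function flattenAdvisories(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        rows.push({
          id: adv.id,
          pkg: adv.module_name,
          severity: adv.severity,
          title: adv.title,
          root: path.split('>')[0], // direct dependency that pulls the package in
          path,
          dev: Boolean(finding.dev),
        });
      }
    }
  }
  return rows;
}

// Summarise the report and decide whether a CI gate should fail.
// Only paths reaching a non-dev root at or above `failAt` block the build;
// dev-only findings are counted so they get upgraded, but do not block.
function triageAudit(report, failAt = 'high') {
  const rows = flattenAdvisories(report);
  const threshold = SEVERITY_RANK[failAt];
  const byRoot = {};
  for (const r of rows) byRoot[r.root] = (byRoot[r.root] || 0) + 1;
  const prodBlocking = rows.filter(
    (r) => !r.dev && SEVERITY_RANK[r.severity] >= threshold
  );
  return {
    totalPaths: rows.length,
    uniqueAdvisories: new Set(rows.map((r) => r.id)).size,
    devOnlyPaths: rows.filter((r) => r.dev).length,
    byRoot,
    prodBlocking,
    shouldFail: prodBlocking.length > 0,
  };
}

// Constructed sample in the assumed shape, built from four advisories in the
// issue's report (577, 534, 550, 157); every path there ends in a [dev] root.
const SAMPLE_REPORT = {
  advisories: {
    577: { id: 577, module_name: 'lodash', severity: 'low', title: 'Prototype Pollution',
           url: 'https://nodesecurity.io/advisories/577',
           findings: [{ dev: true, paths: ['karma>lodash'] }] },
    534: { id: 534, module_name: 'debug', severity: 'low',
           title: 'Regular Expression Denial of Service',
           url: 'https://nodesecurity.io/advisories/534',
           findings: [{ dev: true, paths: [
             'karma>socket.io>debug',
             'karma>socket.io>engine.io>debug',
             'karma>socket.io>socket.io-adapter>debug',
             'karma>socket.io>socket.io-client>debug',
             'karma>socket.io>socket.io-client>engine.io-client>debug',
             'karma>socket.io>socket.io-adapter>socket.io-parser>debug',
             'karma>socket.io>socket.io-client>socket.io-parser>debug',
             'karma>socket.io>socket.io-parser>debug',
           ] }] },
    550: { id: 550, module_name: 'ws', severity: 'high', title: 'Denial of Service',
           url: 'https://nodesecurity.io/advisories/550',
           findings: [{ dev: true, paths: [
             'karma>socket.io>engine.io>ws',
             'karma>socket.io>socket.io-client>engine.io-client>ws',
             'protractor>webdriver-js-extender>selenium-webdriver>ws',
           ] }] },
    157: { id: 157, module_name: 'randomatic', severity: 'low',
           title: 'Cryptographically Weak PRNG',
           url: 'https://nodesecurity.io/advisories/157',
           findings: [{ dev: true, paths: [
             'karma>chokidar>anymatch>micromatch>braces>expand-range>fill-range>randomatic',
             'stylelint>micromatch>braces>expand-range>fill-range>randomatic',
           ] }] },
  },
};

// Usage (file name is a placeholder):
//   npm audit --json > audit.json && node audit-triage.js audit.json
// Without an argument the constructed sample is triaged instead.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const report = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_REPORT;
  const result = triageAudit(report);
  console.log(JSON.stringify(result, null, 2));
  process.exitCode = result.shouldFail ? 1 : 0;
}
```

On the sample, all 14 paths are dev-only and `shouldFail` is false, which is the honest answer to "Expected behavior: no high vulnerabilities" for the shipped bundle; the per-root counts (12 via karma, 1 via protractor, 1 via stylelint) point at the same two upgrades the audit output recommends, and upgrading them is still the right move because the tooling runs on developer machines and CI.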
