Open
Description
After installing dependencies, npm notifies me of some security issues with the nightwatch package. I don't know if this is easily fixable; I am reporting it just in case.
Detailed output
Software version and init
$ nodejs --version
v8.12.0
$ npm --version
6.4.1
$ vue init pwa vue-pizza
[...]
$ cd vue-pizza
Output of npm install
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: Switch to the `bfj` package for fixes and new features!
npm WARN deprecated [email protected]: Browserslist 2 could fail on reading Browserslist >3.0 config used in other tools.
npm WARN deprecated [email protected]: CircularJSON is in maintenance only, flatted is its successor.
npm WARN deprecated [email protected]: If using 2.x branch, please upgrade to at least 2.1.6 to avoid a serious bug with socket data flow and an import issue introduced in 2.1.0
> [email protected] install /home/rrobby/vue-pizza/node_modules/chromedriver
> node install.js
Downloading https://chromedriver.storage.googleapis.com/2.43/chromedriver_linux64.zip
Saving to /tmp/chromedriver/chromedriver_linux64.zip
Received 781K...
Received 1568K...
Received 2352K...
Received 3136K...
Received 3920K...
Received 3987K total.
Extracting zip contents
Copying to target path /home/rrobby/vue-pizza/node_modules/chromedriver/lib/chromedriver
Fixing file permissions
Done. ChromeDriver binary available at /home/rrobby/vue-pizza/node_modules/chromedriver/lib/chromedriver/chromedriver
> [email protected] postinstall /home/rrobby/vue-pizza/node_modules/uglifyjs-webpack-plugin
> node lib/post_install.js
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 1350 packages from 975 contributors and audited 9602 packages in 42.421s
found 6 vulnerabilities (1 low, 4 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
┌──────────────────────────────────────────────────────────┐
│ npm update check failed │
│ Try running with sudo or get access │
│ to the local update config store via │
│ sudo chown -R $USER:$(id -gn $USER) /home/rrobby/.config │
└──────────────────────────────────────────────────────────┘
Output of the suggested npm audit command
=== npm audit security report ===
# Run npm install --save-dev [email protected] to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Regular Expression Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > mocha-nightwatch > debug │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/534 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > mocha-nightwatch > growl │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/146 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > proxy-agent > http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/607 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > proxy-agent > pac-proxy-agent > │
│ │ http-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/607 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > proxy-agent > https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/593 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Denial of Service │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nightwatch [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ nightwatch > proxy-agent > pac-proxy-agent > │
│ │ https-proxy-agent │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/593 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 vulnerabilities (1 low, 4 high, 1 critical) in 9602 scanned packages
6 vulnerabilities require semver-major dependency updates.