#50499 The tracking issue for npm audit fix commits
Opened 3 months ago by spichugi. Modified 16 days ago

Issue Description

New vulnerabilities can arise from time to time in npm audit reports, and they should be addressed by running `npm audit fix`. Sometimes this can require manual intervention.

The PRs can be linked to this issue.


Metadata Update from @spichugi:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

3 months ago

Metadata Update from @mreynolds:
- Issue set to the milestone: FUTURE

2 months ago
NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log
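As an added example (not code from the 389-console project or from audit-ci), here is a minimal gate in JavaScript over the npm audit JSON format pasted above: it fails on advisories at or above a severity threshold the way the `audit-ci` step did, and shows why the summary reports "critical": 3 for a single advisory. `auditFindings`, `auditGate`, the `ignoreDev` option and the trimmed sample report are constructed for this illustration.

```javascript
// Added example, not code from 389-console or audit-ci: a minimal CI gate over
// the npm audit (v6-format) report shown above. Names here are illustrative.
const SEVERITIES = ["info", "low", "moderate", "high", "critical"];

// Collect advisories at or above `threshold`. `devOnly` is true when every
// `actions[].resolves[]` entry for that advisory is flagged `dev: true`.
function auditFindings(report, threshold) {
  const min = SEVERITIES.indexOf(threshold);
  if (min < 0) throw new Error(`unknown severity: ${threshold}`);
  const devOnly = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      devOnly.set(r.id, (devOnly.has(r.id) ? devOnly.get(r.id) : true) && r.dev === true);
    }
  }
  const findings = [];
  for (const adv of Object.values(report.advisories || {})) {
    if (SEVERITIES.indexOf(adv.severity) < min) continue;
    findings.push({
      id: adv.id, module: adv.module_name, severity: adv.severity,
      patched: adv.patched_versions,
      paths: adv.findings.flatMap((f) => f.paths),
      devOnly: devOnly.get(adv.id) === true,
    });
  }
  return findings;
}

// Decide pass/fail like the "Failed security audit due to critical
// vulnerabilities" step above. `pathCount` sums dependency paths, which is
// why the report's summary says "critical": 3 for a single advisory.
// `ignoreDev` (constructed option) lets dev-only findings through.
function auditGate(report, threshold = "high", { ignoreDev = false } = {}) {
  const findings = auditFindings(report, threshold).filter((f) => !(ignoreDev && f.devOnly));
  const pathCount = findings.reduce((n, f) => n + f.paths.length, 0);
  return { fail: findings.length > 0, pathCount, findings };
}

// Constructed sample: trimmed from the advisory 1118 report in this ticket.
const sampleReport = {
  actions: [{ action: "update", module: "eslint-utils", target: "1.4.2", resolves: [
    { id: 1118, path: "eslint>eslint-utils", dev: true },
    { id: 1118, path: "eslint-plugin-node>eslint-plugin-es>eslint-utils", dev: true },
    { id: 1118, path: "eslint-plugin-node>eslint-utils", dev: true } ] }],
  advisories: { "1118": { id: 1118, module_name: "eslint-utils", severity: "critical",
    patched_versions: ">=1.4.1", findings: [{ version: "1.3.1", paths: [
      "eslint>eslint-utils", "eslint-plugin-node>eslint-plugin-es>eslint-utils",
      "eslint-plugin-node>eslint-utils" ] }] } },
};
console.log(JSON.stringify(auditGate(sampleReport, "high"), null, 2));
```

Run with `node` against the output of `npm audit --json` (replacing `sampleReport`) to reproduce the gate locally before pushing a fix.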

Commit 2e85b4a relates to this ticket

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
