New vulnerabilities can arise from time to time in npm audit reports, and they should be addressed by running npm audit fix. Sometimes it can require manual intervention.
npm audit
npm audit fix
The PRs can be linked to this issue.
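As an added example (not code from the 389-ds-base project or from audit-ci itself), here is the kind of severity gate the `audit-ci` step applies to `npm audit --json` output: the report below is a constructed sample that mirrors the fields of the npm 6 report pasted later in this ticket, and the second advisory (id 9999, `example-pkg`) is made up so the threshold logic has something to let through.

```javascript
// Added example, not code from 389-ds-base or from audit-ci: a minimal gate in the
// spirit of `audit-ci --config audit-ci.json`, run over the shape of `npm audit --json`
// (npm 6) that this ticket pastes. Levels follow npm's own severity names.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report: same fields as the ticket's output, plus a made-up
// second advisory (id 9999) so the threshold logic has something to let through.
const SAMPLE_REPORT = {
  advisories: {
    "1118": {
      id: 1118, module_name: "eslint-utils", severity: "critical",
      vulnerable_versions: ">=1.2.0 <1.4.1", patched_versions: ">=1.4.1",
      findings: [{ version: "1.3.1", paths: ["eslint>eslint-utils", "eslint-plugin-node>eslint-utils"] }],
    },
    "9999": {
      id: 9999, module_name: "example-pkg", severity: "low",
      vulnerable_versions: "<2.0.0", patched_versions: ">=2.0.0",
      findings: [{ version: "1.0.0", paths: ["some-tool>example-pkg"] }],
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 1, moderate: 0, high: 0, critical: 1 } },
};

// Returns { ok, blocking, counts }. `failOn` is the lowest severity that fails the
// build; `allowlist` holds advisory ids a team has knowingly accepted for now.
function auditGate(report, { failOn = "high", allowlist = [] } = {}) {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) throw new Error(`unknown severity level: ${failOn}`);
  const blocking = [];
  for (const adv of Object.values(report.advisories || {})) {
    if (allowlist.includes(adv.id)) continue;
    if ((SEVERITY_RANK[adv.severity] ?? 0) < threshold) continue;
    blocking.push({
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      // Dependency chains that pull the vulnerable version in; `npm audit fix`
      // can only resolve these when every chain accepts the patched range.
      paths: (adv.findings || []).flatMap((f) => f.paths),
      upgradeTo: adv.patched_versions,
    });
  }
  return { ok: blocking.length === 0, blocking, counts: (report.metadata || {}).vulnerabilities };
}

// Stand-alone run: the critical advisory blocks, the low one shows up in counts only.
console.log(JSON.stringify(auditGate(SAMPLE_REPORT, { failOn: "critical" }), null, 2));
```

Lowering `failOn` to `low` is what turned the later "low: 126" report in this ticket from a passing build into something that still had to be fixed by hand.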
https://pagure.io/389-ds-base/pull-request/50500
Metadata Update from @spichugi: - Custom field origin adjusted to None - Custom field reviewstatus adjusted to None
Metadata Update from @mreynolds: - Issue set to the milestone: FUTURE
NPM audit report JSON:

    {
      "actions": [
        {
          "action": "update",
          "resolves": [
            { "id": 1118, "path": "eslint>eslint-utils", "dev": true, "optional": false, "bundled": false },
            { "id": 1118, "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils", "dev": true, "optional": false, "bundled": false },
            { "id": 1118, "path": "eslint-plugin-node>eslint-utils", "dev": true, "optional": false, "bundled": false }
          ],
          "module": "eslint-utils",
          "target": "1.4.2",
          "depth": 3
        }
      ],
      "advisories": {
        "1118": {
          "findings": [
            {
              "version": "1.3.1",
              "paths": [
                "eslint>eslint-utils",
                "eslint-plugin-node>eslint-plugin-es>eslint-utils",
                "eslint-plugin-node>eslint-utils"
              ]
            }
          ],
          "id": 1118,
          "created": "2019-08-20T15:17:53.538Z",
          "updated": "2019-08-22T18:54:18.136Z",
          "deleted": null,
          "title": "Arbitrary Code Execution",
          "found_by": { "link": "", "name": "Toru Nagashima" },
          "reported_by": { "link": "", "name": "Toru Nagashima" },
          "module_name": "eslint-utils",
          "cves": [],
          "vulnerable_versions": ">=1.2.0 <1.4.1",
          "patched_versions": ">=1.4.1",
          "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
          "recommendation": "Upgrade to version 1.4.1 or later.",
          "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
          "access": "public",
          "severity": "critical",
          "cwe": "CWE-94",
          "metadata": { "module_type": "", "exploitability": 3, "affected_components": "" },
          "url": "https://npmjs.com/advisories/1118"
        }
      },
      "muted": [],
      "metadata": {
        "vulnerabilities": { "info": 0, "low": 0, "moderate": 0, "high": 0, "critical": 3 },
        "dependencies": 2883,
        "devDependencies": 7047,
        "optionalDependencies": 280,
        "totalDependencies": 10113
      },
      "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
    }

    Failed security audit due to critical vulnerabilities. Exiting...
    npm ERR! code ELIFECYCLE
    npm ERR! errno 1
    npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
    npm ERR! Exit status 1
    npm ERR!
    npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
    npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log
https://pagure.io/389-ds-base/pull-request/50560
Commit 2e85b4a relates to this ticket
Fixes npm "handlebar" audit alert
67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Commit 5202ad8 relates to this ticket
Fixes npm "handlebar" audit alert - again
1299143..5202ad8 master -> master
9c210f7..49c7044 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Commit b1d67c1 relates to this ticket
Commit 9f47598 relates to this ticket
Commit 80e0ce2 relates to this ticket
a9fa0ad..d619905 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Commit a66fe15 relates to this ticket
bf8b4af..a66fe15 master -> master
74046ab..1cda41b 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
610d2f5..88b5cd3 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
@spichugi, nightly build failed due to https://www.npmjs.com/advisories/1179
"vulnerabilities": { "info": 0, "low": 0, "moderate": 126, "high": 0, "critical": 0 },
Could you please take a look?
The build now works, since the vulnerability got lower severity, but it still needs to be fixed.
"vulnerabilities": { "info": 0, "low": 126, "moderate": 0, "high": 0, "critical": 0 },
Fixed latest audit issues, updated existing npm packages, and removed unused packages...
https://pagure.io/389-ds-base/pull-request/51049
Commit 53e9d9f relates to this ticket
Nightly build failed due to npm audit ci:
"vulnerabilities": { "info": 0, "low": 8, "moderate": 17, "high": 0, "critical": 0 },
https://npmjs.com/advisories/1500
https://npmjs.com/advisories/1518
Commit 9afa669 relates to this ticket
d3ae07a..d411837 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
703d857..14c7a3c 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
41e0f4b..62cc505 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Another one https://www.npmjs.com/advisories/1522 (high)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3555
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)