#50499 The tracking issue for npm audit fix commits
Opened 5 months ago by spichugi. Modified 19 hours ago

Issue Description

New vulnerabilities can arise from time to time in npm audit reports, and they should be addressed by running npm audit fix. Sometimes it can require manual intervention.

The PRs can be linked to this issue.


Metadata Update from @spichugi:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

5 months ago

Metadata Update from @mreynolds:
- Issue set to the milestone: FUTURE

4 months ago
NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log

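The npm 6 report above is what a gate such as audit-ci consumes. The following script is an added example, not code from the 389-console project or from audit-ci itself: it makes the same policy decision over that report format (fail when an advisory at or above a severity threshold is not explicitly allowlisted) and adds the option to ignore advisories that are reachable only through devDependencies, which is what all three eslint-utils paths above are according to their dev: true flags. The embedded sample report is constructed for the demonstration: advisory 1118 is abridged from the report pasted above, while advisory 9999 / example-lib is hypothetical and not a real npm advisory.

```javascript
// Added example, not part of the 389-console project or of audit-ci: a small CI gate
// over the `npm audit --json` report format shown above (npm 6 "advisories" layout).
// It fails when any advisory at or above a severity threshold is not allowlisted and
// can optionally ignore advisories that only reach devDependencies.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Evaluate a parsed audit report. Returns { ok, failing, allowed, ignoredDev }.
//   threshold      lowest severity that fails the build (default "high")
//   allowlist      advisory ids (numbers) that are accepted for now
//   productionOnly when true, advisories reachable only through devDependencies pass
function evaluateAudit(report, { threshold = "high", allowlist = [], productionOnly = false } = {}) {
  if (!(threshold in SEVERITY_RANK)) throw new Error(`unknown severity threshold: ${threshold}`);
  const minRank = SEVERITY_RANK[threshold];
  const allowed = new Set(allowlist.map(Number));
  const result = { ok: true, failing: [], allowed: [], ignoredDev: [] };

  // The "dev" flag lives on actions[].resolves, not on the advisory itself,
  // so index the resolves entries by advisory id first.
  const resolvesById = new Map();
  for (const action of report.actions || []) {
    for (const r of action.resolves || []) {
      if (!resolvesById.has(r.id)) resolvesById.set(r.id, []);
      resolvesById.get(r.id).push(r);
    }
  }

  for (const adv of Object.values(report.advisories || {})) {
    const rank = SEVERITY_RANK[adv.severity];
    if (rank === undefined) throw new Error(`advisory ${adv.id}: unknown severity ${adv.severity}`);
    if (rank < minRank) continue; // below the gate, report nothing

    const resolves = resolvesById.get(adv.id) || [];
    const devOnly = resolves.length > 0 && resolves.every((r) => r.dev);
    const entry = {
      id: adv.id,
      module: adv.module_name,
      severity: adv.severity,
      vulnerable: adv.vulnerable_versions,
      patched: adv.patched_versions,
      paths: (adv.findings || []).flatMap((f) => f.paths || []),
      devOnly,
    };

    if (allowed.has(adv.id)) {
      result.allowed.push(entry);
    } else if (productionOnly && devOnly) {
      result.ignoredDev.push(entry);
    } else {
      result.failing.push(entry);
    }
  }
  result.ok = result.failing.length === 0;
  return result;
}

// Render one line per advisory plus a verdict line, in the spirit of the CI output above.
function formatResult(result) {
  const lines = [];
  for (const e of result.failing) {
    lines.push(`FAIL ${e.severity} ${e.module} ${e.vulnerable} (advisory ${e.id}, ${e.paths.length} path(s), fix: ${e.patched})`);
  }
  for (const e of result.allowed) lines.push(`ALLOW ${e.severity} ${e.module} (advisory ${e.id})`);
  for (const e of result.ignoredDev) lines.push(`DEV ${e.severity} ${e.module} (advisory ${e.id})`);
  lines.push(result.ok ? "Security audit passed." : "Failed security audit.");
  return lines;
}

// Constructed sample report: advisory 1118 is abridged from the report pasted above;
// advisory 9999 / "example-lib" is hypothetical, invented only to exercise the
// production-dependency path, and is not a real npm advisory.
const SAMPLE_REPORT = {
  actions: [
    { action: "update", module: "eslint-utils", target: "1.4.2", depth: 3,
      resolves: [
        { id: 1118, path: "eslint>eslint-utils", dev: true, optional: false, bundled: false },
        { id: 1118, path: "eslint-plugin-node>eslint-utils", dev: true, optional: false, bundled: false },
      ] },
    { action: "install", module: "example-lib", target: "2.0.1", depth: 1,
      resolves: [{ id: 9999, path: "example-lib", dev: false, optional: false, bundled: false }] },
  ],
  advisories: {
    "1118": { id: 1118, module_name: "eslint-utils", severity: "critical", cwe: "CWE-94",
      vulnerable_versions: ">=1.2.0 <1.4.1", patched_versions: ">=1.4.1",
      findings: [{ version: "1.3.1", paths: ["eslint>eslint-utils", "eslint-plugin-node>eslint-utils"] }] },
    "9999": { id: 9999, module_name: "example-lib", severity: "moderate", cwe: "CWE-400",
      vulnerable_versions: "<2.0.1", patched_versions: ">=2.0.1",
      findings: [{ version: "2.0.0", paths: ["example-lib"] }] },
  },
};

// Stand-alone run: compare three policies a team typically weighs against each other.
for (const opts of [{ threshold: "high" }, { threshold: "high", allowlist: [1118] }, { threshold: "moderate", productionOnly: true }]) {
  console.log(`policy ${JSON.stringify(opts)}`);
  for (const line of formatResult(evaluateAudit(SAMPLE_REPORT, opts))) console.log("  " + line);
}
```

Two caveats when using a gate like this. First, the layout parsed here is the npm 6 one shown on this page; npm 7 and later emit a different JSON shape (a top-level vulnerabilities object keyed by package name), so the parser needs adapting there. Second, productionOnly is a weaker policy than it looks for this particular advisory: eslint-utils is dev-only, but the advisory describes code execution during linting, which is exactly the step that runs on developer machines and CI, so an allowlist entry for an advisory like 1118 should be tied to a ticket such as this one and revisited rather than treated as resolved.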
Commit 2e85b4a relates to this ticket

Fixes npm "handlebar" audit alert

Commit 2e85b4a relates to this ticket

67d69bf..4f84db6 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

Commit 5202ad8 relates to this ticket

Fixes npm "handlebar" audit alert - again

1299143..5202ad8 master -> master
9c210f7..49c7044 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

Commit b1d67c1 relates to this ticket

Commit 9f47598 relates to this ticket

Commit 80e0ce2 relates to this ticket
a9fa0ad..d619905 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
