This post was first published on my Developer Blog, June 5, 2018.
First Github started letting us know about npm package vulnerabilities
in our Github repos. Now Nodejs
has followed suit and does the same in our local repos via command line.
It took me a little while to figure out how to fix these vulnerabilities. It was a matter of not so hot npm documentation
. It seems that it has since improved! Node Security is very new, after all! Links to better documentation is now included in our vulnerability warnings in Terminal (Mac OSX).
Currently I am working on an app using express
, nodejs
, sequelize
, express-session
, bcrypt
, among others. I wanted to include the sequelize-cli
, and did so with the command
npm i sequelize-cli --save
However, once installed, I got the following warning in Terminal:
sequelize-cli@4.0.0
added 53 packages from 34 contributors and audited 2069 packages in 10.745s
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
First I followed the instructions to fix the vulnerability with
npm audit fix
That did not work. I got the warning
up to date in 2.155s
fixed 0 of 1 vulnerability in 2069 scanned packages
1 vulnerability required manual review and could not be updated
Then I ran
npm audit
information included a link to Node Security with next steps to take:
npm audit ✖ ✹ ✭
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=0.5.1 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ bcrypt │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ bcrypt > node-pre-gyp > rc > deep-extend │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/612 │
└───────────────┴──────────────────────────────────────────────────────────────┘
It involved the package deep-extend
, which is a dependency of sequelize-cli
and bcrypt
, both which I have included in my root dependencies. I got the following information on deep-extend
in the Node Security link:
Overview
Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution.
Remediation
Update to version 0.5.1 or later.
When I ran npm audit
in Terminal, it told me to go into the package located in node_modules
and check that a package-lock.json
actually existed. If not, I should create one:
✖ ✹ ✭
npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! A complete log of this run can be found in:
npm ERR! /Users/mariacam/.npm/_logs/2018-06-05T10_22_24_882Z-debug.log
But first I got rid of my top level package-lock.json
so that I could actually upgrade deep-extend
. If I had kept it, deep-extend
would just be re-installed with the same version. To learn more, please visit package-lock.json on npmjs.com.
After I deleted the top-level package-lock.json
, I went into sequelize-cli
in node_modules
, which contained the deep-extend
dependency, and saw that there was no package-lock.json
. I ran the following command to create one for sequelize-cli
:
npm i --package-lock-only
After running it, I got back the following warning in Terminal:
created a lockfile as package-lock.json. You should commit this file.
added 839 packages from 79 contributors and audited 4797 packages in 17.936s
found 18 vulnerabilities (3 low, 9 moderate, 5 high, 1 critical)
run `npm audit fix` to fix them, or `npm audit` for details
I went back up to the root directory and ran the following command:
npm i deep-extend@0.5.1
Again, I got the following warning in Terminal:
deep-extend@0.5.1
added 1 package from 5 contributors, updated 1 package and audited 2070 packages in 3.454s
found 1 low severity vulnerability
run `npm audit fix` to fix them, or `npm audit` for details
This installed the version needed to get rid of the vulnerability, as mentioned earlier.
Now I was ready to run the command
npm audit fix
and afterwards received
audited 2070 packages in 3.049s
found 0 vulnerabilities
I had also received a warning for the npm package sharp
, and had uninstalled it, Now, if I really wanted to, I could re-install and fix the vulnerability. This also goes for any vulnerabilities you may have to fix on your remote repos on Github! I know I have a few to address!
Top comments (0)