This post was first published on my Developer Blog, June 5, 2018.
First Github started letting us know about
npm package vulnerabilities in our Github repos. Now
Nodejs has followed suit and does the same in our local repos via command line.
It took me a little while to figure out how to fix these vulnerabilities. It was a matter of not so hot
npm documentation. It seems that it has since improved! Node Security is very new, after all! Links to better documentation is now included in our vulnerability warnings in Terminal (Mac OSX).
Currently I am working on an app using
bcrypt, among others. I wanted to include the
sequelize-cli, and did so with the command
npm i sequelize-cli --save
However, once installed, I got the following warning in Terminal:
firstname.lastname@example.org added 53 packages from 34 contributors and audited 2069 packages in 10.745s found 1 low severity vulnerability run `npm audit fix` to fix them, or `npm audit` for details
First I followed the instructions to fix the vulnerability with
npm audit fix
That did not work. I got the warning
up to date in 2.155s fixed 0 of 1 vulnerability in 2069 scanned packages 1 vulnerability required manual review and could not be updated
Then I ran
information included a link to Node Security with next steps to take:
npm audit ✖ ✹ ✭ === npm audit security report === ┌──────────────────────────────────────────────────────────────────────────────┐ │ Manual Review │ │ Some vulnerabilities require your attention to resolve │ │ │ │ Visit https://go.npm.me/audit-guide for additional guidance │ └──────────────────────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Prototype Pollution │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ deep-extend │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.5.1 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ bcrypt │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ bcrypt > node-pre-gyp > rc > deep-extend │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/612 │ └───────────────┴──────────────────────────────────────────────────────────────┘
It involved the package
deep-extend, which is a dependency of
bcrypt, both which I have included in my root dependencies. I got the following information on
deep-extend in the Node Security link:
Overview Versions of deep-extend before 0.5.1 are vulnerable to prototype pollution. Remediation Update to version 0.5.1 or later.
When I ran
npm audit in Terminal, it told me to go into the package located in
node_modules and check that a
package-lock.json actually existed. If not, I should create one:
✖ ✹ ✭ npm ERR! code EAUDITNOLOCK npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile npm ERR! audit Try creating one first with: npm i --package-lock-only npm ERR! A complete log of this run can be found in: npm ERR! /Users/mariacam/.npm/_logs/2018-06-05T10_22_24_882Z-debug.log
But first I got rid of my top level
package-lock.json so that I could actually upgrade
deep-extend. If I had kept it,
deep-extend would just be re-installed with the same version. To learn more, please visit package-lock.json on npmjs.com.
After I deleted the top-level
package-lock.json, I went into
node_modules, which contained the
deep-extend dependency, and saw that there was no
package-lock.json. I ran the following command to create one for
npm i --package-lock-only
After running it, I got back the following warning in Terminal:
created a lockfile as package-lock.json. You should commit this file. added 839 packages from 79 contributors and audited 4797 packages in 17.936s found 18 vulnerabilities (3 low, 9 moderate, 5 high, 1 critical) run `npm audit fix` to fix them, or `npm audit` for details
I went back up to the root directory and ran the following command:
npm i email@example.com
Again, I got the following warning in Terminal:
firstname.lastname@example.org added 1 package from 5 contributors, updated 1 package and audited 2070 packages in 3.454s found 1 low severity vulnerability run `npm audit fix` to fix them, or `npm audit` for details
This installed the version needed to get rid of the vulnerability, as mentioned earlier.
Now I was ready to run the command
npm audit fix
and afterwards received
audited 2070 packages in 3.049s found 0 vulnerabilities
I had also received a warning for the npm package
sharp, and had uninstalled it, Now, if I really wanted to, I could re-install and fix the vulnerability. This also goes for any vulnerabilities you may have to fix on your remote repos on Github! I know I have a few to address!