Menu
=== npm audit security report ===
┌───────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└───────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼───────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼───────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼───────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass │
├───────────────┼───────────────────────────────────────────────────┤
│ Path │ gulp-sass > node-sass > node-gyp > tar │
├───────────────┼───────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴───────────────────────────────────────────────────┘
found 1 high severity vulnerability in 7659 scanned packages
1 vulnerability requires manual review. See the full report for details.
261
Try running npm update command. It will update all the package minor versions to the latest and may fix potential security issues. If you have a vulnerability that requires manual review, you will have to raise a request to the maintainers of the dependent package to get an update.
Audit Signatures To ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.
You can get npm audit to ignore issues of a certain severity (but only for its exit code) by setting the audit-level option. You can tell npm audit fix to only fix production dependencies with npm audit fix --only=prod .
My suggestion would be to attempt to upgrade, but they do look to be dependant on 3rd party packages.
For the regexDOS, if the right input goes in, it could grind things down to a stop. Unlike the second vulnerability. You should stride to upgrade this one first or remove it completely if you can't.
But js-yaml might keep some connections lingering for longer than it should, if in the unlikely case that you can't upgrade, there are packages out there that you could use to monitor and close off remaining http connections and cheaply hold-off a small dos attack. Fail2ban * Splunk for monitoring spring to mind for linux :)
111
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
