Last active
March 9, 2021 10:59
-
-
Save mtreacy002/592b670535b1d367a867615365f1aa33 to your computer and use it in GitHub Desktop.
Vulnerability reports on new npm install
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| === npm audit security report === | |
| # Run npm install react-scripts@4.0.3 to resolve 2 vulnerabilities | |
| SEMVER WARNING: Recommended action is a potentially breaking change | |
| High Prototype Pollution | |
| Package object-path | |
| Dependency of react-scripts | |
| Path react-scripts > resolve-url-loader > adjust-sourcemap-loader | |
| > object-path | |
| More info https://npmjs.com/advisories/1573 | |
| High Prototype Pollution | |
| Package immer | |
| Dependency of react-scripts | |
| Path react-scripts > react-dev-utils > immer | |
| More info https://npmjs.com/advisories/1603 | |
| # Run npm update ini --depth 5 to resolve 1 vulnerability | |
| Low Prototype Pollution | |
| Package ini | |
| Dependency of react-scripts | |
| Path react-scripts > react-dev-utils > global-modules > | |
| global-prefix > ini | |
| More info https://npmjs.com/advisories/1589 | |
| # Run npm update elliptic --depth 6 to resolve 2 vulnerabilities | |
| Moderate Use of a Broken or Risky Cryptographic Algorithm | |
| Package elliptic | |
| Dependency of react-scripts | |
| Path react-scripts > webpack > node-libs-browser > | |
| crypto-browserify > browserify-sign > elliptic | |
| More info https://npmjs.com/advisories/1648 | |
| Moderate Use of a Broken or Risky Cryptographic Algorithm | |
| Package elliptic | |
| Dependency of react-scripts | |
| Path react-scripts > webpack > node-libs-browser > | |
| crypto-browserify > create-ecdh > elliptic | |
| More info https://npmjs.com/advisories/1648 | |
| found 5 vulnerabilities (1 low, 2 moderate, 2 high) in 1733 scanned packages | |
| run `npm audit fix` to fix 3 of them. | |
| 2 vulnerabilities require semver-major dependency updates. | |
| # After running `npm audit fix` | |
| final result: | |
| fixed 3 of 5 vulnerabilities in 1733 scanned packages | |
| 1 package update for 2 vulnerabilities involved breaking changes | |
| (use `npm audit fix --force` to install breaking changes; or refer to `npm audit` for steps to fix these manually) | |
| # After fix audit report | |
| === npm audit security report === | |
| # Run npm install react-scripts@4.0.3 to resolve 2 vulnerabilities | |
| SEMVER WARNING: Recommended action is a potentially breaking change | |
| High Prototype Pollution | |
| Package object-path | |
| Dependency of react-scripts | |
| Path react-scripts > resolve-url-loader > adjust-sourcemap-loader | |
| > object-path | |
| More info https://npmjs.com/advisories/1573 | |
| High Prototype Pollution | |
| Package immer | |
| Dependency of react-scripts | |
| Path react-scripts > react-dev-utils > immer | |
| More info https://npmjs.com/advisories/1603 | |
| found 2 high severity vulnerabilities in 1733 scanned packages | |
| 2 vulnerabilities require semver-major dependency updates. | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment