This repository has been archived by the owner on Aug 7, 2021. It is now read-only.

1.4.0, npm audit issues #1107

Closed
dmytro-gokun opened this issue Dec 26, 2019 · 4 comments

Comments

@dmytro-gokun

dmytro-gokun commented Dec 26, 2019

When doing npm install, I get some audit warnings:

                       === npm audit security report ===

# Run  npm update css --depth 4  to resolve 1 vulnerability

  Moderate        Out-of-bounds Read
  Package         atob
  Dependency of   nativescript-dev-webpack [dev]
  Path            nativescript-dev-webpack > resolve-url-loader > rework > css
                  > source-map-resolve > atob
  More info       https://npmjs.com/advisories/646

# Run  npm update terser-webpack-plugin --depth 3  to resolve 1 vulnerability

  Moderate        Cross-Site Scripting
  Package         serialize-javascript
  Dependency of   nativescript-dev-webpack [dev]
  Path            nativescript-dev-webpack > webpack > terser-webpack-plugin >
                  serialize-javascript
  More info       https://npmjs.com/advisories/1426

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Moderate        Out-of-bounds Read
  Package         atob
  Patched in      >=2.1.0
  Dependency of   nativescript-dev-webpack [dev]
  Path            nativescript-dev-webpack > css > source-map-resolve > atob
  More info       https://npmjs.com/advisories/646

  Moderate        Cross-Site Scripting
  Package         serialize-javascript
  Patched in      >=2.1.1
  Dependency of   nativescript-dev-webpack [dev]
  Path            nativescript-dev-webpack > copy-webpack-plugin >
                  serialize-javascript
  More info       https://npmjs.com/advisories/1426

  Moderate        Cross-Site Scripting
  Package         serialize-javascript
  Patched in      >=2.1.1
  Dependency of   nativescript-dev-webpack [dev]
  Path            nativescript-dev-webpack > terser-webpack-plugin >
                  serialize-javascript
  More info       https://npmjs.com/advisories/1426

@PatrickLohan

PatrickLohan commented Jan 3, 2020

#1105
Already been reported.

@NickIliev
Contributor

Closing as duplicate of #1105

@dmytro-gokun
Author

dmytro-gokun commented Jan 3, 2020

That's very nice it's a duplicate. But is there any actual intent to fix it? I mean it's a security issue, it should be high on the team's list, shouldn't it?

NB: it's not a true duplicate as #1105 is about 1.3.0 and this one is about 1.4.0

@edusperoni
Contributor

@dmytro-gokun usually security issues are high priority, especially on the web. That said, app environments are very controlled and all the needed JS is packaged into the final bundle (no external JS can be injected). Most of the time, an XSS vulnerability will not affect a NS/RN app.

The other vulnerability you posted (Out-of-bounds Read) is used by source-map-resolve, which is not used in a non-debug environment.

I'm obviously not saying they shouldn't be fixed, just giving some context as to why they might be considered low priority issues, which is why users are welcome to submit PRs to fix them (see #1105 (comment)), especially considering these might be very easy fixes (update packages and run tests).
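To triage a report like the one above the way this comment reasons (paths reachable only through devDependencies versus code that ships in the bundle), here is an added example; it is not code from the issue thread or from the NativeScript project. It reads the JSON form of the same report (`npm audit --json`, in the layout npm 6 emitted: an `advisories` map whose entries carry `findings` with `dev` and `paths`; that layout is an assumption of this example) and splits advisories into dev-only ones and ones that can reach the runtime bundle. The sample report is constructed by hand from the two advisories quoted in the issue; the installed versions in it are made up.

```javascript
// Added example, not code from the issue or the NativeScript project.
// Triages an `npm audit --json` report (assumed npm 6 layout: top-level
// "advisories" keyed by id, each with "findings" carrying "dev" and "paths")
// into findings that only reach the project through devDependencies versus
// ones that can end up in the shipped bundle. SAMPLE_REPORT is constructed
// by hand to mirror the two advisories quoted in the issue; the "version"
// values are made up.

const SAMPLE_REPORT = {
  advisories: {
    "646": {
      id: 646,
      module_name: "atob",
      severity: "moderate",
      title: "Out-of-bounds Read",
      patched_versions: ">=2.1.0",
      findings: [
        {
          version: "2.0.0", // constructed
          dev: true,
          paths: [
            "nativescript-dev-webpack>resolve-url-loader>rework>css>source-map-resolve>atob",
            "nativescript-dev-webpack>css>source-map-resolve>atob",
          ],
        },
      ],
    },
    "1426": {
      id: 1426,
      module_name: "serialize-javascript",
      severity: "moderate",
      title: "Cross-Site Scripting",
      patched_versions: ">=2.1.1",
      findings: [
        {
          version: "2.1.0", // constructed
          dev: true,
          paths: [
            "nativescript-dev-webpack>webpack>terser-webpack-plugin>serialize-javascript",
            "nativescript-dev-webpack>copy-webpack-plugin>serialize-javascript",
            "nativescript-dev-webpack>terser-webpack-plugin>serialize-javascript",
          ],
        },
      ],
    },
  },
};

// Parse "1.2.3" into [1, 2, 3]; a prerelease suffix is ignored for this check.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// True when `installed` is at or above the floor of a ">=x.y.z" patched range,
// false when it is below. Only the ">=" form shown in the report above is
// handled; any other range syntax returns null (unknown) rather than guessing.
function meetsPatchedRange(installed, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedRange.trim());
  if (!m) return null;
  const a = parseVersion(installed);
  const b = parseVersion(m[1]);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Reduce one advisory to what triage needs: whether every finding is a dev
// path, which direct dependencies pull the module in, and whether an
// installed version is still below the patched floor.
function triageAdvisory(adv) {
  const findings = adv.findings || [];
  const devOnly = findings.length > 0 && findings.every((f) => f.dev === true);
  const directDeps = new Set();
  for (const f of findings) {
    for (const p of f.paths) directDeps.add(p.split(">")[0]);
  }
  const stillVulnerable = findings.some(
    (f) => meetsPatchedRange(f.version, adv.patched_versions) === false
  );
  return {
    id: adv.id,
    module: adv.module_name,
    severity: adv.severity,
    title: adv.title,
    patchedIn: adv.patched_versions,
    devOnly,
    directDeps: [...directDeps].sort(),
    stillVulnerable,
  };
}

// Split the report into findings that can ship at runtime and ones confined
// to the build toolchain. Dev-only findings are listed, not dropped: that
// code still runs on developer and CI machines.
function triageReport(report) {
  const rows = Object.values(report.advisories || {}).map(triageAdvisory);
  return {
    runtime: rows.filter((r) => !r.devOnly),
    devOnly: rows.filter((r) => r.devOnly),
  };
}

// Usage: node triage.js [audit.json]   (falls back to the constructed sample)
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const report = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_REPORT;
  const { runtime, devOnly } = triageReport(report);
  for (const r of runtime) console.log(`RUNTIME  ${r.severity} ${r.module} (${r.title}) patched in ${r.patchedIn}`);
  for (const r of devOnly) console.log(`DEV-ONLY ${r.severity} ${r.module} via ${r.directDeps.join(", ")} patched in ${r.patchedIn}`);
}

if (typeof module !== "undefined") {
  module.exports = { SAMPLE_REPORT, meetsPatchedRange, triageAdvisory, triageReport };
}
```

Run against the constructed sample, both advisories land in the dev-only group with `nativescript-dev-webpack` as the only direct dependency, which matches the `[dev]` marker in the text report. The `stillVulnerable` flag is the check to re-run after `npm update`: it compares the installed version against the `Patched in` floor the report prints, so a bump that lands below that floor is caught instead of assumed fixed.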
