
Vulnerabilities found after npm install #3

Closed
dangelion opened this issue Apr 14, 2019 · 6 comments
Comments

@dangelion

Hi
after running npm install I get this message:

added 1743 packages from 735 contributors and audited 15913 packages in 43.147s
found 13 vulnerabilities (1 low, 10 moderate, 2 high)
  run `npm audit fix` to fix them, or `npm audit` for details

What's wrong?
Thanks

@pnikolov
Member

Hi,

Thanks for sharing your feedback. It turns out that there are dev dependencies that have been reported to be vulnerable to Arbitrary File Overwrite (tar - reported 3 days ago, sass/node-sass#2625).
All those are dev dependencies of node-sass with high severity, but as those packages should not be part of your production code, there is no actual risk.

Anyway, I've reviewed the full npm audit report, addressed all the reported issues and just released Release 2.4.1 - Release Notes

  • NPM audit review and dependency packages updates
  • Auto fixing with npm audit fix
  • Manually updated
    • updated tar to 4.4.2 dependency path node-sass > node-gyp > tar - more info
    • updated braces to 2.3.2 dependency path browser-sync > micromatch > braces - more info
  • README file updated
  • Added instructions on how to update/migrate to a newer version of this setup.

So, to resolve all reported vulnerabilities, update to the 2.4.1 release and make a clean install afterwards by running:

$ npm run ci

More instructions can be found in the README#clean-install.

@pnikolov
Member

I've just republished Release 2.4.1 to correctly reference the updated package.json version. So feel free to install / update.

@dangelion
Author

Hi @pnikolov
thanks for the fast answer! It's solved.
Hope you're going to maintain this boilerplate for a long time; we're considering adopting it for our projects. 👍

@pnikolov pnikolov self-assigned this Apr 15, 2019
@dangelion
Author

Hi @pnikolov
I downloaded the new release 2.4.2 and after npm install I get again:

found 2 vulnerabilities (1 low, 1 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Let me know
Thanks

@pnikolov pnikolov reopened this Apr 22, 2019
@pnikolov
Member

Thanks for the feedback. I was not aware that after updating the package version it would reintroduce the latest official versions of the referenced dependency trees. I've released v2.4.3 and have additionally simulated a clean install, and here is the result:

added 1774 packages from 738 contributors and audited 15992 packages in 50.103s
found 0 vulnerabilities

Note: We are still waiting for a new release of node-sass that will not rely on the outdated tar and will simplify our release process.

@pnikolov
Member

pnikolov commented Apr 22, 2019

I've just released Release 2.5.0

The main reason for this is the behaviour of the npm install command. Every time you execute npm install, it will rewrite your package-lock.json file and will reintroduce the current security issues inherited from the development packages of the package dependencies (tar from node-sass > node-gyp > tar and braces from browser-sync > micromatch > braces).

So, from now on, use only the npm ci command for setup/installation. It will respect the package-lock.json file and will not overwrite it. More on the npm clean install command can be read here: npm ci
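Two points in this thread are worth being able to check mechanically rather than by eye: the maintainer's argument that the flagged tar and braces copies are dev-only and so never ship with production code, and the later observation that the committed package-lock.json (the file npm ci respects) is the tree that actually gets installed. The script below is an added example, not code from this repository or from npm. It walks a constructed package.json and a constructed lockfileVersion 1 package-lock.json (the layout npm 6 wrote at the time of this issue: hoisted packages under the top-level "dependencies" map, non-hoisted copies in a nested "dependencies" map, and "dev": true on packages reachable only through devDependencies), resolves "requires" the way npm does (innermost nested map first, then outward to the root), and reports every path to a target package with its installed version and dev-only flag. The package names node-sass, node-gyp, tar, browser-sync, micromatch and braces come from the thread; "upload-helper" and all version numbers are made up for the sample.

```python
import json

# Constructed sample package.json (only the two sections the walker needs).
SAMPLE_PACKAGE = {
    "dependencies": {"upload-helper": "^1.0.0"},  # hypothetical production dependency
    "devDependencies": {"node-sass": "^4.11.0", "browser-sync": "^2.26.3"},
}

# Constructed sample package-lock.json in npm 6's lockfileVersion 1 layout.
# Versions are illustrative and not taken from the project discussed in the thread.
SAMPLE_LOCK = {
    "lockfileVersion": 1,
    "dependencies": {
        "node-sass": {"version": "4.11.0", "dev": True, "requires": {"node-gyp": "^3.8.0"}},
        "node-gyp": {
            "version": "3.8.0", "dev": True, "requires": {"tar": "^2.0.0"},
            # tar 2.x could not be hoisted because a different tar sits at the root
            "dependencies": {"tar": {"version": "2.2.1", "dev": True}},
        },
        "browser-sync": {"version": "2.26.3", "dev": True, "requires": {"micromatch": "^2.3.11"}},
        "micromatch": {
            "version": "2.3.11", "dev": True, "requires": {"braces": "^1.8.2"},
            "dependencies": {"braces": {"version": "1.8.5", "dev": True}},
        },
        "upload-helper": {"version": "1.0.0", "requires": {"tar": "^4.4.2"}},
        "tar": {"version": "4.4.8"},  # hoisted copy used by the production dependency
    },
}


def resolve(name, scopes):
    """Resolve a required package name the way npm does: innermost nested
    'dependencies' map first, then each enclosing map out to the root."""
    for scope in scopes:
        if name in scope:
            return scope[name]
    return None


def dependency_paths(package, lock, target):
    """Return every path from a direct dependency down to `target`, with the
    version installed on that path and whether npm flagged that copy as dev-only."""
    root = lock.get("dependencies", {})
    found = []

    def walk(name, node, scopes, path):
        path = path + [name]
        if name == target:
            found.append({
                "path": " > ".join(path),
                "version": node.get("version"),
                "dev": bool(node.get("dev", False)),
            })
            return
        nested = node.get("dependencies")
        inner = ([nested] if nested else []) + scopes
        for req in node.get("requires", {}):
            child = resolve(req, inner)
            if child is None or req in path:  # unresolved entry or a cycle: stop here
                continue
            walk(req, child, inner, path)

    for section in ("dependencies", "devDependencies"):
        for name in package.get(section, {}):
            node = root.get(name)
            if node is not None:
                walk(name, node, [root], [])
    return sorted(found, key=lambda f: f["path"])


def production_exposure(package, lock, target):
    """Split the paths to `target` into copies that ship with the app and dev-only copies."""
    paths = dependency_paths(package, lock, target)
    return {
        "production": [p for p in paths if not p["dev"]],
        "dev_only": [p for p in paths if p["dev"]],
    }


if __name__ == "__main__":
    # Swap the constructed samples for json.load(open("package.json")) and
    # json.load(open("package-lock.json")) to run this against a real checkout.
    for pkg in ("tar", "braces"):
        print(json.dumps({pkg: production_exposure(SAMPLE_PACKAGE, SAMPLE_LOCK, pkg)}, indent=2))
```

On the sample data, tar shows up twice: the 2.2.1 copy under node-sass > node-gyp > tar is dev-only, while the 4.4.8 copy under upload-helper > tar is a production path, which is exactly the distinction the maintainer draws when deciding whether an audit finding is an actual risk. Because the walker reads the lockfile as committed, running it right after npm ci (which leaves package-lock.json untouched) reports the tree that was really installed, whereas running it after npm install would report whatever tree npm just rewrote.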
