npm audit fix downgrades to 2.0.0-dev9
Version info:
2.0.0-28
Steps to reproduce:
mkdir example
cd example
npm init --force
npm install --save artillery
npx artillery version
npm audit fix
npx artillery version
Shell session running the commands above with some long irrelevant output replaced with ...:
$ mkdir example
$ cd example
$ npm init --force
...
...
$ npm install --save artillery
...
...
7 vulnerabilities (4 moderate, 2 high, 1 critical)
To address all issues, run:
npm audit fix
Run `npm audit` for details.
$ npx artillery version
...
...
VERSION INFO:
Artillery: 2.0.0-28
Node.js: v18.1.0
OS: linux
$ npm audit fix
npm WARN audit fix [email protected] node_modules/tap/node_modules/minimatch
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN audit fix [email protected] node_modules/tap/node_modules/json5
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN audit fix [email protected] node_modules/tap/node_modules/minimist
npm WARN audit fix [email protected] is a bundled dependency of
npm WARN audit fix [email protected] [email protected] at node_modules/tap
npm WARN audit fix [email protected] It cannot be fixed automatically.
npm WARN audit fix [email protected] Check for updates to the tap package.
npm WARN deprecated [email protected]: This module relies on Node.js's internals and will break at some point. Do not use it, and update to [email protected].
npm WARN deprecated [email protected]: flatten is deprecated in favor of utility frameworks such as lodash.
npm WARN deprecated [email protected]: The sprintf package is deprecated in favor of sprintf-js.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated [email protected]: This version of Artillery is outdated, please upgrade to a more recent one.
added 446 packages, removed 754 packages, changed 41 packages, and audited 817 packages in 10s
110 packages are looking for funding
run `npm fund` for details
# npm audit report
dot-prop <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/utils-is-little-endian/node_modules/dot-prop
configstore 2.0.0 - 2.1.0 || 3.1.3
Depends on vulnerable versions of dot-prop
node_modules/utils-is-little-endian/node_modules/configstore
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of configstore
Depends on vulnerable versions of latest-version
node_modules/artillery-pro/node_modules/update-notifier
node_modules/ava/node_modules/update-notifier
node_modules/update-notifier
node_modules/utils-is-little-endian/node_modules/update-notifier
artillery >=1.5.7-0
Depends on vulnerable versions of artillery-pro
Depends on vulnerable versions of ava
Depends on vulnerable versions of update-notifier
node_modules/artillery
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava
ejs <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/ejs
artillery-pro *
Depends on vulnerable versions of cfn
Depends on vulnerable versions of ejs
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of update-notifier
node_modules/artillery-pro
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/artillery-pro/node_modules/package-json/node_modules/got
node_modules/package-json/node_modules/got
node_modules/utils-is-little-endian/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/artillery-pro/node_modules/package-json
node_modules/package-json
node_modules/utils-is-little-endian/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/artillery-pro/node_modules/latest-version
node_modules/latest-version
node_modules/utils-is-little-endian/node_modules/latest-version
jsonwebtoken <=8.5.1
Severity: high
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
jsonwebtoken has insecure input validation in jwt.verify function - https://github.com/advisories/GHSA-27h2-hvpr-p74q
fix available via `npm audit fix`
node_modules/jsonwebtoken
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
cfn >=1.6.0
Depends on vulnerable versions of meow
node_modules/cfn
14 vulnerabilities (4 moderate, 7 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
$ npx artillery version
ARTILLERY DEV PREVIEW 🚀
Please report bugs on https://github.com/artilleryio/artillery/issues
artillery/2.0.0-dev9 linux-x64 node-v18.1.0
I expected to see this happen:
I expected npm audit fix to fix the problems.
Instead, this happened:
npm audit fix downgraded from 2.0.0-28 to 2.0.0-dev9 which just has other/more issues. It seems to me that there is something screwed up with the version numbers since npm audit fix considers it valid to move from 2.0.0-28 to 2.0.0-dev9.
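As an added illustration (not code from the reporter, the artillery project or npm): the ordering that makes this downgrade look like an upgrade to a tool that sorts by semver precedence follows from the semver 2.0.0 spec, section 11.4. Prerelease identifiers are compared dot-separated field by field, numeric identifiers compare numerically, alphanumeric identifiers compare in ASCII order, and a numeric identifier always has lower precedence than an alphanumeric one, so 2.0.0-28 sorts below 2.0.0-dev9. The comparator below is hand-written from those rules; it is not npm's resolver, and whether npm audit fix picks versions on this basis alone is not established in this thread. The sample list is constructed from version strings that appear in this thread.

```javascript
// Added example: semver precedence per semver.org spec (section 11),
// implemented by hand. Not artillery or npm code.

const SEMVER_RE = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/;
const NUMERIC_RE = /^\d+$/;

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is
// ignored for precedence, as the spec requires.
function parseSemver(version) {
  const m = SEMVER_RE.exec(version.trim());
  if (!m) throw new Error(`not a semver string: ${version}`);
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: Number(m[3]),
    prerelease: m[4] ? m[4].split('.') : [],
  };
}

// Spec 11.4: numeric vs numeric -> numeric order; alphanumeric vs
// alphanumeric -> ASCII order; numeric always ranks below alphanumeric.
function compareIdentifier(a, b) {
  const aNum = NUMERIC_RE.test(a);
  const bNum = NUMERIC_RE.test(b);
  if (aNum && bNum) return Math.sign(Number(a) - Number(b));
  if (aNum) return -1;
  if (bNum) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a sort comparator: negative means x < y.
function compareSemver(x, y) {
  const a = parseSemver(x);
  const b = parseSemver(y);
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  // Same core version: a prerelease ranks below the plain release.
  if (a.prerelease.length === 0 && b.prerelease.length === 0) return 0;
  if (a.prerelease.length === 0) return 1;
  if (b.prerelease.length === 0) return -1;
  const n = Math.min(a.prerelease.length, b.prerelease.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdentifier(a.prerelease[i], b.prerelease[i]);
    if (c !== 0) return c;
  }
  // All shared identifiers equal: the larger set of identifiers ranks higher.
  return Math.sign(a.prerelease.length - b.prerelease.length);
}

// Sort ascending by precedence; the last element is the "highest" version.
function sortByPrecedence(versions) {
  return [...versions].sort(compareSemver);
}

function highestPrecedence(versions) {
  const sorted = sortByPrecedence(versions);
  return sorted[sorted.length - 1];
}

// Constructed sample: version strings taken from this thread, in publish
// order as a registry might list them.
const PUBLISHED = ['2.0.0-dev9', '2.0.0-28', '2.0.0-33', '2.0.0-38'];

// Prints ['2.0.0-28', '2.0.0-33', '2.0.0-38', '2.0.0-dev9']: the deprecated
// dev9 tag outranks every numbered prerelease under spec precedence.
console.log(sortByPrecedence(PUBLISHED));
```

Dropping a project's candidate version strings into PUBLISHED shows at a glance whether an old alphanumeric prerelease tag (dev, alpha, rc) can outrank newer purely numeric prerelease tags under spec precedence; a numbering scheme that keeps prerelease identifiers of one kind avoids that inversion.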
Seeing the same. Also, the critical vulnerability is probably an even bigger issue. @hassy
Thank you for the report! Can confirm, I'm able to reproduce it. We'll need to look into it. The behavior is odd as 2.0.0-dev9 was never tagged as a latest release and has been deprecated, but for some reason npm audit fix must see it as the most recent version that satisfies some advisory in v2.0.0-28.
Thanks, @hassy! Any ideas on the critical vulnerabilities? Would you like me to create a separate issue for that?
Still an issue with 2.0.0-33.
We've upgraded a bunch of dependencies recently (e.g. see #1971 and #1933). There are still a couple of dependencies that seem to be causing this issue, we're looking into it!
Is there any update on this issue?
Still an issue with 2.0.0-38.
I want to be able to run npm audit fix on my project. I have opened a support case with npm support to see if they can do something in the registry to prevent downgrades to that old 2.0.0-dev9 version of artillery. If they report back with suggestions for something the artillery project needs to do I will add the information here.
@hassy would you consider trying to unpublish or deprecate 2.0.0-dev9, possibly all 2.0.0-devX packages and see if that fixes the "npm audit fix" issue downgrading to old packages?
Ah, I see it is already deprecated.