
14 vulnerabilities required manual review and could not be updated

Open cromatikap opened this issue 4 years ago • 2 comments

I just forked this repo and cloned it, then when I ran npm install I got this output:

added 1881 packages from 1688 contributors and audited 50726 packages in 130.963s
found 183 vulnerabilities (5 low, 28 moderate, 150 high)
  run `npm audit fix` to fix them, or `npm audit` for details

Then I ran npm audit fix:

fixed 167 of 183 vulnerabilities in 50726 scanned packages
  14 vulnerabilities required manual review and could not be updated
  1 package update for 2 vulnerabilities involved breaking changes

npm audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ decentraland-dapps [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ decentraland-dapps > @types/axios > axios                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/880                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ decentraland-dapps [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ decentraland-dapps > axios                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/880                             │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Insecure Credential Storage                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ web3                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ decentraland-eth [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ decentraland-eth > web3                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/877                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Denial of Service                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ axios                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.18.1                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ analytics-node [dev]                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ analytics-node > axios                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/880                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 vulnerabilities (1 low, 3 moderate) in 39697 scanned packages
  2 vulnerabilities require semver-major dependency updates.
  2 vulnerabilities require manual review. See the full report for details.

And also npm test is not successful :s

cromatikap avatar Aug 16 '19 01:08 cromatikap

Hey, thank you for the notice! We're aware of the axios vulnerabilities, but since they are DoS only we're going to wait and change the whole library instead of patching; we are using dependabot.com for that.

The web3 one doesn't have available patches yet 😢

What about that npm test? Have you got the output? Did you first build the project?

fmiras avatar Aug 16 '19 16:08 fmiras
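The triage the maintainer describes above (defer dev-only DoS findings, track the unpatched web3 one, fix anything that actually reaches production code) is easy to automate against `npm audit --json` instead of eyeballing the tables. The script below is an added example, not code from this issue thread or from the decentraland repository. It assumes the npm 6 JSON report shape that was current in 2019 (an `advisories` object keyed by advisory id, each with `module_name`, `severity`, `title`, `patched_versions`, `url` and `findings[].paths` / `findings[].dev`), and that npm 6 reports "no patch available" as the empty range `<0.0.0`; both are assumptions about the format, not something the issue shows. The embedded `SAMPLE_REPORT` is constructed to mirror the three tables in the issue (versions like `0.18.0` are placeholders). The hypothetical policy in `triageAdvisory` and `shouldFailCi` is one reading of the maintainer's comment, not project policy.

```javascript
"use strict";

// Severity ranking used by npm audit, so a policy can say "high or worse".
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the issue's tables (npm 6 report shape is an assumption).
const SAMPLE_REPORT = {
  advisories: {
    "880": {
      id: 880, module_name: "axios", severity: "moderate", title: "Denial of Service",
      patched_versions: ">=0.18.1", url: "https://npmjs.com/advisories/880",
      findings: [
        { version: "0.18.0", dev: true, paths: ["decentraland-dapps>@types/axios>axios", "decentraland-dapps>axios"] },
        { version: "0.18.0", dev: true, paths: ["analytics-node>axios"] },
      ],
    },
    "877": {
      id: 877, module_name: "web3", severity: "low", title: "Insecure Credential Storage",
      patched_versions: "<0.0.0", url: "https://npmjs.com/advisories/877",
      findings: [{ version: "0.20.7", dev: true, paths: ["decentraland-eth>web3"] }],
    },
  },
};

// npm 6 encodes "No patch available" as the empty semver range "<0.0.0" (assumption).
function hasPatch(advisory) {
  const range = (advisory.patched_versions || "").trim();
  return range !== "" && range !== "<0.0.0";
}

// A finding path reads "direct>transitive>...>vulnerable"; only the first segment
// is something you can bump in package.json, so that is what triage reports.
function directDependency(path) {
  return path.split(">")[0].trim();
}

// Hypothetical policy derived from the maintainer's comment:
//   track  - no patched version exists, nothing to update yet, watch upstream
//   defer  - every path is a dev dependency and the advisory is DoS only
//   fix    - everything else: bump the direct dependencies listed
function triageAdvisory(advisory) {
  const findings = advisory.findings || [];
  const paths = findings.flatMap((f) => f.paths || []);
  const dev = findings.length > 0 && findings.every((f) => f.dev === true);
  const patched = hasPatch(advisory);
  const dosOnly = /denial of service/i.test(advisory.title || "");

  let action;
  if (!patched) action = "track";
  else if (dev && dosOnly) action = "defer";
  else action = "fix";

  return {
    id: advisory.id,
    module: advisory.module_name,
    severity: advisory.severity,
    title: advisory.title,
    dev,
    patched,
    pathCount: paths.length,
    directDeps: [...new Set(paths.map(directDependency))].sort(),
    action,
  };
}

function triage(report) {
  return Object.values(report.advisories || {}).map(triageAdvisory).sort((a, b) => a.id - b.id);
}

// Block the build only for fixable findings that reach production code at or above minSeverity.
function shouldFailCi(results, minSeverity = "high") {
  const floor = SEVERITY_RANK[minSeverity];
  return results.some((r) => r.action === "fix" && !r.dev && SEVERITY_RANK[r.severity] >= floor);
}

function formatLine(r) {
  const where = r.dev ? "dev" : "prod";
  const patch = r.patched ? "patch available" : "no patch";
  return `${r.action.padEnd(5)} #${r.id} ${r.module} (${r.severity}, ${where}, ${patch}) ` +
    `${r.pathCount} path(s) via ${r.directDeps.join(", ")}`;
}

// Usage: npm audit --json > audit.json && node triage.js audit.json
// With no argument the constructed sample is used.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const report = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_REPORT;
  const results = triage(report);
  results.forEach((r) => console.log(formatLine(r)));
  if (shouldFailCi(results)) {
    console.error("unpatched production findings at or above high severity");
    process.exitCode = 1;
  }
}
```

On the sample, the two axios tables collapse to one `defer` line naming `analytics-node` and `decentraland-dapps` as the dependencies to bump when the library is swapped, and web3 comes out as `track` because no patched range exists; `shouldFailCi` stays false, which matches the maintainer's decision not to block on these.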

My bad, I ran npm test before npm run build.

But the test seems to run forever; I stopped it after hours, and here is the output:

> [email protected] test /home/axel/git/github/decentraland
> FORCE_COLOR=1 ava


⠧ unit › lib › Project.ts › Unit - Project.getFiles() - should return all files

⠴ unit › lib › content › ContentService.ts › Unit - ContentService.uploadContent() - should fail if upload calls fails
  
  ✖ Exiting due to SIGINT

  1 tests were pending in /home/axel/git/github/decentraland/test/e2e/help.test.ts

  ◌ e2e › help.ts › E2E - help command

  79 tests passed

npm ERR! Test failed.  See above for more details.

I don't know if it is a real issue.

cromatikap avatar Aug 16 '19 21:08 cromatikap