talktalk-node
Some dependency has a critical vulnerability
2 vulnerabilities detected from 6381abc84daf393ff9d89d762a216e3463e446e5
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Critical │ Command Injection │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ open │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ graphql-cli [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ graphql-cli > graphql-cli-prepare > graphql-static-binding > │
│ │ cucumber-html-reporter > open │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/663 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate │ Tmp files readable by other users │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ sync-exec │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ No patch available │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ graphql-cli [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ graphql-cli > npm-run > sync-exec │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/310 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 vulnerabilities (1 moderate, 1 critical) in 24472 scanned packages
2 vulnerabilities require manual review. See the full report for details.
@cometkim I've tried to manage this earlier, which happens in the merge package. Currently, it tells me there is no update for this and I think we need to wait for some time.
Actually, I added the graphql-cli package for people who don't have the graphql-cli package on their computer.
If those vulnerabilities still exist, I think the graphql-cli package must be removed and we should notify people that they have to install graphql-cli globally on their computer.
@geoseong Nah, that is an even more dangerous decision for all. Some people would like to install a node environment for a system, which means the global package would go privileged.
We need to add and track dependencies that can be problematic and tell people that this package can be dangerous. Also, this package shouldn't be published to NPM until the problem is fully resolved.
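One way to enforce the "track the problematic dependencies, and don't publish until resolved" proposal above, as an added example that is not part of the talktalk-node project or this thread: a small gate that reads the JSON form of the audit report, classifies each advisory by severity and by whether every path to it runs through a devDependency, and returns a non-zero status for a publish hook. The report shape assumed here is the npm 6 `npm audit --json` format (a top-level `advisories` object keyed by advisory id, each entry carrying `module_name`, `severity`, `patched_versions`, `url` and `findings[]` with `paths` and a `dev` flag); the sample report embedded below is constructed to mirror the two findings shown in the issue, and the installed versions, which the page does not give, are left out. The policy object and the `gate` function are this example's own names, not anything npm provides.

```javascript
'use strict';
// Added example, not code from the talktalk-node project or the issue thread.
// Gate `npm publish` on the report from `npm audit --json`. Assumed npm 6 report
// shape: top-level "advisories" keyed by advisory id, each with "module_name",
// "severity", "patched_versions", "url" and "findings[]" ({ paths, dev }).

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Default policy follows the thread: an unresolved high/critical advisory blocks
// publishing even when it is only reachable through devDependencies. Set
// ignoreDevOnly to true to block only on advisories that reach the runtime
// dependency tree (what consumers of the package actually install).
const DEFAULT_POLICY = { blockAt: 'high', ignoreDevOnly: false };

// Constructed sample mirroring the two findings in the issue (versions omitted).
const SAMPLE_REPORT = {
  advisories: {
    663: {
      module_name: 'open',
      severity: 'critical',
      title: 'Command Injection',
      patched_versions: '<0.0.0', // the range npm prints for "No patch available"
      url: 'https://nodesecurity.io/advisories/663',
      findings: [{ paths: ['graphql-cli>graphql-cli-prepare>graphql-static-binding>cucumber-html-reporter>open'], dev: true }],
    },
    310: {
      module_name: 'sync-exec',
      severity: 'moderate',
      title: 'Tmp files readable by other users',
      patched_versions: '<0.0.0',
      url: 'https://nodesecurity.io/advisories/310',
      findings: [{ paths: ['graphql-cli>npm-run>sync-exec'], dev: true }],
    },
  },
};

function summarizeAdvisory(id, adv) {
  const findings = adv.findings || [];
  const paths = findings.reduce((acc, f) => acc.concat(f.paths || []), []);
  return {
    id: Number(id),
    module: adv.module_name,
    severity: adv.severity,
    title: adv.title,
    url: adv.url,
    // dev-only: every path into the vulnerable module goes through a devDependency
    devOnly: findings.length > 0 && findings.every((f) => f.dev === true),
    // no fixed version exists when npm reports the empty range '<0.0.0'
    unpatched: !adv.patched_versions || adv.patched_versions === '<0.0.0',
    paths,
  };
}

// Splits advisories into those that block publishing and those only tracked.
function evaluateAudit(report, policy = DEFAULT_POLICY) {
  const threshold = SEVERITY_RANK[policy.blockAt];
  if (threshold === undefined) throw new Error(`unknown severity: ${policy.blockAt}`);
  const blocking = [];
  const tracked = [];
  for (const [id, adv] of Object.entries(report.advisories || {})) {
    const entry = summarizeAdvisory(id, adv);
    const severeEnough = (SEVERITY_RANK[entry.severity] || 0) >= threshold;
    if (severeEnough && !(policy.ignoreDevOnly && entry.devOnly)) {
      blocking.push(entry);
    } else {
      tracked.push(entry);
    }
  }
  return { block: blocking.length > 0, blocking, tracked };
}

function formatResult(result) {
  const line = (e) =>
    `${e.severity} ${e.module} (advisory ${e.id}` +
    `${e.devOnly ? ', dev only' : ''}${e.unpatched ? ', no patch' : ''}): ${e.paths.join(' | ')}`;
  const out = result.blocking.map((e) => `BLOCK  ${line(e)}`)
    .concat(result.tracked.map((e) => `TRACK  ${line(e)}`));
  out.push(result.block ? 'publish blocked' : 'publish allowed');
  return out.join('\n');
}

// Exit status for a publish hook: 1 stops `npm publish`, 0 lets it proceed.
function gate(reportJson, policy) {
  return evaluateAudit(JSON.parse(reportJson), policy).block ? 1 : 0;
}

console.log(formatResult(evaluateAudit(SAMPLE_REPORT)));
```

Run as-is it evaluates the constructed sample and prints one `BLOCK` line for `open` and one `TRACK` line for `sync-exec`. To use it for real, feed the text of `npm audit --json` to `gate()` (reading stdin is left out here) from an npm `prepublishOnly` script, which npm runs before `npm publish`; the dev-only findings then stay visible in the output as tracked items even when the policy is relaxed to `ignoreDevOnly: true`.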