
Dependencies of @ionic/v1-toolkit have 10 vulnerabilities (2 low, 8 high)

Open fredlemieux opened this issue 6 years ago • 3 comments

Description:

When creating a new Ionic-v1 project which includes the Ionic toolkit, and then installing ionic-native using

npm i ionic-native --save

I get the following (npm audit fix doesn't fix any vulnerabilities):

Output:

=== npm audit security report ===

Run npm install --save-dev [email protected] to resolve 5 vulnerabilities SEMVER WARNING: Recommended action is a potentially breaking change

Low Prototype Pollution

Package lodash

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-watcher > gaze > globule > lodash

More info https://nodesecurity.io/advisories/577

High Regular Expression Denial of Service

Package minimatch

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-stream > glob > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-stream > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-watcher > gaze > globule > glob > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch

More info https://nodesecurity.io/advisories/118

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-stream > glob > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-stream > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-watcher > gaze > globule > glob > minimatch

More info https://nodesecurity.io/advisories/118

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-watcher > gaze > globule > minimatch

More info https://nodesecurity.io/advisories/118

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-watcher > gaze > globule > lodash

More info https://nodesecurity.io/advisories/577

found 10 vulnerabilities (2 low, 8 high) in 6476 scanned packages 5 vulnerabilities require semver-major dependency updates. 5 vulnerabilities require manual review. See the full report for details.

My ionic info: I'm using Ionic CLI 4.5.0

fredlemieux (Dec 06 '18 12:12)
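The report above is hard to triage by eye: the same advisory (minimatch 118) shows up five times because it is reached through several `gulp` sub-trees, and `npm audit fix` cannot help because the vulnerable versions sit deep under a dependency (`@ionic/v1-toolkit`) whose own `gulp` pin has to change first. The following is an added example, not code from the issue or from the Ionic project: a small parser for the text format of this `npm audit` report that re-joins wrapped `Path` lines, groups findings per vulnerable package, and lists which top-level dependency each chain enters through and whether every chain is dev-only. The sample report embedded in the block is constructed to mirror the structure shown in the issue; function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the npm audit report quoted in the issue
# (a subset, not a verbatim copy). Note the wrapped Path line in the first entry.
SAMPLE_REPORT = """\
=== npm audit security report ===

High Regular Expression Denial of Service

Package minimatch

Patched in >=3.0.2

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-watcher > gaze >
globule > glob > minimatch

More info https://nodesecurity.io/advisories/118

Low Prototype Pollution

Package lodash

Patched in >=4.17.5

Dependency of @ionic/v1-toolkit [dev]

Path @ionic/v1-toolkit > gulp > vinyl-fs > glob-watcher > gaze >
globule > lodash

More info https://nodesecurity.io/advisories/577

High Regular Expression Denial of Service

Package minimatch

Dependency of gulp [dev]

Path gulp > vinyl-fs > glob-stream > minimatch

More info https://nodesecurity.io/advisories/118
"""

SEVERITIES = ("Critical", "High", "Moderate", "Low")
FIELD_RE = re.compile(r"^(Package|Patched in|Dependency of|Path|More info)\s+(.*)$")


def parse_audit_report(text):
    """Parse the human-readable npm audit table into a list of finding dicts.

    A finding starts at a line beginning with a severity word; subsequent
    'Key value' lines fill its fields. A non-field line directly after a Path
    line is treated as the continuation of a wrapped dependency path.
    """
    findings = []
    current = None
    last_field = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sev = next((s for s in SEVERITIES if line.startswith(s + " ")), None)
        if sev:
            current = {"severity": sev, "title": line[len(sev) + 1:],
                       "patched_in": None, "dev": False}
            findings.append(current)
            last_field = None
            continue
        if current is None:
            continue  # banner text before the first finding
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Package":
                current["package"] = value
            elif key == "Patched in":
                current["patched_in"] = value
            elif key == "Dependency of":
                current["dev"] = value.endswith("[dev]")
                current["root"] = value.replace("[dev]", "").strip()
            elif key == "Path":
                current["path"] = value
            elif key == "More info":
                current["advisory"] = value
            last_field = key
        elif last_field == "Path":
            current["path"] += " " + line  # re-join a wrapped path
    for f in findings:
        f["chain"] = [p.strip() for p in f["path"].split(">")]
    return findings


def summarize(findings):
    """Group findings by vulnerable package: hit count, severities, entry points."""
    by_pkg = defaultdict(lambda: {"count": 0, "severities": set(), "roots": set(),
                                  "patched_in": set(), "dev_only": True})
    for f in findings:
        e = by_pkg[f["package"]]
        e["count"] += 1
        e["severities"].add(f["severity"])
        e["roots"].add(f["root"])
        if f["patched_in"]:
            e["patched_in"].add(f["patched_in"])
        e["dev_only"] = e["dev_only"] and f["dev"]
    return dict(by_pkg)


def severity_counts(findings):
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


if __name__ == "__main__":
    found = parse_audit_report(SAMPLE_REPORT)
    print(severity_counts(found))
    for pkg, info in summarize(found).items():
        print(pkg, info["count"], "paths via", sorted(info["roots"]),
              "fixed in", sorted(info["patched_in"]), "dev-only:", info["dev_only"])
```

Run it against a saved report (`npm audit > audit.txt`, then pass the file's contents to `parse_audit_report`) to see that, for this issue, every chain enters through `@ionic/v1-toolkit` or `gulp` and is marked `[dev]`, which is why removing or upgrading that one build-time dependency clears all ten findings and why the ReDoS never reaches the shipped app's runtime bundle.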

Any update on this?

austin-wang (Sep 04 '19 05:09)

I just removed the reported modules (without the global parameter) and it fixed the problems:

npm uninstall @ionic/v1-toolkit
npm uninstall gulp-sass

esstein (Jan 07 '20 04:01)

It's 2021 and this is an ongoing issue.

eliashdezr (Oct 13 '21 15:10)