
NPM audit in npm > npm-user-validate

Open PascalHelbig opened this issue 5 years ago • 0 comments

When running npm audit I get a low severity vulnerability:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ npm-user-validate                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ semantic-release [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ semantic-release > @semantic-release/npm > npm >             │
│               │ npm-user-validate                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1572                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 low severity vulnerability in 1689 scanned packages
  1 vulnerability requires manual review. See the full report for details.

The corresponding package (npm-user-validate) has been updated in npm in version 7.0.1 (see https://github.com/npm/cli/releases/tag/v7.0.1).

My idea to solve this issue was to update npm in package.json in this repo to the latest version and to create a PR. However, some tests did not work after the upgrade:

npm test output

> @semantic-release/[email protected] pretest
> npm run lint

> @semantic-release/[email protected] lint
> xo

> @semantic-release/[email protected] test
> nyc ava -v

  ✔ get-channel › Get default channel
  ✔ get-channel › Get passed channel if valid
  ✔ get-channel › Prefix channel with "release-" if invalid
  ✔ get-release-info › Default registry and scoped module
  ✔ get-release-info › Custom registry and scoped module
  ✔ get-registry › Get default registry
  ✔ get-registry › Get the registry configured in "NPM_CONFIG_REGISTRY"
  ✔ get-pkg › Throw error if missing package.json
  ✔ get-registry › Get the registry configured in ".npmrc" and normalize trailing slash
  ✔ get-registry › Get the registry configured in ".npmrc" for scoped package
  ✔ get-registry › Get the registry configured from "publishConfig"
  ✔ get-pkg › Throw error if package.json is malformed
  ✔ get-pkg › Verify name and version then return parsed package.json
  ✔ get-pkg › Throw error if missing package name
  ✔ get-pkg › Verify name and version then return parsed package.json from a sub-directory
  ✔ verify-config › Verify "npmPublish", "tarballDir" and "pkgRoot" options
  ✔ verify-config › Return SemanticReleaseError if "npmPublish" option is not a Boolean
  ✔ verify-config › Return SemanticReleaseError if "tarballDir" option is not a String
  ✔ verify-config › Return SemanticReleaseError if "pkgRoot" option is not a String
  ✔ set-npmrc-auth › Set auth with "NPM_TOKEN"
  ✔ verify-config › Return SemanticReleaseError Array if multiple config are invalid
  ✔ set-npmrc-auth › Set auth with "NPM_USERNAME", "NPM_PASSWORD" and "NPM_EMAIL"
  ✔ set-npmrc-auth › Preserve home ".npmrc" (206ms)
  ✔ set-npmrc-auth › Preserve home and local ".npmrc"
  ✔ set-npmrc-auth › Preserve all ".npmrc" if auth is already configured
  ✔ set-npmrc-auth › Preserve ".npmrc" if auth is already configured for a scoped package
  ✔ set-npmrc-auth › Throw error if "NPM_TOKEN" is missing
  ✔ set-npmrc-auth › Emulate npm config resolution if "NPM_CONFIG_USERCONFIG" is set
  ✔ set-npmrc-auth › Throw error if "NPM_USERNAME" is missing
  ✔ set-npmrc-auth › Throw error if "NPM_PASSWORD" is missing
  ✔ prepare › Updade package.json (699ms)
  ✔ set-npmrc-auth › Throw error if "NPM_EMAIL" is missing
  ✔ prepare › Preserve indentation and newline (725ms)
  ✖ prepare › Use default indentation and newline if it cannot be detected
  ✔ prepare › Updade package.json and npm-shrinkwrap.json (1.2s)
  ✔ prepare › Only move the created tarball if the "tarballDir" directory is not the CWD (1.2s)
  ✔ prepare › Create the package in the "tarballDir" directory (1.2s)
  ✔ prepare › Updade package.json and npm-shrinkwrap.json in a sub-directory (1.3s)
  ✔ prepare › Updade package.json and package-lock.json in a sub-directory (1.4s)
  ✔ prepare › Updade package.json and package-lock.json (1.4s)
  ✖ integration › before hook Promise returned by test never resolved
  ✖ 27 tests remaining in test/integration.test.js

  ─

prepare › Use default indentation and newline if it cannot be detected

  test/prepare.test.js:212

   211:   // Verify package.json has been updated
   212:   t.is(await readFile(packagePath, 'utf-8'), `{\n "name": "package-name",\n "version": "1.0.0"\n}\n`);
   213:

Difference:

  • `{"name":"package-name","version":"1.0.0"}
  • `{␊

› test/prepare.test.js:212:5

integration › before hook

Error: Promise returned by test never resolved

› processEmit [as emit] (node_modules/signal-exit/index.js:161:32)

1 hook failed 1 test failed

PascalHelbig, Oct 22 '20 10:10
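The audit table in the issue reports the vulnerable copy by its install path and flags it as a dev dependency. As an added example (not from the issue, and not semantic-release or npm code), the following Node.js script derives those same two facts from a lockfile-v1 shaped tree: it walks the nested `dependencies` maps, compares each installed `npm-user-validate` against the `>=1.0.1` floor printed under "Patched in", and reports whether every hit sits under a dev-only top-level dependency. The lockfile object, the `some-runtime-lib` entry and every version number other than `1.0.0` and `1.0.1` are constructed placeholders, not real semantic-release versions.

```javascript
// Added example, not from the issue or from semantic-release: walk a
// lockfile-v1 shaped dependency tree ("dependencies" nested per install
// location, "dev": true on dev-only entries) and list every install path
// that reaches a package whose version is below the advisory's
// "Patched in" floor. The tree is constructed by hand to mirror the audit
// path quoted in the issue; versions other than the target's are placeholders.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    "semantic-release": {
      version: "0.0.0",
      dev: true,
      dependencies: {
        "@semantic-release/npm": {
          version: "0.0.0",
          dev: true,
          dependencies: {
            npm: {
              version: "0.0.0",
              dev: true,
              dependencies: {
                "npm-user-validate": { version: "1.0.0", dev: true },
              },
            },
          },
        },
      },
    },
    // Hypothetical runtime dependency carrying an already patched copy;
    // it must not be reported.
    "some-runtime-lib": {
      version: "2.3.4",
      dependencies: {
        "npm-user-validate": { version: "1.0.1" },
      },
    },
  },
};

// Compare dotted numeric versions (pre-release tags are ignored): <0, 0, >0.
function compareVersions(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse the ">=X.Y.Z" form that the audit report prints under "Patched in".
function patchedFloor(range) {
  const m = /^>=\s*v?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported patched range: ${range}`);
  return m[1];
}

// Depth-first walk; returns one record per install location of `target`
// whose version is below the patched floor, with the path from the root
// and the top-level dependency that pulls it in ("Dependency of").
function findVulnerablePaths(lockfile, target, patchedRange) {
  const floor = patchedFloor(patchedRange);
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === target && compareVersions(meta.version, floor) < 0) {
        hits.push({
          path: here.join(" > "),
          version: meta.version,
          dependencyOf: here[0],
          dev: meta.dev === true,
        });
      }
      walk(meta.dependencies, here);
    }
  };
  walk(lockfile.dependencies, []);
  return hits;
}

// True when every vulnerable copy sits under a dev-only dependency, i.e.
// the advisory is only reachable from release tooling, not shipped code.
function devOnly(hits) {
  return hits.length > 0 && hits.every((h) => h.dev);
}

const vulnerable = findVulnerablePaths(sampleLock, "npm-user-validate", ">=1.0.1");
for (const h of vulnerable) {
  console.log(`${h.version} via ${h.path}${h.dev ? " [dev]" : ""}`);
}
console.log(devOnly(vulnerable) ? "dev-only: fix in the release tooling" : "reachable at runtime");
```

Run it against a real `package-lock.json` by replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files carry a flat `packages` map instead of nested `dependencies`, so the walk above applies only to the v1 shape.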