
Vulnerabilities in dependencies #493

Closed
pilwon opened this issue May 24, 2018 · 1 comment · Fixed by #641

Comments


pilwon commented May 24, 2018

Bug report

2 Vulnerabilities found after npm install vuepress

+ vuepress@0.9.0
added 1184 packages from 655 contributors in 54.018s
[!] 2 vulnerabilities found [11060 packages audited]
    Severity: 2 High
    Run `npm audit` for more detail

Version

v0.9.0

Steps to reproduce

$ npm audit

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-anchor > string                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ string                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress [dev]                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > markdown-it-table-of-contents > string            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/536                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 2 vulnerabilities found - Packages audited: 11060 (11060 dev, 199 optional)
    Severity: 2 High

What is expected?

No error message after npm install vuepress

What is actually happening?

Vulnerabilities found in dependencies

Other relevant information

  • Your OS: MacOS 10.13.4
  • Node.js version: v8.11.1
  • Browser version: n/a
  • Is this a global or local install? local
  • Which package manager did you use for the install? npm (v6.0.1)
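The report above is the human-readable table; `npm audit --json` emits the same findings as structured data, which is what a CI gate should consume. The following is an added example (not code from the vuepress project or from the issue author) that flattens such a report into one row per dependency path, flags advisories with no patch available, and decides pass/fail by severity. The sample report is constructed here, shaped like npm 6's JSON layout and filled with the two findings quoted in the issue; the field names (`advisories`, `module_name`, `patched_versions`, `findings[].paths`) and the `<0.0.0` convention for "no patch available" are assumptions about that format, not taken from the page.

```javascript
// Added example, not code from vuepress or the issue author.
// Triage an `npm audit --json` report as a CI gate would: one row per
// dependency path (mirroring the boxes `npm audit` prints), a flag for
// whether a patched version exists, and a fail/pass decision by severity.
//
// CONSTRUCTED sample shaped like npm 6's JSON output, filled with the two
// findings quoted in the issue. Field names and the "<0.0.0" convention for
// "no patch available" are assumed, not taken from the issue.
const SAMPLE_REPORT = {
  advisories: {
    536: {
      id: 536,
      module_name: "string",
      title: "Regular Expression Denial of Service",
      severity: "high",
      url: "https://nodesecurity.io/advisories/536",
      patched_versions: "<0.0.0",
      findings: [
        {
          dev: true,
          paths: [
            "vuepress>markdown-it-anchor>string",
            "vuepress>markdown-it-table-of-contents>string",
          ],
        },
      ],
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 0, moderate: 0, high: 2, critical: 0 },
    totalDependencies: 11060,
  },
};

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Flatten the advisories map into one row per affected dependency path.
function flattenAudit(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories || {})) {
    // Assumed npm convention: an advisory with no fix carries "<0.0.0".
    const patchAvailable = adv.patched_versions !== "<0.0.0";
    for (const finding of adv.findings || []) {
      for (const path of finding.paths || []) {
        rows.push({
          advisory: adv.id,
          package: adv.module_name,
          title: adv.title,
          severity: adv.severity,
          dev: Boolean(finding.dev),
          patchAvailable,
          path,
          url: adv.url,
        });
      }
    }
  }
  return rows;
}

// Decide whether the build should fail. `minSeverity` is the lowest severity
// that blocks; `includeDev` controls whether dev-only paths count.
function triageAudit(report, { minSeverity = "high", includeDev = true } = {}) {
  const threshold = SEVERITY_RANK[minSeverity];
  const rows = flattenAudit(report);
  const blocking = rows.filter(
    (r) => (includeDev || !r.dev) && SEVERITY_RANK[r.severity] >= threshold
  );
  // Paths whose advisory has no patch cannot be resolved by `npm audit fix`;
  // they need an upstream release or a dependency swap, so call them out.
  const unfixable = blocking.filter((r) => !r.patchAvailable);
  return { shouldFail: blocking.length > 0, rows, blocking, unfixable };
}

// One line per finding, in the spirit of the table `npm audit` prints.
function formatRow(r) {
  const fix = r.patchAvailable ? "patch available" : "no patch available";
  return `${r.severity.toUpperCase()} ${r.package} (${r.title}) via ${r.path} [${fix}]`;
}

if (typeof require !== "undefined" && require.main === module) {
  // Stand-alone run over the constructed sample. In CI you would parse the
  // real output of `npm audit --json` instead and fail the job on shouldFail.
  const result = triageAudit(SAMPLE_REPORT);
  result.blocking.forEach((r) => console.log(formatRow(r)));
  console.log(`blocking: ${result.blocking.length}, unfixable: ${result.unfixable.length}`);
  console.log(result.shouldFail ? "FAIL: blocking vulnerabilities present" : "PASS");
}
```

The `includeDev` switch matters for a case like this one: both paths are dev-only (`vuepress [dev]`), so a gate that only blocks on production dependencies would pass, while a gate on all dependencies fails and reports both rows as unfixable until an upstream `string` release exists.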
ulivz (Member) commented May 24, 2018

Thanks,

This should be fixed by string.js, and there has been a fixing pull request: jprichardson/string.js#217.

Hold this issue until this pull request is merged. For now, you can use yarn.
