When I run `npm install`, it says:

```
found 33 vulnerabilities (2 low, 31 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details
```

However, `npm audit fix` outputs:

```
up to date in 11s
fixed 0 of 33 vulnerabilities in 24653 scanned packages
  33 vulnerabilities required manual review and could not be updated
```

Does that "review" mean it is not supposed to be fixed by the user?

When I run `npm audit`, it gives me a list of tables, similar to this:
```
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ browser-sync [dev]                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ browser-sync > easy-extender > lodash                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
In this example, the remediation section of the linked page says "Update to version 4.17.5 or later." However, in `/node_modules/browser-sync/package.json` there are these lines:

```
"devDependencies": {
  "lodash-cli": "4.17.5",
}
```

and no more lodash dependencies. So it should already be v4.17.5. I also checked `/node_modules/lodash/lodash.json`, which has a `var VERSION = '4.17.10';` line. In `/node_modules/lodash/package.json` there are these lines:

```
"_from": "lodash@^4.17.4",
"_id": "lodash@4.17.10",
```

I believe that the version is shown in `"_id"`, not in `"_from"`, so the versions are correct, but the vulnerability still appears in the audit list.

I'm still new to node.js and those messages confuse me a lot. Is there any way to fix it manually, or to get rid of those messages I can't do anything with?
`lodash-cli` in `devDependencies` doesn't affect how `browser-sync` works in your project; `devDependencies` are ignored when a package is installed as a dependency.

What the `audit` report says is that it's `easy-extender` that has the `lodash` dependency:

```
browser-sync > easy-extender > lodash
```

It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking `easy-extender`, updating it and installing it instead of the package from the NPM public registry. But there is no real problem with this dependency.

The importance of an `audit` report should be evaluated manually. Even if a nested dependency has a security risk, this doesn't mean that the feature that introduces this risk is used. It also doesn't mean that, even if it's used, it introduces a real risk, due to how it's used.

`browser-sync` is a development tool that isn't used in production; there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn't a vulnerability at all, just a notice that a package doesn't follow good practices; it can be ignored.
Generally, this is the way to fix reported vulnerabilities:

Most times it's expected that you won't advance beyond a sanity check.

`patch-package` can help to patch nested dependencies in-place, but this won't affect the `audit` report.
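The confusion in the question comes from looking at the hoisted copy of `lodash` in `/node_modules/lodash` while the audit path points at a different copy: when a nested package's range cannot be satisfied by the hoisted version, npm installs a second copy under that package's own `node_modules` (here `node_modules/easy-extender/node_modules/lodash`), and that is the copy `npm ls lodash` would also list. The following script is an added example, not code from the asker, the answerer or the `browser-sync` project. It walks a constructed `npm ls --json`-style tree (the version numbers for `browser-sync`, `easy-extender` and the nested Lodash 3 release are made up for the example), reports every copy of a package with the path it is reached through, and compares each copy against the `>=4.17.5` floor from the audit table's "Patched in" row. Note that the tree contains no `lodash-cli` at all: a nested package's `devDependencies` are never installed, which is why that line in `browser-sync/package.json` is irrelevant to the report.

```javascript
// Walk an `npm ls --json`-style dependency tree and report every copy of a
// package, with the path it is reached by and whether its version is at or
// above the "Patched in" floor from the audit table.

// Constructed sample tree (NOT real npm output): mirrors the question's
// layout. The top-level lodash is 4.17.10, but easy-extender pulls in its
// own nested lodash 3.x, which is the copy the audit report is about.
// Versions other than the two lodash ones are placeholders.
const sampleTree = {
  name: 'my-app',
  version: '1.0.0',
  dependencies: {
    lodash: { version: '4.17.10' },
    'browser-sync': {
      version: '0.0.0-placeholder',
      dependencies: {
        'easy-extender': {
          version: '0.0.0-placeholder',
          dependencies: {
            lodash: { version: '3.10.1' }, // constructed: a Lodash 3 release
          },
        },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is dropped.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// Numeric three-part comparison: negative, zero or positive, like strcmp.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Only the ">=X.Y.Z" form shown in the audit table's "Patched in" row is
// handled; anything else is rejected rather than silently treated as safe.
function isPatched(version, patchedIn) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(patchedIn.trim());
  if (!m) throw new Error(`unsupported range: ${patchedIn}`);
  return compareVersions(version, m[1]) >= 0;
}

// Depth-first walk: every occurrence of `name`, with its "a > b > c" path,
// in the same order `npm ls` would print the tree.
function findPackagePaths(tree, name, trail = []) {
  const found = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) {
      found.push({ path: path.join(' > '), version: info.version });
    }
    found.push(...findPackagePaths(info, name, path));
  }
  return found;
}

// One entry per installed copy, flagged when it sits below the patched floor.
function auditPackage(tree, name, patchedIn) {
  return findPackagePaths(tree, name).map((hit) => ({
    ...hit,
    vulnerable: !isPatched(hit.version, patchedIn),
  }));
}

for (const hit of auditPackage(sampleTree, 'lodash', '>=4.17.5')) {
  const flag = hit.vulnerable ? 'VULNERABLE' : 'ok        ';
  console.log(`${flag} ${hit.version.padEnd(8)} ${hit.path}`);
}
```

Against a real project, replace `sampleTree` with the parsed output of `npm ls --json` and the hoisted `lodash` comes out as `ok` while the copy under `browser-sync > easy-extender > lodash` is the one flagged, which is exactly the path the audit table shows; upgrading the top-level package does nothing for the nested copy, so the remediation has to happen in `easy-extender`'s own dependency range, as the answer describes.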