Update karma to 3.0.0 · Issue #384 · filerjs/filer · GitHub

Update karma to 3.0.0 #384

Closed

0xazure opened this issue Sep 10, 2018 · 2 comments

0xazure (Contributor) commented Sep 10, 2018

A fresh install of the project dependencies ends with a little blurb about dependency vulnerabilities:

```
added 1079 packages from 1531 contributors and audited 9518 packages in 33.813s
found 6 vulnerabilities (1 low, 5 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details
```

The full output of npm audit is as follows (and rather long, see details), but the audit suggests a key take-away:

```
=== npm audit security report ===

# Run  npm install --save-dev karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Memory Exposure                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tunnel-agent                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > tunnel-agent             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/598                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > boom > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > cryptiles > boom  │
│               │ > hoek                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > hoek              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ hoek                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > request > hawk > sntp > hoek       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/566                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ timespan                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ karma [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ karma > log4js > loggly > timespan                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/533                       │
└───────────────┴──────────────────────────────────────────────────────────────┘


found 6 vulnerabilities (1 low, 5 moderate) in 9518 scanned packages
  6 vulnerabilities require semver-major dependency updates.
# Run  npm install --save-dev karma@3.0.0  to resolve 6 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
```

It seems like upgrading the karma dev dependency resolves all of the issues identified in the audit.

The breaking change between the 2.x and 3.x branches seems to be dropping Node.js 4 support but no other major changes, so this should be a pretty straightforward upgrade.
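The conclusion above (every audit path starts with karma, and every finding is marked `[dev]`, so a single dev-dependency bump covers all six) can be checked mechanically rather than by eye. The following is an added example and not code from the filer project; the `FINDINGS` records are constructed from the six table entries in this issue and use a simplified record shape, not the raw `npm audit --json` schema, and the `MIXED` counter-example adds a hypothetical production path that does not exist in the report.

```javascript
// Added example (not from the filer project): triage npm audit findings by the
// top-level dependency that pulls each vulnerable package in, and decide whether
// one upgrade of a dev dependency would resolve all of them.
// FINDINGS is constructed from the six table entries in this issue. It is a
// simplified shape, not the raw `npm audit --json` schema.
const FINDINGS = [
  { severity: 'moderate', title: 'Memory Exposure', module: 'tunnel-agent',
    advisory: 598, dev: true, path: 'karma>log4js>loggly>request>tunnel-agent' },
  { severity: 'moderate', title: 'Prototype pollution', module: 'hoek',
    advisory: 566, dev: true, path: 'karma>log4js>loggly>request>hawk>boom>hoek' },
  { severity: 'moderate', title: 'Prototype pollution', module: 'hoek',
    advisory: 566, dev: true, path: 'karma>log4js>loggly>request>hawk>cryptiles>boom>hoek' },
  { severity: 'moderate', title: 'Prototype pollution', module: 'hoek',
    advisory: 566, dev: true, path: 'karma>log4js>loggly>request>hawk>hoek' },
  { severity: 'moderate', title: 'Prototype pollution', module: 'hoek',
    advisory: 566, dev: true, path: 'karma>log4js>loggly>request>hawk>sntp>hoek' },
  { severity: 'low', title: 'Regular Expression Denial of Service', module: 'timespan',
    advisory: 533, dev: true, path: 'karma>log4js>loggly>timespan' },
];

// The top-level dependency is the first segment of an "a>b>c" dependency path.
function rootOf(path) {
  return path.split('>')[0].trim();
}

// Summarise a set of findings: how many paths run through each top-level
// dependency, counts per severity, number of distinct advisories, whether every
// path is dev-only, and whether a single root upgrade would cover everything.
function triage(findings) {
  const roots = {};
  const bySeverity = {};
  const advisories = new Set();
  let devOnly = true;
  for (const f of findings) {
    const root = rootOf(f.path);
    roots[root] = (roots[root] || 0) + 1;
    bySeverity[f.severity] = (bySeverity[f.severity] || 0) + 1;
    advisories.add(f.advisory);
    if (!f.dev) devOnly = false;
  }
  return {
    roots,
    bySeverity,
    advisoryCount: advisories.size,
    devOnly,
    // One upgrade can only cover everything when all paths share a root.
    singleUpgradeResolvesAll: Object.keys(roots).length === 1,
  };
}

// Constructed counter-example: the same findings plus a hypothetical production
// path through a different root. This is not in the real report; it shows how
// the "one dev-dependency bump fixes all" conclusion would fail.
const MIXED = FINDINGS.concat([
  { severity: 'moderate', title: 'Prototype pollution', module: 'hoek',
    advisory: 566, dev: false, path: 'hypothetical-prod-dep>hawk>hoek' },
]);

console.log(JSON.stringify(triage(FINDINGS), null, 2));
console.log(JSON.stringify(triage(MIXED), null, 2));
```

For the report in this issue, `triage(FINDINGS)` reports a single root (`karma`, 6 paths), 3 distinct advisories, 5 moderate and 1 low, and `devOnly: true`, which is exactly the case where `npm install --save-dev <root>@<fixed>` is the whole remediation. The `MIXED` run shows the two signals that should stop a reviewer from accepting that conclusion: more than one root, or any path that is not dev-only.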

humphd (Contributor) commented Sep 10, 2018

@0xazure thanks for reporting this. Would you be willing to send a pull request with an update to our karma version in package.json? Let me know if you need any help with that.

0xazure (Contributor, Author) commented Sep 11, 2018

I'd be happy to! I'll dig into npm audit a bit and see what I can find out about the specific advisories too. :shipit:

humphd pushed a commit that referenced this issue Sep 13, 2018
Resolves `npm audit` warnings about 1 low, 5
moderate vulnerabilities related to versions before
karma@3.0.0.

Closes #384.