[https://issues.apache.org/jira/browse/SENSSOFT-321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16740959#comment-16740959]
Joshua Poore commented on SENSSOFT-321:
---------------------------------------
On test, updated package.json to the latest version of gulp-mocha (6.0.0 from
3.0.1).
Confirmed that dependencies were appropriately installed by searching the
node_packages folder for v6 dependencies/versions. Also, output is near
identical wrt install with 3.0.1, less two vulnerabilities identified. See
below:
$ npm install
npm WARN deprecated [email protected]: 🙌 Thanks for using Babel: we
recommend using babel-preset-env now: please read babeljs.io/env to update!
npm WARN deprecated [email protected]: gulp-util is deprecated - replace it,
following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated [email protected]: deprecated in favour of uglify-es
npm WARN deprecated [email protected]: This package is unmaintained. Use
@sinonjs/formatio instead
npm WARN deprecated [email protected]: This package has been deprecated in favour of
@sinonjs/samsam
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for
compatibility with current and future versions of Node.js
npm WARN deprecated [email protected]: This package has been deprecated in favour of
@sinonjs/samsam
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or
higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: CircularJSON is in maintenance only,
flatted is its successor.
npm WARN deprecated [email protected]: Please update to minimatch 3.0.2 or
higher to avoid a RegExp DoS issue
npm WARN deprecated [email protected]: please upgrade to graceful-fs 4 for
compatibility with current and future versions of Node.js
> [email protected] install
> /Users/jpoore/Documents/Apache_SensSoft/Dev/incubator-senssoft-useralejs-SENSSOFT-192/node_modules/fsevents
> node install
node-pre-gyp WARN Tried to download(404):
https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.2.4/fse-v1.2.4-node-v67-darwin-x64.tar.gz
node-pre-gyp WARN Pre-built binaries not found for [email protected] and
[email protected] (node-v67 ABI, unknown) (falling back to source compile with
node-gyp)
 SOLINK_MODULE(target) Release/.node
 CXX(target) Release/obj.target/fse/fsevents.o
../fsevents.cc:63:6: warning: field 'async_resource' will be initialized
after field 'lockStarted' [-Wreorder]
  : async_resource("fsevents:FSEvents"), lockStarted(false) {
   ^
1 warning generated.
 SOLINK_MODULE(target) Release/fse.node
 COPY
/Users/jpoore/Documents/Apache_SensSoft/Dev/incubator-senssoft-useralejs-SENSSOFT-192/node_modules/fsevents/lib/binding/Release/node-v67-darwin-x64/fse.node
 TOUCH Release/obj.target/action_after_build.stamp
> [email protected] postinstall
> /Users/jpoore/Documents/Apache_SensSoft/Dev/incubator-senssoft-useralejs-SENSSOFT-192/node_modules/nodemon
> node bin/postinstall || exit 0
npm notice created a lockfile as package-lock.json. You should commit this file.
added 879 packages from 1036 contributors and audited 6258 packages in 22.337s
found 5 vulnerabilities (1 low, 4 high)
> Gulp Mocha Dependency Deprecation: Critical Command Injection Vulnerability
> ---------------------------------------------------------------------------
>
> Key: SENSSOFT-321
> URL: https://issues.apache.org/jira/browse/SENSSOFT-321
> Project: SensSoft
> Issue Type: Bug
> Components: UserALE.js
> Affects Versions: UserALE.js 1.0.0, UserALE.js 1.1.0
> Environment: javascript
> Reporter: Joshua Poore
> Assignee: Joshua Poore
> Priority: Critical
> Fix For: UserALE.js 1.1.0
>
> Attachments: Gulp Mocha Vulnerability
>
>
> Gulp Mocha v3.x has a critical vulnerability (see attached terminal output
> for details) due to the "growl" package dependency. Vulnerability must be fixed
> before being deployed on a network with any exposure.
> Running NPM/Node v 11.6
> Will post in comments as issue is explored.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
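The verification step described in the comment (confirming which versions of a transitive dependency such as growl actually ended up installed after the gulp-mocha bump) can be done by walking package-lock.json instead of searching node_modules by hand. This is an added example, not code from the Jira thread or from UserALE.js; the sample lockfile, its package versions and the minimum-version threshold are constructed placeholders.

```python
import json

# Constructed sample lockfile in the lockfileVersion 1 shape npm 5/6 writes;
# package versions here are placeholders, not UserALE.js's real tree.
SAMPLE_LOCK = json.dumps({
    "name": "sample-app",
    "lockfileVersion": 1,
    "dependencies": {
        "gulp-mocha": {
            "version": "3.0.1",
            "dependencies": {
                "mocha": {
                    "version": "3.5.3",
                    "dependencies": {"growl": {"version": "1.9.2"}},
                }
            },
        },
        "some-other-tool": {
            "version": "2.0.0",
            "dependencies": {"growl": {"version": "1.10.5"}},
        },
    },
})

def parse_version(v):
    """Turn '1.10.5' into (1, 10, 5) so versions compare numerically."""
    return tuple(int(part) for part in v.split("-")[0].split("."))

def find_installed(tree, name, path=()):
    """Yield (dependency path, version) for every nested copy of `name`."""
    for dep, meta in tree.get("dependencies", {}).items():
        here = path + (dep,)
        if dep == name:
            yield " > ".join(here), meta["version"]
        # Recurse: npm nests a separate copy under a parent on version conflict.
        yield from find_installed(meta, name, here)

def audit_package(lock_text, name, min_safe):
    """Return [(path, version)] for copies of `name` older than `min_safe`."""
    lock = json.loads(lock_text)
    return [(p, v) for p, v in find_installed(lock, name)
            if parse_version(v) < parse_version(min_safe)]

if __name__ == "__main__":
    # The threshold is a placeholder; take the real one from `npm audit`.
    for path, version in audit_package(SAMPLE_LOCK, "growl", "1.10.0"):
        print(f"{path} @ {version} is below the minimum safe version")
```

Run against a real package-lock.json by passing its file contents instead of SAMPLE_LOCK; every copy of the package that npm nested under a different parent is reported with its full path, which is what an upgrade of the top-level dependency must actually remove.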