NPM audit and vulnerabilities

[simonchabrol]

Hey,

After installing the clone of this github, npm audit notified me of the presence of five vulnerabilities (2 low, 3 moderate). So I asked myself if this problem comes from my side, or if parts of your package have problems. Here is the list of vulnerabilities :

Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   botkit

  Path            botkit > botbuilder > jsonwebtoken > joi > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   botkit

  Path            botkit > botbuilder > jsonwebtoken > joi > topo > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Out-of-bounds Read

  Package         base64url

  Patched in      >=3.0.0

  Dependency of   botkit

  Path            botkit > botbuilder > base64url

  More info       https://nodesecurity.io/advisories/658


  Low             Regular Expression Denial of Service

  Package         debug

  Patched in      >= 2.6.9 < 3.0.0 || >= 3.1.0

  Dependency of   botkit

  Path            botkit > localtunnel > debug

  More info       https://nodesecurity.io/advisories/534


  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   botkit

  Path            botkit > vorpal > inquirer > lodash

  More info       https://nodesecurity.io/advisories/577

[peterswimm]

You can update these yourself in the package.json file. It would be useful if someone can test if these updates, and if they do not break any functionality, submit a pull request to get these updated.

[simonchabrol]

Hi, sorry but I don't know how to make a pull request.

[peterswimm]

You can read more about that here:
https://github.com/howdyai/botkit/blob/master/CONTRIBUTING.md

In the meantime, you can update the minimum versions in your package.json to avoid the warn errors, and Ill put the task on our internal roadmap if the community doesn't beat us to the updates.

[Laptopmini]

The latest version has a couple of fixes needed.

found 4 vulnerabilities (3 moderate, 1 high)

After running npm audit fix its down to:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ handlebars                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ express-hbs                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ express-hbs > handlebars                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/755                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

However it seems the dev has fixed this in his v1 releases:
https://github.com/barc/express-hbs/tree/v1.1.1

Thus you can fix it using:

$ npm install express-hbs@1.1.1
+ express-hbs@1.1.1
added 1 package, removed 16 packages, updated 6 packages and audited 7430 packages in 4.15s
found 0 vulnerabilities

[Laptopmini]

Its also worth noting both dependencies querystring and request are never used in the code base and can be removed.

Mind you, request is only removed from package.json as its also a child dependency.