Rio

Reputation: 21

How to fix vulnerability in npm dependencies?

I got 18 vulnerabilities by running npm audit, then I went for the one which is labeled as high.

Here is its detail:

  High            Denial-of-Service Memory Exhaustion
  Package         qs
  Patched in      >= 1.x
  Dependency of   google-search-scraper
  Path            google-search-scraper > request > qs
  More info       https://nodesecurity.io/advisories/29

It seems like we need to update the request package, so I have installed it with npm i request.

Now what next? The audit command is giving the same results again.

Please help,

Thank you

EDIT

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   botkit
  Path            botkit > botbuilder > jsonwebtoken > joi > hoek
  More info       https://nodesecurity.io/advisories/566

Upvotes: 0

Views: 2445

Answers (2)

kelvin.M

Reputation: 1

A solution that has worked for me is to initially create a JSON file which will be the manifest. Before installing the npm package, start with the following: npm init -y. That way you agree to all the details that will be added by the JSON file; you can edit them afterwards.

Then proceed with npm install <package name>.

Upvotes: 0

Estus Flask

Reputation: 223114

As the report says, the qs vulnerability has been fixed in 1.x. It's not a problem for the latest request versions. google-search-scraper has a request@~2.33.0 dependency that depends on qs@~0.6.0. Regardless of which request version is installed in the project, google-search-scraper will continue to use the 2.33.x version that contains the vulnerability.

google-search-scraper should be forked and used instead of the original package, and the request dependency version should be updated in the fork, e.g. to request@^2.33.0. Additionally, an issue can be opened in the package repository and supplemented with a PR.

Upvotes: 1
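To see why installing a newer request at the top level leaves the finding in place, here is an added example (not from the question or either answer) that walks a constructed package-lock style dependency tree and reports every copy of qs still below the patched version, with the nesting path npm audit would print. The sample tree and its versions, the threshold "1.0.0" standing in for the report's ">= 1.x", and the function names are assumptions.

```javascript
// Added example (not from the question or either answer): walk a package-lock
// style dependency tree and report every copy of a package still below its
// patched version, with the nesting path of each copy. The tree is constructed.
const sampleLock = {
  // a fixed request/qs at top level ...
  dependencies: {
    request: { version: "2.88.0", dependencies: { qs: { version: "6.5.2" } } },
    // ... while google-search-scraper still pins old request, which pins old qs
    "google-search-scraper": {
      version: "0.1.0",
      dependencies: {
        request: { version: "2.33.0", dependencies: { qs: { version: "0.6.6" } } },
      },
    },
  },
};

// Numeric compare of "major.minor.patch" strings; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every copy of `name` in the tree, with its "a > b > c" path.
function findInstances(tree, name, path = []) {
  const out = [];
  for (const [dep, meta] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" > "), version: meta.version });
    out.push(...findInstances(meta, name, here));
  }
  return out;
}

// Keep only copies below the patched minimum ("1.0.0" stands in for ">= 1.x"):
// these are the ones npm audit keeps reporting whatever is installed at top level.
function vulnerableInstances(tree, name, patchedMin) {
  return findInstances(tree, name).filter(
    (i) => compareVersions(i.version, patchedMin) < 0
  );
}

console.log(vulnerableInstances(sampleLock, "qs", "1.0.0"));
// prints [ { path: 'google-search-scraper > request > qs', version: '0.6.6' } ]
```

The top-level request > qs copy passes, and only the copy nested under google-search-scraper is flagged, which is exactly why the fork-and-bump approach is needed rather than a top-level install.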
