Home  ›  Chai 1 Vulnerability Required Manual Review and Could Not Be Updated

Chai 1 Vulnerability Required Manual Review and Could Not Be Updated

Written By sexta-feira, 22 de abril de 2022 Add Comment Edit

npm dependency graph as cover image

https://miro.medium.com/max/1021/i*MrEp6Y0l1B7Ixt5mfE3fWA.png

Hola people!!! 🥑

It's been a while since I accept written a weblog and now since most of us are working from dwelling, the time that used to go in commute is now saved and I thought why not employ this time and write about my recent experience of fixing a security vulnerability.

Then if any of you lot in the recent time have seen something similar this prototype below and take no clue how to set information technology and then this article is for y'all. When I saw information technology, I had no inkling either but with some research I could gear up this.

🔬 Trouble:

github security vulernability bot alert

github security vulnerability bot alert

So what this means is 1 of the dependencies in your package.json has some security implications which tin can be exploited past an attacker and can cause bug for y'all, your product, for users of your product or the company you work for.

For case: https://snyk.io/vuln/npm:eslint:20180222

This vulnerability could have caused a Regular Expression Denial of Service

💡 Finding:

In gild to find potential vulnerabilities in your repo, you lot can either do

  1. npm audit — which should show y'all an output like the following image:

npm audit log showing minimist as a prototype pollution vulnerability

npm audit log

2) Github security policy can besides notify y'all — something like the post-obit epitome:

github security page screenshot showing minimist as a moderate level vulnerability

github security alarm

Today when I started working I had to deal with this error where acorn and minimist were being reported equally security vulnerabilities.

🎉 Solution

Solution to this trouble is in steps:-

📦 npm update

  1. This is the showtime thing you should practice and information technology's the simplest one too.
  • Run npm update — https://docs.npmjs.com/cli-commands/update.html
  • Delete your package-lock.json file or for yarn users, delete your yarn.lock file. In an platonic world this would piece of work, simply there might be some dependency which does not follow semver and might become updated too.
  • And so a better solution here would be to simply delete the lines corresponding to the vulnerable packet in your bundle-lock.json(or yarn.lock) file.
  • Run npm install again

In an ideal scenario, this should have upgraded your dependencies to the adjacent semver version and those libraries might accept already fixed the version of there transitive dependencies.

🔭 npm audit

2. But if that did not set up your issue, which for minimistdid non fix for me, then follow the below mentioned steps:

ii.ane) To fix any dependency, y'all need to first know which npm package depends on that.

          npm audit

This volition tell you the packages which are vulnerable.

npm audit log showing minimist as a prototype pollution vulnerability

This tells me that minimist is required by mkdirp and that is required by mocha

A quick glance into package-lock.json can requite you more information around the affected version.

In my example mocha(7.ane.0) -> mkdirp(0.five.ane) -> minimist(0.0.viii) — the vulnerable version.

🔑 Resolutions primal

3) And finally the fix was:

3.1) Outset npm install the non-vulnerable version, which in my case was 1.2.five 

          npm install minimist --save-dev

yarn and npmusers

three.ii) Add together a resolutions fundamental in your package.json file

For npm users, nosotros need one more step for that resolutions key to work.

iii.3) Use npm-force-resolutions (https://www.npmjs.com/parcel/npm-force-resolutions)

3.4) After that run

          npm install

That's it. That solves the dependency bug which can not be updated using either npm update or past uninstalling and reinstalling a new dependency.

To bank check if the dependency works correctly

          npm ls minimist

This should give you an output the image below

⚠️ Disclaimer

If some packages are only compatible with an older version, so this modify might break your app. So be careful while resolving to a particular version and exam your app before releasing this modify.

👯 Requite this article a clap if you found it helpful!

You can follow me on twitter @VivekNayyar09 for more than updates. I work at Qoala App

Besides please don't forget to maintain social distance to forestall the virus from spreading and wash your hands regularly. Stay safe and stay at dwelling house.

About Qoala

Asuransi

Asuransi adalah perjanjian antara perusahaan asuransi dan pemegang polis yang menjadi dasar bagi penerimaan premi oleh perusahaan asuransi sebagai imbalan untuk :

a. ​memberikan penggantian kepada tertanggung atau pemegang polis karena kerugian, kerusakan, biaya yang timbul, kehilangan keuntungan, atau tanggung jawab hukum kepada pihak ketiga yang mungkin diderita tertanggung atau pemegang polis karena terjadinya suatu peristiwa yang tidak pasti;atau

b. memberikan pembayaran yang didasarkan meninggal atau hidupnya tertanggung dengan manfaat yang besarnya telah ditetapkan dan/atau didasarkan pada hasil pengelolaan dana.

Usaha perasuransian merupakan kegiatan usaha yang bergerak di bidang:

a. Jasa pertanggungan atau pengelolaan risiko.

b. Pertanggungan ulang risiko.

c. Pemasaran dan distribusi produk asuransi atau produk asuransi syariah.

d. Konsultasi dan keperantaraan asuransi, asuransi syariah, reasuransi, atau reasuransi syariah, atau

e. Penilai kerugian asuransi atau asuransi syariah.

Usaha perasuransian dilaksanakan oleh:

one. Perusahaan Asuransi:

​a. Perusahaan Asuransi Umum, adalah perusahaan yang memberikan jasa pertanggungan risiko yang memberikan penggantian karena kerugian, kerusakan, biaya yang timbul, kehilangan keuntungan, atau tanggung jawab hukum kepada pihak ketiga yang mungkin diderita tertanggung atau pemegang polis karena terjadinya suatu peristiwa yang tidak pasti.

b. Perusahaan Asuransi Jiwa, adalah perusahaan yang memberikan jasa dalam penanggulangan risiko yang memberikan pembayaran kepada pemegang polis, tertanggung, atau pihak lain yang berhak dalam hal tertanggung meninggal dunia atau tetap hidup, atau pembayaran lain kepada pemegang polis, tertanggung, atau pihak lain yang berhak pada waktu tertentu yang diatur dalam perjanjian, yang besarnya telah ditetapkan dan/atau didasarkan pada hasil pengelolaan dana.

c. Perusahaan Reasuransi, adalah perusahaan yang memberikan jasa dalam pertanggungan ulang terhadap risiko yang dihadapi oleh Perusahaan Asuransi Kerugian, Perusahaan Asuransi Jiwa, Perusahaan Penjaminan, atau Perusahaan Reasuransi lainnya.

two. Penunjang Usaha Asuransi:

a. Perusahaan Pialang Asuransi, adalah perusahaan yang memberikan jasa keperantaraan dalam penutupan asuransi atau asuransi syariah dan penanganan penyelesaian ganti rugi asuransi dengan bertindak untuk kepentingan tertanggung.

b. Perusahaan Pialang Reasuransi, adalah perusahaan yang memberikan jasa keperantaraan dalam penempatan reasuransi dan penanganan penyelesaian ganti rugi reasuransi dengan bertindak untuk kepentingan perusahaan asuransi, perusahaan penjaminan, perusahaan reasuransi.

c. Perusahaan Penilai Kerugian Asuransi, adalah perusahaan yang memberikan jasa penilaian terhadap klaim dan/atau jasa konsultasi atas obyek asuransi yang dipertanggungkan.

morabutedinefs.blogspot.com

Source: https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d

0 Response to "Chai 1 Vulnerability Required Manual Review and Could Not Be Updated"

Postar um comentário

Assinar: Postar comentários (Atom)

Iklan Atas Artikel

Iklan Tengah Artikel 1

Iklan Tengah Artikel 2

Iklan Bawah Artikel