The npm community forum has been discontinued.
high severity vulnerabilities due to firstname.lastname@example.org
What I Wanted to Do
I am using hippie in one of my repos. Installing it yields a vulnerability warning in the console.
My goal is to get rid of those vulnerability warnings to gain trust regarding #security ¯\_(ツ)_/¯
I learned that the dependency of node-gyp is causing this issue. You might want to upgrade to
What Happened Instead
I got the vulnerability warning
- set up a repo with email@example.com as a dependency
- run npm install
- see the vulnerability report
Then, if you do npm audit fix and check the diff afterwards, you’ll see that firstname.lastname@example.org is causing tar to be included at version 2.x, which is causing trouble. If you update node-gyp@latest this should be mitigated.
└─┬ email@example.com
  └─┬ firstname.lastname@example.org
    └─┬ email@example.com
      └─┬ firstname.lastname@example.org
        └── email@example.com
$ npm -v
6.9.0
$ node -p process.platform
linux
There’s even a fix in tar: https://github.com/npm/node-tar/issues/212
But, there’s a feature in npm called “bundledDependencies” which the npm package uses, which effectively prevents dependencies npm uses from being updated. -_-
Please make npm audit happy with npm / tar / node-gyp again. TIA.
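As an added example (not part of the original post and not npm's own code), a small Node script that reads a lockfile-v1 package-lock.json, lists every installed copy of a package with its dependency path, and marks the bundled copies, since those are the ones `npm audit fix` cannot swap out. The lock object, the package versions and the function names are constructed for illustration; the only format assumption is that npm 6.x lockfiles flag bundled entries with `"bundled": true`.

```javascript
'use strict';
// Added example, not from the original post: inspect a lockfile-v1
// package-lock.json (what npm 6.x writes) and list every copy of a package.
// Bundled copies ship inside the parent's tarball, so `npm audit fix` cannot replace them.

// Constructed sample lock mirroring the reported shape: app -> node-gyp ->
// tar@2.x (bundled), plus an unbundled top-level tar. Versions are made up.
const sampleLock = {
  name: 'my-app',
  lockfileVersion: 1,
  dependencies: {
    'node-gyp': {
      version: '0.0.0-constructed',
      requires: { tar: '^2.0.0' },
      dependencies: { tar: { version: '2.2.1', bundled: true } },
    },
    tar: { version: '4.4.8' },
  },
};

// Walk nested `dependencies` and collect every installed copy of `name`.
function findCopies(lock, name, trail = [], hits = []) {
  for (const [depName, entry] of Object.entries(lock.dependencies || {})) {
    const path = [...trail, depName];
    if (depName === name) {
      hits.push({ path, version: entry.version, bundled: entry.bundled === true });
    }
    findCopies(entry, name, path, hits); // copies nested under this package
  }
  return hits;
}

// Copies of `name` on a vulnerable major line, with whether `npm audit fix`
// can bump them (unbundled) or an upstream release is needed (bundled).
function auditFixOutlook(lock, name, badMajors) {
  return findCopies(lock, name)
    .filter((hit) => badMajors.includes(Number(hit.version.split('.')[0])))
    .map((hit) => ({
      ...hit,
      fixable: !hit.bundled,
      note: hit.bundled
        ? `bundled by ${hit.path[hit.path.length - 2]}; wait for its upstream release`
        : 'npm audit fix can bump this copy',
    }));
}

for (const r of auditFixOutlook(sampleLock, 'tar', [2])) {
  console.log(`${r.path.join(' > ')}@${r.version}: ${r.note}`);
}
```

Point the same walker at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` to see which audit findings a local `npm audit fix` can actually reach.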