npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm audit seems to get semver wrong?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.


It is resolved by npm now



We have exactly the same issue and have not yet found a workaround. This makes our build fail and is preventing us from making a release until we find a solution. (Furthermore, webpack-dev-server is only a dev dependency, so it shouldn't be a high-priority issue anyway.) Suggestions most welcome!


Hi,

I’ve updated to webpack-dev-server@3.1.14, but the issue remains.
Where am I wrong?


Still having this same issue with Angular 7


I had this issue in two projects this morning.

npm resolved this only in one, the Angular 6 project with dev dependencies
"@angular-devkit/build-angular": "~0.7.0",
"@angular/cli": "~6.1.2"

The issue still occurs for the second, Angular 7 project with dev dependencies:
"@angular-devkit/build-angular": "^0.11.4",
"@angular/cli": "~7.0.2",


you can add this to your package.json until angular-devkit releases a new version:

"resolutions": {
    "@angular-devkit/build-angular/webpack-dev-server": "^3.1.14"
}


Hi,

How should the people already facing this issue fix it?

Thanks for the answer!!


could you please let me know how to update the webpack-dev-server to a greater version?


Interestingly enough, yarn audit fails with the same error.


Thank you for raising this issue to the attention of the npm security team. The issue has been fixed and you should no longer face the incorrect advisory. We understand what caused the issue and will take measures in our tooling to prevent it in the future.

If you find any issues in the future please let us know and we will do our best to help.

Thank you for helping us make the npm ecosystem more secure.
Best regards,
Andre Eleuterio
npm security team


No fix should be necessary. We updated the advisory so by running npm audit on a project with webpack-dev-server >= 3.1.11 you should no longer see the incorrect advisory. Please let us know if you still face the issue.

Best regards,
Andre Eleuterio
npm security team


The original commit supposedly fixing this issue isn't included in any releases, so I suppose the original confusion might come from that. v3.1.11 does have a fix for this issue; however, versions v3.1.12 to v3.1.14 all seem to be bugfixes for the first fix in v3.1.11.

Either way, that does look like a typo.

Also, I find it a bit weird that prereleases are automatically considered unaffected.


Hi,

I am still facing the same issue, even after creating a new project using the latest Angular CLI version, 7.2.0.

Also tried updating webserver version.

Please help!!!


Hi Diaan,

Thanks for your information. I have changed the version number both at package.json file and package-lock.json file, deleted the node_modules and installed again using npm i. This fixed the issue.


Note: I'm going to be deleting "me too" posts. They mostly add noise. If you're still having issues, see "npm audit seems to get semver wrong?", because some packages have not updated webpack-dev-server and thus there's no way to fix this without removing those packages right now. This is outside our control and more of a #support issue or a bug for those individual projects.


I still get the same error, please advise:

npm WARN rollback Rolling back node-pre-gyp@0.10.0 failed (this is probably harmless): EPERM: operation not permitted, lstat 'C:\Users\vamsi.kondaparthi\Desktop\myjava\Anjular\cmp-databinding\node_modules\fsevents\node_modules'
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

C:\Users\vamsi.kondaparthi\Desktop\myjava\Anjular\cmp-databinding>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation

Package webpack-dev-server

Patched in >=3.1.11

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > webpack-dev-server

More info https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 43619 scanned packages
1 vulnerability requires manual review. See the full report for details.


Is mentioning this typo here the correct place to get this issue resolved?
Or should it be reported as a separate bug?

Because it is causing problems for quite some people:
https://github.com/angular/angular-cli/issues/13342
https://github.com/webpack/webpack-dev-server/issues/1615


Updating Angular to the latest version solves the problem.


How?? I’m not able to fix mine…


I also am still having this issue even after npm apparently resolved it.


I’m still getting the error.

Please help me to fix this. Thanks.


What I Wanted to Do

npm audit -> all good

What Happened Instead

npm audit reporting a vulnerability

Reproduction Steps

$ grep webpack-dev-server package-lock.json
    "webpack-dev-server": {
      "resolved": "https://registry.npmjs.org/webpack-dev-server/-/webpack-dev-server-3.1.14.tgz",

$ grep webpack-dev-server package.json
    "start": "webpack-dev-server --mode=development --no-info",
    "webpack-dev-server": "3.1.14"

$ npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  High            Missing Origin Validation

  Package         webpack-dev-server

  Patched in      >=3.1.11

  Dependency of   webpack-dev-server [dev]

  Path            webpack-dev-server

  More info       https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 8521 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Details

Isn’t 3.1.14 >=3.1.11 ???

Even more confusing, citing https://www.npmjs.com/advisories/725:

Versions of webpack-dev-server before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer’s source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.

Remediation

Update to version 3.1.6 or later.

Platform Info

$ npm --versions
{ 'paolos-password-safe': '1.0.0',
  npm: '6.5.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.12.0',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.66',
  zlib: '1.2.11' }
$ node -p process.platform
win32


This appears to be a typo in the npm vulnerability database. Someone has typed "vulnerable_versions":"<=3.110" (rather than <=3.1.10), which is marking all versions as vulnerable. This needs to be fixed upstream by the npm audit team.

Output of yarn audit --json:

{
  "type": "auditAdvisory",
  "data": {
    "resolution": {
      "id": 725,
      "path": "webpack-dev-server",
      "dev": false,
      "optional": false,
      "bundled": false
    },
    "advisory": {
      "findings": [
        {
          "version": "3.1.14",
          "paths": ["webpack-dev-server"],
          "dev": false,
          "optional": false,
          "bundled": false
        }
      ],
      "id": 725,
      "created": "2018-11-07T17:10:22.191Z",
      "updated": "2018-12-31T18:58:12.106Z",
      "deleted": null,
      "title": "Missing Origin Validation",
      "found_by": {"link": "https://blog.cal1.cn/link", "name": "Jiantao Li"},
      "reported_by": {"link": "https://blog.cal1.cn/link", "name": "Jiantao Li"},
      "module_name": "webpack-dev-server",
      "cves": ["CVE-2018-14732"],
      "vulnerable_versions": "<=3.110",
      "patched_versions": ">=3.1.11",
      "overview": "Versions of `webpack-dev-server` before 3.1.6 are missing origin validation on the websocket server. This vulnerability allows a remote attacker to steal a developer's source code because the origin of requests to the websocket server that is used for Hot Module Replacement (HMR) are not validated.",
      "recommendation": "Update to version 3.1.6 or later.",
      "references": "- [Sniffing Codes in Hot Module Reloading Messages\n](https://blog.cal1.cn/post/Sniffing%20Codes%20in%20Hot%20Module%20Reloading%20Messages)\n- [GitHub commit](https://github.com/webpack/webpack-dev-server/commit/f18e5adf123221a1015be63e1ca2491ca45b8d10)",
      "access": "public",
      "severity": "high",
      "cwe": "CWE-346",
      "metadata": {"module_type": "", "exploitability": 5, "affected_components": ""},
      "url": "https://npmjs.com/advisories/725"
    }
  }
}
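To make the typo concrete: the post above shows why "<=3.110" swallows every released webpack-dev-server, because a semver comparison reads it as 3.110.0, far above 3.1.14. The following is an added example, not code from this thread, from npm, or from the node-semver library; it is a deliberately minimal comparator (missing version components are padded with zeros, which is an assumption made here for illustration; node-semver's real range grammar is richer, but it reaches the same verdict for this case) plus the kind of self-consistency check an advisory pipeline could run before publishing: if any version satisfies both vulnerable_versions and patched_versions, the advisory contradicts itself. The advisory objects and probe versions are constructed from the values quoted in the thread.

```javascript
// Added example (not from the thread, npm, or node-semver): a minimal
// semver comparator showing why "<=3.110" matched webpack-dev-server
// 3.1.14, and a sanity check that flags an advisory whose vulnerable and
// patched ranges overlap.

// Parse "MAJOR.MINOR.PATCH". Missing components are padded with 0
// (assumption for illustration: "3.110" becomes 3.110.0).
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length > 3 || parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`bad version: ${v}`);
  }
  while (parts.length < 3) parts.push(0);
  return parts;
}

// Returns -1, 0 or 1 comparing a to b numerically, component by component.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Supports a single comparator, or a space-separated AND of comparators,
// which is the only shape the advisory in the thread uses.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every(part => {
    const m = /^(<=|>=|<|>|=)?(\d+(?:\.\d+){0,2})$/.exec(part);
    if (!m) throw new Error(`unsupported range: ${part}`);
    const [, op = '=', bound] = m;
    const c = compareVersions(version, bound);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0, '=': c === 0 }[op];
  });
}

// Self-consistency check: a version that is both vulnerable and patched
// means the advisory is broken. Probing the patched lower bound and a few
// neighbours is enough to catch the "<=3.110" style of typo. Returns the
// first contradicting version, or null if the ranges are disjoint.
function findContradiction(advisory, probes) {
  return probes.find(v =>
    satisfies(v, advisory.vulnerable_versions) &&
    satisfies(v, advisory.patched_versions)) || null;
}

// Constructed from the yarn audit --json output quoted in the thread.
const advisoryAsPublished = {
  id: 725, vulnerable_versions: '<=3.110', patched_versions: '>=3.1.11',
};
// The range the post above says was intended.
const advisoryCorrected = {
  id: 725, vulnerable_versions: '<=3.1.10', patched_versions: '>=3.1.11',
};
const probes = ['3.1.10', '3.1.11', '3.1.14', '3.110.0', '3.111.0'];

console.log('3.1.14 satisfies <=3.110:', satisfies('3.1.14', '<=3.110'));
console.log('3.1.14 satisfies <=3.1.10:', satisfies('3.1.14', '<=3.1.10'));
console.log('published advisory contradiction:', findContradiction(advisoryAsPublished, probes));
console.log('corrected advisory contradiction:', findContradiction(advisoryCorrected, probes));
```

Run it with node; the published advisory is flagged at 3.1.11 (the first patched version, which the typo also marks vulnerable), while the corrected one yields null. The probe list deliberately includes the patched lower bound, since that is the version a typo in the vulnerable upper bound will always catch first.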


It appears they’ve updated the advisory and fixed the typo


I’m still having the same issue and I’m using the Angular CLI version 7.1.14.

I ran the npm install --save-dev webpack-dev-server@latest command, but the error still appears.


npm install --save-dev webpack-dev-server@latest

This should do the job.


I’m still having the same problem.

C:\Users\Oscar\Documents\Node\Projects\angular-todo>npm audit

                   === npm audit security report ===


                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High Missing Origin Validation

Package webpack-dev-server

Patched in >=3.1.11

Dependency of @angular-devkit/build-angular [dev]

Path @angular-devkit/build-angular > webpack-dev-server

More info https://nodesecurity.io/advisories/725

found 1 high severity vulnerability in 43822 scanned packages
1 vulnerability requires manual review. See the full report for details.


??? What is it? :thinking: