npm i npm@6.2.0 (latest) shows security noise

cli
security
priority:low
triaged

(Christopher J Brody) #1

What I Wanted to Do

npm i npm@latest should run without security noise

What Happened Instead

npm i npm@latest or npm i npm@6.2.0 shows the following security noise:

found 20 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

I completely understand that this is a known issue with a partial solution proposed in npm/cli#20 which is waiting for a solution on node-gyp, reporting here for tracking and discussion purposes.

Note that I am reporting this as a “security noise” issue since I have read confirmation from both CLI PR #20 and security@npmjs.com that this is not a real security vulnerability.

Reproduction Steps

  • make a test project using commands like the following (npm audit noise does not show up in the case of npm i -g, which is another topic coming up)
    • mkdir local-npm-test
    • cd local-npm-test
    • npm init and hit return a bunch of times to make empty package.json file
  • try npm i npm@6.2.0 or npm i npm@latest within the local npm test project

Details

Details shown for my Windows 10 system, same issue on my mac OS system.

Platform Info

$ npm --versions
{ npm: '6.2.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.32.0',
  node: '10.7.0',
  openssl: '1.1.0h',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.22.0',
  v8: '6.7.288.49-node.15',
  zlib: '1.2.11' }
$ node -p process.platform
win32

(Kat Marchán) #2

tl;dr this isn’t a problem, and is only mildly irritating, but poses no risk whatsoever to our users.

This is intentional. For the time being, we’re unable to upgrade beyond request@2.81.0 because node-gyp@3.7.0 pins it to that version. Until node-gyp itself updates request, it’ll continue to be in our tree, and/or cause a bunch of deduplication.

The audit is entirely related to a single advisory, and Hoek.merge is not used anywhere in the npm source or its dependencies, therefore we are not affected by it. You can safely ignore npm-related audit results for Hoek, and they’ll just be a mild annoyance until upgrades can be made.

See also:


(Christopher J Brody) #3

FYI the needed fix in node-gyp should be coming soon ref:


(Kat Marchán) #4

Nice! Thanks for updating us :tada:


(Christopher J Brody) #5

Still waiting for merge and publish of nodejs/node-gyp#1502. Adding a reminder that the following dependencies should also be updated upon merge and publish of nodejs/node-gyp#1502:

  • npm-lifecycle
  • cipm (should use updated npm-lifecycle once it is available)

(Christopher J Brody) #6

node-gyp@3.8.0 should solve this now ref: nodejs/node-gyp#1521


(Christopher J Brody) #7

(see contribution in npm/cli#44)


(Kat Marchán) #8

This is fixed with Release: npm@6.4.0-next.0. Thanks for letting me know!