GitHub found a potential security vulnerability from node-growl

shahryarjb · July 19, 2018, 6:05am

Hello, I saw a potential security vulnerability when I tried to use my repository in github again which it told me to fix this, this error is in blow link:

github.com

shahryarjb/ESOGTIPH/blob/master/assets/package-lock.json#L1328


    "true-case-path": "1.0.2"
  },
  "dependencies": {
    "loggy": {
      "version": "0.3.5",
      "resolved": "https://registry.npmjs.org/loggy/-/loggy-0.3.5.tgz",
      "integrity": "sha1-M/EoAbH2Bjlm6nnZtqJduPy8QQc=",
      "dev": true,
      "requires": {
        "ansicolors": "0.3.2",
        "growl": "1.8.1"
      }
    }
  }
},
"deps-install": {
  "version": "0.1.1",
  "resolved": "https://registry.npmjs.org/deps-install/-/deps-install-0.1.1.tgz",
  "integrity": "sha512-jWfJiF0TZ4DgMcx6TIshx/slF6MexjHxik6iGlAx89z5cxHHtF/zt9c9UOC41PJX5kkJhlpXdU9msTq4K1v4Qg==",
  "dev": true,
  "requires": {

after this error I issued it in Phoenix github :
https://github.com/brunch/brunch/issues/1603

and I searched it in google and found https://github.com/brunch/brunch/issues/1603 that they said it was for the sake of Brunch, but I didn’t how I can update this , was there a solution?

I use Phoenix v1.3.3 && Node v9.3.0, Is there some security error for me or not ?

marc-bouvier · September 17, 2018, 6:21pm

Hi, I got the same issue as you just after boostraping a pheonix application.

Github has detected a potential vulnerability from node-growl dependency. The vulnerability comes from loggy pulled from brunch.io . I had to upgrade brunch to a version that doesn’t use loggy anymore. I used the tool npm-check-updates to do so.

cd assets

Installed ncu

~/s/e/assets ❯❯❯ npm i -g npm-check-updates                                                              ✘ 127 master ◼
/home/marco/.npm-global/bin/npm-check-updates -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/npm-check-updates
/home/marco/.npm-global/bin/ncu -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/ncu
+ npm-check-updates@2.14.2
added 383 packages in 15.239s

Performed npm dependencies upgrades with ncu.

~/s/e/assets ❯❯❯ ncu -u
Using /home/marco/sources/eisenhower_matrix/assets/package.json
[..................] \ :
 babel-brunch   6.1.1  →    7.0.0 
 brunch        2.10.9  →  2.10.17 
Upgraded /home/marco/sources/eisenhower_matrix/assets/package.json

Installed npm dependencies.

~/s/e/assets ❯❯❯ npm install                                                                                 master ✱ ◼
npm WARN assets No description
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 125 packages, removed 106 packages, updated 30 packages and moved 10 packages in 17.284s

Then I pushed the project to GitHub and the vulnerability was fixed.

I hope it helps you too.

OvermindDL1 · September 17, 2018, 6:28pm

You can always upgrade brunch manually that’s fine, you don’t even need to use brunch at all, use whatever you want (it’s pluggable! ), even the next phoenix (1.4) has switched to webpack instead of brunch now that webpack is fast now.