Hello, I saw a potential security vulnerability when I tried to use my repository on GitHub again; it told me to fix this. The error is in the below link:
```json
        "true-case-path": "1.0.2"
      },
      "dependencies": {
        "loggy": {
          "version": "0.3.5",
          "resolved": "https://registry.npmjs.org/loggy/-/loggy-0.3.5.tgz",
          "integrity": "sha1-M/EoAbH2Bjlm6nnZtqJduPy8QQc=",
          "dev": true,
          "requires": {
            "ansicolors": "0.3.2",
            "growl": "1.8.1"
          }
        }
      }
    },
    "deps-install": {
      "version": "0.1.1",
      "resolved": "https://registry.npmjs.org/deps-install/-/deps-install-0.1.1.tgz",
      "integrity": "sha512-jWfJiF0TZ4DgMcx6TIshx/slF6MexjHxik6iGlAx89z5cxHHtF/zt9c9UOC41PJX5kkJhlpXdU9msTq4K1v4Qg==",
      "dev": true,
      "requires": {
```
After this error I opened an issue about it on the Phoenix GitHub:

Issue opened 12:16PM - 29 Dec 16 UTC, closed 04:35PM - 25 Jan 17 UTC, label: bug
### Description
In brunch notifications, words starting with a `$` seem to be… missing.
### Expected behavior
Words starting with a `$` should be shown.
### Actual behavior

In the above screenshot, note how the word "$black" is missing in the notification. Compare with the text in the terminal.
Here's the test repo: https://github.com/lydell/brunch-notification-bug
1. `npm install`
2. `brunch build`
### Environment
1. Brunch: 2.9.1
2. Node: 6.9.1
3. NPM: 3.10.8
4. Operating system: Ubuntu Gnome 16.04
### `package.json` contents
```json
{
  "private": true,
  "devDependencies": {
    "brunch": "^2.9.1",
    "sass-brunch": "^2.9.0"
  }
}
```
### brunch config contents
```javascript
module.exports = {
  files: {
    stylesheets: {
      joinTo: 'app.css'
    }
  }
}
```
I then searched on Google and found Notifications: Shell injection vulnerability! (was: Problems with $-sign) · Issue #1603 · brunch/brunch · GitHub, where they said it was for the sake of Brunch, but I didn't know how I could update this. Was there a solution?
I use Phoenix v1.3.3 and Node v9.3.0. Is there a security error for me or not?
1 Like
Hi, I got the same issue as you just after bootstrapping a Phoenix application.
GitHub has detected a potential vulnerability from the node-growl dependency. The vulnerability comes from loggy, pulled in from brunch.io. I had to upgrade brunch to a version that doesn't use loggy anymore. I used the tool npm-check-updates to do so.

`cd assets`

Installed ncu:

```text
~/s/e/assets ❯❯❯ npm i -g npm-check-updates ✘ 127 master ◼
/home/marco/.npm-global/bin/npm-check-updates -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/npm-check-updates
/home/marco/.npm-global/bin/ncu -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/ncu
+ npm-check-updates@2.14.2
added 383 packages in 15.239s
```

Performed npm dependency upgrades with ncu:

```text
~/s/e/assets ❯❯❯ ncu -u
Using /home/marco/sources/eisenhower_matrix/assets/package.json
[..................] \ :
babel-brunch 6.1.1 → 7.0.0
brunch 2.10.9 → 2.10.17
Upgraded /home/marco/sources/eisenhower_matrix/assets/package.json
```

Installed npm dependencies:

```text
~/s/e/assets ❯❯❯ npm install master ✱ ◼
npm WARN assets No description
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 125 packages, removed 106 packages, updated 30 packages and moved 10 packages in 17.284s
```
Then I pushed the project to GitHub and the vulnerability was fixed.
I hope it helps you too.
2 Likes
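The two posts above boil down to one question: which direct dependency drags the flagged package (growl, via loggy) into the tree, and is it really gone after the upgrade? The following is an added example, not code from the thread, from npm or from brunch. It walks a package-lock.json of lockfileVersion 1 (the nested `dependencies`/`requires` layout quoted in the first post), resolves each `requires` entry the way Node does (nearest nested scope first, then outward to the root), and lists every chain from a direct dependency down to a target package. The lock data is constructed to mirror the fragment in the thread; the `some-logger` package in the "after" tree is a placeholder, not brunch's real dependency list.

```javascript
// Added example, not code from the thread or from npm/brunch: list every chain
// through which a named package is pulled into a lockfileVersion 1 tree.
// Run on the lock file before and after bumping a direct dependency to see
// which package to upgrade and to confirm the flagged package is gone.

// Resolve `name` the way Node does for a lockfile v1 tree: search the nearest
// nested "dependencies" map first, then each enclosing scope out to the root.
// Returns the node and the scope chain that applies to *its* children.
function resolvePackage(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const node = scopes[i][name];
    if (node) return { node, scopes: scopes.slice(0, i + 1) };
  }
  return null;
}

// All chains of package names from one of `directDeps` down to `target`.
// `directDeps` comes from package.json, because the root "dependencies" map of
// a lock file also holds hoisted transitive packages (growl, ansicolors here).
function findPathsTo(lock, directDeps, target) {
  const paths = [];
  const root = lock.dependencies || {};

  function walk(name, node, scopes, trail) {
    if (trail.includes(name)) return;            // guard against cyclic requires
    const chain = [...trail, name];
    if (name === target) { paths.push(chain); return; }
    // A package's own nested "dependencies" shadow outer scopes for its children.
    const childScopes = node.dependencies ? [...scopes, node.dependencies] : scopes;
    for (const dep of Object.keys(node.requires || {})) {
      const found = resolvePackage(dep, childScopes);
      if (found) walk(dep, found.node, found.scopes, chain);
    }
  }

  for (const name of directDeps) {
    if (root[name]) walk(name, root[name], [root], []);
  }
  return paths;
}

// Human-readable summary, e.g. "growl is pulled in via: brunch > loggy > growl".
function report(lock, directDeps, target) {
  const paths = findPathsTo(lock, directDeps, target);
  if (paths.length === 0) return `${target} is not pulled in by ${directDeps.join(', ')}`;
  return `${target} is pulled in via:\n` + paths.map((p) => '  ' + p.join(' > ')).join('\n');
}

// Constructed sample data modelled on the lock fragment in the thread (not a
// real project's file). "before": brunch 2.10.9 -> loggy 0.3.5 -> growl 1.8.1,
// with growl and ansicolors hoisted to the root as npm would place them.
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    brunch: {
      version: '2.10.9', dev: true,
      requires: { loggy: '0.3.5' },
      dependencies: {
        loggy: { version: '0.3.5', dev: true, requires: { ansicolors: '0.3.2', growl: '1.8.1' } },
      },
    },
    ansicolors: { version: '0.3.2', dev: true },
    growl: { version: '1.8.1', dev: true },
  },
};

// "after": the shape wanted once brunch no longer depends on loggy. The
// 'some-logger' name is a placeholder, not brunch 2.10.17's real dependency.
const lockAfter = {
  lockfileVersion: 1,
  dependencies: {
    brunch: { version: '2.10.17', dev: true, requires: { 'some-logger': '1.0.0' } },
    'some-logger': { version: '1.0.0', dev: true },
  },
};

const directDeps = ['brunch']; // the package.json devDependencies in this sample

console.log(report(lockBefore, directDeps, 'growl'));
console.log(report(lockAfter, directDeps, 'growl'));
```

To use it on a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('assets/package-lock.json'))` and take `directDeps` from the `dependencies` and `devDependencies` keys of `assets/package.json`. Starting the walk only from the direct dependencies matters: a hoisted root-level entry such as growl would otherwise be reported as if it were something you depend on yourself, which is exactly the confusion in the first post.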
You can always upgrade brunch manually, that's fine; you don't even need to use brunch at all, use whatever you want (it's pluggable!). Even the next Phoenix (1.4) has switched to webpack instead of brunch, now that webpack is fast.
1 Like