shahryarjb

GitHub found a potential security vulnerability from node-growl

Hello, I saw a potential security vulnerability when I tried to use my repository on GitHub again, which told me to fix this; the error is at the link below:
https://github.com/shahryarjb/ESOGTIPH/blob/master/assets/package-lock.json#L1328

After this error I raised it on the Phoenix GitHub:
https://github.com/brunch/brunch/issues/1603

I also searched on Google and found Notifications: Shell injection vulnerability! (was: Problems with $-sign) · Issue #1603 · brunch/brunch · GitHub, where they said it was because of Brunch, but I didn’t know how I can update this. Was there a solution?

I use Phoenix v1.3.3 and Node v9.3.0. Is there some security error for me or not?

Most Liked Responses

marc-bouvier

Hi, I got the same issue as you just after bootstrapping a Phoenix application.

GitHub has detected a potential vulnerability from the node-growl dependency. The vulnerability comes from loggy, pulled in by brunch.io. I had to upgrade brunch to a version that doesn’t use loggy anymore. I used the tool npm-check-updates to do so.

cd assets

Installed ncu

~/s/e/assets ❯❯❯ npm i -g npm-check-updates                                                              ✘ 127 master ◼
/home/marco/.npm-global/bin/npm-check-updates -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/npm-check-updates
/home/marco/.npm-global/bin/ncu -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/ncu
+ npm-check-updates@2.14.2
added 383 packages in 15.239s

Performed npm dependencies upgrades with ncu.

~/s/e/assets ❯❯❯ ncu -u
Using /home/marco/sources/eisenhower_matrix/assets/package.json
[..................] \ :
 babel-brunch   6.1.1  →    7.0.0 
 brunch        2.10.9  →  2.10.17 
Upgraded /home/marco/sources/eisenhower_matrix/assets/package.json

Installed npm dependencies.

~/s/e/assets ❯❯❯ npm install                                                                                 master ✱ ◼
npm WARN assets No description
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 125 packages, removed 106 packages, updated 30 packages and moved 10 packages in 17.284s

Then I pushed the project to GitHub and the vulnerability was fixed.

I hope it helps you too.
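One way to see which direct dependency drags a flagged package into your lock file before reaching for ncu, as an added example that is not the asker's or the answerer's code: it parses a constructed lockfileVersion 1 package-lock.json fragment that mirrors the brunch -> loggy -> growl chain described above and lists every chain from a root package down to the flagged one. Only growl, loggy and brunch come from the thread; example-reporter and all versions are made up for the example.

```python
import json
from collections import deque
# Constructed lockfileVersion 1 fragment: only growl/loggy/brunch mirror the
# thread, the other names and all versions are made up for this example.
LOCK = json.loads("""{
  "name": "assets", "lockfileVersion": 1,
  "dependencies": {
    "brunch": {"version": "2.10.9", "requires": {"loggy": "^1.0.0", "chokidar": "^2.0.0"}},
    "loggy": {"version": "1.0.0", "requires": {"growl": "^1.9.2"}},
    "growl": {"version": "1.9.2"},
    "chokidar": {"version": "2.0.3"},
    "example-reporter": {"version": "0.1.0", "requires": {"growl": "^1.9.2"}},
    "babel-brunch": {"version": "6.1.1"}
  }
}""")

def flatten(deps, out=None):
    """Index every node by name, recursing into nested "dependencies"; the hoisted top-level entry wins."""
    out = {} if out is None else out
    for name, entry in deps.items():
        out.setdefault(name, entry)
        flatten(entry.get("dependencies", {}), out)
    return out

def dependents(lock):
    """Reverse the graph: map each package to the packages that require it."""
    nodes = flatten(lock.get("dependencies", {}))
    rev = {name: [] for name in nodes}
    for name, entry in nodes.items():
        for req in entry.get("requires", {}):
            rev.setdefault(req, []).append(name)
    return nodes, rev

def why(lock, target):
    """Every chain root -> ... -> target, a root being a package nothing
    requires; upgrading or dropping the root is what removes the alert."""
    nodes, rev = dependents(lock)
    if target not in nodes:
        return []
    chains, queue = [], deque([[target]])
    while queue:
        chain = queue.popleft()
        parents = rev.get(chain[0], [])
        if not parents:
            chains.append(chain)
        for parent in parents:
            if parent not in chain:  # guard against dependency cycles
                queue.append([parent] + chain)
    return sorted(chains)
```

On a real project, `npm ls growl` gives the same answer from the installed tree; this script only needs the lock file, which is what GitHub's alert points at.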

OvermindDL1

You can always upgrade brunch manually, that’s fine; you don’t even need to use brunch at all, use whatever you want (it’s pluggable! :slight_smile: ). Even the next Phoenix (1.4) has switched to webpack instead of brunch, now that webpack is fast. :slight_smile:
