GitHub found a potential security vulnerability from node-growl

Hello, I saw a potential security vulnerability when I tried to use my repository on GitHub again; it told me to fix this. The error is in the link below:

After this error I opened an issue on the Phoenix GitHub:

I searched it on Google and found Notifications: Shell injection vulnerability! (was: Problems with $-sign) · Issue #1603 · brunch/brunch · GitHub, where they said it was for the sake of Brunch, but I didn't know how I could update this. Was there a solution?

I use Phoenix v1.3.3 and Node v9.3.0. Is there some security error for me or not?

1 Like

Hi, I got the same issue as you just after bootstrapping a Phoenix application.

GitHub has detected a potential vulnerability from the node-growl dependency. The vulnerability comes from loggy, pulled in by brunch.io. I had to upgrade brunch to a version that doesn't use loggy anymore. I used the tool npm-check-updates to do so.

cd assets

Installed ncu

~/s/e/assets ❯❯❯ npm i -g npm-check-updates                                                              ✘ 127 master ◼
/home/marco/.npm-global/bin/npm-check-updates -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/npm-check-updates
/home/marco/.npm-global/bin/ncu -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/ncu
+ npm-check-updates@2.14.2
added 383 packages in 15.239s

Performed npm dependencies upgrades with ncu.

~/s/e/assets ❯❯❯ ncu -u
Using /home/marco/sources/eisenhower_matrix/assets/package.json
[..................] \ :
 babel-brunch   6.1.1  →    7.0.0 
 brunch        2.10.9  →  2.10.17 
Upgraded /home/marco/sources/eisenhower_matrix/assets/package.json

Installed npm dependencies.

~/s/e/assets ❯❯❯ npm install                                                                                 master ✱ ◼
npm WARN assets No description
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})

added 125 packages, removed 106 packages, updated 30 packages and moved 10 packages in 17.284s

Then I pushed the project to GitHub and the vulnerability was fixed.

I hope it helps you too.

2 Likes

You can always upgrade brunch manually, that's fine. You don't even need to use brunch at all; use whatever you want (it's pluggable! :slight_smile: ). Even the next Phoenix (1.4) has switched to webpack instead of brunch, now that webpack is fast. :slight_smile:

1 Like