shahryarjb
GitHub found a potential security vulnerability from node-growl
Hello, I saw a potential security vulnerability when I tried to use my repository on GitHub again, which told me to fix this; the error is at the link below:
https://github.com/shahryarjb/ESOGTIPH/blob/master/assets/package-lock.json#L1328
After this error I raised it on the Phoenix GitHub:
https://github.com/brunch/brunch/issues/1603
and I searched for it on Google and found "Notifications: Shell injection vulnerability! (was: Problems with $-sign) · Issue #1603 · brunch/brunch · GitHub", where they said it was for the sake of Brunch, but I didn’t know how I could update this; was there a solution?
I use Phoenix v1.3.3 && Node v9.3.0. Is there some security error for me or not?
marc-bouvier
Hi, I got the same issue as you just after bootstrapping a Phoenix application.
GitHub has detected a potential vulnerability from the node-growl dependency. The vulnerability comes from loggy, pulled in by brunch.io. I had to upgrade brunch to a version that doesn’t use loggy anymore. I used the tool npm-check-updates to do so.
cd assets
Installed ncu
~/s/e/assets ❯❯❯ npm i -g npm-check-updates ✘ 127 master ◼
/home/marco/.npm-global/bin/npm-check-updates -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/npm-check-updates
/home/marco/.npm-global/bin/ncu -> /home/marco/.npm-global/lib/node_modules/npm-check-updates/bin/ncu
+ npm-check-updates@2.14.2
added 383 packages in 15.239s
Performed npm dependency upgrades with ncu.
~/s/e/assets ❯❯❯ ncu -u
Using /home/marco/sources/eisenhower_matrix/assets/package.json
[..................] \ :
babel-brunch 6.1.1 → 7.0.0
brunch 2.10.9 → 2.10.17
Upgraded /home/marco/sources/eisenhower_matrix/assets/package.json
Installed npm dependencies.
~/s/e/assets ❯❯❯ npm install master ✱ ◼
npm WARN assets No description
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
added 125 packages, removed 106 packages, updated 30 packages and moved 10 packages in 17.284s
Then I pushed the project to GitHub and the vulnerability was fixed.
I hope it helps you too.
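As an added example (not code from this thread or from the brunch project), the script below walks a lockfileVersion 1 package-lock.json, the format npm 5 writes, and prints every chain from one of your direct dependencies down to the package GitHub flagged, so you can see which of your own dependencies (here brunch via loggy) is pulling it in before deciding what to upgrade. It assumes the flagged package's npm name is growl (node-growl is the repository name), uses a constructed sample lock instead of the real file, and the helper names are mine.

```javascript
// Added example, not the thread's code: which direct dependencies in a lockfileVersion 1
// package-lock.json pull in a given package, following nested "dependencies"/"requires".
// Constructed sample lock (illustrative versions) modelled on the brunch -> loggy -> growl chain.
const SAMPLE_LOCK = {
  name: "assets",
  lockfileVersion: 1,
  dependencies: {
    brunch: { version: "2.10.9", requires: { loggy: "^1.0.0" } },
    loggy: { version: "1.0.0", requires: { growl: "1.9.2" } },
    growl: { version: "1.9.2" },
    "babel-brunch": { version: "6.1.1", requires: { loggy: "^1.0.0" } },
    "some-tool": {
      version: "3.0.0",
      requires: { growl: "^1.10.0" },
      dependencies: { growl: { version: "1.10.5" } }, // nested copy shadows the hoisted one
    },
  },
};

// Resolve `name` as npm does for lockfile v1: innermost nested "dependencies" first,
// then each enclosing scope out to the root.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (scopes[i] && scopes[i][name]) return scopes[i][name];
  }
  return null;
}

// Every path (array of "name@version") from a direct dependency listed in `roots`
// (the names in your package.json) down to `target`.
function findPaths(lock, target, roots) {
  const root = lock.dependencies || {};
  const found = [];
  const walk = (name, entry, scopes, path) => {
    const label = `${name}@${entry.version}`;
    if (path.includes(label)) return; // cycle guard
    const here = [...path, label];
    if (name === target) { found.push(here); return; }
    const inner = [...scopes, entry.dependencies];
    for (const dep of Object.keys(entry.requires || {})) {
      const child = resolve(dep, inner);
      if (child) walk(dep, child, inner, here);
    }
  };
  for (const name of roots) if (root[name]) walk(name, root[name], [root], []);
  return found;
}

// Usage: node this.js; in a real project swap SAMPLE_LOCK for require("./package-lock.json").
findPaths(SAMPLE_LOCK, "growl", ["brunch", "babel-brunch", "some-tool"]).forEach((p) => console.log(p.join(" -> ")));
```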
OvermindDL1
You can always upgrade brunch manually, that’s fine; you don’t even need to use brunch at all, use whatever you want (it’s pluggable!). Even the next Phoenix (1.4) has switched to webpack instead of brunch, now that webpack is fast.