Growl in package-lock.json security vulnerability

I’m quite new to Phoenix, and Node.js for that matter. If you can help me and other newcomers with this one that would be great. The issue is that a couple of Phoenix projects I’ve published in GitHub, e.g. https://github.com/mark-b-kauffman/phoenixDSK3LO , are now marked with a security vulnerability having to do with Node, package-lock.json, and growl. I tried npm install, and removing package-lock.json and running npm install again. I still end up with the old, vulnerable, version of growl.

My question is simple - how do I rebuild the node/brunch stuff in a Phoenix project to use newer versions of node, esp. one that doesn’t have that vulnerability? I could start over with a new Phoenix project and copy my code over - but if there is a way to do this in place, that would be best. Please provide a reasonable amount of detail.

Thank you.


Looking at your package lock file, it looks like growl is pulled in by loggy, which is pulled in by Brunch. That led me to find this issue report where the resolution was to update loggy to a new version that no longer uses growl.

Unfortunately Brunch also depends on deppack that depends on an old version of loggy, so just upgrading Brunch to the latest version may not fix the issue.

Apparently it may be possible to force the usage of a recent version of loggy by using npm shrinkwrap, but I do not know enough about how it works. In future versions, Phoenix is moving away from Brunch to Webpack, which would also solve your problem (and I think there are blog posts already on how to make the switch).

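As an added illustration of the dependency chain described in the reply above (example code, not from either poster or from Brunch), this Node.js script walks a lockfileVersion 1 package-lock.json and prints every path from a direct dependency down to a named package, following npm's nested-resolution rule so a nested, older copy of loggy shows up as its own chain. The lock file data is constructed with made-up versions; the package names are assumed to match the thread.

```javascript
// Constructed lockfileVersion 1 package-lock.json fragment (versions are made up):
// brunch requires loggy and deppack; deppack carries its own nested, older loggy,
// and both loggy copies require growl.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    brunch: { version: "1.0.0-sample", requires: { loggy: "*", deppack: "*" } },
    loggy: { version: "2.0.0-sample", requires: { growl: "*" } },
    growl: { version: "1.0.0-sample" },
    deppack: {
      version: "1.0.0-sample", requires: { loggy: "*" },
      dependencies: { loggy: { version: "1.0.0-sample-old", requires: { growl: "*" } } },
    },
  },
};

// npm resolves a `requires` entry by checking the requiring package's own nested
// `dependencies`, then each ancestor's, and finally the root of the lock file.
function resolve(scopes, name) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    const deps = scopes[i].dependencies || {};
    if (deps[name]) return deps[name];
  }
  return null;
}

// Return every chain "a@v > b@v > target@v" from the given direct dependencies
// (the names listed in your package.json) down to `target`.
function findChains(lock, directDeps, target) {
  const chains = [];
  function walk(name, node, scopes, path) {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) { chains.push(here.join(" > ")); return; }
    const nextScopes = [...scopes, node];
    for (const dep of Object.keys(node.requires || {})) {
      const child = resolve(nextScopes, dep);
      // skip names already on the path so a cyclic graph cannot loop forever
      if (child && !here.some((p) => p.startsWith(dep + "@"))) {
        walk(dep, child, nextScopes, here);
      }
    }
  }
  for (const name of directDeps) {
    const node = resolve([lock], name);
    if (node) walk(name, node, [lock], []);
  }
  return chains;
}

console.log(findChains(SAMPLE_LOCK, ["brunch"], "growl").join("\n"));
```

Running it against a real lock file means replacing SAMPLE_LOCK with the parsed package-lock.json and passing the dependency names from package.json; every printed chain is a place where the old package would have to be replaced for it to leave the tree.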