
I got 18 vulnerabilities by running `npm audit`, then I went for the one which is labeled as high.

Here are its details:

  High            Denial-of-Service Memory Exhaustion
  Package         qs
  Patched in      >= 1.x
  Dependency of   google-search-scraper
  Path            google-search-scraper > request > qs
  More info       https://nodesecurity.io/advisories/29

It seems like we need to update the request package, so I have installed it with `npm i request`.

Now what next? The audit command is giving the same results again.

Please help,

Thank you

EDIT

  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   botkit
  Path            botkit > botbuilder > jsonwebtoken > joi > hoek
  More info       https://nodesecurity.io/advisories/566
Rio
  • Did you try using `npm audit fix`? – Spitzbueb Dec 06 '18 at 10:56
    This is related: https://www.youtube.com/watch?v=0dgmeTy7X3I If I remember correctly, the speaker mentions the very `qs` vulnerability of interest, although doesn't tell how to fix it – YakovL Dec 06 '18 at 12:28
  • Yes, but it didn't work. Actually we have 18 different vulnerabilities – Rio Dec 06 '18 at 12:29

2 Answers


As the report says, the qs vulnerability has been fixed in 1.x. It's not a problem for the latest request versions. google-search-scraper has a request@~2.33.0 dependency that depends on qs@~0.6.0. Regardless of which request version is installed in the project, google-search-scraper will continue to use the 2.33.x version that contains the vulnerability.

google-search-scraper should be forked and used instead of the original package; the request dependency version should be updated in the fork, e.g. to request@^2.33.0. Additionally, an issue can be opened in the package repository and supplemented with a PR.

Estus Flask
  • Thanks for the reply. Okay, so it's not a version problem, then what is the problem? – Rio Dec 06 '18 at 12:35
  • I have already forked and cloned the project (which is using the google search scraper), so now how should I go about it? – Rio Dec 06 '18 at 12:38
  • The problem is that `google-search-scraper` is messed up and is hard-coded to use a vulnerable `request` version. Whether it's your own project or a forked one is irrelevant in this context. You need to fork specifically `google-search-scraper` and use it instead of the official one. – Estus Flask Dec 06 '18 at 12:51
  • I have edited the question with one more vulnerability; this must be a version problem. I have installed it by `npm i hoek`, but still it is not working. Please help, I have never worked on this stuff before – Rio Dec 06 '18 at 13:38
  • This is not a vulnerability. Do a sanity check when evaluating `npm audit` reports. See https://stackoverflow.com/a/51852121/3731501 . Anyway, feel free to open issues in packages that cause audit problems, as long as the latest package version imposes them. – Estus Flask Dec 06 '18 at 13:46
  • How to do a sanity check while doing `npm audit`? I didn't know about it, thanks for telling – Rio Dec 06 '18 at 14:07
  • Just check what the reported 'vulnerability' actually is, where it comes from and whether it's capable of affecting your app at all - directly or through nested dependencies. audit is a blunt tool that creates a lot of noise that doesn't need to be fixed most times, especially the issues labeled with 'moderate' or lower. – Estus Flask Dec 06 '18 at 15:17
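To make the dependency-path point in the answer above concrete, here is an added example (not code from the question, either answer, or the packages involved) that walks a constructed `npm ls --json`-shaped tree and lists every path reaching `qs`, flagging the copies that sit below the patched major. The tree, its version numbers and the `isPatched` major-only comparison are assumptions for illustration; real `npm ls --json` output has the same `dependencies`/`version` nesting.

```javascript
// Added example (not from the question or answers): walk an `npm ls --json`-shaped
// dependency tree and list every path that reaches a given package, with the
// version found at the end of each path. It shows why installing `request` at the
// top level leaves the `qs` nested under google-search-scraper untouched.

// Constructed tree shaped like `npm ls --json` output; versions are illustrative.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    request: {
      version: "2.88.0",
      dependencies: { qs: { version: "6.5.2" } },
    },
    "google-search-scraper": {
      version: "0.1.0",
      dependencies: {
        request: {
          version: "2.33.0",
          dependencies: { qs: { version: "0.6.6" } },
        },
      },
    },
  },
};

// Depth-first walk; returns one { path, version } entry per occurrence of `target`.
function findPackagePaths(tree, target, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const path = [...trail, `${name}@${node.version}`];
    if (name === target) hits.push({ path, version: node.version });
    hits.push(...findPackagePaths(node, target, path));
  }
  return hits;
}

// Assumed simplification of "Patched in >= 1.x": compare the major version only.
function isPatched(version, patchedMajor) {
  return parseInt(version.split(".")[0], 10) >= patchedMajor;
}
// Every path whose installed copy is still below the patched major.
function vulnerablePaths(tree, target, patchedMajor) {
  return findPackagePaths(tree, target).filter((h) => !isPatched(h.version, patchedMajor));
}

for (const hit of vulnerablePaths(SAMPLE_TREE, "qs", 1)) {
  console.log(`still vulnerable: ${hit.path.join(" > ")}`);
}
```

Against a real project, feed it `JSON.parse` of `npm ls --json` output instead of `SAMPLE_TREE`; the nested path is the one that only a fix inside google-search-scraper (or a fork of it) can change.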

A solution that has worked for me is by initially creating a JSON file which will be the manifest. Before installing the npm package, start with the following: `npm init -y`. That way you agree to all the details that will be added by the JSON file; you can edit them afterwards.

Then proceed with `npm install <package name>`.
