Get help with testing, discuss unit testing strategies etc.


Post by klodoma »

There are several vulnerability errors in npm when using Siesta.
Any ideas on fixes? It seems that all is coming from the handlebars package.

package.json
{
    "devDependencies": {},
    "scripts": {},
    "dependencies": {
        "siesta-lite": "^5.3.1"
    }
}
npm i siesta-lite
npm WARN saveError ENOENT: no such file or directory, open 'd:\Projects\espos\tt\package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open 'd:\Projects\espos\tt\package.json'
npm WARN tt No description
npm WARN tt No repository field.
npm WARN tt No README data
npm WARN tt No license field.

+ siesta-lite@5.3.1
added 326 packages from 162 contributors and audited 660 packages in 11.411s

1 package is looking for funding
  run `npm fund` for details

found 7 vulnerabilities (1 moderate, 5 high, 1 critical)
  run `npm audit fix` to fix them, or `npm audit` for details
npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Critical        Prototype Pollution

  Package         handlebars

  Patched in      >=4.0.14 <4.1.0 || >=4.1.2

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/755


  High            Prototype Pollution

  Package         handlebars

  Patched in      >=4.3.0

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/1164


  Moderate        Denial of Service

  Package         handlebars

  Patched in      >=4.4.5

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/1300


  High            Arbitrary Code Execution

  Package         handlebars

  Patched in      >=4.5.2

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/1316


  High            Arbitrary Code Execution

  Package         handlebars

  Patched in      >=4.5.3

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/1324


  High            Prototype Pollution

  Package         handlebars

  Patched in      >=4.5.3

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars

  More info       https://npmjs.com/advisories/1325


  High            Prototype Pollution

  Package         lodash

  Patched in      >=4.17.12

  Dependency of   siesta-lite

  Path            siesta-lite > nyc > istanbul-reports > handlebars > async >
                  lodash

  More info       https://npmjs.com/advisories/1065

found 7 vulnerabilities (1 moderate, 5 high, 1 critical) in 660 scanned packages
  7 vulnerabilities require manual review. See the full report for details.
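An added check, not from this post and not part of Siesta or Bryntum's code: a small Node script that reads the nested `dependencies` tree of a lockfileVersion 1 `package-lock.json` (the format npm 6 wrote in the output above) and compares every installed copy of handlebars and lodash against the "Patched in" ranges quoted in the audit report. The lock contents below are constructed sample data, the nyc and istanbul-reports versions in it are illustrative, and the semver handling is a minimal hand-written comparator covering only the range syntax npm audit printed above, used instead of the `semver` package so the script runs offline.

```javascript
// Added example, not part of the forum post or of Siesta itself.
// Checks handlebars/lodash versions recorded in a package-lock.json against the
// "Patched in" ranges from the npm audit report above, so a manual fix or a
// vendor upgrade can be verified without re-running npm audit.

// Advisory ids, packages and "Patched in" ranges copied from the audit report above.
const ADVISORIES = [
  { id: 755,  pkg: 'handlebars', severity: 'critical', patched: '>=4.0.14 <4.1.0 || >=4.1.2' },
  { id: 1164, pkg: 'handlebars', severity: 'high',     patched: '>=4.3.0' },
  { id: 1300, pkg: 'handlebars', severity: 'moderate', patched: '>=4.4.5' },
  { id: 1316, pkg: 'handlebars', severity: 'high',     patched: '>=4.5.2' },
  { id: 1324, pkg: 'handlebars', severity: 'high',     patched: '>=4.5.3' },
  { id: 1325, pkg: 'handlebars', severity: 'high',     patched: '>=4.5.3' },
  { id: 1065, pkg: 'lodash',     severity: 'high',     patched: '>=4.17.12' },
];

// Parse "MAJOR.MINOR.PATCH"; a leading "v" or a trailing prerelease tag is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

const OPS = {
  '>=': c => c >= 0, '>': c => c > 0, '<=': c => c <= 0,
  '<': c => c < 0, '=': c => c === 0, '': c => c === 0,
};

// Range grammar: the subset npm audit prints above, i.e. comparator sets joined
// by "||", each set a whitespace-separated AND of "<op>version" terms.
function satisfies(version, range) {
  const v = parseVersion(version);
  return range.split('||').some(set =>
    set.trim().split(/\s+/).every(term => {
      const m = /^(>=|<=|>|<|=)?(.+)$/.exec(term);
      return OPS[m[1] || ''](compareVersions(v, parseVersion(m[2])));
    }));
}

// Walk the nested "dependencies" tree of a lockfileVersion 1 file and return every
// installed copy of each package with the nesting path it was installed at. npm
// hoists packages, so this is the physical location of the copy, not necessarily
// the "requires" chain the audit report prints as "Path".
function collectVersions(lock) {
  const found = {};
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, name];
      (found[name] = found[name] || []).push({ version: info.version, path: here.join(' > ') });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return found;
}

// Advisories whose package is installed in a version outside its patched range.
function openAdvisories(lock, advisories = ADVISORIES) {
  const installed = collectVersions(lock);
  const open = [];
  for (const adv of advisories) {
    for (const inst of installed[adv.pkg] || []) {
      if (!satisfies(inst.version, adv.patched)) {
        open.push({ ...adv, version: inst.version, path: inst.path });
      }
    }
  }
  return open;
}

// Load a real lockfile (only needed when not using the constructed sample).
function loadLock(path) {
  return JSON.parse(require('fs').readFileSync(path, 'utf8'));
}

// Constructed sample lock (not a real siesta-lite lockfile; nyc and istanbul-reports
// versions are illustrative): handlebars nested under istanbul-reports as in the
// audit path above, lodash hoisted to the top level.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'siesta-lite': { version: '5.3.1', dependencies: {
      nyc: { version: '13.0.0', dependencies: {
        'istanbul-reports': { version: '2.0.0', dependencies: {
          handlebars: { version: '4.1.2' },
        } },
      } },
    } },
    lodash: { version: '4.17.11' },
  },
};

for (const o of openAdvisories(SAMPLE_LOCK)) {
  console.log(`${o.severity.padEnd(8)} ${o.pkg}@${o.version} at ${o.path}: needs ${o.patched} (advisory ${o.id})`);
}
```

On the constructed sample the script reports six open advisories: handlebars 4.1.2 already satisfies advisory 755 but none of the later handlebars ranges, and lodash 4.17.11 misses 1065. To run it against a project, replace `SAMPLE_LOCK` with `loadLock('package-lock.json')`; an empty result after a Siesta upgrade confirms the transitive versions actually moved, which `npm audit fix` alone does not guarantee for a dependency pinned by a vendor package.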

Post by nickolay »

Thanks for pointing that out. Last time I checked, the fix for those required the upgrade of nyc (the code coverage tool) from 13 to 15, which is a bit more than moderate effort, because Siesta uses nyc's low-level API, which has changed. We'll prioritize this task.
