What exactly do I do about gulp 4.0.2 dependency vulnerabilities?
In my package.json I have listed gulp as one of my dependencies.

{
    "name": "myproject",
    "devDependencies": {
        "gulp": "^4.0.2"
        // other stuff
    }
}

When I run npm i I get a message that there are moderate security vulnerabilities. So I do npm audit and I get this:

                       === npm audit security report ===                        


                                 Manual Review                                  
             Some vulnerabilities require your attention to resolve             
                                                                                
          Visit https://go.npm.me/audit-guide for additional guidance           


  Moderate        Regular expression denial of service                          

  Package         glob-parent                                                   

  Patched in      >=5.1.2                                                       

  Dependency of   gulp [dev]                                                    

  Path            gulp > glob-watcher > chokidar > glob-parent

  More info       https://npmjs.com/advisories/1751


  Moderate        Regular expression denial of service

  Package         glob-parent

  Patched in      >=5.1.2

  Dependency of   gulp [dev]

  Path            gulp > vinyl-fs > glob-stream > glob-parent

  More info       https://npmjs.com/advisories/1751

found 2 moderate severity vulnerabilities in 751 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

So then I thought it was all a matter of changing the version of gulp to the highest version where it is (probably) patched. But it seems that this is already the highest version, so what do I do about the vulnerability?

Insincerity answered 30/7, 2021 at 10:57 Comment(3)
So it seems that this is actually addressed (sort of) in gulp: github.com/gulpjs/gulp/issues/2611. I guess the best solution is to just not use npm anymore? – Insincerity
I wonder how many people started to write something here. AFAIK, if you use npm and tools like gulp to build a standalone browser app, the standalone browser app should not include these vulnerabilities if you don't explicitly, accidentally or unknowingly include them. To run and serve the build you then use other infrastructure without npm and gulp, at least that's what I understand so far because I'm a beginner with gulp and just came upon the same question. If you are a complete beginner at all you should be extremely careful and take every vuln. seriously, especially ones like these with high severity – Contrived
npm audit is generally pretty... wrong, see here: overreacted.io/npm-audit-broken-by-design – Huerta
I've found a real solution to this on YouTube: https://youtu.be/d5vfi-l4KWQ

You'll need to update your package.json file to override the package configuration with a newer version of those repos causing the issues:

{
    ...
    "overrides": {
        "glob-parent": "6.0.2"
    }
}
Uremia answered 20/6, 2023 at 16:23 Comment(0)
