OS: Artix Linux 64-bit (kernel: 5.4.12-artix1-1)
Node: 13.6.0
Yarn: 1.21.1
Npm: 6.13.6
Upon following the build instructions in the Build.md and running cd Tools && npm install, I received a security advisory for one of the dependencies. The information from the terminal is shown below.
[I] > ~/S/g/j/Tools on master ⨯ npm audit                                02:30:14

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│           Some vulnerabilities require your attention to resolve             │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Insufficient Entropy                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ cryptiles                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.1.3 <4.0.0 || >=4.1.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ request                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ request > hawk > cryptiles                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/720                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 178 scanned packages
  1 vulnerability requires manual review. See the full report for details.
The reason that I included yarn here is partly because the build instructions recommended I have a newer version, and also because yarn does not throw this security warning on the Tools build step. npm is the only one that does. Now, using yarn also doesn't seem to install all of the dependencies that npm pulls, either.
Tools directory node_modules folder results:
- NPM: npm_deps.txt (1.4 KB)
- Yarn: yarn_deps.txt (1.4 KB)
Other information
cryptiles version pulled: 3.1.2
Running npm audit fix threw this:
[I] > ~/S/g/j/Tools on master ⨯ npm audit fix
npm WARN tools@1.0.0 No description
npm WARN tools@1.0.0 No repository field.
up to date in 0.658s
fixed 0 of 1 vulnerability in 178 scanned packages
1 vulnerability required manual review and could not be updated