Aurelia-cli new project - npm audit vulnerabilities

airboss001 · February 4, 2019, 7:25pm

With a new project I am getting audit callouts as shown below.
I am using the new alameda bundler with require so not sure why its even trying to install jspm as its under the aurelia-bootstrapper polyfill.
Can’t figure out how to either remove or update that.

Any tips?

                                Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Critical        Symlink Arbitrary File Overwrite

  Package         tar

  Patched in      >=2.0.0

  Dependency of   aurelia-bootstrapper

  Path            aurelia-bootstrapper > aurelia-polyfills > jspm > jspm-npm >
                  tar

  More info       https://nodesecurity.io/advisories/57


  Critical        Symlink Arbitrary File Overwrite

  Package         tar

  Patched in      >=2.0.0

  Dependency of   aurelia-cli

  Path            aurelia-cli > aurelia-polyfills > jspm > jspm-npm > tar

  More info       https://nodesecurity.io/advisories/57

found 2 critical severity vulnerabilities in 28439 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

huochunpeng · February 4, 2019, 9:29pm

That tells you where the “tar” package came from. That’s very strange, because jspm is a devDep of aurelia-polyfills, it should not be installed. I will get back to you if I can find something.

airboss001 · February 4, 2019, 9:32pm

Thank you, much appreciation for the effort you put into responding, along with the rest of the team.

huochunpeng · February 4, 2019, 9:55pm

Ok. I think @fkleuver or @EisenbergEffect accidentally released aurelia-polyfills v1.3.2 which has jspm wrongly in dependencies.

@fkleuver @EisenbergEffect we need release the cleaned up aurelia-polyfills v1.3.3 now.

airboss001 · February 4, 2019, 10:46pm

Thanks for the update!

EisenbergEffect · February 5, 2019, 1:03am

New release is out @1.3.3. We apologize for the inconvenience.

airboss001 · February 5, 2019, 1:09am

No harm, no foul here.
Just wanted to see if I could clean up that error as I am never sure if I am the cause or not, but wanted to point it out in either case to try and resolve.
Been following your work since just before Caliburn.Micro was released, and enjoy watching the evolution of the tools you and the team you have built come together again in Aurelia.

EisenbergEffect · February 5, 2019, 1:25am

Great to hear it @airboss001! We’re pretty excited about Aurelia vNext in this same way. In fact, I’m testing it out now with my own project and I’m finding new ways to even return to some cool patterns from Caliburn.Micro that weren’t as easy with Durandal or the current version of Aurelia. So, lots of good stuff in store for the future and I hope to have lots of cool stuff to blog about Aurelia vNext to help educate the community on patterns and practices too.

Topic		Replies	Views
Aurelia plugin loaded from jspm folder even though bundled [SOLVED] Help Requests	3	809	February 3, 2020
On JSPM and bundling choices Framework Knowledge	3	744	January 8, 2019
Npm update issue Help Requests	18	1207	March 20, 2018
High Severity Security Warnings on Initial aurelia-cli Install Help Requests	5	928	December 20, 2022
Upgraded my package.json and broke my project Help Requests	3	535	March 30, 2019

Aurelia-cli new project - npm audit vulnerabilities

Related Topics