Aurelia-cli new project - npm audit vulnerabilities


#1

With a new project I am getting audit callouts as shown below.
I am using the new alameda bundler with require, so not sure why it's even trying to install jspm as it's under the aurelia-bootstrapper polyfill.
Can’t figure out how to either remove or update that.

Any tips?

                                Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Critical        Symlink Arbitrary File Overwrite

  Package         tar

  Patched in      >=2.0.0

  Dependency of   aurelia-bootstrapper

  Path            aurelia-bootstrapper > aurelia-polyfills > jspm > jspm-npm >
                  tar

  More info       https://nodesecurity.io/advisories/57


  Critical        Symlink Arbitrary File Overwrite

  Package         tar

  Patched in      >=2.0.0

  Dependency of   aurelia-cli

  Path            aurelia-cli > aurelia-polyfills > jspm > jspm-npm > tar

  More info       https://nodesecurity.io/advisories/57

found 2 critical severity vulnerabilities in 28439 scanned packages
  2 vulnerabilities require manual review. See the full report for details.


#2

That tells you where the “tar” package came from. That’s very strange, because jspm is a devDep of aurelia-polyfills; it should not be installed. I will get back to you if I can find something.


#3

Thank you, much appreciation for the effort you put into responding, along with the rest of the team.


#4

Ok. I think @fkleuver or @EisenbergEffect accidentally released aurelia-polyfills v1.3.2 which has jspm wrongly in dependencies.

@fkleuver @EisenbergEffect we need to release the cleaned up aurelia-polyfills v1.3.3 now.
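
An added example (not code from this thread or from the Aurelia project) showing how to confirm the diagnosis in #2 and #4: walk the audit "Path" chain against the installed manifests and report which field of each dependent (dependencies vs devDependencies) pulls in the next link. The manifests, version numbers and ranges below are constructed stand-ins, not the real published ones.

```javascript
// Constructed manifests for the two aurelia-polyfills versions named in the
// thread; every other entry here is a stand-in, not a real package.json.
const manifests132 = {
  'aurelia-bootstrapper': { dependencies: { 'aurelia-polyfills': '^1.3.0' } },
  // v1.3.2: jspm wrongly declared as a runtime dependency (assumed range)
  'aurelia-polyfills': { version: '1.3.2', dependencies: { jspm: '^0.16.0' } },
  jspm: { dependencies: { 'jspm-npm': '*' } },
  'jspm-npm': { dependencies: { tar: '^1.0.0' } },
  tar: { version: '1.0.0' }, // constructed; below the "Patched in >=2.0.0" line
};

const manifests133 = {
  ...manifests132,
  // v1.3.3: jspm moved back to devDependencies
  'aurelia-polyfills': { version: '1.3.3', devDependencies: { jspm: '^0.16.0' } },
};

// "Path   a > b > c" -> ['a', 'b', 'c']; tolerates the label and extra spaces.
function parseAuditPath(line) {
  return line.replace(/^\s*Path\s+/, '').split('>').map(s => s.trim()).filter(Boolean);
}

// Follow the chain one edge at a time. npm only installs a transitive
// package's `dependencies`, so the first edge that is not a runtime dependency
// is where the chain breaks and the vulnerable package stops being reachable.
function traceChain(chain, manifests) {
  const edges = [];
  for (let i = 0; i < chain.length - 1; i++) {
    const parent = chain[i];
    const child = chain[i + 1];
    const m = manifests[parent] || {};
    let field = null;
    if (m.dependencies && m.dependencies[child]) field = 'dependencies';
    else if (m.devDependencies && m.devDependencies[child]) field = 'devDependencies';
    edges.push({ parent, child, field });
    if (field !== 'dependencies') {
      return { reachable: false, breaksAt: `${parent} > ${child}`, edges };
    }
  }
  return { reachable: true, breaksAt: null, edges };
}

const auditLine = '  Path            aurelia-bootstrapper > aurelia-polyfills > jspm > jspm-npm > tar';
console.log('v1.3.2:', JSON.stringify(traceChain(parseAuditPath(auditLine), manifests132)));
console.log('v1.3.3:', JSON.stringify(traceChain(parseAuditPath(auditLine), manifests133)));
```

Run against a real `node_modules` by loading each `package.json` along the path into the manifests map instead of the constructed objects.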


#5

Thanks for the update!


#6

New release is out @1.3.3. We apologize for the inconvenience.


#7

No harm, no foul here.
Just wanted to see if I could clean up that error, as I am never sure whether I am the cause or not, but wanted to point it out in either case to try and resolve it.
Been following your work since just before Caliburn.Micro was released, and enjoy watching the evolution of the tools you and your team have built come together again in Aurelia.


#8

Great to hear it @airboss001! We’re pretty excited about Aurelia vNext in this same way. In fact, I’m testing it out now with my own project and I’m finding new ways to even return to some cool patterns from Caliburn.Micro that weren’t as easy with Durandal or the current version of Aurelia. So, lots of good stuff in store for the future and I hope to have lots of cool stuff to blog about Aurelia vNext to help educate the community on patterns and practices too.