Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability of a dependency (macaddress) #6160

Closed
Legend96th opened this issue May 18, 2018 · 4 comments
Closed

Security vulnerability of a dependency (macaddress) #6160

Legend96th opened this issue May 18, 2018 · 4 comments

Comments

@Legend96th
Copy link

Version

4.2.2

Test Case

Steps to reproduce

Simply by installing the package

Expected Behavior

Actual Behavior

While installing the react-router-dom I had the following error message:

+ [email protected]
added 205 packages from 159 contributors, removed 157 packages and updated 1071 packages in 116.886s
[!] 1 vulnerability found [14452 packages audited]
    Severity: 1 critical
    Run `npm audit` for more detail

The result of npm audit

 === npm audit security report ===                        
                                                                                



┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ critical      │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ macaddress                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts > css-loader > cssnano >                       │
│               │ postcss-filter-plugins > uniqid > macaddress                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/654                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

[!] 1 vulnerability found - Packages audited: 14452 (0 dev, 335 optional)
    Severity: 1 critical

As the audit report said, more info in https://nodesecurity.io/advisories/654
@timdorr
Copy link
Member

timdorr commented May 18, 2018

We don't depend on react-scripts. That's coming from some other dependency.

@timdorr timdorr closed this as completed May 18, 2018
@rwschmitz
Copy link

rwschmitz commented May 18, 2018
edited
Loading

@Legend96th -- Take a look at the following two links. Those may help.

@rwschmitz
Copy link

@Legend96th -- Also looks like Dan Abramov addressed this:

@Legend96th
Copy link
Author

Thank you guys for the clarification!
(sorry for the late answer)

@lock lock bot locked as resolved and limited conversation to collaborators Jul 23, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@timdorr @Legend96th @rwschmitz