
npm audit: found 2 high severity vulnerabilities #7889

Closed
francoisromain opened this issue Feb 14, 2019 · 12 comments

Comments

@francoisromain

Hello, today npm displays a warning

## 🐛 Bug Report

A clear and concise description of what the bug is.

## To Reproduce

Steps to reproduce the behavior:

```bash
npm i jest

# Run  npm update handlebars --depth 5  to resolve 2 vulnerabilities
│ High          │ Prototype Pollution
│ Package       │ handlebars
│ Dependency of │ jest [dev]
│ Path          │ jest > jest-cli > istanbul-api > istanbul-reports > handlebars
│ More info     │ https://npmjs.com/advisories/755
```

## Expected behavior

A clear and concise description of what you expected to happen.

Install Jest with no warning

## Link to repl or repo (highly encouraged)

Please provide either a [repl.it demo](https://repl.it/languages/jest) or a minimal repository on GitHub.

Issues without a reproduction link are likely to stall.

## Run `npx envinfo --preset jest`

Paste the results here:

```bash
  System:
    OS: macOS High Sierra 10.13.6
    CPU: (8) x64 Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
  Binaries:
    Node: 11.9.0 - /usr/local/bin/node
    npm: 6.7.0 - /usr/local/bin/npm
  npmPackages:
    jest: ^24.1.0 => 24.1.0
```

@SimenB
Member

SimenB commented Feb 14, 2019

Is this actionable? The error message you posted includes instructions on how to upgrade?

@francoisromain
Author

I don't understand. Now I do npm i and I don't have the warning message anymore

@davityavryan

Issue still exists. Just run npm audit (in my case it is yarn audit).

@davityavryan

never-mind. just upgrade istanbul-reports to >=2.1.0 ;)

@kumar303

Ugh, yarn makes this so hard: yarnpkg/yarn#4986

@ttrentham

This still is an issue as the jest library still is on the vulnerable version of istanbul-reports. Are you saying that dependency can't be upgraded in jest?

@SimenB
Member

SimenB commented Nov 7, 2019

I'm saying we don't need to since the fixed version is within semver range

@joshua-econify

Do not understand why this is closed. Out of the box there should not be security warnings? Even if npm audit fix works, first impression on install should not be 6 high security warnings from npm.. requiring every developer that installs this to dig into npm audit to identify jest as the culprit and then run npm audit fix.

(X jest users * Y minutes wasted) + negative first impression = why is this closed?

@SimenB
Member

SimenB commented Nov 20, 2019

Again, this is not something to complain about in this issue tracker.

```bash
$ mkdir test-install
$ cd test-install
$ npm init -y
# ...
$ npm i jest
# ...
$ npm audit

                       === npm audit security report ===

found 0 vulnerabilities
 in 876354 scanned packages
```

That means a fresh install of Jest has no vulnerabilities, and you get the warning since your local project is outdated. The error message tells you how to fix it. How do you suppose anyone on this issue tracker should fix issues in the lockfile in your project?

@joshua-econify

Out of the box was a bit too ambiguous. Added jest to a project two weeks ago and did a clone/install. Saw a bunch of warnings classified as high. Landed here on a closed issue. npm ls handlebars shows:

[screenshot: Screen Shot 2019-11-20 at 9 19 34 AM]

Fixed two days ago? istanbuljs/istanbuljs#503

Cheers

@SimenB
Member

SimenB commented Nov 20, 2019

The handlebars/uglifyjs is fixed in those alphas yes (I've already upgraded in #9192 which is pending stable release) but

  • This issue was opened for https://www.npmjs.com/advisories/755 which was fixed in April. So the warning you saw now was for a different vulnerability. So this issue was not the correct one anyways
  • there will always be new security vulnerabilities and opening issues for every dependent when the fix is within semver range is just a waste of time for most people involved
  • I'm mostly frustrated with npm's and github's messaging for these vulnerabilities as they are just causing fud - this dependency is (was) used to generate html reports of code coverage so a vulnerability to "prototype pollution" is 100% not something that affects you as a consumer. hopefully it'll get better (https://twitter.com/greybaker/status/1192145443553021958), but it's really draining to have to keep fielding questions about it.
  • Sorry if I came across as frustrated with you specifically, not my intention at all
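The point SimenB makes here and in the earlier "fresh install has no vulnerabilities" comment is that a flagged transitive dependency only needs an upstream release when the fixed version falls outside the semver range its dependents declare; otherwise a lockfile refresh (`npm update <pkg> --depth N`, or a clean install) picks up the fix on its own. The script below is an added example, not code from this issue or from Jest: it walks a constructed package-lock v1 style `dependencies` map, lists every path from the root to a flagged package (the same `a > b > c` form npm prints), and checks each dependent's declared range against the patched version. Every package name, version, range and the assumed patched version `4.0.14` is constructed for the demo; the real advisory page is the source of truth for patched versions.

```javascript
// Added example: triage a flagged transitive dependency against a lockfile tree.
// All data below is constructed for the demo, not taken from the issue or Jest.

// Direct dependencies as a project's package.json would declare them (constructed).
const rootRequires = { jest: "^24.1.0", "legacy-report": "^1.0.0" };

// Flattened node_modules, in the shape of a package-lock v1 "dependencies" map (constructed).
const lockfile = {
  name: "test-install",
  dependencies: {
    jest: { version: "24.1.0", requires: { "jest-cli": "^24.1.0" } },
    "jest-cli": { version: "24.1.0", requires: { "istanbul-api": "^2.0.8" } },
    "istanbul-api": { version: "2.0.8", requires: { "istanbul-reports": "^2.0.3" } },
    "istanbul-reports": { version: "2.0.3", requires: { handlebars: "^4.0.11" } },
    handlebars: { version: "4.0.11", requires: {} },
    // A dependent that pins handlebars exactly, so no lockfile refresh can fix it (constructed).
    "legacy-report": { version: "1.0.0", requires: { handlebars: "4.0.11" } },
  },
};

// Parse "major.minor.patch"; pre-release tags and build metadata are out of scope here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Range check for the forms npm writes most often: exact, "~x.y.z" and "^x.y.z".
// Caret keeps the left-most non-zero component fixed, which is what makes "^4.0.11"
// admit 4.0.14 but "^0.2.3" reject 0.3.0.
function satisfies(range, version) {
  const r = range.trim();
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = op ? r.slice(1) : r;
  const [bmaj, bmin, bpat] = parseVersion(base);
  const [vmaj, vmin, vpat] = parseVersion(version);
  if (compareVersions(version, base) < 0) return false; // below the range floor
  if (op === "") return compareVersions(version, base) === 0;
  if (op === "~") return vmaj === bmaj && vmin === bmin;
  if (bmaj !== 0) return vmaj === bmaj;
  if (bmin !== 0) return vmaj === 0 && vmin === bmin;
  return vmaj === 0 && vmin === 0 && vpat === bpat;
}

// Depth-first walk from the root's direct dependencies; returns every path that ends at target.
function findPaths(lock, roots, target) {
  const paths = [];
  const walk = (name, trail) => {
    if (trail.includes(name)) return; // guard against dependency cycles
    const next = trail.concat(name);
    if (name === target) { paths.push(next); return; }
    const entry = lock.dependencies[name];
    if (!entry) return;
    for (const dep of Object.keys(entry.requires || {})) walk(dep, next);
  };
  for (const dep of Object.keys(roots)) walk(dep, []);
  return paths;
}

// For each package that requires target, record its declared range and whether the
// patched version is admitted by that range.
function dependentsOf(lock, target, patched) {
  const report = {};
  for (const [name, entry] of Object.entries(lock.dependencies)) {
    const range = entry.requires && entry.requires[target];
    if (range) report[name] = { range, admitsFix: satisfies(range, patched) };
  }
  return report;
}

function triage(lock, roots, target, patched) {
  const installed = lock.dependencies[target] ? lock.dependencies[target].version : null;
  const dependents = dependentsOf(lock, target, patched);
  return {
    installed,
    vulnerable: installed !== null && compareVersions(installed, patched) < 0,
    paths: findPaths(lock, roots, target).map((p) => p.join(" > ")),
    dependents,
    // Dependents whose range excludes the fix: these need an upstream release, not a refresh.
    blockedBy: Object.entries(dependents).filter(([, r]) => !r.admitsFix).map(([n]) => n),
  };
}

const PATCHED_HANDLEBARS = "4.0.14"; // assumed patched version for the demo only
console.log(JSON.stringify(triage(lockfile, rootRequires, "handlebars", PATCHED_HANDLEBARS), null, 2));
```

In the constructed tree the `jest` chain declares `^4.0.11`, so the fix is within range and a refresh resolves it, matching SimenB's reasoning; the constructed `legacy-report` pin shows the other case, where the report's `blockedBy` list names the package that would actually need a new release.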

@github-actions

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 11, 2021