npm found 6 vulnerabilities (4 high)

Installing Tramway produces deprecation and vulnerability warnings:

$ node -v
v10.15.3
$ npm -v
6.9.0
$ npm i tramway
npm WARN deprecated gulp-util@3.0.8: gulp-util is deprecated - replace it, following the guidelines at https://medium.com/gulpjs/gulp-util-ca3b1f9f9ac5
npm WARN deprecated graceful-fs@3.0.11: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js
npm WARN deprecated minimatch@2.0.10: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated minimatch@0.2.14: Please update to minimatch 3.0.2 or higher to avoid a RegExp DoS issue
npm WARN deprecated graceful-fs@1.2.3: please upgrade to graceful-fs 4 for compatibility with current and future versions of Node.js

> fsevents@1.2.9 install /Users/shawn/git/blllll/node_modules/fsevents
> node install

node-pre-gyp WARN Using needle for node-pre-gyp https download
[fsevents] Success: "/Users/shawn/git/blllll/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node" is installed via remote

> nodemon@1.19.0 postinstall /Users/shawn/git/blllll/node_modules/nodemon
> node bin/postinstall || exit 0

npm WARN saveError ENOENT: no such file or directory, open '/Users/shawn/git/blllll/package.json'
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open '/Users/shawn/git/blllll/package.json'
npm WARN tramway@0.4.2 requires a peer of babel-plugin-transform-flow-strip-types@^6.22.0 but none is installed. You must install peer dependencies yourself.
npm WARN tramway@0.4.2 requires a peer of babel-plugin-transform-object-rest-spread@^6.26.0 but none is installed. You must install peer dependencies yourself.
npm WARN tramway@0.4.2 requires a peer of babel-preset-es2015-node6@^0.4.0 but none is installed. You must install peer dependencies yourself.
npm WARN blllll No description
npm WARN blllll No repository field.
npm WARN blllll No README data
npm WARN blllll No license field.

+ tramway@0.4.2
added 656 packages from 295 contributors and audited 10015 packages in 20.338s
found 6 vulnerabilities (1 low, 1 moderate, 4 high)
  run `npm audit fix` to fix them, or `npm audit` for details

My guess is that upgrading to the latest Gulp (see #1 (closed)) just might fix all of them. Have a look at the security report:

                       === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-stream > glob > minimatch   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/118                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-stream > minimatch          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/118                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ glob > minimatch                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/118                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=3.0.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ minimatch                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/118                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.11                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/782                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.17.5                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ tramway                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/577                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 6 vulnerabilities (1 low, 1 moderate, 4 high) in 10015 scanned packages
  6 vulnerabilities require manual review. See the full report for details.
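
A check of the guess above against the report itself, as an added example that is not part of the original issue. It parses the Package and Path rows (copied from the report, other rows omitted), joins wrapped Path rows, and computes the ancestors that every finding shares; `parseFindings` and `sharedAncestors` are hypothetical names.

```javascript
// Package/Path rows copied from the audit report above; all other rows omitted.
const REPORT = `
│ Package       │ minimatch                                                    │
│ Path          │ tramway > gulp > vinyl-fs > glob-stream > glob > minimatch   │
│ Package       │ minimatch                                                    │
│ Path          │ tramway > gulp > vinyl-fs > glob-stream > minimatch          │
│ Package       │ minimatch                                                    │
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ glob > minimatch                                             │
│ Package       │ minimatch                                                    │
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ minimatch                                                    │
│ Package       │ lodash                                                       │
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ lodash                                                       │
│ Package       │ lodash                                                       │
│ Path          │ tramway > gulp > vinyl-fs > glob-watcher > gaze > globule >  │
│               │ lodash                                                       │
`;

// Turn the box-drawn rows into [{ pkg, path: [...] }], joining wrapped Path rows.
function parseFindings(report) {
  const findings = [];
  let inPath = false;
  for (const line of report.split('\n')) {
    const [label, value] = line.split('│').slice(1, 3).map((c) => c.trim());
    if (value === undefined) continue; // border or blank line, not a table row
    const last = findings[findings.length - 1];
    if (label === 'Package') findings.push({ pkg: value, path: [] });
    else if (last && (label === 'Path' || (label === '' && inPath)))
      last.path.push(...value.split('>').map((s) => s.trim()).filter(Boolean));
    inPath = label === 'Path' || (label === '' && inPath);
  }
  return findings;
}

// Longest chain of ancestors common to every finding's dependency path.
function sharedAncestors(findings) {
  return findings.map((f) => f.path).reduce((acc, p) => {
    let i = 0;
    while (i < acc.length && i < p.length && acc[i] === p[i]) i++;
    return acc.slice(0, i);
  });
}

const findings = parseFindings(REPORT);
console.log(`${findings.length} findings share: ${sharedAncestors(findings).join(' > ')}`);
```

All six findings sit under `tramway > gulp > vinyl-fs`, so they reach the install only through Tramway's gulp dependency.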