Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dependency Vulnerabilities #29

Open
alexpArtos opened this issue Jul 17, 2018 · 3 comments
Open

Dependency Vulnerabilities #29

alexpArtos opened this issue Jul 17, 2018 · 3 comments

Comments

@alexpArtos
Copy link

When I clone the Doxity repository on a Windows machine and run npm install , I get this output:
(Note: I modified the compile target in package.json to work in Windows)

rmdir /q /s lib & node_modules.bin\babel src -d lib

src\bin\doxity.js -> lib\bin\doxity.js
src\build.js -> lib\build.js
src\compile\index.js -> lib\compile\index.js
src\compile\parse-abi.js -> lib\compile\parse-abi.js
src\compile\parse-asm.js -> lib\compile\parse-asm.js
src\compile\solc.js -> lib\compile\solc.js
src\constants.js -> lib\constants.js
src\develop.js -> lib\develop.js
src\helpers.js -> lib\helpers.js
src\index.js -> lib\index.js
src\init.js -> lib\init.js
src\publish.js -> lib\publish.js

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [email protected] (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for [email protected]: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

audited 4315 packages in 6.389s
found 308 vulnerabilities (292 low, 10 moderate, 5 high, 1 critical)
run npm audit fix to fix them, or npm audit for details

Could these references be updated in the repo?

@alexpArtos
Copy link
Author

Does anyone out there have a similar problem? We would really like to use Doxity with our code, because it adds value to what we're doing, but we are wary of using it with a critical vulnerability around.
Is anyone else also affected by this, or does anyone have a workaround?

Thank you.

@alexpArtos
Copy link
Author

To add some context to this.
Although my team would like to use Doxity for our development, we are probably not going to do it while those vulnerabilities persist, as one of them is critical.
I've traced it down to growl 1.9.2 being requested by a chain of dependencies that leads ultimately to solidity-parser 0.3.0, which is requested by the truffle-compile fork inside doxity.

trufflesuite/truffle-compile is now deprecated, and has been migrated to trufflesuite/truffle, which no longer uses solidity-parser. I tried changing my package.json locally to request the latest mocha package, which will pick the most recent growl and remove the vulnerability, but that creates repeated versions of mocha and growl, keeping the vulnerability in.

Any advice on how to fix this?
Thanks.

@roynalnaruto
Copy link

roynalnaruto commented Aug 30, 2018

Hi @alexpArtos Please refer the doxity-latest branch

This will also work for truffle projects, with the latest version of solc (0.4.24).

As a guideline, please check how we have used doxity in this repository

Also please check my comment for steps on setting it up. Hope this helps

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants