Security warnings about set-value and http-proxy

[sgeisler]

Security warnings are shown for the packages set-value and http-proxy during install.

I'm submitting a…

• Regression (a behavior that used to work and stopped working in a new release)
• Bug report
• Feature request
• Documentation issue or request
• Support request

Expected Behavior

Installation without security warnings.

Current Behavior

There seem to be two dependencies with security vulnerabilities marked as "high" (whatever that means in JS land).

npm WARN notice [SECURITY] set-value has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=set-value&version=2.0.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.
npm WARN notice [SECURITY] http-proxy has the following vulnerability: 1 high. Go here for more details: https://www.npmjs.com/advisories?search=http-proxy&version=1.18.1 - Run `npm i npm@latest -g` to upgrade your npm version, and then `npm audit` to get more info.

Possible Solution

Assuming there's a fix upstream upgrading the dependencies might help.

Steps to Reproduce (for bugs)

1. Fresh Debian 10.4 install
2. apt install npm
3. clone caravan repo
4. npm install

Environment

• Debian 10.4

• npm 5.8.0

• nodejs v10.19.0

• Where are you running caravan: VM (quite irrelevant)

• Operating system: Linux (Debian 10.4)

• Browser and version: N/A

caravan@0.2.0 /opt/caravan
├── unchained-bitcoin@0.0.13 
└─┬ unchained-wallets@0.0.12 
  └── unchained-bitcoin@0.0.12 

npm: 5.8.0 
node: v10.19.0
Linux 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU/Linux

[waldenraines]

@sgeisler thanks for the bug report!

Not sure if this an option for you but if you upgrade your version of nodejs and npm, rm -fr node_modules, and npm i again you should see the following (I used nvm to test in node.js 12 and 13):

found 3 low severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

[sgeisler]

Thx for the quick reply! I'm not too concerned about it for myself (have it running in a restricted environment anyway), just wanted to let you know. I fear debian doesn't ship any more recent versions and I don't want to alter the system too much just for that.

So if you can fix it by upgrading some dep: great (I assume that's what npm audit fix would do?)! If it's just a reporting error due to old npm: my bad, feel free to close.

[bucko13]

I believe some of the dependencies need to be bumped manually (not just npm audit fix) as they could result in some breaking changes (minor or major changes rather than just a patch) and so will need some testing.

Thanks for reporting!

[abhiShandy]

I don't see this high vulnerability with the latest version but 5000 low-level vulnerabilities, where npm audit fix fixes 4999 of them.

Should I start a PR with the updated package.json and package-lock.json?

[waldenraines]

Should I start a PR with the updated package.json and package-lock.json?

💯 PRs are always welcome!