olegs
November 1, 2018, 10:49pm
1
Installing serverless-offline generates a security vulnerability.
found 4 high severity vulnerabilities in 20279 scanned packages
4 vulnerabilities require manual review. See the full report for details.
The reason is: serverless-offline includes hapi v14.2.0, which in turn includes cryptiles with version < 4.1.2, which generates this problem.
Any workaround for it?
Thank you,
Oleg
buggy
November 2, 2018, 1:59am
2
The plugin’s github repo is the best place to look for support. It seems like someone has already reported it.
Issue opened 12:47AM - 02 Nov 18 UTC, closed 11:17AM - 08 Jan 19 UTC, labelled "help wanted":
Looks like `serverless-offline`'s dependency `hapi` is out of date. Normally this wouldn't be a big deal but there's a new (as of today) security warning triggered by `cryptiles`, one of `hapi`'s dependencies: https://www.npmjs.com/advisories/720. I don't know if this exposes an actual security issue (probably not because serverless-offline is only for local development!) but it's annoying to see those warnings.
The highest LTS version of `hapi` is 16.6.3, but I'm not sure if this version has the updated `cryptiles`. The latest `hapi` is 17.6.2 which does seem to have the updated . The version of `hapi` that's currently in `serverless-offline` is 14.2.0.
```
npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > hapi > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > hapi > iron > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > hapi > statehood > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Insufficient Entropy │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.1.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ serverless-offline [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ serverless-offline > hapi > statehood > iron > cryptiles │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/720 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 4 high severity vulnerabilities in 44688 scanned packages
4 vulnerabilities require manual review. See the full report for details.
> npm v hapi
hapi@17.6.2 | BSD-3-Clause | deps: 17 | versions: 279
HTTP Server framework
https://hapijs.com
keywords: framework, http, api, web
dist
.tarball: https://registry.npmjs.org/hapi/-/hapi-17.6.2.tgz
.shasum: 67797e66ab7d2d58c43bdae7f1237f13f48481a9
.integrity: sha512-vvOfssoAmRVczKMVC0lyGtpB0bvgdHVnzRrMGe5A9jy0JVnj24Kplt+mFIOVHmPt7zsZgUiqpGzF1R4grOh/Yg==
.unpackedSize: 175.3 kB
dependencies:
accept: 3.x.x bounce: 1.x.x catbox: 10.x.x joi: 14.x.x shot: 4.x.x teamwork: 3.x.x
ammo: 3.x.x call: 5.x.x heavy: 6.x.x mimos: 4.x.x statehood: 6.x.x topo: 3.x.x
boom: 7.x.x catbox-memory: 3.x.x hoek: 6.x.x podium: 3.x.x subtext: 6.x.x
maintainers:
- hueniverse <eran@hueniverse.com>
dist-tags:
latest: 17.6.2 lts: 16.6.3 next: 17.0.1 override: 13.5.3
published an hour ago by hueniverse <eran@hammer.io>
> npm v serverless-offline
serverless-offline@3.31.0 | MIT | deps: 13 | versions: 158
Emulate AWS λ and API Gateway locally when developing your Serverless project
https://github.com/dherault/serverless-offline
keywords: Serverless, Amazon Web Services, AWS, Lambda, API Gateway
dist
.tarball: https://registry.npmjs.org/serverless-offline/-/serverless-offline-3.31.0.tgz
.shasum: 0ee5885df968c4be415cf10d229370fd6cd5c908
.integrity: sha512-uGur1/LeQ8LkOl1U6RFDlfTUXAl08GeYRqqX1mjFjQQxh7Lol0JORyFQP3xfIWszCWjkdTPw79R4TPqVncMHtA==
.unpackedSize: 164.5 kB
dependencies:
@babel/core: ^7.0.0 cryptiles: ^4.1.2 hapi: 14.2.0 jsonwebtoken: ^8.3.0 velocityjs: ^1.1.2
@babel/register: ^7.0.0 h2o2: ^5.4.0 js-string-escape: ^1.0.1 lodash: ^4.17.10
boom: ^4.2.0 hapi-cors-headers: ^1.0.3 jsonpath-plus: ^0.16.0 uuid: ^3.3.2
maintainers:
- daniel-cottone <daniel.cottone@asurion.com>
- dherault <dherault@gmail.com>
dist-tags:
beta: 1.0.0-beta3 latest: 3.31.0
published yesterday by dherault <dherault@gmail.com>
```
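The audit report above lists four paths from `serverless-offline` down to an old `cryptiles`, every one marked `[dev]`, and the issue text leaves open whether that makes it a real exposure. The script below is an added example, not code from the forum post, the linked issue or the serverless-offline project: it walks a `package-lock.json` in the `lockfileVersion: 1` layout npm 6 wrote at the time, resolves `requires` edges the way Node resolves `node_modules` (nearest ancestor first), lists every path that ends in a target package below its patched version, and says whether all of those paths are reachable only through `devDependencies`. It runs against a constructed lock fragment that mirrors the report's paths; serverless-offline 3.31.0, hapi 14.2.0 and the 4.1.2 threshold come from the report, while the `iron`, `statehood` and nested `cryptiles` versions are assumptions, as is the `package.json`.

```javascript
// Added example (not from the thread or serverless-offline): find every
// dependency path to a package below its patched version in a lockfileVersion 1
// package-lock.json and report whether all of them are dev-only.

// Constructed package.json: serverless-offline is a devDependency only.
const SAMPLE_PKG = {
  dependencies: {},
  devDependencies: { "serverless-offline": "^3.31.0" },
};

// Constructed lock fragment mirroring the four audit paths. Versions other than
// serverless-offline 3.31.0 and hapi 14.2.0 are illustrative assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    // Hoisted copy satisfying serverless-offline's own "cryptiles": "^4.1.2".
    cryptiles: { version: "4.1.3", dev: true },
    "serverless-offline": {
      version: "3.31.0",
      dev: true,
      requires: { hapi: "14.2.0", cryptiles: "^4.1.2" },
      dependencies: {
        hapi: {
          version: "14.2.0",
          dev: true,
          requires: { cryptiles: "3.x.x", iron: "4.x.x", statehood: "5.x.x" },
          dependencies: {
            // Nested old cryptiles: hapi 14 cannot use the hoisted 4.x copy.
            cryptiles: { version: "3.1.2", dev: true },
            iron: { version: "4.0.5", dev: true, requires: { cryptiles: "3.x.x" } },
            statehood: {
              version: "5.0.3",
              dev: true,
              requires: { cryptiles: "3.x.x", iron: "4.x.x" },
            },
          },
        },
      },
    },
  },
};

// Simplified semver: numeric major.minor.patch only, pre-release tags ignored.
function versionLessThan(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Resolve `name` like Node does: the nearest ancestor's nested `dependencies`
// wins, falling back to the root of the lock. `chain` runs from the lock
// object itself down to the package whose `requires` is being resolved.
function resolveDep(name, chain) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies;
    if (deps && deps[name]) return deps[name];
  }
  return null;
}

function findVulnerablePaths(lock, pkgJson, target, patchedIn) {
  const found = [];
  // The root's outgoing edges are package.json's direct dependencies; npm marks
  // lock entries reachable only from devDependencies with "dev": true.
  const rootEdges = Object.assign({}, pkgJson.dependencies, pkgJson.devDependencies);
  function walk(entry, chain, path, devOnly) {
    const edges = entry === lock ? rootEdges : entry.requires || {};
    for (const name of Object.keys(edges)) {
      const child = resolveDep(name, chain);
      if (!child || chain.includes(child)) continue; // not installed, or a cycle
      const dev = devOnly || child.dev === true;
      const nextPath = path.concat(`${name}@${child.version}`);
      if (name === target && versionLessThan(child.version, patchedIn)) {
        found.push({ path: nextPath, dev });
      }
      walk(child, chain.concat(child), nextPath, dev);
    }
  }
  walk(lock, [lock], [], false);
  return found;
}

function auditTarget(lock, pkgJson, target, patchedIn) {
  const findings = findVulnerablePaths(lock, pkgJson, target, patchedIn);
  return {
    paths: findings.map((f) => f.path),
    allDevOnly: findings.length > 0 && findings.every((f) => f.dev),
  };
}

function formatReport(result, target, patchedIn) {
  if (result.paths.length === 0) return `no ${target} below ${patchedIn} is installed`;
  const lines = result.paths.map((p) => "  " + p.join(" > "));
  // Dev-only is only a safe verdict if production installs skip devDependencies.
  lines.push(result.allDevOnly
    ? `all ${result.paths.length} paths are dev-only; absent from a --production install`
    : "at least one path is reachable from production dependencies; treat as real exposure");
  return lines.join("\n");
}

console.log(formatReport(auditTarget(SAMPLE_LOCK, SAMPLE_PKG, "cryptiles", "4.1.2"), "cryptiles", "4.1.2"));
```

On a real project the same four paths can be confirmed with `npm ls cryptiles`, and `npm audit --json` gives the report in a machine-readable form that includes the same `paths` array. The dev-only verdict only holds if the deployment install really omits devDependencies; a build that runs a plain `npm install` and ships `node_modules` still carries the old `cryptiles`.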