Serverless-offline security vulnerabilities

olegs · November 1, 2018, 10:49pm

installing serverless-offline generate security vulnerability.

found 4 high severity vulnerabilities in 20279 scanned packages
4 vulnerabilities require manual review. See the full report for details.

the reason is:
serverless-offline -> includes hapi v. 14.2.0 which in results includes cryptiles with version < 4.1.2
which generates this problem.
Any work around it?

Thank you,

Oleg

buggy · November 2, 2018, 1:59am

The plugin’s github repo is the best place to look for support. It seems like someone has already reported it.

github.com/dherault/serverless-offline

dependeny "hapi" is outdated and triggers npm security warning

opened 12:47AM - 02 Nov 18 UTC

closed 11:17AM - 08 Jan 19 UTC

justingrant

help wanted

Looks like `serverless-offline`'s dependecy `hapi` is out of date. Normally thi…s wouldn't be a big deal but there's a new (as of today) security warning triggered by `cryptiles`, one of `hapi`'s dependencies: https://www.npmjs.com/advisories/720. I don't know if this exposes an actual security issue (probably not because serverless-offline is only for local development!) but it's annoying to see those warnings. The highest LTS version of `hapi` is 16.6.3, but I'm not sure if this version has the updated `cryptiles`. The latest `hapi` is 17.6.2 which does seem to have the updated . The version of `hapi` that's currently in `serverless-offline` is 14.2.0. ``` npm audit === npm audit security report === ┌──────────────────────────────────────────────────────────────────────────────┐ │ Manual Review │ │ Some vulnerabilities require your attention to resolve │ │ │ │ Visit https://go.npm.me/audit-guide for additional guidance │ └──────────────────────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Insufficient Entropy │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ serverless-offline [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ serverless-offline > hapi > cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/720 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Insufficient Entropy │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ serverless-offline [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ serverless-offline > hapi > iron > cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/720 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Insufficient Entropy │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ serverless-offline [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ serverless-offline > hapi > statehood > cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/720 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Insufficient Entropy │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.1.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ serverless-offline [dev] │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ serverless-offline > hapi > statehood > iron > cryptiles │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://nodesecurity.io/advisories/720 │ └───────────────┴──────────────────────────────────────────────────────────────┘ found 4 high severity vulnerabilities in 44688 scanned packages 4 vulnerabilities require manual review. See the full report for details. > npm v hapi hapi@17.6.2 | BSD-3-Clause | deps: 17 | versions: 279 HTTP Server framework https://hapijs.com keywords: framework, http, api, web dist .tarball: https://registry.npmjs.org/hapi/-/hapi-17.6.2.tgz .shasum: 67797e66ab7d2d58c43bdae7f1237f13f48481a9 .integrity: sha512-vvOfssoAmRVczKMVC0lyGtpB0bvgdHVnzRrMGe5A9jy0JVnj24Kplt+mFIOVHmPt7zsZgUiqpGzF1R4grOh/Yg== .unpackedSize: 175.3 kB dependencies: accept: 3.x.x bounce: 1.x.x catbox: 10.x.x joi: 14.x.x shot: 4.x.x teamwork: 3.x.x ammo: 3.x.x call: 5.x.x heavy: 6.x.x mimos: 4.x.x statehood: 6.x.x topo: 3.x.x boom: 7.x.x catbox-memory: 3.x.x hoek: 6.x.x podium: 3.x.x subtext: 6.x.x maintainers: - hueniverse <eran@hueniverse.com> dist-tags: latest: 17.6.2 lts: 16.6.3 next: 17.0.1 override: 13.5.3 published an hour ago by hueniverse <eran@hammer.io> > npm v serverless-offline serverless-offline@3.31.0 | MIT | deps: 13 | versions: 158 Emulate AWS λ and API Gateway locally when developing your Serverless project https://github.com/dherault/serverless-offline keywords: Serverless, Amazon Web Services, AWS, Lambda, API Gateway dist .tarball: https://registry.npmjs.org/serverless-offline/-/serverless-offline-3.31.0.tgz .shasum: 0ee5885df968c4be415cf10d229370fd6cd5c908 .integrity: sha512-uGur1/LeQ8LkOl1U6RFDlfTUXAl08GeYRqqX1mjFjQQxh7Lol0JORyFQP3xfIWszCWjkdTPw79R4TPqVncMHtA== .unpackedSize: 164.5 kB dependencies: @babel/core: ^7.0.0 cryptiles: ^4.1.2 hapi: 14.2.0 jsonwebtoken: ^8.3.0 velocityjs: ^1.1.2 @babel/register: ^7.0.0 h2o2: ^5.4.0 js-string-escape: ^1.0.1 lodash: ^4.17.10 boom: ^4.2.0 hapi-cors-headers: ^1.0.3 jsonpath-plus: ^0.16.0 uuid: ^3.3.2 maintainers: - daniel-cottone <daniel.cottone@asurion.com> - dherault <dherault@gmail.com> dist-tags: beta: 1.0.0-beta3 latest: 3.31.0 published yesterday by dherault <dherault@gmail.com> ```

Topic		Replies	Views
Audit error on serverless install (npm audit) Serverless Framework	1	1863	June 11, 2018
Lambda compliant compilation of node modules Serverless Framework aws	4	2452	November 8, 2016
Issue with crypto (native node modules?) Serverless Framework	3	2136	June 25, 2017
Error: CLI options definitions were upgraded with "type" property - ServerlessWebpack for "webpack-use-polling" Serverless Framework lambda	0	615	August 4, 2022
Why are serverless dependencies so out of date? Serverless Framework	2	503	April 10, 2019

Serverless-offline security vulnerabilities

Related Topics