
Vulnerabilities in dependencies #955

Closed
yar0d opened this issue Oct 24, 2018 · 2 comments

Comments

@yar0d

yar0d commented Oct 24, 2018

Bug report

2 vulnerabilities detected after npm upgrade.

Version

Vuepress 0.14.4

Steps to reproduce

$ npm audit
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ merge-options                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > webpack-serve > @webpack-contrib/config-loader >  │
│               │ merge-options                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/717                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ merge-options                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ vuepress                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ vuepress > webpack-serve > koa-webpack > merge-options       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/717                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 2 low severity vulnerabilities in 25917 scanned packages
  2 vulnerabilities require manual review. See the full report for details.

What is expected?

No error message after npm upgrade.

What is actually happening?

Vulnerabilities found in dependencies.

Other relevant information

  • Your OS: Linux 4.18.16-arch1-1-ARCH #1 SMP PREEMPT Sat Oct 20 22:06:45 UTC 2018 x86_64 GNU/Linux
  • Node.js version: node v10.10.0
  • Browser version: N/A
  • Is this a global or local install? It is a local install in my project.
  • Which package manager did you use for the install? npm v6.4.1
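Both audit rows above point at the same advisory class, prototype pollution in merge-options, which is easier to reason about with a small reproduction. The JavaScript below is an added example written for this page; it is not code from the issue, from VuePress, or from merge-options. naiveMerge is a constructed stand-in for any recursive merge that does not guard prototype-reaching keys, safeMerge is the hardened counterpart, and containsForbiddenKey is an assumed pre-merge check that a config loader could run on input it does not trust. The payload is constructed for the demonstration.

```javascript
// Added example: a constructed vulnerable deep merge next to a hardened one.
// naiveMerge is NOT merge-options' code; it is a toy showing the bug class.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable pattern: walks every own key of `source`, including one literally
// named "__proto__" (JSON.parse creates it as an own property). Reading
// target["__proto__"] on a plain object resolves to Object.prototype, so the
// nested keys are written onto every object in the process.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key])) {
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened pattern: drop keys that can reach the prototype chain, and only
// descend into a property that `target` actually owns as a plain object.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const next = source[key];
    if (isPlainObject(next)) {
      const ownPlain = Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key]);
      if (!ownPlain) target[key] = {};
      safeMerge(target[key], next);
    } else {
      target[key] = next;
    }
  }
  return target;
}

// Pre-merge check (assumed helper, not from any library): true if a parsed
// document contains a prototype-reaching key at any depth, including inside arrays.
function containsForbiddenKey(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return false;
  seen.add(value);
  if (Array.isArray(value)) return value.some((item) => containsForbiddenKey(item, seen));
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return true;
    if (containsForbiddenKey(value[key], seen)) return true;
  }
  return false;
}

// Runs both merges against a constructed payload and reports whether an
// unrelated, freshly created object was affected. Cleans up after the naive
// merge so the rest of the process is not left polluted.
function demonstrate() {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "a": 1}');
  const result = {};
  naiveMerge({}, payload);
  result.afterNaive = ({}).polluted;   // 'yes': the key leaked onto Object.prototype
  delete Object.prototype.polluted;    // undo the pollution for the remainder of the run
  safeMerge({}, payload);
  result.afterSafe = ({}).polluted;    // undefined: the key was dropped
  return result;
}

console.log(demonstrate());
```

The reason the naive version fails is not a bug in JSON.parse but the interaction between an own property named "__proto__" on the source and the inherited accessor of the same name on the target; any recursive merge that indexes the target with untrusted keys has the same exposure. Whether that matters for a given deployment depends on where the merged input comes from: a build tool reading its own config file on a developer machine sees only trusted data, which is why such findings are commonly triaged as low severity, while the same merge applied to request bodies or user-supplied config is a different risk.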
@fallsimply

fallsimply commented Oct 31, 2018

These shouldn't be a problem. NPM says they're low severity and the problem is prototype pollution in packages used by the outdated version of webpack-serve. Running npm audit fix should update that dependency on your side. Andrew Connel wrote an article about npm vulnerabilities and why you shouldn't worry about them.

@ulivz
Member

ulivz commented Nov 25, 2018

Thanks @SimplyCodin for explaining

@ulivz ulivz closed this as completed Nov 25, 2018