This repository was archived by the owner on Sep 5, 2019. It is now read-only.

gulp-nsp 3.0 ignoring exceptions #43

Closed
nathany opened this issue Feb 15, 2018 · 7 comments

Comments

@nathany

nathany commented Feb 15, 2018

@nlf Thanks for releasing 3.0 to resolve this issue: #39 (comment).

Unfortunately I'm running into some issues after upgrading our project to 3.0.

I'm now seeing gulp nsp output vulnerability warnings that are in the exceptions list.

.nsprc

{
  "exceptions": [
    "https://nodesecurity.io/advisories/534",
    "https://nodesecurity.io/advisories/566"
  ]
}

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Regular Expression Denial of Service                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ debug                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 3.7 (Low)                                                          │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 0.7.4                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <= 2.6.8 || >= 3.0.0 <= 3.0.1                                      │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ [email protected] > [email protected] > [email protected]               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/534                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

This issue: stdarg/tcp-port-used#5

I'm also not seeing the other 566 vulnerability if I remove the .nsprc file. mapbox/node-pre-gyp#346

If I downgrade gulp-nsp, I see both vulnerabilities when there is no .nsprc file, and they both can be ignored with the .nsprc.

This is the output from gulp-nsp 2.x:

 hoek    2.16.3      > 4.2.0 < 5.0.0 || >= 5.0.3    [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]   https://nodesecurity.io/advisories/566 
 debug   0.7.4       >= 2.6.9 < 3.0.0 || >= 3.1.0   [email protected] > [email protected] > [email protected]                                                                                    https://nodesecurity.io/advisories/534 

Also noticed a Drone test failure on your repo.

@nlf
Member

nlf commented Feb 15, 2018

I just published [email protected], give that a spin and let me know if it fixes your issue

@nathany
Author

nathany commented Feb 15, 2018

That solves the issue with the exception not working. Thanks!

However, it's no longer reporting https://nodesecurity.io/advisories/566 for node-pre-gyp.

hoek2

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         ├─┬ [email protected]
│         │ └── [email protected]  deduped
│         ├── [email protected] 
│         └─┬ [email protected]
│           └── [email protected]  deduped
[14:45:26] Starting 'security'...
[14:45:34] (+) No known vulnerabilities found
[14:45:34] Finished 'security' after 8.33 s

.nsprc

{
  "exceptions": [
    "https://nodesecurity.io/advisories/534"
  ]
}

@nlf
Member

nlf commented Feb 15, 2018

that would be because chokidar, the package that ultimately brings in node-pre-gyp, is an optional dependency of babel-cli (the top level package you're testing), and currently optional deps are skipped

@nathany
Author

nathany commented Feb 15, 2018

Okay. At least it's intentional then. But did that behaviour change between nsp 2.7 and nsp 3.2.1?

The output from gulp-nsp 2.x (no .nsprc):

 hoek    2.16.3      > 4.2.0 < 5.0.0 || >= 5.0.3    [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected] > [email protected]   https://nodesecurity.io/advisories/566 
 debug   0.7.4       >= 2.6.9 < 3.0.0 || >= 3.1.0   [email protected] > [email protected] > [email protected]                                                                                    https://nodesecurity.io/advisories/534 

@nlf
Member

nlf commented Feb 15, 2018

shouldn't have. nothing in the nsp client, or gulp-nsp does anything with optionalDependencies at all and never has.

the output you're showing from gulp-nsp 2.x looks to be from a different project, as it shows a dependency on [email protected] bringing in [email protected] (a direct dependency, not optional) which in turn brings in the version of chokidar with the vulnerable package.

the output you showed from gulp-nsp 3.x showed a dependency tree from babel-cli, which is entirely different due to chokidar being an optional dependency.

@nathany
Author

nathany commented Feb 15, 2018

Thanks for clarifying that for me. And also thank you for responding quickly and upgrading gulp-nsp.

Cheers

@nathany nathany closed this as completed Feb 15, 2018
@nlf
Member

nlf commented Feb 15, 2018

happy to help, good catch on the exceptions not working and thank you for reporting it so quickly!
