node-gyp as a dependency

Issue #35 resolved
Aaron Bartell created an issue

Given we are delivering the pre-compiled binary via npm install, is it possible to remove node-gyp (and maybe others) from the dependencies section?

This surfaced because of a vulnerability warning in the latest version of npm. Recreate the issue...

First upgrade npm if you're not on the latest version:

┌─[aaron @ KT4001][~]
└─[$] npm i -g npm
/QOpenSys/pkgs/lib/nodejs8/bin/npx -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npx-cli.js
/QOpenSys/pkgs/lib/nodejs8/bin/npm -> /QOpenSys/pkgs/lib/nodejs8/lib/node_modules/npm/bin/npm-cli.js
+ npm@6.3.0
added 283 packages, removed 363 packages and updated 41 packages in 315.849s


   ╭─────────────────────────────────────╮
                                        
      Update available 5.6.0  6.3.0    
        Run npm i -g npm to update      
                                        
   ╰─────────────────────────────────────╯


┌─[aaron @ KT4001][~]
└─[$] npm -v
6.3.0

Create a project to test. The npm audit command requires a package.json file.

$] mkdir idb-connector-audit

┌─[aaron @ KT4001][~/git]
└─[$] cd idb-connector-audit/

┌─[aaron @ KT4001][~/git/idb-connector-audit]
└─[$] npm -y init
Wrote to /home/aaron/git/idb-connector-audit/package.json:

{
  "name": "idb-connector-audit",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}

Do an install to see warnings.

┌─[aaron @ KT4001][~/git/idb-connector-audit]
└─[$] npm install idb-connector

> idb-connector@1.1.1 install /home/aaron/git/idb-connector-audit/node_modules/idb-connector
> node-pre-gyp install --fallback-to-build

node-pre-gyp WARN Using request for node-pre-gyp https download
[idb-connector] Success: "/home/aaron/git/idb-connector-audit/node_modules/idb-connector/lib/binding/Release/node-v57-ibmi-ppc64/db2ia.node" is installed via remote
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN idb-connector-audit@1.0.0 No description
npm WARN idb-connector-audit@1.0.0 No repository field.

+ idb-connector@1.1.1
added 173 packages from 109 contributors and audited 287 packages in 118.04s
found 4 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

Run npm audit as recommended.

┌─[aaron @ KT4001][~/git/idb-connector-audit]
└─[$] npm audit

                       === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   idb-connector

  Path            idb-connector > node-gyp > request > hawk > boom > hoek

  More info       https://nodesecurity.io/advisories/566

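The audit finding above is a prototype pollution advisory against hoek, pulled in only through the node-gyp build toolchain. As an added example (not hoek's code, nor anything from idb-connector or the issue author), the block below shows the bug class the advisory describes: a recursive merge that copies a `__proto__` key from attacker-controlled JSON into `Object.prototype`, next to a merge that refuses the dangerous keys. The payload, the `unsafeMerge`/`safeMerge` names and the `isAdmin` property are constructed for the illustration.

```javascript
// Added example: prototype pollution through an unguarded deep merge.
// This is NOT hoek's implementation; it is a minimal merge written to
// show the failure mode the npm audit report names, and the fix.

// Vulnerable: walks every own key of `source`, including "__proto__".
// JSON.parse creates "__proto__" as an ordinary own property, and reading
// target["__proto__"] returns Object.prototype, so the recursion writes
// attacker-chosen keys onto every object in the process.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: skip the keys that reach the prototype chain, and only recurse
// into properties `target` actually owns (never into inherited ones).
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON request body passed to a merge.
const PAYLOAD = '{"__proto__": {"isAdmin": true}}';

// Returns true when an unrelated, freshly created object has inherited
// the attacker's property, i.e. Object.prototype was polluted.
function demoUnsafe() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true;
  delete Object.prototype.isAdmin; // undo the damage so later code is unaffected
  return polluted;
}

// Returns whether pollution occurred and which keys the merge kept.
function demoSafe() {
  const out = safeMerge({ a: 1 }, JSON.parse(PAYLOAD));
  return { polluted: ({}).isAdmin === true, keys: Object.keys(out) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafeMerge polluted Object.prototype:', demoUnsafe());
  console.log('safeMerge result:', demoSafe());
}
```

The check that matters is the `FORBIDDEN_KEYS` skip plus the own-property test before recursing; either one alone still leaves a path onto the prototype chain. The same shape applies to any "merge", "extend" or "set by dotted path" helper that accepts external input, which is why an audit hit in a transitive build-time dependency is still worth removing from the install tree rather than ignoring.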
Comments (4)