Summary

When first installing Mattermost, npm audit reports a critical issue for malware in a dependency, but appears to be a false positive. Advisory link: GHSA-r5gc-r4qf-2vh7

Steps to reproduce

Start a fresh install (from a git clone) of mattermost.

cd webapp
npm install && npm audit

Since mattermost-webapp is a channel name, the package from NPM is never directly installed.

Expected behavior

Just a report with lots of Regex DoS like usual for npm audit.

Observed behavior (that appears unintentional)

The audit report contains this segment:

mattermost-webapp *
Severity: critical
Malware in mattermost-webapp - https://github.com/advisories/GHSA-r5gc-r4qf-2vh7
No fix available
channels
node_modules/mattermost-webapp

Possible fixes

In the PHP ecosystem, we have the ability to make a package that conflicts with every vulnerable version, thereby preventing it from ever being installed. I don't see a similar mechanism in package.json.

It may be possible to use overrides to achieve a similar effect, but it's not immediately clear to us if that will work. (We are not Node.js experts.)
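Added example (not code from the issue or from the Mattermost project): a Node script that cross-checks npm audit --json findings against package-lock.json, so a finding whose node_modules path is a `link: true` workspace symlink, as with channels / mattermost-webapp above, is marked as a probable name collision rather than a registry install. The audit and lockfile fragments are constructed to mirror the report (the second finding, left-pad-ish, is invented for contrast), and the script assumes the npm 7+ audit JSON layout and the lockfile v2/v3 way of recording workspaces.

```javascript
// Constructed sample shaped like `npm audit --json` (npm 7+). The first finding mirrors the
// report in the issue; "left-pad-ish" is a made-up registry package added for contrast.
const auditReport = {
  vulnerabilities: {
    "mattermost-webapp": {
      name: "mattermost-webapp", severity: "critical", range: "*", fixAvailable: false,
      nodes: ["node_modules/mattermost-webapp"],
      via: [{ title: "Malware in mattermost-webapp",
              url: "https://github.com/advisories/GHSA-r5gc-r4qf-2vh7" }],
    },
    "left-pad-ish": {
      name: "left-pad-ish", severity: "high", range: "<2.0.0", fixAvailable: true,
      nodes: ["node_modules/left-pad-ish"], via: [{ title: "ReDoS (constructed)" }],
    },
  },
};
// Constructed package-lock.json v3 fragment. npm records a workspace under node_modules as a
// symlink entry (`link: true`, `resolved` = workspace folder) plus the folder's own entry.
const packageLock = {
  lockfileVersion: 3,
  packages: {
    "channels": { name: "mattermost-webapp", version: "0.0.0" },
    "node_modules/mattermost-webapp": { resolved: "channels", link: true },
    "node_modules/left-pad-ish": { version: "1.0.0",
      resolved: "https://registry.npmjs.org/left-pad-ish/-/left-pad-ish-1.0.0.tgz" },
  },
};
// For each flagged node_modules path, look up where npm says the code came from. A `link: true`
// entry was never fetched from the registry, so an advisory about the same-named registry
// package does not apply to it and the finding is a probable false positive.
function triageAudit(audit, lock) {
  const results = [];
  for (const vuln of Object.values(audit.vulnerabilities)) {
    for (const node of vuln.nodes) {
      const entry = lock.packages[node] || {};
      const isLink = entry.link === true;
      const target = isLink ? (lock.packages[entry.resolved] || {}) : entry;
      const targetName = target.name || (entry.resolved || "").split("/").pop();
      results.push({
        name: vuln.name, node, severity: vuln.severity,
        origin: isLink ? `workspace:${entry.resolved}` : (entry.resolved || "unknown"),
        likelyNameCollision: isLink && targetName === vuln.name,
      });
    }
  }
  return results;
}
// Findings not explained by a workspace name collision are the ones that still need action.
const actionableFindings = (audit, lock) =>
  triageAudit(audit, lock).filter((r) => !r.likelyNameCollision);
```

Feed it the real outputs with `npm audit --json` and the repository's package-lock.json to get the same classification for an actual install.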