Vulnerabilities in my Ionic 3 Project


#1

ionic info


Ionic:

   ionic (Ionic CLI)  : 4.2.1 (C:\Users\Meftun\AppData\Roaming\npm\node_modules\ionic)
   Ionic Framework    : ionic-angular 3.9.2
   @ionic/app-scripts : 3.2.0

Cordova:

   cordova (Cordova CLI) : 8.1.2 (cordova-lib@8.1.1)
   Cordova Platforms     : not available
   Cordova Plugins       : cordova-plugin-ionic-keyboard 2.0.5, cordova-plugin-ionic-webview 1.1.1, (and 8 other plugins)

System:

   Android SDK Tools : 26.1.1 (C:\Users\Meftun\AppData\Local\Android\sdk)
   NodeJS            : v8.9.3 (C:\Program Files\nodejs\node.exe)
   npm               : 6.4.1
   OS                : Windows 10

cordova plugin ls

cordova-plugin-admob-free 0.21.0 "Cordova AdMob Plugin"
cordova-plugin-device 2.0.2 "Device"
cordova-plugin-fcm 2.1.2 "FCMPlugin"
cordova-plugin-inappbrowser 3.0.0 "InAppBrowser"
cordova-plugin-ionic-keyboard 2.0.5 "cordova-plugin-ionic-keyboard"
cordova-plugin-ionic-webview 1.1.19 "cordova-plugin-ionic-webview"
cordova-plugin-network-information 2.0.1 "Network Information"
cordova-plugin-splashscreen 5.0.2 "Splashscreen"
cordova-plugin-whitelist 1.3.3 "Whitelist"
cordova-plugin-x-socialsharing 5.4.1 "SocialSharing"
es6-promise-plugin 4.2.2 "Promise"
onesignal-cordova-plugin 2.4.3 "OneSignal Push Notifications"

ionic cordova plugin add cordova-plugin-inappbrowser

> cordova plugin add cordova-plugin-inappbrowser --save
Plugin "cordova-plugin-inappbrowser" already installed on android.
Adding cordova-plugin-inappbrowser to package.json
Saved plugin info for "cordova-plugin-inappbrowser" to config.xml

npm install --save @ionic-native/in-app-browser

npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@1.2.4 (node_modules\fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@1.2.4: wanted {"os":"darwin","arch":"any"} (current: {"os":"win32","arch":"x64"})

+ @ionic-native/in-app-browser@4.16.0
updated 1 package and audited 3659 packages in 10.474s
found 5 moderate severity vulnerabilities
  run `npm audit fix` to fix them, or `npm audit` for details

npm audit

  === npm audit security report ===


                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   @ionic/app-scripts [dev]

  Path            @ionic/app-scripts > node-sass > request > hawk > boom >
                  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   @ionic/app-scripts [dev]

  Path            @ionic/app-scripts > node-sass > request > hawk > cryptiles
                  > boom > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   @ionic/app-scripts [dev]

  Path            @ionic/app-scripts > node-sass > request > hawk > hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Prototype pollution

  Package         hoek

  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3

  Dependency of   @ionic/app-scripts [dev]

  Path            @ionic/app-scripts > node-sass > request > hawk > sntp >
                  hoek

  More info       https://nodesecurity.io/advisories/566


  Moderate        Memory Exposure

  Package         tunnel-agent

  Patched in      >=0.6.0

  Dependency of   @ionic/app-scripts [dev]

  Path            @ionic/app-scripts > node-sass > request > tunnel-agent

  More info       https://nodesecurity.io/advisories/598

found 5 moderate severity vulnerabilities in 3659 scanned packages
  5 vulnerabilities require manual review. See the full report for details.

And I visited this page: https://go.npm.me/audit-guide
I ran npm install npm@latest -g
And I don’t really understand what to do next.
How can I fix these vulnerabilities? What else do I need to do? Thank you.


#2

When all vulnerabilities are in the app-scripts it shouldn’t matter in the resulting app.

Edit: Because the build scripts only run on your machine while you're developing or compiling your project.
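
Added example, not part of either post: a small Node.js script that reads the plain-text `npm audit` report in the layout shown in #1 and separates findings reached only through a `[dev]` dependency (the case #2 describes) from the rest. The sample report is constructed: its first finding is condensed from the output above, and the second finding and its package names are hypothetical.

```javascript
// Added example: triage a plain-text `npm audit` report (layout as printed in post #1).
// SAMPLE is constructed; "example-http-client" / "example-runtime-lib" are hypothetical names.
const SAMPLE = `
  Moderate        Prototype pollution
  Package         hoek
  Patched in      > 4.2.0 < 5.0.0 || >= 5.0.3
  Dependency of   @ionic/app-scripts [dev]
  Path            @ionic/app-scripts > node-sass > request > hawk > boom >
                  hoek
  More info       https://nodesecurity.io/advisories/566

  High            Hypothetical issue
  Package         example-runtime-lib
  Patched in      >=2.0.0
  Dependency of   example-http-client
  Path            example-http-client > example-runtime-lib
  More info       (constructed placeholder)
`;

const HEAD = /^(Low|Moderate|High|Critical)\s{2,}(.+)$/;
const FIELD = /^(Package|Patched in|Dependency of|Path|More info)\s{2,}(.+)$/;

function parseAuditReport(text) {
  const findings = [];
  let cur = null, lastKey = null, m;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    if ((m = HEAD.exec(line))) {             // a severity line starts a new finding
      cur = { severity: m[1], title: m[2] };
      findings.push(cur);
      lastKey = null;
    } else if (cur && (m = FIELD.exec(line))) {
      lastKey = m[1];
      cur[lastKey] = m[2];
    } else if (cur && lastKey === 'Path') {  // wrapped continuation of a long path
      cur.Path += ' ' + line;
    }
  }
  return findings.map(f => ({
    ...f,
    devOnly: /\[dev\]\s*$/.test(f['Dependency of'] || ''),  // marker printed by npm audit
    chain: (f.Path || '').split('>').map(s => s.trim()).filter(Boolean),
  }));
}

parseAuditReport(SAMPLE).forEach(f => console.log(
  `${f.devOnly ? 'dev dependency (build-time)' : 'runtime dependency'}: ` +
  `${f.Package} [${f.severity}] via ${f.chain.join(' > ')}`));
```

Findings in the first group come in through a devDependency such as @ionic/app-scripts; anything in the second group is a regular dependency of the project and deserves a closer look.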