advisories | Security advisories published by Enable Security | Security library

This problem has been answered here: https://stackoverflow.com/a/67502823/8499653

the support for postcss 8 is already merged and probably will be released soon

you can use the npm package npm-force-resolutions to temporarily fix this issue

This article helped me. https://www.npmjs.com/package/npm-force-resolutions. To use resolutions you wrote you should force them by adding this script in package.json

You might just need to edit your package.json, update the version for the offending package to the latest stable version (in this case https://www.npmjs.com/package/node-fetch), and then run "npm install" from the terminal.

You should check your package-lock.json if dns-packet was indeed updated to 5.2.2 or a higher version to fix the Memory Exposure vulnerability.

You can add the least required version to resolutions in package.json and run npx npm-force-resolutions before npm install:

A few developers are now slowly getting this hopefully temporary problem when they update their projects.

For example: https://github.com/facebook/create-react-app/issues/11012

Recommendation is to leave this on the todo list, and wait a few days while the package developers fix this (at least for the packages that already have been notified)

Then run audit fix again

In the meantime, one error in particular the 'high' severity one...

I had posed this question couple of weeks ago here.

You can overcome this by forcing a resolution of postcss to ^8.2.10 temporarily. I wouldn't anyway worry much as a patch is being done as we speak, so it's just going to be a matter of time before it gets resolved.

We run npm ci && npm audit --audit-level=high in our project's CI pipeline and we have encountered this underscore issue today.

There's already the GitHub issue about it:

We are now waiting for new release (patch). Before that a quick fix and a possible solution would be to search for underscore in your package-lock.json and to manually update underscore version there, because npm audit fix won't fix it automatically.

We had 1.9.1 version used and updated to 1.12.1 (which is listed in audit log as a stable one). Kindly change these lines for every underscore's occurrence:

• version: 1.9.1 => 1.12.1;
• resolved: https://registry.npmjs.org/underscore/-/underscore-1.9.1.tgz => https://registry.npmjs.org/underscore/-/underscore-1.12.1.tgz;
• integrity: sha512-5/4etnCkd9c8gwgowi5/om/mYO5ajCaOgdzj/oW+0eQV9WxKBDZw5+ycmKmeaTXjInS/W0BzpGLo2xR2aBwZdg== => sha512-hEQt0+ZLDVUMhebKxL4x1BTtDY7bavVofhZ9KZ4aI26X9SRaE+Y3m83XUL1UP2jn8ynjndwCCpEHdUG+9pP1Tw==.

This way npm ci will get versions from package-lock.json and no error will occur. But npm install will ignore it...

Here's a difference between these 2 commands if needed: Difference between npm install and npm ci

UPDATE

Also you can use npm-force-resolutions package in order to set the specific version of underscore package:

1. Add "resolutions": { "underscore": "1.12.1" } to your package.json;
2. Optionally add preinstall script that will be run every time before npm install starts: "scripts": { "preinstall": "npx npm-force-resolutions" };
3. Run npm install or npx npm-force-resolutions and see your changes in package-lock.json. Also npm audit won't find those vulnerabilities.

FINAL UPDATE

web3@1.3.6 with all fixes is available, you can update your local package.

You could collect all groups and single values and return a flat array.

Is there any way to get similar advisory for the Virtual Machine Scale Set resource type? Is there any included out of the box?

As per the Azure Advisor documentation, Advisor provides recommendations for the following resource types:

Application Gateway, App Services, availability sets, Azure Cache, Azure Data Factory, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Database for MariaDB, Azure ExpressRoute, Azure Cosmos DB, Azure public IP addresses, Azure Synapse Analytics, SQL servers, storage accounts, Traffic Manager profiles, and Virtual machines.

Although Azure Advisor also includes your recommendations from Azure Security Center which may include recommendations for additional resource types, this list does not cover cost recommendations for VMSS as of today, AFAIK.

I need to make a query for this inside of Monitor Logs or similar?

To monitor your Virtual machine Scale sets, you can leverage Azure Monitor. The performance views in the VM Insights feature are powered using log analytics queries, offering “Top N”, aggregate, and list views to quickly find outliers or issues in your scale set based on guest level metrics for CPU, available memory, bytes sent and received, and logical disk space used.

You can also deploy the Azure Monitor Application Insights Agent on Azure virtual machine scale sets to enable monitoring for your .NET or Java based web applications and get all the benefits of using Application Insights without modifying your code.

Could one create their own custom made advisories (inside of Azure Advisor, if not - anywhere else?), to get this functionaltiy in place (if it isn't already provided)?

Nope, that is not doable as of today. Azure Advisor is a managed offering that analyzes your resource configuration and usage telemetry and then recommends solutions that can help you optimize your Azure resources. Feel free to share your feedback and ideas here for the Advisor team to evaluate and prioritize.