Vulnerabilities in meteor build

Hi Team,

When we are building the application package using the meteor and scanning the same with trivy we are getting the vulnerabilities with the same. we have tried specifying the package in version file as well but no help.

vulnerability was found in module extend <2.0.2, ~<3.0.2
Eran Hammer cryptiles version 4.1.1 earlier contains a CWE-331: Insufficient Entropy vulnerability in

there are multiple vulnerabilities for other packages as well. please help in the same context.


Hi @gauravchauhan, I’m not sure if I fully understood your issue.

It seems that you have vulnerabilities with some of the packages you are using, right? One of them is the cryptiles package. From what I could see, this is a package from HapiJS and they have fixed this issue already in version 4.1.2.

So, what you need to do is to update the package and do the same for every package you have
vulnerabilities. How did you try to update it? Can you share how is it in your package.json file?

If I misunderstood, please clarify a little more so we can try to help you.

@fredmaiaarantes thanks for the reply.
I have already updated the mentioned versions to fix the vulnerability. but somehow it’s getting the old version and while performing the trivy scan it shows the vulnerability with old version.

here is the package.json which is being used.

  "name": "app",
  "private": true,
  "scripts": {
    "start": "meteor run"
  "dependencies": {
    "@babel/runtime": "^7.17.2",
    "@contentful/rich-text-html-renderer": "^15.11.1",
    "@contentful/rich-text-types": "^15.1.0",
    "ansi-regex": "^6.0.1",
    "assert": "^2.0.0",
    "bcrypt": "^5.0.1",
    "bowser": "^1.9.4",
    "contentful": "^8.5.8",
    "extend": "^3.0.2",
    "fs": "0.0.1-security",
    "http": "0.0.1-security",
    "https": "^1.0.0",
    "jquery": "^3.6.0",
    "loadsh": "0.0.4",
    "meteor-node-stubs": "^1.1.0",
    "moment": "^2.29.1",
    "moment-range": "^3.1.1",
    "moment-ranges": "^0.8.12",
    "moment-timezone": "^0.5.34",
    "net": "^1.0.2",
    "node-gyp": "^8.4.1",
    "os": "^0.1.2",
    "range_check": "^2.0.4",
    "request": "^2.83.0",
    "stream": "0.0.2",
    "toastr": "^2.1.4",
    "tty": "^1.0.1",
    "url": "^0.11.0",
    "util": "^0.12.4",
    "xml2json": "^0.12.0",
    "zlib": "^1.0.5"

Although some packages are getting updated, but when I specifically mention the packages in package.json those are getting removed.

blaze                  upgraded from 2.3.4 to 2.5.0
blaze-tools            upgraded from 1.0.10 to 1.1.0
caching-html-compiler  upgraded from 1.1.3 to 1.2.0
cryptiles              removed from your project
ddp-server             upgraded from 2.3.2 to 2.5.0
extend                 removed from your project
html-tools             upgraded from 1.0.11 to 1.1.0
htmljs                 upgraded from 1.0.11 to 1.1.0
json-schema            removed from your project
jsonpointer            removed from your project
less                   upgraded from 3.0.1 to 3.0.2
loadsh                 removed from your project
lodash.template        removed from your project
meteor-base            upgraded from 1.4.0 to 1.5.1
npm-bcrypt             removed from your project
react-fast-refresh     added, version 0.2.2
spacebars              upgraded from 1.0.15 to 1.2.0
spacebars-compiler     upgraded from 1.1.3 to 1.2.0
srp                    removed from your project
templating             upgraded from 1.3.2 to 1.4.1
templating-compiler    upgraded from 1.3.3 to 1.4.1
templating-runtime     upgraded from 1.3.2 to 1.5.0
templating-tools       upgraded from 1.1.2 to 1.2.0
url                    added, version 1.3.2

Few examples of used vulnerabilities.
extend | CVE-2018-16492 | MEDIUM | 3.0.0 | 2.0.2, 3.0.2
glob-parent | CVE-2020-28469 | HIGH | 2.0.0 | 5.1.2
lodash | CVE-2019-10744 | CRITICAL | 1.0.2 | 4.17.12

Before starting the build as well I am installing the latest packages

meteor npm install --save range_check ansi-regex node-gyp extend@3.0.2 assert meteor-node-stubs fs http https net os stream tty url util zlib moment-ranges bowser moment-range loadsh 

But that is of no help, not sure from where I am getting these old package versions as well. what I suspect is the old version (14.18.3) of nodejs being used in meteor by default.

I don’t think this is related to Node.js. These packages are probably cached, you need to make sure they are not there, if this is locally you could remove your node_modules and run a meteor reset (this command remove also your local mongo database).

I have tried the meteor reset as well and checked again. still the same.

Maybe They are cached in ~/.npm?