Newman vulnerabilities how to fix?

Hi, there are many vulnerabilities when I use the “npm audit” command to scan the newman dir. How to fix those vulnerabilities? Can you update or fix those issues? The npm audit report is below:

101  >=1.0.0
Severity: critical
Prototype pollution in 101
Depends on vulnerable versions of keypather
fix available via `npm audit fix --force`
Will install @postman/[email protected], which is a breaking change
node_modules/101
  keypather  >=1.10.2
  Depends on vulnerable versions of 101
  node_modules/keypather
    tiny-error  *
    Depends on vulnerable versions of 101
    node_modules/tiny-error
      @postman/yankee  *
      Depends on vulnerable versions of tiny-error
      node_modules/@postman/yankee
        @postman/shipit  >=0.3.0
        Depends on vulnerable versions of @postman/yankee
        node_modules/@postman/shipit

jose  3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/jose
  postman-runtime  >=7.31.0
  Depends on vulnerable versions of jose
  Depends on vulnerable versions of node-forge
  node_modules/postman-runtime

js-yaml  <3.14.2
Severity: moderate
js-yaml has prototype pollution in merge (<<)
No fix available
node_modules/dockerfile_lint/node_modules/js-yaml
  dockerfile_lint  *
  Depends on vulnerable versions of js-yaml
  Depends on vulnerable versions of lodash
  node_modules/dockerfile_lint

lodash  <=4.17.20
Severity: critical
Prototype Pollution in lodash
Command Injection in lodash
Prototype Pollution in lodash
Prototype Pollution in lodash
No fix available
node_modules/dockerfile_lint/node_modules/lodash

node-forge  <=1.3.1
Severity: high
node-forge has ASN.1 Unbounded Recursion
node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
node-forge is vulnerable to ASN.1 OID Integer Truncation
fix available via `npm audit fix --force`
Will install [email protected], which is outside the stated dependency range
node_modules/node-forge

11 vulnerabilities (3 moderate, 2 high, 6 critical)

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Requesting a fix for those pls, thanks.

Hey @YuanLei41 :waving_hand:

Welcome to the Postman Community! :postman:

I can see that these have also been raised on the project’s repo; that’s the best place to raise these issues.

Have you tried using the Postman CLI to run your Collections?

You can run the same Collections with this, but changing the syntax in the run command:

With Newman:
newman run <Collection File>

With the Postman CLI:
postman collection run <Collection File or Collection Id>

Thanks for the reply.

The CLI command can totally be used and can meet my automated-test requirement. The point is that our project forbids vulnerabilities; there are many vulnerabilities, and I hope those vulnerabilities could be fixed. I think 11 vulnerabilities are a little much.

11 vulnerabilities (3 moderate, 2 high, 6 critical), especially 6 critical

What’s preventing you from completely migrating over to the Postman CLI?

Are there specific things that you’re using with Newman?

All the latest features that can be used within the Postman UI can be run with the Postman CLI.

My issue is a security issue, not a functional issue.

My point is that the newman v6.2.1 package has 11 vulnerabilities. Because of those vulnerabilities, my project can’t be allowed to go online. I hope that when I use “npm audit”, the npm audit report has no vulnerabilities or only moderate vulnerabilities.

101 >=1.0.0
Severity: critical

js-yaml <3.14.2
Severity: moderate

lodash <=4.17.20
Severity: critical

node-forge <=1.3.1
Severity: high
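An added example, not from the thread and not Postman's or Newman's own code: a small Node script that applies the policy stated above (no findings, or only moderate ones) to the JSON form of the same report (`npm audit --json`), so a pipeline can fail before the build ships. The sample report is constructed by hand to mirror the packages named in the thread; its field shape (`severity`, `fixAvailable`) is the npm 7+ audit JSON layout, and the `auditGate` name is the example's own.

```javascript
// Severity order used by npm audit; "maxAllowed" is the worst level the project tolerates.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed stand-in for `npm audit --json` output (npm 7+ shape), mirroring the
// advisories quoted in the thread. Only the top-level entries are modelled here.
const sampleAudit = {
  vulnerabilities: {
    "101":        { severity: "critical", fixAvailable: { name: "@postman/101", isSemVerMajor: true } },
    "jose":       { severity: "moderate", fixAvailable: { name: "jose", isSemVerMajor: true } },
    "js-yaml":    { severity: "moderate", fixAvailable: false },
    "lodash":     { severity: "critical", fixAvailable: false },
    "node-forge": { severity: "high",     fixAvailable: { name: "node-forge", isSemVerMajor: true } },
  },
};

// Describe how a finding can be remediated: npm reports fixAvailable as true,
// false, or an object saying which package/version would be installed and
// whether that is a breaking (semver-major) change, i.e. needs --force.
function fixPath(fixAvailable) {
  if (fixAvailable === true) return "npm audit fix";
  if (fixAvailable && typeof fixAvailable === "object") {
    return fixAvailable.isSemVerMajor ? "major bump (npm audit fix --force)" : "npm audit fix";
  }
  return "none";
}

// Evaluate a parsed audit report against the policy. Returns counts per severity
// and the list of findings that exceed the allowed level, with their fix path,
// so "no fix available" cases (needing a dependency swap) stand out from
// cases that only need a forced upgrade.
function auditGate(report, maxAllowed = "moderate") {
  const limit = SEVERITY_RANK[maxAllowed];
  if (limit === undefined) throw new Error(`unknown severity: ${maxAllowed}`);
  const counts = {};
  const blocking = [];
  for (const [name, v] of Object.entries(report.vulnerabilities ?? {})) {
    counts[v.severity] = (counts[v.severity] ?? 0) + 1;
    if ((SEVERITY_RANK[v.severity] ?? 0) > limit) {
      blocking.push({ name, severity: v.severity, fix: fixPath(v.fixAvailable) });
    }
  }
  return { pass: blocking.length === 0, counts, blocking };
}

// Convenience wrapper for raw text piped in from `npm audit --json`.
function gateFromJson(text, maxAllowed) {
  return auditGate(JSON.parse(text), maxAllowed);
}
```

In a pipeline, read stdin into a string, call `gateFromJson`, and exit non-zero when `pass` is false; the `blocking` list tells you which findings need a forced major bump and which have no published fix at all.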

I understand what your issue is; I linked the current open issues from the Newman project.

I’m just enquiring about the reasons you’re using Newman over using the Postman CLI. What is stopping you from using the CLI in your projects? What’s keeping you using Newman?

You can install the CLI using NPM, just like Newman. You can also run local static exported JSON files, just like Newman.

Oh, I know what you mean. I already use postman-cli on my Windows machine; it can totally replace newman. But I met a new issue: my Linux machine is very old, and when I use “postman collection run”, it seems it can’t work well. What requirements does postman-cli need? My error info is

postman: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by postman)
postman: /lib64/libstdc++.so.6: version `GLIBCXX_3.4.20' not found (required by postman)
postman: /lib64/libstdc++.so.6: version `CXXABI_1.3.9' not found (required by postman)
postman: /lib64/libm.so.6: version `GLIBC_2.27' not found (required by postman)
postman: /lib64/libc.so.6: version `GLIBC_2.27' not found (required by postman)
postman: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by postman)
postman: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by postman)

Seems some component version is low.

This seems similar to an issue that was fixed last week:

Seems similar, but I only want to install postman-cli, not the whole Postman client. Is there a method to download and install postman-cli? Or maybe a postman-cli docker image?

You can find the direct installation here:

How did you install that on the Windows machine that you mentioned you’re using that on?

On Windows I used the PowerShell install. Maybe on my old Linux machine I need an old version of postman-cli. May I download an old version? My Linux machine system info is like below:

Linux version 3.10.0-957.10.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC) ) #1 SMP Mon Mar 18 15:06:45 UTC 2019

Any suitable postman-cli version here? :joy: