Security issues with outdated dependency #433

franher · 2018-05-28T09:48:54Z

Description/Steps to reproduce

There is a security vulnerability in "strong-globalize": "^3.1.0" (see Prototype Pollution for more details).

To reproduce it set up a project with latest loopback-connector-mongodb (v3.4.3) as dependency and run nspover it:

$> npm init
$> npm i --save loopback-connector-mongodb
$> npx nsp -- check

The vulnerability comes from [email protected] > [email protected] > [email protected] > [email protected] . All the related packages with the issue have release a version fixing the vulnerability:

[email protected] is released few days ago, so updating it here would fix the issue.

Not apply for this issue.

Not security vulnerabilities after running nsp or npm audit.

Result of node -e 'console.log(process.platform, process.arch, process.versions.node)'

darwin x64 8.11.2

├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]
├── [email protected]

The text was updated successfully, but these errors were encountered:

virkt25 · 2018-06-01T15:36:59Z

@franher Can you please try this again -- npm i for me installs [email protected] which is not vulnerable. nsp comes clean for me.

franher · 2018-06-05T15:43:34Z

@virkt25 You're right. Now, installing loopback-connector-mongodb v3.4.3 and v3.4.4 the security issue is out.

Thank you for your time.

virkt25 self-assigned this Jun 1, 2018

franher closed this as completed Jun 5, 2018

tgijasonyip mentioned this issue Sep 10, 2018

Security issues with outdated dependency loopbackio/loopback-connector-mysql#359

Closed