
npm6 vulnerability #41

Closed
1 of 6 tasks
caub opened this issue May 8, 2018 · 15 comments

Comments

@caub

caub commented May 8, 2018

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack > watchpack > chokidar > fsevents > node-pre-gyp >   │
│               │ rc > deep-extend                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ webpack-dev-server [dev]                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ webpack-dev-server > chokidar > fsevents > node-pre-gyp > rc │
│               │ > deep-extend                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Edit: It's fixed in 9423fae and #40
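
To make the "Prototype Pollution" entry in the audit output above concrete, here is an added example; it is not code from deep-extend or from this project. It contains a hypothetical, simplified recursive merge of the kind advisory 612 describes (a source key literally named "__proto__" gets walked into Object.prototype), the hardened variant that refuses the "__proto__", "constructor" and "prototype" keys and only recurses into properties the target itself owns, and a small checker that lists such keys in untrusted input so it can be rejected before any merge. The function names and the JSON payload are assumed and constructed for illustration.

```javascript
// Added example (not deep-extend's or this project's code). Function names
// are assumed; the payloads below are constructed samples.

function isPlainObject(value) {
  return value !== null && typeof value === 'object' && !Array.isArray(value);
}

// Vulnerable style of deep merge: every enumerable key of `source` is walked,
// including an own key literally named "__proto__". Reading target["__proto__"]
// on a plain object yields Object.prototype, so the recursion writes into the
// prototype shared by every object in the process.
function unsafeExtend(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) {
        target[key] = {};
      }
      unsafeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Keys that can redirect a merge into a prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: own enumerable keys only, forbidden keys skipped, and the
// recursion only descends into a container that `target` itself owns, never
// into one inherited from its prototype.
function safeExtend(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeExtend(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection helper for untrusted JSON (config files, request bodies): returns
// the dotted paths of any forbidden keys so the input can be rejected up front.
function findForbiddenKeys(obj, path = []) {
  const hits = [];
  if (!isPlainObject(obj)) return hits;
  for (const key of Object.keys(obj)) {
    const here = path.concat(key);
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findForbiddenKeys(obj[key], here));
  }
  return hits;
}

// Runs one merge with a constructed payload and reports whether a fresh,
// unrelated object afterwards carries the injected property. JSON.parse
// creates a real own property named "__proto__", which is the usual way such
// a key reaches a merge from network or file input.
function demonstrate(extendFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}, "name": "cfg"}');
  const result = extendFn({}, payload);
  const leaked = ({}).polluted;          // undefined unless Object.prototype was written
  delete Object.prototype.polluted;      // restore global state for the next run
  return { leaked, ownKeys: Object.keys(result) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge:', demonstrate(unsafeExtend));   // leaked: 'yes'
  console.log('safe merge:  ', demonstrate(safeExtend));     // leaked: undefined
  console.log('forbidden keys:', findForbiddenKeys(JSON.parse('{"a":{"constructor":{"prototype":{}}}}')));
}
```

The point of the skip list plus the own-property check is that neither alone is enough: skipping "__proto__" still leaves "constructor.prototype" as a path to the same object, and checking ownership without the skip list still lets the merge create an own "__proto__" data property on the target, which later code may treat as a prototype link.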

@guylepage3

guylepage3 commented May 8, 2018

+1. Just ran into this issue.

@whackdev

whackdev commented May 8, 2018

+1. Encountering the same; the security report advises that updating to 0.5.1 or higher will resolve it, but I still get the same issue.

@theRealSheng

+1

@ThLewis

ThLewis commented May 9, 2018

+1

@ichthub

ichthub commented May 9, 2018

I still have the same problem even after upgrading to the new released version ("version": "0.5.1",)

@EmersonCDias

EmersonCDias commented May 10, 2018

Me too, with GULP.

@KDCinfo

KDCinfo commented May 11, 2018

Just hit this with my React TypeScript app. Vulnerabilities: deep-extend: 9

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ react-scripts-ts [dev]                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ react-scripts-ts > fsevents > node-pre-gyp > rc >            │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

Tried manually installing/updating deep-extend to 0.5.1 to no avail. Tried my old package.json with no luck. Afraid to publish (GH-Pages; Travis CI) based on what the hoek dependency did a few weeks back.

Edit: When I upgraded to [email protected], the number of deep-extend vulnerabilities went from 11 down to 9 (and all the randomatic vulnerabilities resolved).

@mahdifani14

mahdifani14 commented May 11, 2018

Same security issue using nodemon:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=0.5.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ nodemon [dev]                                                │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ nodemon > chokidar > fsevents > node-pre-gyp > rc >          │
│               │ deep-extend                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/612                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

@mohsen1

mohsen1 commented May 13, 2018

This was fixed in #40

9423fae#diff-5202fc56f6565a0319e4cbad698a7255

There is a PR outstanding for rc
dominictarr/rc#103

@rob-orr

rob-orr commented May 15, 2018

Ugh. @unclechu Any idea why this is still showing up as a vulnerability?

@unclechu
Owner

@rob-orr No, I don't. I'm actually not very in touch with the JavaScript world these days. So I'd expect someone else to write a test that reproduces it, and then I could fix it.

@guillermodoghel

guillermodoghel commented May 17, 2018

+1

@unclechu
Owner

@caub @rob-orr I've tested it with the new npm audit command and it detected a vulnerability in the mocha package from devDependencies; I fixed it and released it as v0.6.0, so I think it is fixed for now? Could you please check and confirm whether it's okay with the latest version?

P.S. As a side effect I dropped support for older versions of node.js and io.js because they were failing on Travis-CI with those new versions of devDependencies.

@rob-orr

rob-orr commented May 24, 2018

@unclechu Thanks, much appreciated! We've tested it and it is passing our scanner. Now we just need rc and closure-loader to update their dependencies!

@unclechu unclechu removed the waiting label May 24, 2018
@unclechu
Owner

@rob-orr Thank you for the response, I'm closing the issue as fixed.
