Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

high severity vulnerability #129

Open
mcandre opened this issue Jul 18, 2019 · 2 comments
Open

high severity vulnerability #129

mcandre opened this issue Jul 18, 2019 · 2 comments

Comments

@mcandre
Copy link
Contributor

mcandre commented Jul 18, 2019 

$ npm audit
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ set-value                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ grunt-cli [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ grunt-cli > liftoff > findup-sync > micromatch > braces >    │
│               │ snapdragon > base > cache-base > set-value                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1012                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
@shama
Copy link
Member

shama commented Jul 18, 2019

Strange on a fresh install I don't see that:
Screen Shot 2019-07-18 at 10 04 17 AM

But [email protected] does get installed. Even when installing the latest liftoff so we might need wait for gulpjs/liftoff#107 to be resolved and then update here.

@nitinsurana nitinsurana mentioned this issue Aug 7, 2019
Closed
@mcandre
Copy link
Contributor Author

mcandre commented May 5, 2020
edited

Something weird is going on. When I run npm audit against grunt-cli master branch, I get no warnings. But when I import grunt-cli 1.3.2 into another project, I get dozens of warnings for grunt-cli dependencies.

Regards liftoff, the project has lapsed. I published a fork with the security patches:

https://www.npmjs.com/package/liftoff2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mcandre @shama