Security: Update version of request and debug #171

Open
acuntex opened this issue Aug 16, 2018 · 2 comments

Comments


acuntex commented Aug 16, 2018

npm audit currently shows a lot of possible vulnerabilities for fb. These errors might not be a big problem, but the more warnings you get, the higher the chance that you miss a real threat when it happens.

Any chance these dependencies could be updated?

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   fb
  Path            fb > request > hawk > sntp > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   fb
  Path            fb > request > hawk > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  High            Regular Expression Denial of Service
  Package         sshpk
  Dependency of   fb
  Path            fb > request > http-signature > sshpk
  More info       https://nodesecurity.io/advisories/606

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   fb
  Path            fb > request > hawk > cryptiles > boom > hoek
  More info       https://nodesecurity.io/advisories/566

  Moderate        Out-of-bounds Read
  Package         stringstream
  Dependency of   fb
  Path            fb > request > stringstream
  More info       https://nodesecurity.io/advisories/664

  Moderate        Prototype pollution
  Package         hoek
  Dependency of   fb
  Path            fb > request > hawk > hoek
  More info       https://nodesecurity.io/advisories/566

  High            Regular Expression Denial of Service
  Package         tough-cookie
  Dependency of   fb
  Path            fb > request > tough-cookie
  More info       https://nodesecurity.io/advisories/525

# Run  npm update debug --depth 8  to resolve 8 vulnerabilities

  Low             Regular Expression Denial of Service
  Package         debug
  Dependency of   fb
  Path            fb > debug
  More info       https://nodesecurity.io/advisories/534
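Every finding above is reached through a transitive path, and what matters for the fix is which direct dependency of fb pulls the vulnerable package in. The following is an added example (not code from the issue or from the fb project) that walks a nested dependency tree shaped like a lockfileVersion 1 package-lock.json and prints the same "fb > request > hawk > hoek" paths npm audit shows; the tree is constructed from the audit paths above, not fb's real lockfile.

```javascript
// Constructed sample tree, in the nested "dependencies" shape of a
// lockfileVersion 1 package-lock.json. Built from the audit paths in the
// issue; it is NOT the real package-lock.json of fb.
const sampleLock = {
  name: 'fb',
  dependencies: {
    request: {
      dependencies: {
        hawk: {
          dependencies: {
            hoek: {},
            sntp: { dependencies: { hoek: {} } },
            boom: { dependencies: { hoek: {} } },
            cryptiles: { dependencies: { boom: { dependencies: { hoek: {} } } } },
          },
        },
        'http-signature': { dependencies: { sshpk: {} } },
        stringstream: {},
        'tough-cookie': {},
      },
    },
    debug: {},
  },
};

// Depth-first walk over a "dependencies" object. Returns every path from
// the root to `target` as an "a > b > c" string, in npm audit's format.
function findPaths(deps, target, prefix) {
  const found = [];
  for (const [name, node] of Object.entries(deps || {})) {
    const path = prefix.concat(name);
    if (name === target) found.push(path.join(' > '));
    // Keep descending: the same package can appear again deeper down.
    found.push(...findPaths(node.dependencies, target, path));
  }
  return found;
}

// Which direct dependencies of the root pull `target` in at all? Those are
// the ones an "npm update <pkg> --depth N" hint actually has to bump.
function directDependenciesPulling(lock, target) {
  const paths = findPaths(lock.dependencies, target, [lock.name]);
  return [...new Set(paths.map((p) => p.split(' > ')[1]))];
}

for (const pkg of ['hoek', 'sshpk', 'debug']) {
  console.log(pkg, '<-', directDependenciesPulling(sampleLock, pkg).join(', '));
  findPaths(sampleLock.dependencies, pkg, [sampleLock.name]).forEach((p) => console.log('  ', p));
}
```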

dantman commented Aug 16, 2018

Could you make a PR with the update and verify the library still works?


acuntex commented Aug 17, 2018

I updated the vulnerable dependencies.
Apparently the library has already been changed from request to needle but wasn't published yet.
