Fabrizz / MMM-OnSpotify

Highly customizable MM2 module that displays what you are listening to in Spotify. Compatible with MMM-LiveLyrics and DynamicTheming.
MIT License

Vulnerability issue with tough-cookie #63

Closed RodMe27 closed 2 months ago

RodMe27 commented 3 months ago

After installing the package, npm audit was run and it found the following:

# npm audit report

request  *
Severity: moderate
Server-Side Request Forgery in Request - https://github.com/advisories/GHSA-p8p7-x288-28g6
Depends on vulnerable versions of tough-cookie
No fix available
node_modules/request

tough-cookie  <4.1.3
Severity: moderate
tough-cookie Prototype Pollution vulnerability - https://github.com/advisories/GHSA-72xf-g2v4-qvf3
No fix available
node_modules/tough-cookie

2 moderate severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

After investigation, according to this https://github.com/advisories/GHSA-72xf-g2v4-qvf3, the vulnerable code was fixed in version 4.1.3, and from the file package-lock.json this package is using 2.5.0.

Can the software be updated to this version to avoid this issue?

Fabrizz commented 3 months ago

I will look into removing the dep as it's just used for the auth service. Still, the auth service is only used once to create the base config, and it's not a public-facing server nor used in the module by itself.