ForestAdmin / forest-express-mongoose

🌱 ExpressJS/Mongoose agent for Forest Admin to integrate directly to your existing ExpressJS/Mongoose backend application.
https://www.forestadmin.com
GNU General Public License v3.0

Vulnerability in moment/lodash dependency #112

Closed dphrag closed 5 years ago

dphrag commented 6 years ago

Expected behavior

To not trigger a security failure on my internal pipeline :)

Actual behavior

lodash and moment packages trigger warnings.

Failure Logs

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Regular Expression Denial of Service                               │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ moment                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 7.5 (High)                                                         │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 2.18.1                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <2.19.3                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >=2.19.3                                                           │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ Circus@2.4.4 > forest-express-mongoose@2.12.1 > moment@2.18.1      │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/532                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

┌────────────┬────────────────────────────────────────────────────────────────────┐
│            │ Prototype Pollution                                                │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Name       │ lodash                                                             │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ CVSS       │ 2 (Low)                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Installed  │ 3.9.3                                                              │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Vulnerable │ <4.17.5                                                            │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Patched    │ >=4.17.5                                                           │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ Path       │ Circus@2.4.4 > forest-express-mongoose@2.12.1 > lodash@3.9.3       │
├────────────┼────────────────────────────────────────────────────────────────────┤
│ More Info  │ https://nodesecurity.io/advisories/577                             │
└────────────┴────────────────────────────────────────────────────────────────────┘

SIMILAR TO https://github.com/ForestAdmin/forest-express/issues/131
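A constructed illustration of the bug class behind the lodash advisory above, added here and not taken from forest-express-mongoose or from lodash itself: a naive recursive merge lets a JSON body carrying a `__proto__` key write into `Object.prototype`, and a hardened merge beside it refuses those keys. The function names and the sample payload are made up for the example.

```javascript
// Added example (not lodash's or forest-express-mongoose's code): the bug class behind
// the lodash advisory above, a naive recursive merge beside a hardened one.

// Vulnerable style: copies every own key of `src`, including "__proto__"; for that
// key target["__proto__"] is Object.prototype, which then receives the nested keys.
function unsafeMerge(target, src) {
  for (const key of Object.keys(src)) {
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      unsafeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened form: skip keys that reach the prototype chain and recurse only into
// properties the target owns itself.
function safeMerge(target, src) {
  for (const key of Object.keys(src)) {
    if (key === '__proto__' || key === 'constructor' || key === 'prototype') continue;
    const val = src[key];
    if (val && typeof val === 'object' && !Array.isArray(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !target[key] || typeof target[key] !== 'object') target[key] = {};
      safeMerge(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Constructed request body: JSON.parse creates an own "__proto__" property,
// which Object.keys() enumerates.
const PAYLOAD = JSON.parse('{"name":"demo","__proto__":{"isAdmin":true}}');

// Merge the payload, then check whether an unrelated object now sees `isAdmin`.
function pollutes(mergeFn) {
  const result = mergeFn({ name: 'orig' }, PAYLOAD);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo any pollution so later checks start clean
  return { leaked, name: result.name };
}

console.log('unsafe merge pollutes:', pollutes(unsafeMerge).leaked); // true
console.log('safe merge pollutes:', pollutes(safeMerge).leaked);     // false
```

The same check is how a downstream project can confirm whether a flagged transitive function is ever fed client-controlled input; if it is not, the advisory's risk is latent, as the maintainer's reply argues.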

arnaudbesnier commented 6 years ago

Hello @dphrag, the vulnerabilities with moment and lodash are about functions we don't use in the Express-Mongoose liana. For this reason there is nothing urgent for security concerns.

But we'll definitely do the updates in the near future.

arnaudbesnier commented 5 years ago

This is now fixed in the latest beta version (v3.0.0-beta.3). And should be released on "latest" in the next week 🙏