Medium / phantomjs

NPM wrapper for installing phantomjs

Vulnerability in sub-dependency, "debug" #745

Closed avindra closed 6 years ago

avindra commented 7 years ago

PR is made upstream for the fix

https://github.com/maxogden/extract-zip/pull/52

phantomjs will also need to unlock the version number or bump it so that upgrades will pass through.

avindra commented 7 years ago

I would recommend using ^ in the dependencies, so that upgrades will automatically pass through, particularly because Medium has expressed that they are not interested in maintaining this package.

kgrubb commented 6 years ago

Extract-zip has been updated with a newer version of debug in 94b877a. According to NSP, there are no longer any known vulnerabilities for phantomjs-prebuilt! 🍰

avindra commented 6 years ago

@kgrubb NSP is incorrect. phantomjs-prebuilt still has to bump its dependencies, or change the tilde to a caret to allow semver updates automatically.

PR here for the latter: https://github.com/Medium/phantomjs/pull/746

kgrubb commented 6 years ago

Oh duh, my apologies. I completely overlooked the package.json upgrade required for this package.

avindra commented 6 years ago

No worries. It seems that NSP needs to take into account how dependencies are resolved using semver in node land.

avindra commented 6 years ago

@kgrubb I was wrong.

Tilde means patch upgrades are allowed:

https://docs.npmjs.com/misc/semver#tilde-ranges-123-12-1

So NSP is correct, and this particular issue is indeed fixed.
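The thread's disagreement comes down to which upstream releases a `~` range versus a `^` range lets npm resolve. The following is an added example (not code from the phantomjs repository or the extract-zip project): a minimal tilde/caret range check, applied to a constructed release list for a hypothetical transitive dependency, that shows a patch-level fix flowing through a tilde range while a minor-level fix does not.

```javascript
// Added example, not part of the Medium/phantomjs project. Handles fully
// specified X.Y.Z ranges only ("~1.2.3", "^1.2.3"); release-version strings
// below are constructed for illustration.
const parse = (v) => v.split('.').map((n) => parseInt(n, 10));

function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Returns the [lower, upper) bounds that a "~X.Y.Z" or "^X.Y.Z" range allows.
function bounds(range) {
  const op = range[0];
  const parts = parse(range.slice(1));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`expected ~X.Y.Z or ^X.Y.Z, got: ${range}`);
  }
  const [major, minor, patch] = parts;
  let upper;
  if (op === '~') {
    // Tilde: only the patch component may float (~1.2.3 -> >=1.2.3 <1.3.0).
    upper = [major, minor + 1, 0];
  } else if (op === '^') {
    // Caret: everything right of the leftmost non-zero component may float
    // (^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4).
    if (major > 0) upper = [major + 1, 0, 0];
    else if (minor > 0) upper = [0, minor + 1, 0];
    else upper = [0, 0, patch + 1];
  } else {
    throw new Error(`unsupported range operator in: ${range}`);
  }
  return [parts, upper];
}

function satisfies(version, range) {
  const [lower, upper] = bounds(range);
  const v = parse(version);
  return cmp(v, lower) >= 0 && cmp(v, upper) < 0;
}

// Which of the published releases could npm pick for a given range?
function resolvable(range, available) {
  return available.filter((v) => satisfies(v, range));
}

// Constructed release history: 1.2.9 is a patch-level fix, 1.3.0 a minor one.
const RELEASES = ['1.2.3', '1.2.9', '1.3.0', '2.0.0'];
console.log(resolvable('~1.2.3', RELEASES)); // [ '1.2.3', '1.2.9' ]
console.log(resolvable('^1.2.3', RELEASES)); // [ '1.2.3', '1.2.9', '1.3.0' ]
```

If the upstream fix ships as a new patch release, a tilde pin picks it up on the next install; if it ships as a new minor, only a caret pin (or an explicit bump in package.json) does.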