Rantanen / node-opus

Opus bindings for Node.js
MIT License

Vulnerabilities #68

Closed NeuroAssassin closed 6 years ago

NeuroAssassin commented 6 years ago

I was installing node-opus, and I ran into these vulnerabilities. None of them could be fixed, though. It said they required manual review:

```
 === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > hawk > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > hawk > cryptiles > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > hawk > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > hawk > sntp > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > hawk > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > hawk > cryptiles > boom > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > hawk > hoek

More info https://nodesecurity.io/advisories/566

Moderate Prototype pollution

Package hoek

Patched in > 4.2.0 < 5.0.0 || >= 5.0.3

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > hawk > sntp > hoek

More info https://nodesecurity.io/advisories/566

Moderate Out-of-bounds Read

Package stringstream

Patched in >=0.0.6

Dependency of ffmpeg-binaries

Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > stringstream

More info https://nodesecurity.io/advisories/664

found 9 moderate severity vulnerabilities in 506 scanned packages
  9 vulnerabilities require manual review.
  See the full report for details.
```

Rantanen commented 6 years ago

Updated mocha, which took care of all the ones in node-opus.

The rest (such as hoek?) above are not part of node-opus dependencies as far as I can tell.

Please re-open the issue if you feel I'm wrong in my evaluation.
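As an added example that is not part of this thread or of the node-opus project: a small script that parses the text form of an `npm audit` report (the excerpt below is constructed from two of the entries above), groups each finding under the top-level dependency that introduces it, and checks whether a given package appears anywhere on a finding's path. Run against the report in this issue with `node-opus`, every finding roots at `ffmpeg-binaries` and none passes through `node-opus`, which is the check behind the maintainer's evaluation.

```javascript
// Constructed excerpt of npm audit's text output, mirroring entries from the issue.
const auditText = `
Moderate Prototype pollution
Package hoek
Patched in > 4.2.0 < 5.0.0 || >= 5.0.3
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > hawk > boom > hoek
More info https://nodesecurity.io/advisories/566

Moderate Out-of-bounds Read
Package stringstream
Patched in >=0.0.6
Dependency of ffmpeg-binaries
Path ffmpeg-binaries > decompress-tarxz > lzma-native > node-pre-gyp > request > stringstream
More info https://nodesecurity.io/advisories/664
`;

// Split the report into one record per finding (blocks separated by a blank line).
// The first line is "<severity> <title>"; the remaining lines are "<label> <value>".
function parseAudit(text) {
  const findings = [];
  for (const block of text.trim().split(/\n\s*\n/)) {
    const lines = block.split('\n').map((l) => l.trim()).filter(Boolean);
    const [severity, ...titleWords] = lines[0].split(/\s+/);
    const f = { severity, title: titleWords.join(' ') };
    for (const line of lines.slice(1)) {
      const m = /^(Package|Patched in|Dependency of|Path|More info)\s+(.*)$/.exec(line);
      if (m) f[m[1]] = m[2];
    }
    // The Path field is the chain from the top-level dependency down to the vulnerable package.
    f.path = (f.Path || '').split('>').map((s) => s.trim()).filter(Boolean);
    findings.push(f);
  }
  return findings;
}

// Group vulnerable packages by the top-level dependency that pulls them in, and
// list those whose path passes through `pkg` (i.e. the ones `pkg` is responsible for).
function triage(findings, pkg) {
  const byRoot = {};
  for (const f of findings) {
    const root = f['Dependency of'];
    (byRoot[root] = byRoot[root] || []).push(f.Package);
  }
  const viaPkg = findings.filter((f) => f.path.includes(pkg)).map((f) => f.Package);
  return { byRoot, viaPkg };
}

console.log(triage(parseAudit(auditText), 'node-opus'));
```

To reproduce the same check against a live tree, `npm ls hoek` shows every path by which a package is installed, so a maintainer can confirm which direct dependency needs the update.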