SassDoc / sassdoc

Release the docs!
http://sassdoc.com
MIT License

Security vulnerability via update-notifier dependency #550

Closed james-nash closed 4 years ago

james-nash commented 4 years ago

Summary

One of sassdoc's transitive dependencies - dot-prop - is an old version that contains a security vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2020-8116

The company I work for uses Black Duck to scan our code and it's flagging this up. I know the risk of "prototype pollution" in some tiny part of one of my dev dependencies is negligible, but because of our company's policies I'm getting bugs raised on my project which is a PITA.

That being said, upgrading one of your dependencies to a newer version looks relatively straightforward, so please consider it.

(Side note: Interestingly, npm audit does not flag this particular issue ¯\_(ツ)_/¯ )

Steps to reproduce (kinda)

In a project where you have npm install-ed sassdoc, run npm ls dot-prop to see where dot-prop is used. The output should include the following:

[your project's name]
└─┬ sassdoc@2.7.2
  └─┬ update-notifier@2.5.0
    └─┬ configstore@3.1.2
      └── dot-prop@4.2.0 

As per the vulnerability advisory, dot-prop versions up to and including 5.1.0 have this issue. At the time of writing, their latest version is 5.2.0

Suggested fix

Update sassdoc's dependency on update-notifier to at least ^4.0.0.

As per the npm ls output, sassdoc's dependency on update-notifier is what ultimately includes the old version of dot-prop. I've had a look and as of version 4.0.0, update-notifier will bring in the newer 5.2.0 version of dot-prop.

Judging by their release notes, the breaking changes between update-notifier 2.5.0 and 4.0.0 are:

So, hopefully, this might be as simple as npm install update-notifier@latest.

I'd offer to open a PR for this, but am a little busy right now. If I find myself with some spare time in the coming weeks and you haven't already fixed this I may still do so. :-)

Cheers!
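A way to check a project's own tree for the dependency chain described in the post above, as an added example that is not code from the issue author or from sassdoc: it walks the JSON form of npm ls output (the nested npm 6 "dependencies" shape is assumed) and reports every copy of a package still within the advisory's affected range, with the chain of dependents that pulls it in. The tree is constructed here to mirror the npm ls output quoted above.

```javascript
// Added example, not code from the sassdoc project or the issue author.
// Walks the JSON produced by `npm ls <pkg> --json` (assumed npm 6 shape:
// nested "dependencies" objects) and lists every copy of a package at or
// below the last affected version, with the dependents that pull it in.
// SAMPLE_NPM_LS is constructed to mirror the issue's `npm ls dot-prop` tree;
// replace it with JSON.parse of real `npm ls dot-prop --json` output.
const SAMPLE_NPM_LS = {
  name: 'my-project',
  version: '1.0.0',
  dependencies: {
    sassdoc: {
      version: '2.7.2',
      dependencies: {
        'update-notifier': {
          version: '2.5.0',
          dependencies: {
            configstore: {
              version: '3.1.2',
              dependencies: { 'dot-prop': { version: '4.2.0' } },
            },
          },
        },
      },
    },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1 (prerelease tags dropped).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ version, path }] for each copy of `pkg` whose version <= lastAffected.
// The advisory quoted in the issue says dot-prop <= 5.1.0 is affected.
function findAffected(tree, pkg, lastAffected) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = path.concat(`${name}@${child.version}`);
      if (name === pkg && compareVersions(child.version, lastAffected) <= 0) {
        hits.push({ version: child.version, path: here.join(' > ') });
      }
      walk(child, here); // nested copies can hide deeper in the tree
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

for (const h of findAffected(SAMPLE_NPM_LS, 'dot-prop', '5.1.0')) {
  console.log(`dot-prop@${h.version} via ${h.path}`);
}
```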

dominikwilkowski commented 4 years ago

Hate to pile on here but that's an issue for us as well 😬

pascalduez commented 4 years ago

Updated as of sassdoc@2.7.3