ToothlessGear / node-gcm

A NodeJS wrapper library port to send data to Android devices via Google Cloud Messaging
https://github.com/ToothlessGear/node-gcm

nsp fails due to https://nodesecurity.io/advisories/534 #309

Closed BDav24 closed 6 years ago

BDav24 commented 6 years ago

The problem comes from debug dependency version. An upgrade should fix the problem.

hypesystem commented 6 years ago

Can you provide some output from nsp or similar, just so I know what we're talking about?

BDav24 commented 6 years ago

Here is the output when you run nsp from notifme-sdk: https://github.com/notifme/notifme-sdk/issues/25

eladnava commented 6 years ago

Here is the output from nsp after running it on a project with a package.json that includes the latest version of node-gcm:

```
(+) 1 vulnerabilities found
┌───────────────┬───────────────────────────────────────────────────────────────────────────┐
│               │ Regular Expression Denial of Service                                      │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Name          │ debug                                                                     │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ CVSS          │ 3.7 (Low)                                                                 │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Installed     │ 0.8.1                                                                     │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Vulnerable    │ <= 2.6.8 || >= 3.0.0 <= 3.0.1                                             │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Patched       │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ Path          │ tester@1.0.0 > node-gcm@0.14.6 > debug@0.8.1                              │
├───────────────┼───────────────────────────────────────────────────────────────────────────┤
│ More Info     │ https://nodesecurity.io/advisories/534                                    │
└───────────────┴───────────────────────────────────────────────────────────────────────────┘
```

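The advisory ranges shown in the nsp table above, evaluated against a constructed dependency tree, as an added example that is not code from node-gcm or from anyone in this thread. `parseVersion`, `satisfies`, `findVulnerable` and the sample tree are assumptions made for the example, and versions are assumed to be plain `x.y.z`.

```javascript
// Added example: re-implements the range check nsp performs for advisory 534
// (no dependency on the `semver` package, so it runs offline).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v); // assumption: plain x.y.z only
  if (!m) throw new Error('unsupported version: ' + v);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// A range is an OR (`||`) of clauses; each clause is an AND of comparators,
// e.g. "<= 2.6.8 || >= 3.0.0 <= 3.0.1" from the advisory's "Vulnerable" row.
function satisfies(version, range) {
  const ops = { '<': c => c < 0, '<=': c => c <= 0, '>': c => c > 0, '>=': c => c >= 0, '=': c => c === 0 };
  return range.split('||').some(clause => {
    const comps = clause.match(/(<=|>=|<|>|=)\s*\d+\.\d+\.\d+/g) || [];
    return comps.length > 0 && comps.every(c => {
      const [, op, v] = /^(<=|>=|<|>|=)\s*(\S+)$/.exec(c);
      return ops[op](compare(version, v));
    });
  });
}

// Ranges copied from the nsp output in this thread.
const ADVISORY_534 = {
  name: 'debug',
  vulnerable: '<= 2.6.8 || >= 3.0.0 <= 3.0.1',
  patched: '>= 2.6.9 < 3.0.0 || >= 3.1.0',
};

// Walk an npm-style tree { name, version, dependencies: {...} } and return
// every "a@x > b@y > debug@z" path whose debug version is in the vulnerable range.
function findVulnerable(node, advisory, path = []) {
  const here = path.concat(node.name + '@' + node.version);
  let hits = [];
  if (node.name === advisory.name && satisfies(node.version, advisory.vulnerable)) hits.push(here.join(' > '));
  for (const dep of Object.values(node.dependencies || {})) hits = hits.concat(findVulnerable(dep, advisory, here));
  return hits;
}

// Constructed tree mirroring the "Path" row of the nsp table.
const sampleTree = { name: 'tester', version: '1.0.0', dependencies: {
  'node-gcm': { name: 'node-gcm', version: '0.14.6', dependencies: {
    debug: { name: 'debug', version: '0.8.1' } } } } };

console.log(findVulnerable(sampleTree, ADVISORY_534));
```

Swapping the constructed tree for the output of `npm ls --json` gives the same check against a real install.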
eladnava commented 6 years ago

It seems that updating debug would fix this, @hypesystem any reason not to do so?

hypesystem commented 6 years ago

Only if it breaks platform compatibility. (We need to continue supporting node 0.10.) They don't have an engine tag in the latest version, so I don't know.

If you have time to test it on node 0.10.x with newest debug, that would be great :smile:

BDav24 commented 6 years ago

Seems to be working :)

```
> docker run -it --rm node:0.10 bash
root@00393189f13b:/# node -v
v0.10.48
root@00393189f13b:/# echo "var debug = require('debug')('node-gcm');" > index.js
root@00393189f13b:/# echo "debug(\"Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?)\");" >> index.js
root@00393189f13b:/# more index.js
var debug = require('debug')('node-gcm');
debug("Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?)")
;
root@00393189f13b:/# npm init
This utility will walk you through creating a package.json file.
It only covers the most common items, and tries to guess sensible defaults.

See `npm help json` for definitive documentation on these fields
and exactly what they do.

Use `npm install <pkg> --save` afterwards to install a package and
save it as a dependency in the package.json file.

Press ^C at any time to quit.
name: test
version: (1.0.0)
description:
entry point: (index.js)
test command:
git repository:
keywords:
author:
license: (ISC)
About to write to /package.json:

{
  "name": "test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

Is this ok? (yes)
root@00393189f13b:/# npm i -S debug
npm WARN package.json test@1.0.0 No description
npm WARN package.json test@1.0.0 No repository field.
npm WARN package.json test@1.0.0 No README data
debug@3.1.0 node_modules/debug
└── ms@2.0.0
root@00393189f13b:/# node index.js
root@00393189f13b:/# DEBUG=node-gcm node index.js
  node-gcm Error 4xx -- no use retrying. Something is wrong with the request (probably authentication?) +0ms
```

hypesystem commented 6 years ago

Great! If anyone wants to do a PR for this, we'll get it merged ASAP :smile:

eladnava commented 6 years ago

@hypesystem PR submitted 😄