Closed: mrlukasbos closed this 2 years ago
Thanks. Seems like the issue is due to some slightly older dependencies.
Hey @Fleker, will this be fixed soon?
Hi there, any update on this? Five high security issues right now. Would love to get rid of them in my project. @Fleker Are you maintaining?
Is there any update on this? Please fix the security issues!
Is this the right library to use? Is it being maintained at all? Now 9 high security vulnerabilities:
# npm audit report
axios <0.21.1
Severity: high
Server-Side Request Forgery - https://npmjs.com/advisories/1594
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/axios
gcp-metadata 0.5.0 - 0.9.0
Depends on vulnerable versions of axios
node_modules/gcp-metadata
google-auth-library 0.9.4 - 5.10.1
Depends on vulnerable versions of axios
Depends on vulnerable versions of gcp-metadata
Depends on vulnerable versions of gtoken
node_modules/google-auth-library
node_modules/googleapis-common/node_modules/google-auth-library
node_modules/googleapis/node_modules/google-auth-library
actions-on-google >=1.8.0
Depends on vulnerable versions of google-auth-library
Depends on vulnerable versions of googleapis
node_modules/actions-on-google
googleapis 3.0.0 - 48.0.0
Depends on vulnerable versions of google-auth-library
Depends on vulnerable versions of googleapis-common
node_modules/googleapis
googleapis-common <=3.2.2
Depends on vulnerable versions of google-auth-library
node_modules/googleapis-common
node-forge <=0.9.2
Severity: high
Prototype Pollution in node-forge - https://npmjs.com/advisories/1561
fix available via `npm audit fix --force`
Will install actions-on-google@1.7.0, which is a breaking change
node_modules/node-forge
google-p12-pem <=3.0.2
Depends on vulnerable versions of node-forge
node_modules/google-p12-pem
gtoken <=5.0.0
Depends on vulnerable versions of google-p12-pem
node_modules/gtoken
google-auth-library 0.9.4 - 5.10.1
Depends on vulnerable versions of axios
Depends on vulnerable versions of gcp-metadata
Depends on vulnerable versions of gtoken
node_modules/google-auth-library
node_modules/googleapis-common/node_modules/google-auth-library
node_modules/googleapis/node_modules/google-auth-library
actions-on-google >=1.8.0
Depends on vulnerable versions of google-auth-library
Depends on vulnerable versions of googleapis
node_modules/actions-on-google
googleapis 3.0.0 - 48.0.0
Depends on vulnerable versions of google-auth-library
Depends on vulnerable versions of googleapis-common
node_modules/googleapis
googleapis-common <=3.2.2
Depends on vulnerable versions of google-auth-library
node_modules/googleapis-common
9 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Hi there, any news about that?
@proppy can you chime in
@Fleker @rtrompier @tommybluhm I just found out that this library is abandonware and unmaintained. Looks like it's been superseded by https://github.com/actions-on-google/assistant-conversation-nodejs which is regularly updated and installs without warnings. I wish the README would mention this in bold at the top - the Google documentation is incredibly unhelpful, has many broken links and doesn't really indicate that this library is obsolete.
Looks like the fundamentals are the same, just some name changes, so "intent" becomes "handle", "ask" becomes "add" etc.
The old 'actions-on-google' way:
const {dialogflow} = require('actions-on-google')
const app = dialogflow()
app.intent('Default Welcome Intent', conv => {
  conv.ask('Hi, how is it going?')
})
The new 'google assistant' way:
const {conversation} = require('@assistant/conversation')
const app = conversation()
app.handle('Default Welcome Intent', conv => {
  conv.add('Hi, how is it going?')
})
@digitaltoast https://github.com/actions-on-google/assistant-conversation-nodejs is used for conversation action using Action Builder with the new Action SDK, while this repository is still relevant for Smart Home actions.
Looks like the vulnerability in this repository would require a major version upgrade for the google-auth-library:
- "google-auth-library": "^1.6.1",
+ "google-auth-library": "^7.0.4",
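Review bot: the jump from ^1.6.1 to ^7.0.4 is a major-version change of google-auth-library, so the `engines` field quoted next should be raised to `"node": ">=10"` in the same commit, otherwise consumers on Node 6 or 8 get a runtime failure instead of an install-time error, and the package's own version needs a major bump for the same reason. Per the audit output earlier in the thread, google-auth-library is also the package through which gtoken, google-p12-pem and node-forge are pulled in, so this one bump should clear the node-forge advisory as well as the axios one; worth confirming with a fresh `npm audit` once the lockfile is regenerated.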
which would in turn transitively change the node engine requirements from:
"engines": {
"node": ">=6.13.0"
},
to:
"engines": {
"node": ">=10"
},
This seems like a reasonable change to me since both Node.js 6 and 8 are not actively supported anymore by the Node.js project: https://nodejs.org/en/about/releases/, but would require a major version bump of the library itself.
npm audit indicates a vulnerability in the node-forge dependency.
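The "Depends on vulnerable versions of ..." chains in the audit report above, and the conclusion that google-auth-library is the package that has to move, worked as an added example (not code from this thread or from the actions-on-google project): a Node script that walks a dependency graph constructed by hand from that audit output (an assumption, not read from a real lockfile) and reports, per advisory, which packages sit on every install path to the vulnerable module.

```javascript
// Added example: dependency-chain analysis. The graph below is constructed
// by hand from the npm audit report in this thread; a real run would build
// it from package-lock.json or `npm ls --json` instead.
const graph = {
  root: ['actions-on-google'],
  'actions-on-google': ['google-auth-library', 'googleapis'],
  'googleapis': ['google-auth-library', 'googleapis-common'],
  'googleapis-common': ['google-auth-library'],
  'google-auth-library': ['axios', 'gcp-metadata', 'gtoken'],
  'gcp-metadata': ['axios'],
  'gtoken': ['google-p12-pem'],
  'google-p12-pem': ['node-forge'],
  'axios': [],
  'node-forge': [],
};

// Advisories as npm audit reported them (package -> summary).
const advisories = {
  'axios': 'Server-Side Request Forgery, axios <0.21.1',
  'node-forge': 'Prototype Pollution, node-forge <=0.9.2',
};

// Depth-first search collecting every path from `node` to `target`.
// The `includes` guard prevents looping if a graph contains cycles.
function pathsTo(graph, target, node = 'root', path = [], out = []) {
  const here = [...path, node];
  if (node === target) { out.push(here); return out; }
  for (const dep of graph[node] || []) {
    if (!here.includes(dep)) pathsTo(graph, target, dep, here, out);
  }
  return out;
}

// Per advisory: number of install paths reaching the vulnerable package,
// the direct dependencies of the root they pass through, and the
// chokepoints (intermediate packages present on every path). Moving a
// chokepoint to a non-vulnerable release cuts all paths at once.
function fixPoints(graph, advisories) {
  const report = {};
  for (const pkg of Object.keys(advisories)) {
    const paths = pathsTo(graph, pkg);
    const direct = [...new Set(paths.map(p => p[1]))];
    let common = paths.length ? paths[0].slice(1, -1) : [];
    for (const p of paths.slice(1)) common = common.filter(x => p.includes(x));
    report[pkg] = { advisory: advisories[pkg], paths: paths.length, direct, chokepoints: common };
  }
  return report;
}

console.log(JSON.stringify(fixPoints(graph, advisories), null, 2));
```

For this graph both advisories list google-auth-library as a chokepoint, which is why a single bump of that dependency, rather than `npm audit fix --force` downgrading to actions-on-google@1.7.0, is the targeted fix.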