Upgrade archiver and lodash for npm audit security report

ralphtheninja commented 6 years ago

Fixes the following:

=== npm audit security report ===                        

# Run  npm install archiver@2.1.1  to resolve 5 vulnerabilities
SEMVER WARNING: Recommended action is a potentially breaking change
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ archiver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ archiver > archiver-utils > lodash                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ archiver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ archiver > async > lodash                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ archiver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ archiver > lodash                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ archiver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ archiver > zip-stream > archiver-utils > lodash              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ archiver                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ archiver > zip-stream > lodash                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm install lodash@4.17.10  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

# Run  npm update lodash --depth 2  to resolve 1 vulnerability
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low           │ Prototype Pollution                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ lodash                                                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ async                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ async > lodash                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/577                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

found 7 low severity vulnerabilities in 248 scanned packages
  run `npm audit fix` to fix 2 of them.
  5 vulnerabilities require semver-major dependency updates.

ralphtheninja commented 6 years ago

I didn't bother to update devDependencies since it doesn't affect dependents. Also, it would be really nice if you could consider using ~ or ^ for version ranges. At least consider using ~.

ralphtheninja commented 6 years ago

Tests break but I get the same errors on latest master.

jlipps commented 6 years ago

@ralphtheninja yes, deps should use better ranges. when upgrading archiver did you check to make sure there were no API changes that affect this project's usage of it?

ralphtheninja commented 6 years ago

@jlipps I didn't. But allow me to spend some time on it and get back to you!

ralphtheninja commented 6 years ago

@jlipps Some digging below.

From archivers CHANGELOG.md:

2.0.0 — July 5th, 2017 — Diff

feature: support for symlinks. (#228)
feature: support for promises on finalize. (#248)
feature: addition of symlink method for programmatically creating symlinks within an archive.
change: emit warning instead of error when stat fails and the process can still continue.
change: errors and warnings now contain extended data (where available) and have standardized error codes (#256)
change: removal of deprecated bulk functionality. (#249)
change: removal of internal _entries property in favor of progress event. (#247)
change: support for node v4.0+ only. node v0.10 and v0.12 support has been dropped. (#241)

Looking at the code it's only used in commands.uploadFile() in lib/commands.js:

commands.uploadFile = function(filepath) {
  var cb = findCallback(arguments);
  var _this = this;
  var archiver = require('archiver');

  var archive = archiver('zip');
  var dataList = [];

  archive
  .on('error', function(err) {
    cb(err);
  })
  .on('data', function(data) {
    dataList.push(data);
  })
  .on('end', function() {
    _this._jsonWireCall({
    method: 'POST'
      , relPath: '/file'
      , data: { file: Buffer.concat(dataList).toString('base64') },
      cb: callbackWithData(cb, _this)
    });
  });

  archive
  .append(
    fs.createReadStream(filepath),
    { name: path.basename(filepath) }
  );

  archive.finalize(function(err) {
    if (err) {
      cb(err);
    }
  });
};

And .append() and .finalize() doesn't seem to be affected of the new major version.

jlipps commented 6 years ago

great, thanks!

admc / wd

Upgrade archiver and lodash for npm audit security report #534