Closed davedoesdev closed 5 years ago
Github has outlined a whole slew of vulnerabilities in outdated package dependencies. Much of this requires pretty significant changes, which will take some free weekends!
On Fri, Sep 14, 2018 at 1:41 PM David Halls notifications@github.com wrote:
github is moaning about a vuln in cryptiles@3.12, brought in via request.
No problem - library is still working great (thanks)! For non-production use this won't be relevant anyway.
cryptiles seems to be required like this:
└─┬ wd@1.10.3
  └─┬ request@2.85.0
    └─┬ hawk@6.0.2
      └── cryptiles@3.1.2
The request module seems to have dropped the hawk dependency lately (ref: https://github.com/request/request/pull/2943). If we update the request dependency version to 2.87 or above, the above vulnerability warning should disappear.
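One way to confirm the chain above and to verify the bump actually removes it, as an added example that is not code from the wd project: walk an `npm ls --json`-style tree (the nested `dependencies`/`version` objects npm emits), list every path that reaches cryptiles, and flag any `request` on such a path that is older than 2.87.0. The sample tree is constructed from the one quoted in this thread.

```javascript
// Added example, not code from the wd project: find every dependency path
// that reaches a package and flag the `request` versions that need bumping.

// Constructed sample mirroring the tree quoted in this thread.
const SAMPLE_TREE = { dependencies: { wd: { version: '1.10.3', dependencies: {
  request: { version: '2.85.0', dependencies: {
    hawk: { version: '6.0.2', dependencies: {
      cryptiles: { version: '3.1.2' } } } } } } } } };

// Depth-first walk; returns every chain of "name@version" ending at `target`.
function findPaths(tree, target, trail = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const chain = trail.concat(`${name}@${node.version}`);
    if (name === target) hits.push(chain);
    hits.push(...findPaths(node, target, chain));
  }
  return hits;
}

// Minimal "major.minor.patch" comparison (prerelease tags are not handled).
function atLeast(version, minimum) {
  const a = version.split('.').map(Number);
  const b = minimum.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Every `request` on a path to `target` that is below `minRequest` is the
// transitive parent that needs bumping. Splits on the last '@' so scoped
// names such as @scope/pkg@1.0.0 are parsed correctly.
function requestsNeedingBump(tree, target = 'cryptiles', minRequest = '2.87.0') {
  const offenders = new Set();
  for (const entry of findPaths(tree, target).flat()) {
    const at = entry.lastIndexOf('@');
    if (entry.slice(0, at) === 'request' && !atLeast(entry.slice(at + 1), minRequest)) offenders.add(entry);
  }
  return [...offenders];
}

// Stand-alone use: `node check.js tree.json` with the output of `npm ls --json`;
// with no argument the constructed sample is used.
if (typeof require !== 'undefined' && require.main === module) {
  const src = process.argv[2];
  const tree = src ? JSON.parse(require('fs').readFileSync(src, 'utf8')) : SAMPLE_TREE;
  console.log(findPaths(tree, 'cryptiles').map((p) => p.join(' > ')).join('\n'));
  console.log('request needing bump:', requestsNeedingBump(tree));
}
```

On the sample tree this prints the single chain wd > request > hawk > cryptiles and reports request@2.85.0; after bumping request to 2.87 or above, hawk is no longer pulled in and no path is found.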
@admc is this something you would accept a PR for? I'm more than happy to have a go
@mattrayner absolutely, I really want to update all this stuff, but I simply can't find the time right now! If you are willing to send some PR's over, I will absolutely review, test and merge.
@admc Amazing, I'll have a go right now!
Thanks for the nice fix! When will this fix be released? I want to resolve this security problem on my product.
Working on it.
Thank you so much!
Hi @admc, thanks for looking into this issue
I can't see a new version of wd on npm. The latest version of the wd package at the time of this comment is 1.11.1, which was released 2 months ago.
I don't feel that this issue should be closed until a new version (1.11.2) is published to npm. Apologies if I've misunderstood anything.
I think 1.11.1 contains the fix for this problem, and it actually resolved this issue on my environment.
@jonny-improbable can you check it out and let me know if your issue is solved?