Closed Kesavadas closed 7 months ago
Thanks @Kesavadas. Dependencies with high severity CVEs will be addressed in the next release.
Thank you @hassy for the quick response. Much appreciated.
I'd just like to share that there still seem to be some open security vulnerabilities in 2.0.0-35.
```
# npm audit report
dot-prop <4.2.1
Severity: high
dot-prop Prototype Pollution vulnerability - https://github.com/advisories/GHSA-ff7x-qrg7-qggm
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/utils-is-little-endian/node_modules/dot-prop
configstore 2.0.0 - 2.1.0 || 3.1.3
Depends on vulnerable versions of dot-prop
node_modules/utils-is-little-endian/node_modules/configstore
update-notifier 0.2.0 - 5.1.0
Depends on vulnerable versions of configstore
Depends on vulnerable versions of latest-version
node_modules/artillery-pro/node_modules/update-notifier
node_modules/ava/node_modules/update-notifier
node_modules/update-notifier
node_modules/utils-is-little-endian/node_modules/update-notifier
artillery >=1.5.7-0
Depends on vulnerable versions of artillery-pro
Depends on vulnerable versions of ava
Depends on vulnerable versions of sketches-js-hassy
Depends on vulnerable versions of update-notifier
node_modules/artillery
ava 0.1.0 - 4.0.0-rc.1
Depends on vulnerable versions of update-notifier
node_modules/ava
ejs <3.1.7
Severity: critical
ejs template injection vulnerability - https://github.com/advisories/GHSA-phwq-j96m-2c2q
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/ejs
artillery-pro *
Depends on vulnerable versions of cfn
Depends on vulnerable versions of dependency-tree
Depends on vulnerable versions of ejs
Depends on vulnerable versions of jsonwebtoken
Depends on vulnerable versions of update-notifier
node_modules/artillery-pro
got <11.8.5
Severity: moderate
Got allows a redirect to a UNIX socket - https://github.com/advisories/GHSA-pfrx-2q88-qq97
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/artillery-pro/node_modules/package-json/node_modules/got
node_modules/package-json/node_modules/got
node_modules/utils-is-little-endian/node_modules/got
package-json <=6.5.0
Depends on vulnerable versions of got
node_modules/artillery-pro/node_modules/package-json
node_modules/package-json
node_modules/utils-is-little-endian/node_modules/package-json
latest-version 0.2.0 - 5.1.0
Depends on vulnerable versions of package-json
node_modules/artillery-pro/node_modules/latest-version
node_modules/latest-version
node_modules/utils-is-little-endian/node_modules/latest-version
jsonwebtoken <=8.5.1
Severity: moderate
jsonwebtoken unrestricted key type could lead to legacy keys usage - https://github.com/advisories/GHSA-8cf7-32gw-wr33
jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - https://github.com/advisories/GHSA-hjrf-2m68-5959
jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify() - https://github.com/advisories/GHSA-qwph-4952-7xr6
fix available via `npm audit fix --force`
Will install artillery@1.7.9, which is a breaking change
node_modules/jsonwebtoken
protobufjs 6.10.0 - 7.2.3
Severity: high
protobufjs Prototype Pollution vulnerability - https://github.com/advisories/GHSA-h755-8qp9-cq85
fix available via `npm audit fix`
node_modules/protobufjs
sketches-js-hassy *
Depends on vulnerable versions of protobufjs
node_modules/sketches-js-hassy
semver <5.7.2
Severity: moderate
semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
fix available via `npm audit fix`
node_modules/typescript-eslint-parser/node_modules/semver
typescript-eslint-parser 3.0.0 - 18.0.0
Depends on vulnerable versions of semver
node_modules/typescript-eslint-parser
detective-typescript 2.0.0 - 4.1.2
Depends on vulnerable versions of typescript-eslint-parser
node_modules/detective-typescript
precinct 4.0.0 - 5.3.1
Depends on vulnerable versions of detective-typescript
node_modules/precinct
dependency-tree 6.0.0 - 6.5.0
Depends on vulnerable versions of precinct
node_modules/dependency-tree
trim-newlines <3.0.1
Severity: high
Uncontrolled Resource Consumption in trim-newlines - https://github.com/advisories/GHSA-7p7h-4mm5-852v
fix available via `npm audit fix`
node_modules/trim-newlines
meow 3.4.0 - 5.0.0
Depends on vulnerable versions of trim-newlines
node_modules/meow
cfn >=1.6.0
Depends on vulnerable versions of meow
node_modules/cfn
21 vulnerabilities (10 moderate, 8 high, 3 critical)
```
I'm still seeing two in 2.0.0-37:
proxy: Improper Handling of Undefined Values
semver: Regular Expression Denial of Service (ReDoS)
Should not be present in latest artillery releases. Please open a new issue if that is the case. Thank you!
While trying to use the Docker image of artillery from Docker Hub (https://hub.docker.com/r/artilleryio/artillery/tags), Docker image tag: 2.0.0-34 (docker pull artilleryio/artillery:2.0.0-34).
It has about 13 vulnerabilities, high and medium included, which prohibits us from pulling the image.
Could you please push a latest image with no vulnerabilities?
Below is the screenshot of the vulnerabilities.