artilleryio / artillery

The complete load testing platform. Everything you need for production-grade load tests. Serverless & distributed. Load test with Playwright. Load test HTTP APIs, GraphQL, WebSocket, and more. Use any Node.js module.
https://www.artillery.io
Mozilla Public License 2.0

Failing npm audit #651

Open vbtelus opened 5 years ago

vbtelus commented 5 years ago

We are using artillery in our projects and recently we started seeing the following:

                       === npm audit security report ===                        

┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Sandbox Breakout / Arbitrary Code Execution                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ static-eval                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ No patch available                                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ artillery [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ artillery > jsonpath > static-eval                           │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/758                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

I noticed that a similar issue has already been created in static-eval and a fix is awaiting approval: https://github.com/substack/static-eval/issues/20 Can you please monitor their issue and rebuild your library when it's fixed?

Regards, VB

auahmed commented 5 years ago

The issue has been resolved, but they published it to https://www.npmjs.com/package/static-eval2.

source: https://github.com/substack/static-eval/pull/21

vbtelus commented 5 years ago

It seems a new release was published: https://github.com/browserify/static-eval/releases/tag/2.0.1 @hassy

azamb commented 5 years ago

2.0.2 has been released: https://github.com/browserify/static-eval/releases/tag/v2.0.2 with the fix.

hassy commented 5 years ago

There's a new PR (#659) which fixes the problems reported by npm audit, apart from the issue with static-eval reported here. We don't depend on it directly, and need to wait for jsonpath to update their dependency on it.

millette commented 5 years ago

See https://github.com/browserify/static-eval/issues/20#issuecomment-468224076
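
Because the affected package is only reached transitively (artillery > jsonpath > static-eval), the useful check for a consumer is whether their own lockfile still resolves a copy below the fixed version. The script below is an added example, not artillery's or any commenter's code: it walks an npm lockfile in either the v1 (nested `dependencies`) or v2/v3 (`packages`) shape, reports every resolved copy of a package with its install path, and flags those below a given version. The sample lockfile and the artillery/jsonpath version numbers in it are constructed; 2.0.2 is the fixed static-eval version named in the thread.

```javascript
// Added example: find every resolved copy of a transitive dependency in an npm
// lockfile and flag copies older than the version that carries the fix.

function compareVersions(a, b) {
  // Numeric major.minor.patch comparison; pre-release suffixes are ignored.
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function findResolved(lock, name) {
  const hits = [];
  if (lock.packages) {
    // lockfile v2/v3: keys are install paths like node_modules/a/node_modules/b
    for (const [key, meta] of Object.entries(lock.packages)) {
      const chain = key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, ''));
      if (chain[chain.length - 1] === name) hits.push({ path: chain.join(' > '), version: meta.version });
    }
  } else if (lock.dependencies) {
    // lockfile v1: nested "dependencies" objects; carry the parent chain along
    const walk = (deps, chain) => {
      for (const [dep, meta] of Object.entries(deps)) {
        const here = [...chain, dep];
        if (dep === name) hits.push({ path: here.join(' > '), version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, here);
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}

// Copies of `name` resolved below `fixedIn`, i.e. still affected.
function unpatched(lock, name, fixedIn) {
  return findResolved(lock, name).filter(h => compareVersions(h.version, fixedIn) < 0);
}

// Constructed v1 lockfile fragment mirroring the path from the audit report;
// the top-level static-eval is already on the fixed version, the nested one is not.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  artillery: { version: '1.6.0', dependencies: {
    jsonpath: { version: '1.0.0', dependencies: { 'static-eval': { version: '2.0.0' } } } } },
  'static-eval': { version: '2.0.2' } } };

for (const h of unpatched(SAMPLE_LOCK, 'static-eval', '2.0.2')) {
  console.log(`UNPATCHED ${h.path} @ ${h.version}`); // prints the jsonpath copy only
}
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a nested hit means the parent (here jsonpath) still pins the old range and an upstream bump is needed, exactly as the maintainer notes.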