cc-archive / open-ledger

Prototype code and examples for work on the Creative Commons "CC Search" project
MIT License
48 stars 23 forks

Security vulnerability with hoek (jsdom dependency) #236

Closed pa-w closed 6 years ago

pa-w commented 6 years ago

GitHub detected a vulnerable dependency in our code.


aldenstpage commented 6 years ago

This is from our dependency on jsdom. The dependency graph is jsdom->request->hawk->vulnerable version of hoek.

In package.json, you can see that this is only a dependency in our local development environment:

  "devDependencies": {
    . . .
    "chai": "^3.5.0",
    "jsdom": "9.8.3",
    "jsdom-global": "2.1.0",
    "mocha": "^3.5.0",
    . . .

Since this does not affect the production (or even beta) environment, this is a low priority fix for us. We may be stuck if jsdom hasn't been updated to use a patched version of request.
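To verify the "dev-only" reasoning above against a real dependency tree rather than by eye, here is an added example (not code from open-ledger or from npm) that walks a package-lock.json v1 tree and groups every chain to a package by whether its root sits in `dependencies` or `devDependencies`. The package.json and lockfile fragments are constructed, only the jsdom pin comes from the issue, and the walk assumes a flat, hoisted tree with no nested `dependencies` blocks.

```javascript
// Constructed package.json fragment: the jsdom pin is the one quoted in the
// issue; the other packages and versions are illustrative placeholders.
const pkg = {
  dependencies: { express: "^4.16.0" },
  devDependencies: { jsdom: "9.8.3" },
};
// Constructed package-lock.json v1 fragment mirroring the chain in the issue:
// jsdom -> request -> hawk -> hoek. "requires" holds each package's edges;
// "dev": true is npm's own marker for packages reachable only from dev roots.
const lockfile = {
  dependencies: {
    express: { version: "4.16.3", requires: { "safe-buffer": "5.1.1" } },
    "safe-buffer": { version: "5.1.1" },
    jsdom: { version: "9.8.3", dev: true, requires: { request: "^2.79.0" } },
    request: { version: "2.79.0", dev: true, requires: { hawk: "~3.1.3" } },
    hawk: { version: "3.1.3", dev: true, requires: { hoek: "2.x.x" } },
    hoek: { version: "2.16.3", dev: true },
  },
};
// DFS over "requires" edges: every path from `start` to `target` as an array
// of package names. `seen` guards against dependency cycles.
function findPaths(lock, start, target, seen = new Set()) {
  if (start === target) return [[target]];
  if (seen.has(start)) return [];
  const entry = lock.dependencies[start];
  if (!entry) return [];
  const next = new Set(seen).add(start);
  const paths = [];
  for (const dep of Object.keys(entry.requires || {})) {
    for (const rest of findPaths(lock, dep, target, next)) {
      paths.push([start, ...rest]);
    }
  }
  return paths;
}
// Group every chain to `target` by the package.json section its root is in.
// A non-empty `prod` list means the package would ship to production.
function reachability(pkgJson, lock, target) {
  const report = { prod: [], dev: [] };
  for (const [section, bucket] of [["dependencies", "prod"], ["devDependencies", "dev"]]) {
    for (const root of Object.keys(pkgJson[section] || {})) {
      report[bucket].push(...findPaths(lock, root, target));
    }
  }
  return report;
}
const result = reachability(pkg, lockfile, "hoek");
for (const p of result.prod) console.log("PROD:", p.join(" -> "));
for (const p of result.dev) console.log("DEV: ", p.join(" -> "));
console.log(result.prod.length ? "reachable from production" : "dev-only");
```

In a real checkout, `npm ls hoek` prints the same chains from the installed tree, which is the quickest way to confirm the classification before deciding on priority.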

aldenstpage commented 6 years ago

The maintainer of jsdom has declined to take action.

pa-w commented 6 years ago

Great, thanks @aldenstpage. Let's keep an eye on this.

aldenstpage commented 6 years ago

Closed since we are no longer using the original open-ledger app