Open ErisDS opened 7 years ago
Lodash dependency being < 4.17.5 also exposes a low risk prototype pollution attack. https://nodesecurity.io/advisories/577
It took my colleague over a week to get some sort of answer out of our Clearbit rep, but this is what we were told:
Our dev team said that for now, the node integration works as is, and as some of the dependencies have since changed significantly there’s a significant amount of work involved in updating some of them. It’s on our roadmap, but not something we’re actively prioritizing.
npm audit report
FYI: The risk level on the prototype pollution for the outdated lodash version being used by Clearbit has now been elevated to High.
I'm really sick of getting nagged by GitHub (and then my team) about these vulnerabilities simply because Clearbit can't be bothered to do basic maintenance of their package deps in well over a year.
As said before, it is pretty straightforward...
@ErisDS @andymjames I addressed the lodash dependency upgrade in https://github.com/clearbit/clearbit-node/pull/46
Howdy, it looks like the clearbit npm package is still showing high risk security warnings due to the lodash dependency being out of date. It also looks like there's a PR out to upgrade lodash: https://github.com/clearbit/clearbit-node/pull/46
@ErisDS @andymjames any chance we could get a new version of this package pushed to resolve these security issues?
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Low │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.5 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ clearbit │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ clearbit > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/577 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.11 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ clearbit │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ clearbit > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/782 │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Prototype Pollution │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.17.12 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ clearbit │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ clearbit > lodash │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/1065 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 3 vulnerabilities (1 low, 2 high) in 2079 scanned packages
3 vulnerabilities require manual review. See the full report for details.
cc @gregors @tristandunn @davidlumley
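The audit table above only says "Path: clearbit > lodash" and a "Patched in" floor per advisory. The following is an added example (not code from the clearbit-node project) that reproduces that check offline: it walks a constructed package-lock-style tree and reports every nested lodash copy that is below the patched floors shown for advisories 577, 782 and 1065. The lock tree, the lodash versions in it and the function names are all assumptions made for the example.

```javascript
// Added example, not from clearbit-node: flag nested lodash copies that are
// below the "Patched in" floors listed in the npm audit report above.
const LODASH_ADVISORIES = [
  { id: 577, patched: '4.17.5' },   // Low: Prototype Pollution
  { id: 782, patched: '4.17.11' },  // High: Prototype Pollution
  { id: 1065, patched: '4.17.12' }, // High: Prototype Pollution
];

// Numeric "x.y.z" comparison: negative if a < b, 0 if equal, positive if a > b.
// Pre-release tags are not handled; none of the lodash releases here use them.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a package-lock v1 style tree ({ dependencies: { name: { version,
// dependencies } } }) and return one finding per unpatched advisory, with the
// path rendered the same way as the "Path" row in the audit output.
function findUnpatchedLodash(tree, path = []) {
  const findings = [];
  for (const [name, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === 'lodash') {
      for (const adv of LODASH_ADVISORIES) {
        if (compareVersions(info.version, adv.patched) < 0) {
          findings.push({
            advisory: adv.id, version: info.version,
            patchedIn: `>=${adv.patched}`, path: here.join(' > '),
          });
        }
      }
    }
    findings.push(...findUnpatchedLodash(info, here)); // recurse into nested deps
  }
  return findings;
}

// Constructed sample tree (hypothetical): the app's own lodash is patched, but
// clearbit still carries its own nested 2.x lodash, as reported in this issue.
const SAMPLE_LOCK = {
  dependencies: {
    lodash: { version: '4.17.15' },
    clearbit: { dependencies: { lodash: { version: '2.4.2' } } },
  },
};

console.table(findUnpatchedLodash(SAMPLE_LOCK));
```

Pointing this at a real lockfile (`JSON.parse(fs.readFileSync('package-lock.json'))`) shows whether a top-level lodash upgrade actually reached the nested copy, which `npm audit` answers but a quick `npm ls lodash` glance can hide.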
@arasmussen sorry I'm no longer at Clearbit and no longer have access
Bluebird and lodash are both currently pinned to version 2, which are now out of date.
Could you look at upgrading these?
Lodash in particular now gives a deprecation notice when running npm install.
Current version of lodash is 4.15.0. Upgrading from v2 -> 3 is straightforward, upgrading from v3 -> 4 requires checking some aliases which have been removed.
Current version of bluebird is 3.4.1. v2 is deprecated but v3 is a reasonably major upgrade.