
still active? #62

Open machinshin opened 5 years ago

machinshin commented 5 years ago

Is this library still actively developed?

I ask because I saw this on my 'trending' list today, installed it in a project, and ran npm audit, and this is what came back:

                   === npm audit security report ===

┌──────────────────────────────────────────────────────────────────────────────┐ │ Manual Review │ │ Some vulnerabilities require your attention to resolve │ │ │ │ Visit https://go.npm.me/audit-guide for additional guidance │ └──────────────────────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.3.4 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/23 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ VBScript Content Injection │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.3.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/24 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Sanitization bypass using HTML Entities │ 
├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.3.6 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/101 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=0.3.9 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > marked │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/531 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Cross-Site Scripting │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ mustache │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=2.2.1 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > mustache │ 
├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/62 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=3.0.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > jasmine-node > gaze > fileset > glob > minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/118 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=3.0.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > jasmine-node > gaze > fileset > minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/118 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ High │ Regular Expression Denial of Service │ 
├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=3.0.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > jasmine-node > gaze > minimatch │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/118 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Critical │ Command Injection │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ growl │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=1.10.2 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > jasmine-node > jasmine-growl-reporter > growl │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/146 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Moderate │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ mime │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >= 1.4.1 < 2.0.0 || >= 2.0.3 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ 
├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > less > mime │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/535 │ └───────────────┴──────────────────────────────────────────────────────────────┘ ┌───────────────┬──────────────────────────────────────────────────────────────┐ │ Low │ Regular Expression Denial of Service │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Package │ clean-css │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Patched in │ >=4.1.11 │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Dependency of │ autodoc │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ Path │ autodoc > less > clean-css │ ├───────────────┼──────────────────────────────────────────────────────────────┤ │ More info │ https://npmjs.com/advisories/785 │ └───────────────┴──────────────────────────────────────────────────────────────┘ found 11 vulnerabilities (1 low, 2 moderate, 7 high, 1 critical) in 45646 scanned packages 11 vulnerabilities require manual review. See the full report for details.

machinshin commented 5 years ago

full audit report

{ "actions": [ { "action": "review", "module": "marked", "resolves": [ { "id": 23, "path": "autodoc>marked", "dev": false, "optional": false, "bundled": false }, { "id": 24, "path": "autodoc>marked", "dev": false, "optional": false, "bundled": false }, { "id": 101, "path": "autodoc>marked", "dev": false, "optional": false, "bundled": false }, { "id": 531, "path": "autodoc>marked", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "mustache", "resolves": [ { "id": 62, "path": "autodoc>mustache", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "minimatch", "resolves": [ { "id": 118, "path": "autodoc>jasmine-node>gaze>fileset>glob>minimatch", "dev": false, "optional": false, "bundled": false }, { "id": 118, "path": "autodoc>jasmine-node>gaze>fileset>minimatch", "dev": false, "optional": false, "bundled": false }, { "id": 118, "path": "autodoc>jasmine-node>gaze>minimatch", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "growl", "resolves": [ { "id": 146, "path": "autodoc>jasmine-node>jasmine-growl-reporter>growl", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "mime", "resolves": [ { "id": 535, "path": "autodoc>less>mime", "dev": false, "optional": true, "bundled": false } ] }, { "action": "review", "module": "clean-css", "resolves": [ { "id": 785, "path": "autodoc>less>clean-css", "dev": false, "optional": true, "bundled": false } ] } ], "advisories": { "23": { "findings": [ { "version": "0.3.2", "paths": [ "autodoc>marked" ] } ], "id": 23, "created": "2015-10-17T19:41:46.382Z", "updated": "2019-06-24T14:43:42.223Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Barış Soner Uşaklı" }, "reported_by": { "name": "Barış Soner Uşaklı" }, "module_name": "marked", "cves": [ "CVE-2015-8854" ], "vulnerable_versions": "<=0.3.3", "patched_versions": ">=0.3.4", "overview": 
"Versions 0.3.3 and earlier of marked are affected by a regular expression denial of service ( ReDoS ) vulnerability when passed inputs that reach the em inline rule.\n", "recommendation": "Update to version 0.3.4 or later.", "references": "- Regular Expression Denial of Service - OWASP\n- Issue 497", "access": "public", "severity": "high", "cwe": "CWE-400", "metadata": { "module_type": "Multi.Library", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/23" }, "24": { "findings": [ { "version": "0.3.2", "paths": [ "autodoc>marked" ] } ], "id": 24, "created": "2015-10-17T19:41:46.382Z", "updated": "2019-06-24T14:43:51.258Z", "deleted": null, "title": "VBScript Content Injection", "found_by": { "name": "Xiao Long" }, "reported_by": { "name": "Xiao Long" }, "module_name": "marked", "cves": [ "CVE-2015-1370" ], "vulnerable_versions": "<=0.3.2", "patched_versions": ">=0.3.3", "overview": "Versions 0.3.2 and earlier of marked are affected by a cross-site scripting vulnerability even when sanitize:true is set. \n\n## Proof of Concept ( IE10 Compatibility Mode Only )\n\n[xss link](vbscript:alert(1&#41;)\n\nwill get a link\n\n<a href=\"vbscript:alert(1)\">xss link</a>", "recommendation": "Update to version 0.3.3 or later.", "references": "- Issue 492", "access": "public", "severity": "moderate", "cwe": "CWE-74", "metadata": { "module_type": "Multi.Library", "exploitability": 1, "affected_components": "" }, "url": "https://npmjs.com/advisories/24" }, "62": { "findings": [ { "version": "0.7.2", "paths": [ "autodoc>mustache" ] } ], "id": 62, "created": "2015-12-14T17:05:06.592Z", "updated": "2018-02-26T21:54:28.175Z", "deleted": null, "title": "Cross-Site Scripting", "found_by": { "name": "Matias P. Brutti" }, "reported_by": { "name": "Matias P. 
Brutti" }, "module_name": "mustache", "cves": [ "CVE-2015-8862" ], "vulnerable_versions": "<2.2.1", "patched_versions": ">=2.2.1", "overview": "Versions of mustache prior to 2.2.1 are affected by a cross-site scripting vulnerability when attributes in mustache templates are not quoted.\n\n\n\n### Example\nTemplate:\n<a href={{foo}}/>\n\nInput:\n{ 'foo' : 'test.com onload=alert(1)'}\n\nRendered result:\n<a href=test.com onload=alert(1)/>", "recommendation": "Update to version 2.2.1 or later.\nAlternatively, ensure that all attributes in hmustache templates are encapsulated with quotes.", "references": "Commit #378bcca", "access": "public", "severity": "high", "cwe": "CWE-79", "metadata": { "module_type": "Network.Library", "exploitability": 7, "affected_components": "" }, "url": "https://npmjs.com/advisories/62" }, "101": { "findings": [ { "version": "0.3.2", "paths": [ "autodoc>marked" ] } ], "id": 101, "created": "2016-04-18T16:26:59.000Z", "updated": "2019-06-24T14:59:12.354Z", "deleted": null, "title": "Sanitization bypass using HTML Entities", "found_by": { "name": "Matt Austin" }, "reported_by": { "name": "Matt Austin" }, "module_name": "marked", "cves": [ "CVE-2016-10531" ], "vulnerable_versions": "<=0.3.5", "patched_versions": ">=0.3.6", "overview": "Affected versions of marked are susceptible to a cross-site scripting vulnerability in link components when sanitize:true is configured. \n\n## Proof of Concept\n\nThis flaw exists because link URIs containing HTML entities get processed in an abnormal manner. 
Any HTML Entities get parsed on a best-effort basis and included in the resulting link, while if that parsing fails that character is omitted.\n\nFor example:\n\nA link URI such as\n\njavascript&#x58document;alert&#40;1&#41;\n\nRenders a valid link that when clicked will execute alert(1).", "recommendation": "Update to version 0.3.6 or later.", "references": "- PR #592\n- Commit #2cff859", "access": "public", "severity": "high", "cwe": "CWE-79", "metadata": { "module_type": "Multi.Library", "exploitability": 7, "affected_components": "" }, "url": "https://npmjs.com/advisories/101" }, "118": { "findings": [ { "version": "0.3.0", "paths": [ "autodoc>jasmine-node>gaze>fileset>glob>minimatch" ] }, { "version": "0.2.14", "paths": [ "autodoc>jasmine-node>gaze>fileset>minimatch", "autodoc>jasmine-node>gaze>minimatch" ] } ], "id": 118, "created": "2016-05-25T16:37:20.000Z", "updated": "2018-03-01T21:58:01.072Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Nick Starke" }, "reported_by": { "name": "Nick Starke" }, "module_name": "minimatch", "cves": [ "CVE-2016-10540" ], "vulnerable_versions": "<=3.0.1", "patched_versions": ">=3.0.2", "overview": "Affected versions of minimatch are vulnerable to regular expression denial of service attacks when user input is passed into the pattern argument of minimatch(path, pattern).\n\n\n## Proof of Concept\n\nvar minimatch = require(“minimatch”);\n\n// utility function for generating long strings\nvar genstr = function (len, chr) {\n var result = “”;\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n return result;\n}\n\nvar exploit = “[!” + genstr(1000000, “\\\\”) + “A”;\n\n// minimatch exploit.\nconsole.log(“starting minimatch”);\nminimatch(“foo”, exploit);\nconsole.log(“finishing minimatch”);\n", "recommendation": "Update to version 3.0.2 or later.", "references": "", "access": "public", "severity": "high", "cwe": "CWE-400", "metadata": { "module_type": "Multi.Library", 
"exploitability": 4, "affected_components": "Internal::Code::Function::minimatch({type:'args', key:0, vector:{type:'string'}})" }, "url": "https://npmjs.com/advisories/118" }, "146": { "findings": [ { "version": "1.7.0", "paths": [ "autodoc>jasmine-node>jasmine-growl-reporter>growl" ] } ], "id": 146, "created": "2016-09-06T12:49:40.000Z", "updated": "2019-06-24T14:53:20.802Z", "deleted": null, "title": "Command Injection", "found_by": { "name": "Cristian-Alexandru Staicu" }, "reported_by": { "name": "Cristian-Alexandru Staicu" }, "module_name": "growl", "cves": [ "CVE-2017-16042" ], "vulnerable_versions": "<1.10.2", "patched_versions": ">=1.10.2", "overview": "Affected versions of growl do not properly sanitize input prior to passing it into a shell command, allowing for arbitrary command execution.", "recommendation": "Update to version 1.10.2 or later.", "references": "- Issue #60\n- PR #61", "access": "public", "severity": "critical", "cwe": "CWE-94", "metadata": { "module_type": "CLI.Library", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/146" }, "531": { "findings": [ { "version": "0.3.2", "paths": [ "autodoc>marked" ] } ], "id": 531, "created": "2017-09-21T04:12:52.054Z", "updated": "2018-04-09T00:28:59.635Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Cristian-Alexandru Staicu" }, "reported_by": { "name": "Cristian-Alexandru Staicu" }, "module_name": "marked", "cves": [ "CVE-2017-16114" ], "vulnerable_versions": "<0.3.9", "patched_versions": ">=0.3.9", "overview": "Affected versions of marked are vulnerable to a regular expression denial of service. 
\n\nThe amplification in this vulnerability is significant, with 1,000 characters resulting in the event loop being blocked for around 6 seconds.", "recommendation": "Update to version 0.3.9 or later.", "references": "Issue #937", "access": "public", "severity": "high", "cwe": "CWE-400", "metadata": { "module_type": "Multi.Library", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/531" }, "535": { "findings": [ { "version": "1.2.11", "paths": [ "autodoc>less>mime" ] } ], "id": 535, "created": "2017-09-25T19:02:28.152Z", "updated": "2018-04-09T00:38:22.785Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Cristian-Alexandru Staicu" }, "reported_by": { "name": "Cristian-Alexandru Staicu" }, "module_name": "mime", "cves": [ "CVE-2017-16138" ], "vulnerable_versions": "< 1.4.1 || > 2.0.0 < 2.0.3", "patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3", "overview": "Affected versions of mime are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", "recommendation": "Update to version 2.0.3 or later.", "references": "Issue #167", "access": "public", "severity": "moderate", "cwe": "CWE-400", "metadata": { "module_type": "Multi.Library", "exploitability": 4, "affected_components": "" }, "url": "https://npmjs.com/advisories/535" }, "785": { "findings": [ { "version": "2.0.8", "paths": [ "autodoc>less>clean-css" ] } ], "id": 785, "created": "2019-02-15T21:40:03.940Z", "updated": "2019-02-15T21:41:13.431Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "link": "https://github.com/davisjam", "name": "Jamie Davis" }, "reported_by": { "link": "", "name": "Santosh Rao" }, "module_name": "clean-css", "cves": [], "vulnerable_versions": "<4.1.11", "patched_versions": ">=4.1.11", "overview": "Version of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). 
Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive leading to Denial of Service.", "recommendation": "Upgrade to version 4.1.11 or higher.", "references": "- GitHub Commit", "access": "public", "severity": "low", "cwe": "CWE-185", "metadata": { "module_type": "", "exploitability": 4, "affected_components": "" }, "url": "https://npmjs.com/advisories/785" } }, "muted": [], "metadata": { "vulnerabilities": { "info": 0, "low": 1, "moderate": 2, "high": 7, "critical": 1 }, "dependencies": 2145, "devDependencies": 43494, "optionalDependencies": 16, "totalDependencies": 45646 }, "runId": "76301f10-b207-4551-bcb0-150d363020ef" }

bensyverson commented 5 years ago

No, it's not actively developed... Check out the commit history.