es-analysis / plato

JavaScript source code visualization, static analysis, and complexity tool
MIT License
4.56k stars 322 forks

Latest version of plato (1.7.0) using a vulnerable version of lodash (4.13.1) #216

Open AlfredoPardo-zz opened 6 years ago

AlfredoPardo-zz commented 6 years ago

Hi Everyone,

When running a custom static-code analysis tool, we've found that plato 1.7.0 has lodash 4.13.1 within its dependencies, which is known to have a "Prototype Pollution" vulnerability.

More information here

Thank you,

Alfredo Pardo

JaneX8 commented 6 years ago

From: https://nodesecurity.io/advisories/577

Versions of lodash before 4.17.5 are vulnerable to prototype pollution.

The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of Object via __proto__ causing the addition or modification of an existing property that will exist on all objects.

Remediation: Update to version 4.17.5 or later.

@jsoverson Please fix this.

> npm audit

                       === npm audit security report ===

                                 Manual Review
             Some vulnerabilities require your attention to resolve

          Visit https://go.npm.me/audit-guide for additional guidance

  Low             Prototype Pollution

  Package         lodash

  Patched in      >=4.17.5

  Dependency of   plato [dev]

  Path            plato > lodash

  More info       https://nodesecurity.io/advisories/577

found 1 low severity vulnerability in 19605 scanned packages
  1 vulnerability requires manual review. See the full report for details.

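As an added example that is not part of this thread, plato or lodash, here is the deep-merge pattern the advisory above describes, written so that the keys it names as the pollution vector are rejected instead of assigned, run against a constructed untrusted payload. FORBIDDEN_KEYS, safeMerge, prototypeIsPolluted and demo are names of this example's own making.

```javascript
// Added example (not plato's or lodash's code): a deep-merge that refuses the
// keys through which a merge can reach Object.prototype, plus a check that
// Object.prototype was left untouched after merging untrusted input.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Recursively copies `source` into `target`. Only own, enumerable keys are
// visited; any key that could reach the prototype chain is skipped and
// recorded in `report` so the caller can log or reject the input.
function safeMerge(target, source, report = []) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      report.push(key);
      continue;
    }
    const value = source[key];
    if (isPlainObject(value)) {
      // Start from a fresh own object when the target has none; never
      // descend into an inherited property.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value, report);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// True if a brand-new object already carries `probeKey`: that is how a
// polluted Object.prototype shows up everywhere at once.
function prototypeIsPolluted(probeKey) {
  return ({})[probeKey] !== undefined;
}

// Constructed sample input in the shape the advisory describes. JSON.parse
// creates "__proto__" as an own key, which is exactly what the merge sees.
const untrusted = JSON.parse(
  '{"name":"report","__proto__":{"polluted":true},' +
  '"opts":{"constructor":{"prototype":{"x":1}},"depth":2}}'
);

function demo() {
  const report = [];
  const cfg = safeMerge({ opts: { depth: 1 } }, untrusted, report);
  const polluted = prototypeIsPolluted('polluted') || prototypeIsPolluted('x');
  return { cfg, report, polluted };
}
```

With an unpatched lodash the same payload passed to merge or defaultsDeep would make `polluted` come back true; here the two rejected keys are reported and the legitimate `name` and `opts.depth` values still merge.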
JaneX8 commented 6 years ago

@jsoverson any chance we can update the dependency to >=4.17.5?

JaneX8 commented 5 years ago

@jsoverson sorry for the direct mention again, but any chance we can update the dependency to >=4.17.5 for the sake of security?

ainthek commented 5 years ago

+1 please

jsoverson commented 5 years ago

I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme.

ainthek commented 5 years ago

Shame. Just an idea: maybe write a disclaimer “currently not maintained, only security patches” in the readme and fix these at least?


On 7 Feb 2019, at 18:12, Jarrod Overson notifications@github.com wrote:

I totally understand the desire but I'm hesitant to accept and publish any changes because it makes this project appear maintained when it isn't. This project needs active maintainers and there aren't any. If there is a fork that has been generally accepted as the-next-best-repo then I can link to it in the readme.
