jaggedsoft / node-binance-api

Node Binance API is an asynchronous node.js library for the Binance API designed to be easy to use.
MIT License

Security problem json-schema is vulnerable to Prototype Pollution #763

Open Jabbaxx opened 2 years ago

Jabbaxx commented 2 years ago

Hello, there seems to be a security problem of a dependency in the latest version. It needs to be fixed soon.

Anyone know a workaround?

"npm audit fix --force" is NOT a good idea as it installs a very old version 0.2.1 of node-binance-api.

How to test:

```
cd /tmp/
mkdir test
cd test/
npm install node-binance-api
npm WARN deprecated har-validator@5.1.5: this library is no longer supported
npm WARN deprecated querystring@0.2.0: The querystring API is considered Legacy. new code should use the URLSearchParams API instead.
npm WARN deprecated uuid@3.4.0: Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.
npm WARN deprecated request@2.88.2: request has been deprecated, see https://github.com/request/request/issues/3142

added 67 packages, and audited 68 packages in 1s

2 packages are looking for funding
  run `npm fund` for details

5 moderate severity vulnerabilities

To address all issues, run:
  npm audit fix

Run `npm audit` for details.

npm audit --dry-run
# npm audit report

json-schema  <0.4.0
Severity: moderate
json-schema is vulnerable to Prototype Pollution - https://github.com/advisories/GHSA-896r-f27r-55mw
fix available via `npm audit fix --force`
Will install node-binance-api@0.2.1, which is a breaking change
node_modules/json-schema
  jsprim  0.3.0 - 2.0.1
  Depends on vulnerable versions of json-schema
  node_modules/jsprim
    http-signature  1.0.0 - 1.3.5
    Depends on vulnerable versions of jsprim
    node_modules/http-signature
      request  >=2.66.0
      Depends on vulnerable versions of http-signature
      node_modules/request
        node-binance-api  >=0.2.2
        Depends on vulnerable versions of request
        node_modules/node-binance-api

5 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
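The audit report above is only useful once you know which of your direct dependencies is dragging in the vulnerable package, and whether the installed version is actually below the fixed one. The following script is an added example (it is not part of node-binance-api, this issue, or npm): it walks a lockfile-shaped `packages` map the way npm's v2/v3 `package-lock.json` is laid out, resolves each dependency with Node's nearest-`node_modules` rule, and reports every chain that ends at a package below a given fixed version. The embedded lockfile fragment is constructed to mirror the chain in the report (node-binance-api → request → http-signature → jsprim → json-schema); the intermediate version numbers are placeholders, not values taken from a real install.

```javascript
// Added example, not code from the node-binance-api project or from npm.
// Finds dependency chains in a package-lock v2/v3 style "packages" map that
// end at a package whose installed version is below a known-fixed version.

// Constructed lockfile fragment modelled on the `npm audit` report in the
// issue. Version numbers are placeholders chosen to fall inside the ranges
// the report lists; they were not read from a real lockfile.
const lockfile = {
  packages: {
    "": { dependencies: { "node-binance-api": "^0.12.0" } },
    "node_modules/node-binance-api": { version: "0.12.0", dependencies: { request: "^2.88.2" } },
    "node_modules/request": { version: "2.88.2", dependencies: { "http-signature": "~1.2.0" } },
    "node_modules/http-signature": { version: "1.2.0", dependencies: { jsprim: "^1.2.2" } },
    "node_modules/jsprim": { version: "1.4.1", dependencies: { "json-schema": "0.2.3" } },
    "node_modules/json-schema": { version: "0.2.3" },
  },
};

// Plain numeric dotted-version comparison (no prerelease handling).
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Resolve `depName` from the package located at `fromPath` the way Node does:
// try a nested node_modules under the current package first, then walk up
// one node_modules level at a time until the root is reached.
function resolve(packages, fromPath, depName) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Package name from a lockfile path, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameOf(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Depth-first walk from the root package. Returns one "a@1 -> b@2 -> ..." string
// per chain that ends at `target` installed below `fixedIn`. Each lockfile
// entry's children are expanded only once, so a package reachable through
// several parents is reported via the first chain that reaches it.
function findVulnerablePaths(lock, target, fixedIn) {
  const packages = lock.packages;
  const hits = [];
  const expanded = new Set();

  function walk(path, chain) {
    const entry = packages[path];
    if (!entry) return;
    const next = path === "" ? chain : chain.concat([`${nameOf(path)}@${entry.version}`]);
    if (path !== "" && nameOf(path) === target && compareVersions(entry.version, fixedIn) < 0) {
      hits.push(next.join(" -> "));
    }
    if (expanded.has(path)) return;
    expanded.add(path);
    for (const dep of Object.keys(entry.dependencies || {})) {
      const resolved = resolve(packages, path, dep);
      if (resolved) walk(resolved, next);
    }
  }

  walk("", []);
  return hits;
}

// Usage: the advisory in the issue says json-schema is fixed in 0.4.0.
console.log(findVulnerablePaths(lockfile, "json-schema", "0.4.0"));
```

Run it against a real project by replacing `lockfile` with `JSON.parse(fs.readFileSync("package-lock.json"))` (only lockfiles with a top-level `packages` map, i.e. lockfileVersion 2 or 3, have this shape). The output tells you which direct dependency to chase upstream; while waiting for that release, npm 8.3 and later also accept an `overrides` field in `package.json` to pin a transitive package such as `json-schema` to a fixed version without downgrading the direct dependency.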

marte3707 commented 2 years ago

Very serious issue.

grzegorzkrukowski commented 2 years ago

+1 for this one

grzegorzkrukowski commented 2 years ago

It will be fixed now when you run npm install again on your project - dependencies have been updated in deeper libraries