`npm audit` reports 11 advisories against this package's dependency tree (3 low, 8 moderate, none high/critical). Only `lodash` 3.10.1 (prototype pollution, CVE-2018-3721) is a direct dependency of d3-timeline; the rest are transitive, pulled in through `node-lessify>less>request` (hawk, hoek, mime, tunnel-agent) and `vashify>vash>uglify-js`. All of them are reported with `"dev": false`, so they end up in consumers' production install rather than only at build time. Full output below:
npm audit
{ "actions": [ { "action": "review", "module": "hoek", "resolves": [ { "id": 566, "path": "d3-timeline>node-lessify>less>request>hawk>boom>hoek", "dev": false, "optional": true, "bundled": false }, { "id": 566, "path": "d3-timeline>node-lessify>less>request>hawk>cryptiles>boom>hoek", "dev": false, "optional": true, "bundled": false }, { "id": 566, "path": "d3-timeline>node-lessify>less>request>hawk>hoek", "dev": false, "optional": true, "bundled": false }, { "id": 566, "path": "d3-timeline>node-lessify>less>request>hawk>sntp>hoek", "dev": false, "optional": true, "bundled": false } ] }, { "action": "review", "module": "mime", "resolves": [ { "id": 535, "path": "d3-timeline>node-lessify>less>mime", "dev": false, "optional": true, "bundled": false }, { "id": 535, "path": "d3-timeline>node-lessify>less>request>form-data>mime", "dev": false, "optional": true, "bundled": false } ] }, { "action": "review", "module": "uglify-js", "resolves": [ { "id": 39, "path": "d3-timeline>vashify>vash>uglify-js", "dev": false, "optional": false, "bundled": false }, { "id": 48, "path": "d3-timeline>vashify>vash>uglify-js", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "lodash", "resolves": [ { "id": 577, "path": "d3-timeline>lodash", "dev": false, "optional": false, "bundled": false } ] }, { "action": "review", "module": "hawk", "resolves": [ { "id": 77, "path": "d3-timeline>node-lessify>less>request>hawk", "dev": false, "optional": true, "bundled": false } ] }, { "action": "review", "module": "tunnel-agent", "resolves": [ { "id": 598, "path": "d3-timeline>node-lessify>less>request>tunnel-agent", "dev": false, "optional": true, "bundled": false } ] } ], "advisories": { "39": { "findings": [ { "version": "1.0.6", "paths": [ "d3-timeline>vashify>vash>uglify-js" ], "dev": false, "optional": false, "bundled": false } ], "id": 39, "created": "2015-10-17T19:41:46.382Z", "updated": "2018-02-24T00:13:52.640Z", "deleted": null, "title": "Incorrect 
Handling of Non-Boolean Comparisons During Minification", "found_by": { "name": "Tom MacWright" }, "reported_by": { "name": "Tom MacWright" }, "module_name": "uglify-js", "cves": [ "CVE-2015-8857" ], "vulnerable_versions": "<= 2.4.23", "patched_versions": ">= 2.4.24", "overview": "Versions of `uglify-js` prior to 2.4.24 are affected by a vulnerability which may cause crafted JavaScript to have altered functionality after minification.\n\n", "recommendation": "Upgrade UglifyJS to version >= 2.4.24.", "references": "[Backdooring JS - Yan Zhu(@bcrypt)](https://zyan.scripts.mit.edu[Backdooring JS - Yan Zhu(@bcrypt)]/blog/backdooring-js/)\n[Issue #751](https://github.com/mishoo/UglifyJS2/issues/751)", "access": "public", "severity": "low", "cwe": "CWE-95", "metadata": { "module_type": "Multi.Compiler", "exploitability": 2, "affected_components": "" }, "url": "https://npmjs.com/advisories/39" }, "48": { "findings": [ { "version": "1.0.6", "paths": [ "d3-timeline>vashify>vash>uglify-js" ], "dev": false, "optional": false, "bundled": false } ], "id": 48, "created": "2015-10-24T17:58:34.232Z", "updated": "2018-02-24T00:59:58.129Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Adam Baldwin" }, "reported_by": { "name": "Adam Baldwin" }, "module_name": "uglify-js", "cves": [ "CVE-2015-8858" ], "vulnerable_versions": "<2.6.0", "patched_versions": ">=2.6.0", "overview": "Versions of `uglify-js` prior to 2.6.0 are affected by a regular expression denial of service vulnerability when malicious inputs are passed into the `parse()` method.\n\n\n### Proof of Concept\n\n```\nvar u = require('uglify-js');\nvar genstr = function (len, chr) {\n var result = \"\";\n for (i=0; i<=len; i++) {\n result = result + chr;\n }\n\n return result;\n}\n\nu.parse(\"var a = \" + genstr(process.argv[2], \"1\") + \".1ee7;\");\n```\n\n### Results\n```\n$ time node test.js 10000\nreal\t0m1.091s\nuser\t0m1.047s\nsys\t0m0.039s\n\n$ time node test.js 
80000\nreal\t0m6.486s\nuser\t0m6.229s\nsys\t0m0.094s\n```", "recommendation": "Update to version 2.6.0 or later.", "references": "", "access": "public", "severity": "low", "cwe": "CWE-400", "metadata": { "module_type": "CLI.Compiler", "exploitability": 3, "affected_components": "Internal::Code::Method::parse([*])" }, "url": "https://npmjs.com/advisories/48" }, "77": { "findings": [ { "version": "1.1.1", "paths": [ "d3-timeline>node-lessify>less>request>hawk" ], "dev": false, "optional": true, "bundled": false } ], "id": 77, "created": "2016-01-19T21:50:30.175Z", "updated": "2018-02-26T22:47:26.285Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Adam Baldwin" }, "reported_by": { "name": "Adam Baldwin" }, "module_name": "hawk", "cves": [ "CVE-2016-2515" ], "vulnerable_versions": "< 3.1.3 || >= 4.0.0 <4.1.1", "patched_versions": ">=3.1.3 < 4.0.0 || >=4.1.1", "overview": "Versions of `hawk` prior to 3.1.3, or 4.x prior to 4.1.1 are affected by a regular expression denial of service vulnerability related to excessively long headers and URI's.\n", "recommendation": "Update to hawk version 4.1.1 or later.", "references": "[Issue #168](https://github.com/hueniverse/hawk/issues/168)", "access": "public", "severity": "moderate", "cwe": "CWE-400", "metadata": { "module_type": "Network.Library", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/77" }, "535": { "findings": [ { "version": "1.2.11", "paths": [ "d3-timeline>node-lessify>less>mime", "d3-timeline>node-lessify>less>request>form-data>mime" ], "dev": false, "optional": true, "bundled": false } ], "id": 535, "created": "2017-09-25T19:02:28.152Z", "updated": "2018-04-09T00:38:22.785Z", "deleted": null, "title": "Regular Expression Denial of Service", "found_by": { "name": "Cristian-Alexandru Staicu" }, "reported_by": { "name": "Cristian-Alexandru Staicu" }, "module_name": "mime", "cves": [ "CVE-2017-16138" ], "vulnerable_versions": "< 1.4.1 
|| > 2.0.0 < 2.0.3", "patched_versions": ">= 1.4.1 < 2.0.0 || >= 2.0.3", "overview": "Affected versions of `mime` are vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.", "recommendation": "Update to version 2.0.3 or later.", "references": "[Issue #167](https://github.com/broofa/node-mime/issues/167)", "access": "public", "severity": "moderate", "cwe": "CWE-400", "metadata": { "module_type": "Multi.Library", "exploitability": 4, "affected_components": "" }, "url": "https://npmjs.com/advisories/535" }, "566": { "findings": [ { "version": "0.9.1", "paths": [ "d3-timeline>node-lessify>less>request>hawk>boom>hoek", "d3-timeline>node-lessify>less>request>hawk>cryptiles>boom>hoek", "d3-timeline>node-lessify>less>request>hawk>hoek", "d3-timeline>node-lessify>less>request>hawk>sntp>hoek" ], "dev": false, "optional": true, "bundled": false } ], "id": 566, "created": "2018-04-20T21:25:58.421Z", "updated": "2018-04-20T21:25:58.421Z", "deleted": null, "title": "Prototype pollution", "found_by": { "name": "HoLyVieR" }, "reported_by": { "name": "HoLyVieR" }, "module_name": "hoek", "cves": [], "vulnerable_versions": "<= 4.2.0 || >= 5.0.0 < 5.0.3", "patched_versions": "> 4.2.0 < 5.0.0 || >= 5.0.3", "overview": "Versions of `hoek` prior to 4.2.1 and 5.0.3 are vulnerable to prototype pollution.\n\nThe `merge` function, and the `applyToDefaults` and `applyToDefaultsWithShallow` functions which leverage `merge` behind the scenes, are vulnerable to a prototype pollution attack when provided an _unvalidated_ payload created from a JSON string containing the `__proto__` property.\n\nThis can be demonstrated like so:\n\n```javascript\nvar Hoek = require('hoek');\nvar malicious_payload = '{\"__proto__\":{\"oops\":\"It works !\"}}';\n\nvar a = {};\nconsole.log(\"Before : \" + a.oops);\nHoek.merge({}, JSON.parse(malicious_payload));\nconsole.log(\"After : \" + a.oops);\n```\n\nThis type of attack can be used to overwrite existing 
properties causing a potential denial of service.", "recommendation": "Update to version 4.2.1, 5.0.3 or later.", "references": "", "access": "public", "severity": "moderate", "cwe": "CWE-471", "metadata": { "module_type": "", "exploitability": 5, "affected_components": "" }, "url": "https://npmjs.com/advisories/566" }, "577": { "findings": [ { "version": "3.10.1", "paths": [ "d3-timeline>lodash" ], "dev": false, "optional": false, "bundled": false } ], "id": 577, "created": "2018-04-24T14:27:02.796Z", "updated": "2018-04-24T14:27:13.049Z", "deleted": null, "title": "Prototype Pollution", "found_by": { "name": "Olivier Arteau (HoLyVieR)" }, "reported_by": { "name": "Olivier Arteau (HoLyVieR)" }, "module_name": "lodash", "cves": [ "CVE-2018-3721" ], "vulnerable_versions": "<4.17.5", "patched_versions": ">=4.17.5", "overview": "Versions of `lodash` before 4.17.5 are vulnerable to prototype pollution. \n\nThe vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith' which allow a malicious user to modify the prototype of `Object` via `__proto__` causing the addition or modification of an existing property that will exist on all objects.\n\n", "recommendation": "Update to version 4.17.5 or later.", "references": "- [HackerOne Report](https://hackerone.com/reports/310443)", "access": "public", "severity": "low", "cwe": "CWE-471", "metadata": { "module_type": "", "exploitability": 1, "affected_components": "" }, "url": "https://npmjs.com/advisories/577" }, "598": { "findings": [ { "version": "0.4.3", "paths": [ "d3-timeline>node-lessify>less>request>tunnel-agent" ], "dev": false, "optional": true, "bundled": false } ], "id": 598, "created": "2018-04-24T20:30:16.099Z", "updated": "2018-04-24T20:31:15.816Z", "deleted": null, "title": "Memory Exposure", "found_by": { "name": "Сковорода Никита Андреевич" }, "reported_by": { "name": "Сковорода Никита Андреевич" }, "module_name": "tunnel-agent", "cves": [], "vulnerable_versions": "<0.6.0", "patched_versions": 
">=0.6.0", "overview": "Versions of `tunnel-agent` before 0.6.0 are vulnerable to memory exposure.\n\nThis is exploitable if user supplied input is provided to the auth value and is a number.\n\nProof-of-concept:\n```js\nrequire('request')({\n method: 'GET',\n uri: 'http://www.example.com',\n tunnel: true,\n proxy:{\n protocol: 'http:',\n host:'127.0.0.1',\n port:8080,\n auth:USERSUPPLIEDINPUT // number\n }\n});\n```", "recommendation": "Update to version 0.6.0 or later.", "references": "- [GitHub Commit #9ca95ec](https://github.com/request/tunnel-agent/commit/9ca95ec7219daface8a6fc2674000653de0922c0)\n- [Proof of Concept](https://gist.github.com/ChALkeR/fd6b2c445834244e7d440a043f9d2ff4)", "access": "public", "severity": "moderate", "cwe": "CWE-20", "metadata": { "module_type": "", "exploitability": 3, "affected_components": "" }, "url": "https://npmjs.com/advisories/598" } }, "muted": [], "metadata": { "vulnerabilities": { "info": 0, "low": 3, "moderate": 8, "high": 0, "critical": 0 }, "dependencies": 611, "devDependencies": 13697, "optionalDependencies": 242, "totalDependencies": 14356 }, "runId": "a54c0ce2-bb9b-4eb6-be31-42e48c5cbae6" }