npm audit is reporting some vulnerabilities for this dependency - Githubissues

joepie91 / node-bhttp

A sane HTTP client library for Node.js with Streams2 support.

62 stars 12 forks source link

npm audit is reporting some vulnerabilities for this dependency #41

Closed ariellyciandt closed 4 years ago

ariellyciandt commented 5 years ago

Issue

There are some vulnerabilities reported by npm audit when we use the latest version of this module.

Version:

1.2.4

Tested in

Aug 2nd, 2019

Vulnerabilities reported

Level	Module	Path	Issue	Advisory
High	string	bhttp > string	Regular Expression Denial of Service	https://nodesecurity.io/advisories/536
Low	lodash	bhttp > form-data2 > lodash	Prototype Pollution	https://nodesecurity.io/advisories/577
Low	lodash	bhttp > lodash	Prototype Pollution	https://nodesecurity.io/advisories/577
Low	lodash	bhttp > form-data2 > lodash	Prototype Pollution	https://nodesecurity.io/advisories/782
High	lodash	bhttp > lodash	Prototype Pollution	https://nodesecurity.io/advisories/782
High	lodash	bhttp > form-data2 > lodash	Prototype Pollution	https://nodesecurity.io/advisories/1065
High	lodash	bhttp > lodash	Prototype Pollution	https://nodesecurity.io/advisories/1065

Prints

joepie91 commented 4 years ago

Thanks for the report! While none of these vulnerabilities ever actually affected bhttp (I checked this when they were originally reported, but forgot to make note of it here), I've just released a new version (of both bhttp and form-data2) that resolves these audit warnings. Once you upgrade to 1.2.6, the warnings should be all gone.